Preparing for the Worst, Hoping for the Best

February 12, 2015 at 9:16 am

Maybe it’s because the desolate Albany landscape with its frozen mounds of exhaust-tinged snow and sub-zero temperatures makes me feel like I’m inhabiting a post-apocalyptic world, but a couple of days ago I got around to reading the FFIEC’s new appendix to its examination handbook dedicated to disaster preparedness, entitled Strengthening the Resilience of Outsourced Technology Services. In all seriousness, it is a must-read for any credit union that has to have a business continuity plan (BCP) and contracts with third parties for services that should be integrated into this business plan. I bet that is almost every credit union.

Regulators have long emphasized the need for appropriate due diligence when entering into third-party relationships. In addition, Business Continuity Planning has been a major point of regulator emphasis since 9-11, not to mention that “once in a century storms” seem to be coming every other year. This new appendix zeroes in on the importance to financial institutions of ensuring that appropriate vendor services are integrated into BCP plans and testing. As the regulators commented in releasing the appendix, “a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner.”

The appendix highlights four key points of emphasis for examiners assessing third-party relationships.

(1) Third-party management addresses a financial institution management’s responsibility to control the business continuity risks associated with its third-party service providers (TSPs) and their subcontractors.

(2) Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.

(3) Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.

(4) Cyber resilience covers aspects of BCP unique to disruptions caused by cyber events.

I don’t want anyone to break into a cold sweat thinking that a new compliance requirement is necessarily being imposed on them. If you don’t outsource core operational functions to third parties, this appendix shouldn’t concern you much. But if your credit union can’t operate effectively unless a vendor is also on the job, then you have an obligation to work with that vendor and make sure that it has a Business Continuity Plan that is compatible with your own.

Think about it: if your vendor backs up all your account information at a facility down the block from your credit union, your BCP plan has some serious holes.

Don’t Fire Until You See the Whites of Their Eyes

Yesterday, the CU Times reported that Sen. Richard Shelby (R-Ala.), chairman of the Senate Banking, Housing and Urban Affairs Committee, would not rule out doing away with the credit union tax exemption as part of an overhaul of the tax code.

Shelby’s equivocation on the tax exemption underscores that tax reform poses dangers for credit unions, but his stance should hardly surprise anyone, nor should it send us scrambling to the ramparts as if the industry is in imminent danger. The fact is that in any push to overhaul the tax code a prominent veteran lawmaker like Shelby isn’t going to take anything off the table. There is a lot of negotiating to be done, if and when we ever get to a tax reform end game.

Should the industry be vigilant? Absolutely. But, in my ever so humble opinion (and I stress only my opinion), in recent years the industry has overreacted to the threat of tax reform with the result that it has not pushed aggressively enough for other parts of its agenda. There may come a time when we need to activate the grassroots in a major push to save the exemption, but that time is not here yet. In the meantime, let’s not let the bankers sideline our agenda every time they advocate for ending the exemption or draw too many conclusions every time a legislator gives less than 100 percent support for the industry.

Entry filed under: Advocacy, Compliance, Political, Regulatory.



Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
