Preparing for the Worst, Hoping for the Best
Maybe it’s because the desolate Albany landscape with its frozen mounds of exhaust-tinged snow and sub-zero temperatures makes me feel like I’m inhabiting a post-apocalyptic world, but a couple of days ago I got around to reading the FFIEC’s new appendix to its examination handbook dedicated to disaster preparedness, entitled Strengthening the Resilience of Outsourced Technology Services. In all seriousness, it is a must-read for any credit union that has to have a business continuity plan (BCP) and contracts with third parties for services that should be integrated into this business plan. I bet that is almost every credit union.
Regulators have long emphasized the need for appropriate due diligence when entering into third-party relationships. In addition, Business Continuity Planning has been a major point of regulator emphasis since 9-11, not to mention that “once in a century storms” seem to be coming every other year. This new appendix zeroes in on the importance to financial institutions of ensuring that appropriate vendor services are integrated into BCP plans and testing. As the regulators commented in releasing the appendix, “a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner.”
The appendix highlights four key points of emphasis for examiners assessing third-party relationships.
(1) Third-party management addresses a financial institution management’s responsibility to control the business continuity risks associated with its third-party service providers (TSPs) and their subcontractors.
(2) Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.
(3) Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.
(4) Cyber resilience covers aspects of BCP unique to disruptions caused by cyber events.
I don’t want anyone to break into a cold sweat thinking that a new compliance requirement is necessarily being imposed on them. If you don’t outsource core operational functions to third parties this appendix shouldn’t concern you much. But if your credit union can’t operate effectively unless a vendor is also on the job, then you have an obligation to work with that vendor and make sure that it has a Business Continuity Plan that is compatible with your own.
Think about it: if your vendor backs up all your account information at a facility down the block from your credit union, your BCP plan has some serious holes.
Don’t Fire Until You See the Whites of Their Eyes
Yesterday, the CU Times reported that Sen. Richard Shelby (R-Ala.), chairman of the Senate Banking, Housing and Urban Affairs Committee, would not rule out doing away with the credit union tax exemption as part of an overhaul of the tax code.
Shelby’s equivocation on the tax exemption underscores that tax reform poses dangers for credit unions, but his stance should hardly surprise anyone, nor should it send us scrambling to the ramparts as if the industry is in imminent danger. The fact is that in any push to overhaul the tax code a prominent veteran lawmaker like Shelby isn’t going to take anything off the table. There is a lot of negotiating to be done, if and when we ever get to a tax reform end game.
Should the industry be vigilant? Absolutely. But, in my ever so humble opinion (and I stress only my opinion), in recent years the industry has overreacted to the threat of tax reform with the result that it has not pushed aggressively enough for other parts of its agenda. There may come a time when we need to activate the grassroots in a major push to save the exemption, but that time is not here yet. In the meantime, let’s not let the bankers sideline our agenda every time they advocate for ending the exemption or draw too many conclusions every time a legislator gives less than 100 percent support for the industry.