NCCCO Exam 4 | Study Guide & Practice Questions
Vendor Management: What (7) areas of risk should 3rd party risk assessments consider? - (answer)
1) Credit Risk
2) Liquidity Risk
3) Interest Rate Risk
4) Transaction Risk
5) Compliance Risk
6) Strategic Risk
7) Reputation Risk
What (6) due diligence practices does NCUA recommend when CUs evaluate a 3rd party vendor? -
(answer)1) Background Check (performance with other FIs etc.)
2) 3rd party's business model
3) Cash Flow movement between all parties
4) Financial and operational condition (ex. SSAE 18)
5) Legal counsel review
6) Impact of contract on credit union's accounting
What are the (3) phases that help to mitigate the risk of 3rd party relationships? - (answer)1) Risk Assessment
2) Controls
3) Ongoing monitoring and review
NCUA: What should CUs consider during the risk assessment phase? - (answer)1) Expectations for any outsourced functions
2) CU staff expertise
3) Criticality or importance of the outsourced activity
4) Insurance considerations
5) Impact on membership if 3rd party is used
6) Exit strategy
FFIEC: Due Diligence areas for Technology vendors - (answer)1) Service delivery capability, status and effectiveness
2) Technology and systems architecture
3) Internal Controls
4) Security History
5) Insurance coverage
6) Ability to meet disaster recovery and business continuity requirements
CFPB Due Diligence Requirements - (answer)CFPB expects that FIs verify that vendors understand and can comply with consumer financial laws;
that the vendor trains its employees; and
that the FI reviews the vendor's policies, procedures, training and controls.
Do vendor relationships relieve a CU of liability for member complaints or compliance violations? -
(answer)No. This is true even if the vendor is responsible for compliance with regulations under the contract. The CU is responsible for ensuring the vendor is actually complying with applicable regulations.
Vendor Mgt: Monitoring/Oversight Requirements - (answer)Must continue to monitor during the course of the relationship.
Ex. obtaining an annual review of the vendor's financial condition and insurance coverage is normal.
Info Security Program: what must be addressed? - (answer)1) Protect the CU from all types of crime (ex. cybercrime, physical security)
2) Keep member info secure and confidential
3) Respond to incidents of unauthorized access to member info
4) Assist in the identification of bad actors
5) Prevent destruction of vital credit union records
Info Security Program: when must it be updated? - (answer)When the CU makes changes to its operations, it should review and update the Program.
Three (3) reporting requirements in NCUA Reg Part 748 - (answer)1) Certify compliance with Part 748 annually;
2) Catastrophic Act Report (within 5 days of event impacting CU); and
3) SAR Reporting
What is a catastrophic act? - (answer)A disaster that results in physical destruction of or damage to the CU, or that causes an interruption in vital member services projected to last more than 2 consecutive business days.
What does NCUA require from CUs in the event of a catastrophic act? - (answer)1) File a report with NCUA within 5 business days
2) Make a record of the incident as soon as possible, including: where the act occurred, when it took place, the amount of loss/damage, and any operational, technical or mechanical deficiencies that contributed to the incident.
How should a CU certify compliance with NCUA's security program requirements? - (answer)Must certify compliance annually via the NCUA's CU Online Profile
Role of the Board: Oversight of the IT Program - (answer)The Board must implement and maintain the Program; it cannot just "rubber stamp" decisions. It should receive reports on the overall status of the Program.
What is required to be in the response program for unauthorized access to member information? (6) -
(answer)Program must address:
1) How the CU will assess the nature and scope of any incident
2) Identify what member info has been accessed
3) Steps to contain/control the incident to prevent further access
4) Preserve records and evidence related to the breach so the bad actor can be identified