Dear Board of Directors:
The National Credit Union Administration (NCUA) board recently approved NCUA Rules and Regulations, Part 721, Incidental Powers. Categories of activities pre-approved as incidental powers necessary for Federal Credit Unions (FCUs) to carry on business include:
- Electronic Financial Services (Part 721.3(c)) - authorizes FCUs to offer through electronic means any services, products, functions, or activities that a credit union could otherwise perform, provide, or deliver to members.
- Finder Activities (Part 721.3(f)) - authorizes FCUs to introduce or otherwise bring together outside vendors with its members for the negotiation and consummation of transactions. Included in this authorization is the ability that the credit union can provide information to members about the products and services of third parties.
Credit unions are increasingly using their electronic financial service infrastructure to provide finder activities to assist their members. This is most commonly evidenced by credit union web sites on the Internet containing links to third-party web sites. These linked third-party sites can provide a variety of important services to the membership. However, these weblinking relationships may also expose the credit union to additional risk.
Before entering into any new activity, the credit union board should properly evaluate the credit union’s risks, develop appropriate policies, contract appropriately with third parties, seek the advice of legal counsel, and provide the necessary staff training. The same risks associated with the use of information technology also apply in establishing a weblinking relationship:
- Strategic Risk – Failure to plan adequately for weblinking. Management should determine the needs of the membership and select an appropriate third party to assist in meeting those needs.
- Transaction Risk – Failure to determine the security and reliability of linked third-party web sites. Management should assess the security and performance reliability of web sites whose performance is beyond their control.
- Compliance Risk – Failure to verify that the third-party web site complies with all applicable laws (HMDA, Privacy, etc.). Management should evaluate linked third-party web sites for compliance where applicable.
- Reputation Risk – Failure to address and manage the public perception of linked sites. Management should determine if the information, links and advertising appearing on such sites is appropriate.
There are several ways to present a linked third-party web site. In some cases, a linked third-party web site is displayed in its own window without reference to the credit union. In other instances, a linked third-party web site is displayed in a window framed with the credit union’s name.
Credit unions may increase their risk of exposure to liability by framing a third-party web site because the member may think they are still at the credit union’s web site. In some cases, members may believe the credit union endorses the information, product or services offered by linked third parties, or that the insurance protections afforded the member at the credit union also apply to the products offered at the linked third-party web site.
When providing links to third-party web sites, credit unions are strongly encouraged to include a clearly written, conspicuous disclaimer that addresses the following:
- The member is leaving the credit union’s web site;
- The member is linking to an alternate web site not operated by the credit union;
- The credit union is not responsible for the content of the alternate web site;
- The credit union does not represent either the third party or the member if the two enter into a transaction; and
- Privacy and security policies may differ from those practiced by the credit union.
Management should develop detailed, written policies that address the following:
- Selection criteria – Determine type of web site needed and contract with each third party, or an intermediary party, who will arrange the FCU’s links.
- Due diligence – Determine the third party’s financial stability, customer service standards, privacy, security, performance, and veracity of web-site content.
- Web-site reviews – Determine the frequency and process for reviewing the linked web sites for appropriate presentation and content.
- Implementation – Determine the appropriate manner in which to implement links to various third parties depending on the relationship. For example, there may be instances where linking is intentionally transparent to the members. This may occur in situations where a credit union hosts its own web site containing marketing and contact information, but offers on-line account access via a button on their web site that links to a third party. The linked third party acts on behalf of the credit union to provide electronic account access for the members. This alternate web site is actually supporting a part of the credit union’s site. In such cases, it may not be necessary for members to distinguish the third-party site from the credit union’s web site.
Contracts should be clearly written and contain understandable and enforceable definitions of all obligations, liabilities, and recourse arrangements. Appropriate contract provisions include:
- Establishing the relationship between the credit union and the third party specifying that they are not forming a partnership or entering into a joint relationship.
- Excluding links that would violate any federal, state, or local laws, rules, or regulations.
- Excluding links or portions of a linked web site that the credit union determines 4 is unacceptable.
- Limiting risk when entering, maintaining, and ending the weblinking relationship.
- Including guidelines for adding new products or services.
- Addressing security and privacy issues.
- Including the conditions for ending or terminating the link.
- Specifying that the entity providing the link is directly responsible to the credit union, if using an intermediary party.
Staff involved in managing the weblinking arrangement should have sufficient training and guidance to carry out the board’s desires including:
- Selecting third-party relationships
- Monitoring the activity of third-party web sites
- Conducting ongoing due diligence of third parties
Enclosed for your review is the Office of the Comptroller of the Currency’s (OCC) recently issued OCC Bulletin 2001-31, Weblinking. The OCC Bulletin discusses the risks and related control mechanisms that credit unions should consider when they establish weblinking relationships.
In addition, NCUA has published guidance papers to assist FCUs in evaluating the risks and understanding the legal requirements involved in some of these activities. This guidance includes:
- NCUA Letter to Credit Unions No. 01-CU-11 (August 2001), focuses primarily on the electronic aspects of member data security;
- NCUA Letter to Credit Unions No 01-CU-09 (September 2001), guidance on how credit unions should protect member information from identity theft and pretext calling;
- NCUA Letter to Credit Unions No. 01-CU-04 (March 2001), encouraging credit unions to consider the benefits of offering Internet-based electronic financial services to your credit union’s membership;
- NCUA Letter to Credit Unions No. 01-CU-02 (February 2001), offering guidance on the privacy of consumer financial information;
- NCUA Letter to Credit Unions No. 109 (September 1, 1989), discussing risks associated with certain computer operations;
- NCUA Letter to Credit Unions No. 97-CU-5, addressing electronic financial services;
- NCUA Letter to Credit Unions No. 00-CU-11, regarding risk management of outsourced technology services; and
- NCUA Interpretive Ruling and Policy Statement 85-1, covering trustees and custodians of pension plans.
NCUA’s published guidance, along with NCUA’s regulations, are available from the agency’s website at www.ncua.gov.
Additional interpretive letters and guidance issued by other federal financial institution regulators may assist you in understanding an activity’s risks, for example, OCC Bulletin 2001-12 on bank-provided account aggregation services and OCC Advisory Letter 2000- 9 on third-party risk. The OCC guidance is available from the agency’s website at http://www.occ.treas.gov (opens new window). Depending on the activities an FCU undertakes, it may also need to comply with applicable state laws and consult with its own legal counsel and other professional advisers.
If you have any questions or concerns, please contact your NCUA Regional Office.