Credit unions occupy an unusual position in the financial landscape. They are federally regulated financial institutions that operate without shareholders, answerable only to their members. They process payroll direct deposits, hold retirement savings, issue mortgages and auto loans, and manage the day-to-day transactional banking lives of hundreds of thousands of Californians. And they do all of this — often with lean staff and tight operating budgets — under the scrutiny of the National Credit Union Administration.
The NCUA's examination process has grown dramatically more rigorous over the past several years. IT controls that once received a cursory review are now the subject of detailed, multi-day examination workpapers. Examiners arrive with structured questionnaires, request evidence of specific controls, and expect documented policies rather than informal practices. Credit unions that cannot demonstrate a functioning Information Security Program — in writing, with evidence — are receiving Matters Requiring Attention (MRAs) that follow them into subsequent exam cycles.
We work with credit unions throughout Southern California — including smaller community-chartered institutions in Greater Los Angeles whose membership may be tied to a specific trade or employer group. The IT challenges those institutions face are shared by nearly every community credit union in our market: aging infrastructure, lean IT staffing, core banking integration complexity, and the growing expectation from both members and regulators that their financial data will be protected to the same standard as a major bank.
This article is for credit union CEOs, CFOs, compliance officers, and IT committees who want a clear-eyed view of what the NCUA examines, what findings look like, and how a managed IT partner changes the outcome.
Why Credit Unions Face Unique IT Challenges
Most industries have IT challenges. Credit unions have IT challenges layered on top of regulatory examination risk, member trust obligations, and core banking system dependencies that create a uniquely demanding operating environment.
Member PII is the target. A credit union's database contains some of the most comprehensive financial profiles of any individual that exist in a single system: Social Security numbers, account balances, loan payment histories, payroll deposit amounts, employment information, and in many cases tax return data used for loan underwriting. This data is extraordinarily valuable to identity thieves, and credit unions — especially smaller ones perceived as having weaker security than banks — are active targets.
Core banking systems create integration risk. Most California credit unions run core banking platforms from vendors like Jack Henry (Symitar Episys) or Fiserv (DNA, XP2). These systems are the operational heart of the credit union — they process every transaction, update every balance, and feed every report. They are also aging, complex to secure, and deeply integrated with payment networks, online banking portals, and third-party servicers. A security misconfiguration in a core banking integration can expose member data, enable fraudulent transactions, or create examination findings across multiple control domains simultaneously.
Branch network segmentation is a persistent problem. Multi-branch credit unions operate networks that span physical locations — main offices, branch offices, shared service centers, and increasingly, remote employees with access to core banking systems from home. Each location represents a network node that must be properly segmented, monitored, and secured. A single branch with an improperly configured firewall or an unsegmented network is an entry point into the entire institution.
Staff size creates concentration risk. A 15-person credit union may have one person handling IT, compliance, and member services simultaneously. When that person is out, security controls are not actively monitored. When they leave the organization, their institutional knowledge of the IT environment leaves with them. Managed IT solves this concentration risk by providing a dedicated team rather than a single individual.
NCUA fact: The NCUA's 2024 Supervisory Priorities explicitly identified cybersecurity and information security as top examination focus areas, with particular attention to vendor management, access controls, and incident response program maturity. Examiners are receiving expanded training on IT assessment methodologies.
What the NCUA Information Security Examination Covers
The NCUA conducts IT examinations using the Automated Cybersecurity Examination Tool (ACET), which maps credit union IT controls to five cybersecurity maturity domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience.
Within those domains, examiners assess dozens of specific control areas. The ones that generate the most findings at community credit unions are consistently the same:
Access Management: Who Can Get to What
Access management is the foundation of everything else. Examiners will request evidence that your credit union has a documented process for granting, modifying, and revoking access to all systems — core banking, email, network, loan origination, and any third-party portals — and that the process is actually being followed.
Common access management failures examiners find:
- Former employees whose accounts were not disabled at termination — sometimes accounts open for months or years after separation
- Shared or generic credentials used by multiple staff members on the same system login
- No documented access review process — access is granted but never audited as roles change or employees move between departments
- Administrative privileges granted broadly to non-IT staff because it was easier than configuring role-based access correctly
- Third-party vendor accounts with persistent, always-on access to core banking systems that should be time-limited and monitored
- Multi-factor authentication absent on email, remote access, and internet-facing banking portals
During one onboarding engagement at a Los Angeles-area community credit union, one of the first issues we addressed was a set of vendor accounts with persistent VPN access that had never been reviewed since the original implementation. The vendors had not accessed those accounts in over a year, but they remained active and would have passed a credential check. We documented the remediation, disabled the inactive accounts, and helped the institution establish a quarterly access review cycle — which became part of their examiner evidence package.
Change Management: Controlling What Gets Modified
Change management in a credit union context means having a documented, approved process for every change made to any system that touches member data or transaction processing. This includes software updates to the core banking platform, firewall rule modifications, new third-party integrations, and changes to online banking configurations.
Examiners look for evidence that changes are requested, reviewed, approved, tested in a non-production environment when possible, and documented after the fact. What they find instead, at many small credit unions, is an informal process where the IT person or the core vendor makes changes without documentation, without approval records, and without testing — because the team is too small and too busy to build formality into every action.
Change Management Documentation
Examiners will request a log of changes made to production systems over the examination period. They want to see who approved each change, whether testing occurred, and whether there was a rollback plan. Credit unions without a ticketing system or change log often cannot produce this evidence — which results in an MRA even if the underlying changes were legitimate and well-executed.
A managed IT provider brings structured change management by default. Every configuration change, patch deployment, or system modification goes through a documented ticket. Approvals are captured in the system. Test environments are used where they exist. The evidence that examiners request exists because the process generates it automatically, not because someone had to reconstruct it after the fact.
Vendor Management: Due Diligence on Third Parties
Credit unions rely on an extensive ecosystem of third-party vendors: core banking providers, online banking platforms, payment processors, collections servicers, loan origination software, insurance program administrators, and IT managed service providers. The NCUA expects credit unions to perform meaningful due diligence on each of these relationships — and to have the documentation to prove it.
NCUA Letter to Credit Unions 01-CU-20 established the baseline expectation: credit unions must assess the risk of each vendor relationship, review vendor security practices and financial health, include security requirements in contracts, and monitor ongoing performance. The ACET examination builds on this with specific questions about whether vendor due diligence is conducted at onboarding, whether it is updated periodically, and whether there are documented contracts with security and breach notification provisions.
The most common vendor management failure we see: credit unions have no formal vendor register. They cannot produce a list of all third-party vendors, the data those vendors access, the risk tier assigned to each relationship, or the last date of due diligence review. When an examiner asks for this inventory, staff scramble to reconstruct it from memory and email — which is not the posture regulators want to see.
We help credit unions build and maintain a vendor register as part of our managed IT engagement. Every vendor relationship is documented: data access level, contract terms, SOC 2 report status, date of last review, and risk classification. The register is updated when new vendors are added or existing relationships change. When examination time comes, the evidence is ready.
Incident Response: What Happens When Something Goes Wrong
The NCUA requires credit unions to have a written incident response plan that addresses how the institution identifies, contains, eradicates, and recovers from security incidents — and how it notifies regulators and members when a breach occurs.
The NCUA's cybersecurity incident notification rule, which took effect in September 2023, requires credit unions to report any reportable cybersecurity incident to the NCUA within 72 hours of becoming aware of it. A reportable incident is defined broadly: any actual or reasonably possible unauthorized access to, or disruption of, member data or systems that could harm member information, credit union operations, or financial stability.
Seventy-two hours sounds like a long time until you are in the middle of an incident. Determining whether an event is reportable, preserving evidence, containing the threat, and drafting a regulatory notification simultaneously — while trying to keep operations running — is genuinely difficult without a practiced plan and a technical partner who has been through the process before.
An effective incident response plan for a credit union must address:
- Clear definitions of what constitutes a reportable incident under NCUA rules
- Roles and responsibilities — who calls whom, who declares an incident, who communicates with the Board
- Containment procedures specific to the credit union's environment, including how to isolate core banking systems without taking down member-facing services unnecessarily
- Evidence preservation steps that do not destroy forensic data needed for later investigation
- Member notification obligations under California law (SB 1386 and subsequent amendments), which may be triggered alongside NCUA requirements
- Recovery procedures with defined recovery time objectives (RTOs) for each critical system
- Post-incident review process and documentation requirements
Core Banking System Security
The security of the core banking platform itself is an examination area that catches many credit unions unprepared because they assume their core vendor handles security. The vendor handles the application security of the core system — patch management, application hardening, encryption of data in transit — but the credit union is responsible for the environment in which that system runs and the controls around who can access it.
This includes the servers or cloud infrastructure hosting the core (for credit unions on a private cloud or in-house model), the network path between branch teller workstations and the core system, the authentication controls governing who can log in and at what privilege level, and the monitoring of administrative actions within the system itself.
Examiners consistently find that credit unions have not configured core banking audit logging to capture privileged user actions — or that the logs are being generated but never reviewed. A log that no one reads is not a compensating control. We configure log management and review as a standard component of our credit union managed IT program, giving examiners evidence of active monitoring rather than passive log generation.
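The review step is the part that is usually missing, so here is what a minimal one looks like in practice. This is an added example, not IT Center's tooling or any core vendor's log format: the line format, the action names, the approved-administrator list and the business-hours window are all assumptions, and the sample log lines are constructed. Only parse_line() would need adapting to a real platform's export; the review rules (privileged action by a non-approved account, no change ticket referenced, activity outside business hours, failed attempts) are the ones a reviewer would apply by hand.

```python
"""Review a constructed core-banking audit log for privileged user actions.

Added example. The log format, action names, APPROVED_ADMINS and
BUSINESS_HOURS are assumptions; real core platforms use vendor-specific
formats, so parse_line() is the only part that would need adapting.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, time

# Actions that change access or bypass limits; every occurrence is reviewed.
PRIVILEGED_ACTIONS = {
    "ROLE_CHANGE", "USER_CREATE", "USER_ENABLE", "LIMIT_OVERRIDE",
    "PARAMETER_CHANGE", "AUDIT_CONFIG_CHANGE",
}
# Accounts the credit union has approved for privileged actions (assumed list).
APPROVED_ADMINS = {"itadmin.jlee", "core.vendor.svc"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed sample log lines, not output from any real system.
SAMPLE_LOG = """\
2024-05-06T09:12:44 user=itadmin.jlee action=ROLE_CHANGE target=teller.mross ticket=CHG-1042 result=OK
2024-05-06T09:40:10 user=teller.mross action=DEPOSIT target=acct-****1234 ticket=- result=OK
2024-05-06T22:03:51 user=teller.mross action=LIMIT_OVERRIDE target=acct-****5678 ticket=- result=OK
2024-05-07T03:15:02 user=core.vendor.svc action=PARAMETER_CHANGE target=fee_schedule ticket=CHG-1050 result=OK
2024-05-07T11:20:33 user=branch.mgr action=USER_CREATE target=temp.user1 ticket=- result=OK
2024-05-07T11:21:05 user=branch.mgr action=AUDIT_CONFIG_CHANGE target=log_level ticket=- result=FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) ticket=(?P<ticket>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    target: str
    ticket: str | None
    result: str


def parse_line(line: str) -> Event:
    """Parse one line of the assumed key=value format into an Event."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ticket = None if m["ticket"] == "-" else m["ticket"]
    return Event(datetime.fromisoformat(m["ts"]), m["user"], m["action"],
                 m["target"], ticket, m["result"])


def review_event(ev: Event) -> list[str]:
    """Return the reasons a privileged event needs reviewer attention (empty if none)."""
    reasons: list[str] = []
    if ev.action not in PRIVILEGED_ACTIONS:
        return reasons
    if ev.user not in APPROVED_ADMINS:
        reasons.append("privileged action by non-approved account")
    if ev.ticket is None:
        reasons.append("no change ticket referenced")
    start, end = BUSINESS_HOURS
    if not (start <= ev.ts.time() <= end):
        reasons.append("outside business hours")
    if ev.result != "OK":
        reasons.append("failed attempt")
    return reasons


def review_log(text: str) -> list[tuple[Event, list[str]]]:
    """Every privileged event in the log, paired with its review reasons."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [(ev, review_event(ev)) for ev in events if ev.action in PRIVILEGED_ACTIONS]


def flagged(text: str) -> list[tuple[Event, list[str]]]:
    """Only the privileged events that carry at least one review reason."""
    return [(ev, r) for ev, r in review_log(text) if r]


if __name__ == "__main__":
    for ev, reasons in review_log(SAMPLE_LOG):
        status = "REVIEW" if reasons else "ok    "
        print(f"{status} {ev.ts:%Y-%m-%d %H:%M} {ev.user:<16} {ev.action:<20} {'; '.join(reasons)}")
```

Run against the constructed log, five of the six lines are privileged actions and four of those are flagged. The vendor's 03:15 parameter change is flagged only for being outside business hours: vendor maintenance is normally scheduled overnight, so the reviewer's job there is to confirm the referenced ticket covers that window, and the dated review note itself is the examiner evidence.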
Branch Network Segmentation
A properly segmented credit union network treats member-facing Wi-Fi, teller workstations, back-office systems, and core banking access as separate network zones with controlled traffic between them. An improperly segmented network treats all of this as one flat environment — which means a compromised teller workstation has direct network access to the same systems as a core banking administrator.
Flat networks are a finding. They have been a finding for years, and examiners continue to cite them because the remediation requires both technical expertise and capital investment that some credit unions have deferred. IT Center performs network segmentation assessments as part of our onboarding process and can design and implement VLAN-based segmentation that satisfies the NCUA's expectations for network architecture without requiring a complete infrastructure replacement.
Common Exam Findings — and How IT Center Resolves Them
Finding: No documented Information Security Program
The credit union lacks a written ISP that addresses the required elements: risk assessment, security controls, vendor management, incident response, and employee training.
Resolution: ISP drafted and maintained as a living document
We deliver a complete ISP tailored to the credit union's environment, updated annually and whenever material changes occur. It maps directly to NCUA examination workpapers.

Finding: Multi-factor authentication not enforced
Staff access email, remote systems, and online banking administrative portals with passwords only — no second factor required.
Resolution: MFA deployed across all critical access points
We configure and enforce MFA on Microsoft 365, VPN, remote desktop, and any internet-facing administrative portal. Compliance is monitored continuously.

Finding: No formal vendor risk management program
The credit union cannot produce a vendor inventory, risk tiers, or evidence of periodic due diligence on third-party relationships.
Resolution: Vendor register built and maintained
We build the complete vendor register, classify each relationship by risk tier, track due diligence dates, and flag renewals for review. Available as exam evidence on request.

Finding: Incident response plan not tested
The credit union has an IR plan on file but has never conducted a tabletop exercise or tested notification procedures. Examiners note it as a paper document without operational substance.
Resolution: Annual tabletop exercises with documented results
We facilitate annual IR tabletop exercises, document results and gaps, and update the plan. Exercise records serve as examiner evidence of an operationally tested program.
The Real Cost of Non-Compliance vs. Managed IT
Credit union leaders sometimes evaluate managed IT as an operating expense line and look for ways to reduce it. That calculus changes significantly when you factor in the actual cost of non-compliance — and the hidden costs carried by under-resourced IT programs.
Examination remediation costs. An NCUA Matter Requiring Attention doesn't come with a fine, but it does come with a requirement to remediate and document the remediation within a defined timeframe. If the finding persists into the next examination cycle, it can escalate to a Document of Resolution or a Letter of Understanding and Agreement — both of which carry formal supervisory implications and require Board-level responses. The staff time, legal involvement, and outside consultant fees associated with escalated examination findings routinely exceed the cost of a managed IT engagement several times over.
Data breach response costs. The average cost of a data breach in the financial services sector exceeded $6 million in 2024, according to IBM's Cost of a Data Breach report. For a community credit union, a breach of member PII triggers California breach notification obligations (California Civil Code 1798.82), NCUA notification requirements, potential NCUA supervisory action for inadequate security controls, and member attrition. A single breach event can represent an existential threat to a small institution.
Core banking downtime costs. If a ransomware attack encrypts core banking files or disrupts the network path between branches and the core system, the credit union cannot process transactions. Members cannot access their accounts. Tellers cannot complete transactions at the counter. ATMs may go offline. Every hour of downtime represents direct reputational and operational damage that is very difficult to quantify in advance and very painful to absorb in practice.
IT Center's managed IT program is priced at $300 per computer user per month — a flat, predictable rate that covers continuous monitoring, endpoint security, backup management, patch management, email security, helpdesk support, and the documentation infrastructure needed to pass an NCUA examination. For a credit union with 20 employees, that is $6,000 per month against the risk of a six-figure breach response or a multi-cycle regulatory remediation program.
IT Center's Credit Union IT Services
Our credit union practice is built around the specific requirements of federally regulated financial institutions. We are not a general-purpose IT provider that happens to have a financial services client or two — we have structured our program to address the examination, security, and operational requirements that define the credit union operating environment.
Information Security Program Development
We develop and maintain the written Information Security Program required by NCUA regulation — covering risk assessment, access management, change management, vendor management, incident response, business continuity, and employee awareness training. The ISP is a living document, updated annually and whenever material changes occur to the credit union's technology environment or regulatory guidance.
NCUA Examination Readiness
Before every NCUA examination, we conduct an internal review of the controls the examiner will assess, identify any gaps, and work with the credit union to remediate issues and organize evidence. We can join examination kick-off meetings as the IT subject matter expert, present technical controls to examiners, and respond to information requests directly. Examiners appreciate dealing with a technical team that understands the examination framework — it shortens the examination and produces cleaner results.
Core Banking Environment Security
We work within whatever core banking platform the credit union uses to ensure the surrounding environment is properly secured: network segmentation between core-adjacent systems and member-facing infrastructure, audit logging configured and reviewed, privileged access to core systems controlled and documented, and patches applied on a defined schedule. We coordinate directly with core vendors on scheduled maintenance windows to ensure changes are tested and documented.
Endpoint and Email Security
Every credit union workstation is managed with enterprise-grade endpoint detection and response. Email security goes beyond spam filtering to include advanced phishing protection, impersonation detection, and DMARC/DKIM/SPF authentication that protects the credit union's domain from being spoofed in member-targeted fraud attacks. We monitor for credential compromise continuously and respond to alerts around the clock.
Business Continuity and Disaster Recovery
We implement and test backup and recovery systems that meet the NCUA's expectations for business continuity planning. This includes defined recovery time objectives and recovery point objectives for each critical system, tested restoration procedures, and documented continuity plans that address core banking unavailability, network outages, and facility losses. Testing results are documented and available as exam evidence.
Security Awareness Training
We deploy and manage security awareness training programs for all credit union staff, including simulated phishing exercises, monthly training modules, and role-specific training for staff with elevated system access. Training completion records are documented for examination purposes. Staff who click simulated phishing emails receive immediate remedial training rather than waiting for the next scheduled session.
"Credit unions are held to the same security standard as banks but often operate with a fraction of the IT resources. Our job is to close that gap — to give community credit unions the documentation, the controls, and the monitoring that examiners expect to see, at a cost structure that makes sense for institutions of their size."
Exam Readiness Action Checklist for Credit Unions
1. Review your Information Security Program. Does it exist as a written document? Was it reviewed and approved by the Board in the past 12 months? Does it address every element the NCUA examination workpapers ask about — risk assessment, vendor management, incident response, access controls, and employee training? If any of these answers is no, the ISP needs attention before the next exam cycle.
2. Conduct a formal access review. Pull a complete list of user accounts across core banking, email, network access, loan origination, and online banking administration. Confirm every account belongs to a current, active employee with a legitimate business need. Disable any account that cannot be tied to an active user. Document the review — examiners will ask when it was last done.
3. Enable MFA everywhere credentials are used. Microsoft 365, core banking remote access, VPN, online banking admin portals, loan origination systems — every system with internet-accessible credentials needs multi-factor authentication. No exceptions for executives or long-tenured staff. Examiners specifically look for MFA gaps in privileged accounts.
4. Build your vendor register. List every third party that accesses your member data or critical systems. For each one, document the data they touch, the contractual security provisions, whether they hold a SOC 2 Type II report (and whether you have reviewed it), the risk tier you have assigned to the relationship, and the date of last due diligence review. Update this register whenever a new vendor is onboarded.
5. Test your incident response plan. Schedule a tabletop exercise this quarter. Walk your team through a ransomware scenario: who gets called first, what systems get isolated, who makes the 72-hour NCUA notification, what do you tell members, what does the Board receive? Document the results. Note the gaps. Update the plan. Repeat annually and after any actual incident.
6. Assess your network segmentation. If your member Wi-Fi, teller workstations, and core banking-adjacent servers are all on the same network segment with no VLAN separation or access control lists between them, you have a finding waiting to happen. Get a current network diagram and have a qualified engineer review whether your segmentation meets minimum examination expectations.
7. Verify your backups with an actual restoration test. Generate a list of your most critical data sets — core banking database exports, loan files, member records, email archives. Restore a sample of each from backup to a clean environment. Confirm the data is complete and current. Document the test. If restoration fails or data is missing, that is an urgent finding to address before an examiner asks the same question.
8. Document your patch management process. Examiners want to see that patches are applied on a defined schedule — not when someone gets around to it. Define your patching window (critical patches within 14 days, standard patches within 30 days is a common baseline), and ensure your IT team or provider can produce patch deployment records for any given endpoint on request.
Protecting the Trust Members Place in Their Credit Union
The cooperative model that defines credit unions is built entirely on trust. Members choose a credit union because it is theirs — it represents their community, their industry, their union, their neighborhood. When that trust is violated by a data breach or a service outage, members do not simply tolerate it because they have nowhere else to go. They leave, and they tell others.
Regulators understand this dynamic. The NCUA's examination intensity around IT controls reflects a recognition that a cybersecurity failure at a credit union is not just a business problem — it is a harm to the members who entrusted the institution with their financial lives. That is why examination standards have risen and why they will continue to rise. The question for each credit union is whether their IT infrastructure can keep pace.
IT Center has served Southern California businesses and financial institutions since 2012. Our work with community credit unions and other financial institutions is built around a simple principle: give every credit union access to the documentation, the controls, and the technical expertise that examiners expect to find — at a price point that makes sense for institutions that exist to serve members, not generate shareholder returns. Call us at (888) 221-0098 to talk about where your credit union stands today.
Ready for Your Next NCUA Examination?
We will assess your current IT controls against NCUA examination expectations, identify your highest-priority gaps, and give you a clear remediation roadmap — before the examiner arrives. No jargon, no pressure.
Schedule your free assessment, or call us directly: (888) 221-0098