Don’t Be Fooled by Phony SOC Reports

A credit union guide to cloud provider due diligence. Part I

In this 4-part series we dig into what credit unions should be looking for in SOC reports. As credit unions research Loan Origination Systems and other cloud-based solutions we point out the value of working with a provider that has done detailed work to earn their SOC Certifications.

The NCUA’s Supervisory Letter no. 07-01, dated October 2007 and titled Evaluating Third Party Relationships, details what’s expected of every credit union in terms of evaluating, selecting and maintaining a relationship with each third-party provider that performs a mission-critical service for the credit union, such as supporting the credit union’s loan origination system or software. Since then, the NCUA has devoted, and continues to devote, considerable resources to keeping credit unions current on cybersecurity issues. Even so, this letter remains the primary guidance for credit unions when evaluating third-party relationships.

The NCUA looks at three distinct areas:

1. Risk assessment and planning
2. Due diligence
3. Risk measurement, monitoring, and control

What the NCUA Requires

Risk assessment looks only at the risk associated with the underlying endeavor without any consideration for a particular vendor. In other words, before any vendor evaluation commences, the credit union must determine whether the fundamental objective is a sound one.

Due diligence focuses on the assessment of a particular vendor. Is the company under consideration financially sound? Is the technology sound and is all personally identifiable information (PII) and non-public information (NPI) secure? Are the vendor’s systems and controls reliable?

Assessing the safety and suitability of any cloud-based vendor is not a one-time undertaking. Rather, it’s an ongoing endeavor that credit unions must take very seriously. Risk measurement, monitoring, and control are the means by which a credit union maintains this ongoing assessment. The risk of failing to make these assessments is twofold. First, failure to document these efforts could result in findings on the credit union’s NCUA audit. Second, and most important, failure to execute an ongoing assessment could jeopardize the credit union’s operations and/or members’ PII/NPI.

About Sync1 Systems

Sync1 Systems, a fully SOC-certified technology CUSO, is the developer of the industry’s first 100% cloud-based Loan Origination System (LOS). The Sync1 product is not an on-premises product that was repurposed for cloud deployment; it was designed from the ground up to take full advantage of the features and benefits of a true cloud deployment. A copy of Sync1’s current SOC 3 report is available on request.

For additional information about Sync1 Systems or any information presented in this paper, please feel free to contact us at or (888) 200-7801
