Doing Business with Credit Unions

No.

NCUA does not approve, endorse, or license any specific products, services, or vendors. Credit unions remain responsible for verifying that any product, service, or vendor supports their specific needs and requirements.

Credit unions may consider NCUA’s guidance on third-party risk management as a helpful resource when evaluating whether external relationships support safe, sound, and compliant operations.

As a federal financial regulator, NCUA supervises and insures federally insured credit unions. It does not evaluate, certify, or promote outside companies or solutions. However, the NCUA Board does approve fidelity bond forms as required by the Federal Credit Union Act and associated regulations.

No.

NCUA does not certify or validate vendor compliance. Credit unions that rely on any vendor for services or financial technology are still responsible for complying with applicable laws, regulations, and security expectations. Credit unions may consider NCUA’s guidance on third-party risk management as a helpful resource when evaluating whether external relationships support safe, sound, and compliant operations.

Any representations by a company that it and/or its product(s) are “NCUA certified” or “NCUA approved,” or similar representations, are false and should be reported to NCUA at OGCMail@ncua.gov.

No.

Vendors may not state or imply that NCUA has reviewed, approved, or validated their products. Even if a vendor’s product or service is designed to support regulatory compliance, NCUA does not confirm or endorse the validity of the vendor’s claims.
Credit unions remain responsible for verifying that any product or service supports their specific needs and requirements.

No.

NCUA does not approve, endorse, or license any specific technology platform, software, or solution. Credit unions are responsible for selecting technologies that meet their needs. This includes performing due diligence, evaluating risks, and implementing appropriate risk-mitigation controls.

NCUA evaluates whether a credit union complies with laws and regulations and is operating in a safe and sound manner—not which systems, software, or tools it selects.

In limited cases, NCUA staff may meet with a company to learn about new products or technologies.

A meeting with NCUA staff does not constitute approval, endorsement, or validation of a product or service. Meetings are for informational purposes and must never be represented as agency support for a company or product.

NCUA focuses its resources on the agency’s core functions and avoids situations where meeting with a vendor could imply preferential treatment. The agency may participate in events to share information about regulatory topics and industry risks—not to evaluate, promote, or endorse providers. NCUA’s participation in an event should not be interpreted as approval of any product, service, or vendor in attendance.

If requesting a meeting with NCUA staff to discuss products or technologies, please contact OEACmail@ncua.gov. The agency will assess the reason for the meeting and facilitate meetings with staff as appropriate. Submission of information does not create an obligation for the agency to respond or engage in further discussion.

No.

The use of NCUA’s name, seal, or logo requires prior, express, written authorization. Unauthorized use may violate federal law, including 18 U.S.C. § 709.

Any claim of endorsement, approval, certification, or affiliation without written NCUA authorization may violate federal law—including 18 U.S.C. § 709—and should be reported to NCUA immediately.

Yes.

Credit unions remain fully responsible for third-party due diligence, vendor monitoring, cybersecurity considerations, contract oversight, and ensuring compliance with applicable laws and regulations for all activities, including those outsourced to a third party.

It is also important to note that one credit union’s responsible management of the risk associated with a vendor, product, service, or technology does not mean that every credit union is similarly positioned to manage similar risks. Each credit union must have the necessary financial and operational capacity to safely use the vendor, product, service, or technology.

If NCUA finds that a specific credit union is unable to manage the risks associated with a specific vendor, product, service, or technology, this speaks to the credit union’s risk management and should not be construed as an assessment of the vendor, product, service, or technology itself.