Risk-Confusion
As third-party relationships become more complex and cybersecurity threats escalate, credit unions are facing increasing pressure to enhance their third-party risk management (TPRM) programs, according to the 2025 Third-Party Risk Management Survey released by Ncontracts.
The survey, which gathered responses from over 170 banks, credit unions and mortgage firms, found that 73% of institutions have just one or two full-time employees overseeing vendor risk, despite more than half managing over 300 vendors. For credit unions, this staffing constraint is particularly challenging given their cooperative structure and often limited resources.
Recommended For You
“Third-party incidents are now the most common problem with credit unions,” one credit union respondent noted. “Paying attention to the status and health of your third-party customers is essential to reduce the probability of problems.”
The pressure to improve is mounting, with two-thirds of institutions citing regulators and auditors as the primary drivers for upgrading TPRM systems. Notably, 31% of institutions reported being told to make improvements following their most recent audit or exam.
Cybersecurity and artificial intelligence are also top concerns. Nearly half of financial institutions experienced a third-party cyber incident in the past year, and 30% identified AI use by vendors as a major risk heading into 2025.
Despite these concerns, many institutions still rely on manual tools like spreadsheets for risk management. Institutions using such tools were significantly more likely to receive regulatory findings during audits.
Credit unions, particularly those with less than $1 billion in assets, are encouraged to adopt hybrid or centralized models, implement AI-specific controls in contracts and leverage TPRM software to streamline oversight. According to the report, 85% of financial institutions using dedicated TPRM software platforms reported moderate to high return on investment, citing stronger vendor oversight, compliance and cost savings.
With regulations tightening and threats evolving, proactive and scalable TPRM is becoming a critical differentiator for credit unions committed to safeguarding their operations and members.
READ MORE: 2025 Third-Party Risk Management Survey
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Michael Ogden
Editor-in-Chief at CU Times. To connect, email at [email protected]. As Editor-in-Chief of CU Times since 2016, Michael Ogden has led the editorial team in all aspects of content strategy and execution, including the creation of the publication’s exclusive and proprietary research database of the credit union industry’s economic landscape. Under Michael’s leadership, CU Times has successfully shifted to an all-digital editorial product with new focuses on the payments, fraud, lending and regulatory beats. Most recently, he introduced a data-focused editorial product for subscribers that breaks down credit union issues into hard data, allowing for a deeper and more factual narrative for readers. In 2024, he launched the "Shared Accounts With CU Times" podcast, which offers a fresh, inside-the-newsroom perspective through interviews with leaders from the credit union industry and the regulatory world. He dives into pressing credit union issues, while revealing the personalities working behind-the-scenes to push the credit union world forward. His background includes years as a radio and TV anchor/reporter and a public relations and digital/social media manager, where he covered the food and music industries, as well as cooperatives and credit unions. Over the years, he has launched numerous exclusive video and podcast series, including a successful series of interactive backstage interviews with musicians at music festivals, showcasing his social media and live streaming production skills.
