If you work in IT at a credit union, you know the drill. Every 12-18 months, the NCUA examination team arrives. They ask questions. They want documentation. And increasingly, they want to see how you're managing your IT assets — including what's expiring and when.
The days of "we have a spreadsheet somewhere" are over.
What Examiners Actually Look For
NCUA examiners evaluate credit union IT operations under several frameworks, including the FFIEC IT Examination Handbook and the NCUA's own Information Security guidelines. While specific requirements vary by examination scope and credit union size, here's what consistently comes up:
1. Certificate and Encryption Management
Examiners want to know:
- What SSL/TLS certificates does the credit union use?
- Who manages them?
- When do they expire?
- What happens when they expire? (Is there a process?)
An expired SSL certificate on your online banking portal isn't just an IT inconvenience — it's a member-facing security event. Examiners take it seriously.
2. Domain and DNS Management
Your credit union's domain is a critical asset. Examiners may ask:
- Who controls domain registration?
- When does the domain expire?
- Is there a succession plan if the primary admin leaves?
- Are DNS records monitored for unauthorized changes?
Domain hijacking and expiration are real threats that have affected financial institutions. Examiners know this.
3. Vendor and Contract Management
NCUA regulation 748 and FFIEC guidance require credit unions to manage vendor relationships, including:
- Active contracts and their renewal dates
- Warranty coverage for critical hardware
- Software licensing compliance
- Service level agreements and their terms
4. IT Asset Inventory
Examiners expect a current, accurate inventory of IT assets, including:
- Hardware (servers, workstations, network equipment) with warranty status
- Software licenses and their expiration/renewal dates
- Service accounts and API keys with defined lifecycles
- Any third-party integrations and their certification status
5. Risk Management Documentation
Perhaps most importantly, examiners want evidence of a process — not just a snapshot. They want to see:
- How frequently are assets reviewed?
- Who is responsible for each category?
- How are expirations tracked and escalated?
- What is the remediation process when something expires?
Common Examination Findings
Credit unions frequently receive findings related to:
- No centralized asset tracking — Information scattered across spreadsheets, email, and vendor portals
- Stale data — Asset inventories that haven't been updated in months
- No ownership assignment — Nobody clearly responsible for specific renewals
- Inadequate alerting — No proactive notification before expirations
- Poor documentation — No evidence of regular review cycles
These findings can range from "document of resolution" items to more serious examination concerns, depending on severity and the credit union's overall risk profile.
How to Prepare
Here's a straightforward approach to being examination-ready:
Centralize Everything
Get all expiring IT assets — certificates, domains, warranties, contracts, licenses — into one system. Not five systems. Not a spreadsheet and two vendor portals. One place.
Assign Owners
Every tracked item should have a named owner. When the examiner asks "who manages your SSL certificates?" you should be able to answer instantly.
Set Up Proactive Alerts
Document your alert thresholds (e.g., 90, 30, 14, 7 days before expiration). Show the examiner that your team gets notified well in advance, through multiple channels.
Generate Reports on Demand
When the examiner asks for a summary of all IT assets expiring in the next 90 days, you should be able to produce it in under a minute. Not "let me pull up the spreadsheet and filter..."
Document Your Process
Write a simple policy: "All IT assets with expiration dates are tracked in [system]. Alerts are configured at [thresholds]. [Person/role] is responsible for [category]. Reviews occur [frequency]."
That document, combined with a tool that actually does what it says, is usually enough to satisfy examiners.
Built for This
Lapse.watch was built by IT professionals who've been through this exact examination process. One dashboard for SSL certificates, domains, warranties, contracts, and software licenses. Automated alerts. Assigned ownership. PDF reports.
When the examiner asks how you track IT asset expirations, you open one screen and show them everything.
Start your free 14-day trial → No credit card required.