Risk & Governance Brief

This document is intended for the risk, compliance, and third-party oversight teams at financial institutions evaluating Cotribute MCP Connect. It is a self-contained reference that explains how the service is designed, how it fits within the regulatory frameworks your examiners already apply, and which controls map to which obligations.

You do not need to have spoken with a Cotribute representative to read this document. It is organized so that each section can be lifted into your internal evidence binder or shared with your examiner without modification. Pre-filled responses to common Third-Party Risk Management questionnaire items appear in Section 9; an implementation checklist for your risk team appears in Section 10; suggested questions to bring to a walkthrough appear in Section 11.

Where this document references regulatory frameworks (FFIEC, OCC, FRB, FDIC, NCUA, CFPB, GLBA, ECOA, Reg Z, FCRA), the descriptions are intended as a crosswalk to MCP Connect's design — not as legal advice. Your own counsel and compliance team should make the final determination of how each framework applies to your institution.

MCP Connect is a governed access layer, not an AI product. It is the channel through which your team's already-approved enterprise AI tools can answer scoped, audited questions about your Cotribute data — without exporting it, without training a foundation model on it, and without taking decisioning out of human hands.

What it is

MCP Connect implements the Model Context Protocol (MCP), an open standard for letting AI clients query enterprise systems through a controlled server. Your institution operates the server through your existing Cotribute tenant. Each query passes through OAuth-based identity, a role-based authorization model, PII masking, and an immutable audit log before any data leaves the Cotribute boundary.

What it is not

• It is not a decisioning system. Credit, fraud, account-opening, and adverse-action decisions remain in the systems and human reviewers that produce them today. The AI retrieves and drafts; it does not approve, deny, or adjudicate.
• It is not a new data store. No member data is copied to Cotribute MCP Connect. Queries run against the same Cotribute platform records your authorized staff already use.
• It is not a training pipeline. Cotribute commits no-train on the MCP layer. The enterprise AI platforms your institution has already approved (Microsoft Copilot, Claude for Enterprise, ChatGPT Enterprise) carry the same contractual commitment.
• It is not member-facing. MCP Connect is a staff-facing capability. Communications with members continue to be drafted by AI where you have already approved that, and sent by your staff under existing disclosure obligations.

The risk posture in one paragraph

MCP Connect is designed to be evaluated under the regulatory frameworks your institution already applies to vendor relationships and information-security programs — not as a novel category. FFIEC IT Examination Handbook controls apply. OCC 2023-17 / FRB SR 23-4 / FDIC FIL-29-2023 third-party risk management lifecycle requirements apply. GLBA Safeguards Rule applies. NCUA 2026 supervisory priorities on artificial intelligence and vendor management apply where your institution is a credit union. Because the AI does not make decisions, SR 11-7 model risk does not apply to MCP Connect itself; it continues to apply to the underlying decisioning systems unchanged.

MCP Connect sits between your enterprise AI tools and your Cotribute platform data. Every AI call passes through a single governed boundary before any data is returned.

The five enforcement points

1. Identity. OAuth 2.1 with PKCE, federated to your existing identity provider (Microsoft Entra ID, Okta, Google, or Ping). The named human user issuing the query is propagated to every tool call.
2. Authorization. Role-based scope determined by the user's group membership in your identity provider, mapped to a Cotribute role catalog that you configure.
3. PII masking. SSN, full date of birth, and full account numbers are redacted by default in tool responses. Unmasking requires elevated permission and stepped-up authentication.
4. Read-only enforcement. Version 1.0 of MCP Connect exposes no write tools. The AI cannot move money, change a decision, modify a member record, or alter system state.
5. Audit. Every tool call writes an immutable audit log entry with full attribution, request parameters, and response summary. Retention is seven years. The log is examiner-exportable in CSV and JSON.

What flows where

The AI client (Copilot, Claude, ChatGPT) sees only the response Cotribute returns for a specific, scoped tool call. There are no bulk extracts. There is no continuous stream. Each natural-language question from a staff member becomes one or more discrete tool calls; each tool call returns only the fields necessary to answer the question; the response carries PII masking already applied. The model never receives more than what the requesting staff member would have seen on screen if they had clicked through the Cotribute interface manually — and frequently sees less.

Each pillar below states the concern, the design decision that addresses it, the specific control mechanism, and the regulatory framework it maps to.

The table below maps the regulatory frameworks most commonly cited in our customers' TPRM and risk-committee reviews to the specific MCP Connect controls that address them.

Every tool call writes one audit log entry. Entries are immutable, retained for seven years, and exportable to your examiner in CSV or JSON.

Fields captured per entry

Retention, integrity, and export

• Retention. Seven years from entry write, configurable upward by contract.
• Immutability. Append-only storage with cryptographic chain over batches; tamper-evidence verifiable on export.
• Export formats. CSV (for examiner spreadsheets) and JSON (for SIEM ingestion). Both formats include all fields above.
• Access. Export is available to your designated compliance and risk roles through the Cotribute customer portal at any time, without ticket or wait.
• Search. The portal supports filtering by user, tool, date range, AI client, and elevation events.

MCP Connect applies a three-tier classification at the field level. Default behavior is the most restrictive; elevation requires explicit configuration and stepped-up authentication.

How masking works in practice

When a staff member asks "What is the status of the loan application for the member with SSN ending in 1234?", MCP Connect resolves the member by the last-four token through a server-side lookup. The AI client never sees the full SSN. The audit log records that the query was made by member-identifier and that no full SSN was returned to the model.

When a staff member with elevated permissions performs a quarterly identity-verification review and explicitly requests full DOB values for a small sample of records, the elevation event is recorded, the stepped-up authentication is captured, and the records returned in full are tagged in the audit log as pii_classification: full.

MCP Connect ships with seven default roles, each scoped to a curated subset of MCP tools. Roles are mapped to the groups in your existing identity provider during onboarding. You may modify the catalog at any time.

Stepped-up authentication for elevation

When a role attempts a tool call that would return Tier 3 data in unmasked form, MCP Connect challenges the user through your identity provider for additional authentication (typically a fresh factor, not a cached session). The elevation grant is single-use, time-bounded, and recorded in the audit log with a distinct elevation_event identifier. Subsequent calls in the same session do not inherit the elevation.

Token revocation

OAuth tokens issued to MCP Connect are revocable from your identity provider, from the Cotribute customer portal, or from the AI client's admin console. Revocation propagates within seconds and is recorded in the audit log.

MCP Connect inherits the operational, security, and incident-response posture of the Cotribute platform, with documented additions specific to the MCP layer.

Encryption

• TLS 1.3 in transit between AI clients, the MCP server, and the underlying Cotribute platform.
• AES-256 at rest for audit log storage and the role catalog.
• OAuth tokens are short-lived and rotated automatically.

Network controls

• IP allowlisting available on Enterprise tier for AI client and customer portal access.
• mTLS available for institutions that require certificate-based service authentication in addition to OAuth.
• Dedicated tenant URLs per institution; no cross-tenant shared endpoints.

Rate limiting and abuse controls

Per-user and per-tenant rate limits prevent runaway query patterns. Anomalous behavior (sudden burst of Tier 3 elevation requests, atypical query volume) triggers alerts to both Cotribute and the institution's designated security contact.

Incident response

Cotribute maintains a documented incident response process inherited from the underlying platform. Security-relevant incidents affecting your tenant are reported to your designated security contact within the timeframes specified in your customer contract. The MCP Connect scope addendum specifies notification timelines that are equal to or stricter than the platform baseline.

Business continuity

MCP Connect is operationally part of the Cotribute platform and inherits its disaster-recovery, backup, and continuity controls. SLA on Enterprise tier is 99.95% uptime with credits-back. Detailed RTO and RPO figures are available under NDA and form part of the standard vendor due-diligence pack.

Certifications

• SOC 2 Type II inherited from the Cotribute platform, with a documented MCP scope addendum reviewed annually.
• Annual penetration testing of the MCP server boundary with summary report available under NDA.
• Vendor questionnaire packs pre-filled and updated for FFIEC and NCUA 2026 supervisory priorities.

The following responses are written to be pasted directly into your standard vendor intake or oversight questionnaire. Cotribute will sign attestations of these responses as part of your contracting process.

A concrete list of validation steps your CRO, GRC, and TPRM teams may want to complete during evaluation and before go-live.

Pre-contract due diligence

• Review the Cotribute SOC 2 Type II report and MCP Connect scope addendum under NDA.
• Confirm your enterprise AI tool contracts (Microsoft Copilot, Claude for Enterprise, ChatGPT Enterprise) include no-train commitments for tenant data.
• Confirm Cotribute's MCP Connect addendum to the customer contract includes the no-train, read-only, and audit retention commitments described in this brief.
• Confirm subprocessor list does not change as a result of MCP Connect activation.

Configuration and onboarding

• Identify the identity provider that will federate with MCP Connect (Entra ID, Okta, Google, or Ping).
• Determine the IdP groups that will map to each MCP Connect role (Member Services, Lending Officer, Operations, Fraud Analyst, Compliance, Marketing, Executive).
• Decide whether to accept the default PII classification map or tighten it further before go-live.
• Designate the staff who will hold elevated permission for Tier 3 unmasking and define the case-bound workflows under which they will use it.
• Define the audit-log export cadence and recipients in your institution.

Pre-launch validation

• Perform a tabletop walk-through of a typical query for each role and verify the audit log captures the expected fields.
• Trigger an elevation event with the designated Tier 3 user and verify stepped-up authentication is enforced and recorded.
• Revoke an OAuth token through your IdP and verify the revocation is reflected in the next query attempt.
• Export the audit log for a sample period and verify the CSV and JSON formats meet your SIEM ingestion or examiner-binder requirements.
• Conduct a fair-lending sanity review: confirm with your compliance team that no MCP Connect tool participates in decisioning or in member-facing communication.

Ongoing monitoring

• Schedule quarterly review of role-to-group mappings against IdP changes.
• Schedule annual review of the PII classification map.
• Include MCP Connect in your annual vendor oversight review with reference to the updated SOC 2 report and pen-test summary.
• Set alert thresholds for anomalous query patterns (e.g., elevated Tier 3 elevation rate, atypical query volume per user).

Concrete prompts your risk team can bring to a 30-minute walkthrough with Cotribute. Each is designed to test a specific control rather than a marketing claim.

1. Show me the audit log for a query my staff member just ran. The team should be able to point at a specific entry, show all the fields described in Section 05, and explain how each field is populated.
2. What happens when a Member Services rep asks for a full SSN? The team should demonstrate that the AI client receives a masked value, that no elevation prompt is offered to a non-elevated role, and that the denial is logged.
3. What happens when an elevated Compliance Analyst asks for a full SSN? The team should show the stepped-up authentication challenge, the recording of the elevation event, and the masked-vs-full classification tag on the resulting audit log entry.
4. Demonstrate token revocation. Have Cotribute revoke a token from the portal and show that the AI client's next call is rejected.
5. Show me the SOC 2 Type II report and the MCP scope addendum. Confirm the latest report covers the MCP Connect boundary in the audit scope.
6. What is the no-train commitment in the contract? Cotribute should point at specific contract language and explain how it flows down to the AI client side.
7. What happens to my data if I terminate the service? The team should describe the post-termination data handling, audit-log access window, and any wind-down obligations.
8. What MCP tools are in the catalog today, and how do new tools get added? The team should walk through the tool catalog, explain change management for additions, and explain how role mapping is updated when the catalog changes.
9. How do I prove to my examiner that the AI did not make a credit decision? The team should explain the contract language, the absence of decisioning tools in the catalog, and the audit-log evidence that supports the assertion.
10. What happens during a Cotribute platform incident? The team should describe communication channels, expected timeframes, and how MCP Connect-specific incidents differ from platform-wide incidents in handling.
11. Walk me through a fair-lending review using MCP Connect. The team should demonstrate how the Compliance Analyst role accesses adverse-action notice timing, decision rationale, and reason codes — without the AI participating in the decision itself.
12. What is on the roadmap that might change this risk picture? The team should be transparent about future capabilities (e.g., MCP Pro, scoped write actions) and explain how those capabilities will be contracted, scoped, and audited separately.

If your risk team has questions that are not answered by this document, please reach out through one of the channels below.

For evaluation conversations

Contact your Cotribute account manager. If you are evaluating MCP Connect ahead of becoming a Cotribute customer, the team at hello@cotribute.com will route you to a representative.

For technical or security follow-up

The Cotribute customer portal includes a dedicated CRO & TPRM document library with the SOC 2 Type II report, the MCP scope addendum, the penetration test summary, and the subprocessor list. Access is granted to your institution's designated risk roles after contracting.

For an updated version of this brief

This document is maintained on a quarterly cadence to reflect regulatory updates and product changes. The most recent version is available at the Cotribute MCP Connect landing page. The version stamp on the cover indicates the publication date.