On May 19, after the House Financial Services Committee Chairwoman Maxine Waters prepared a draft bill for introduction a few days earlier, NCUA Chairman Harper testified at the House Financial Services Committee requesting unlimited vendor authority. Clearly, cyber security has taken on more urgency as we see continued high-profile attacks on America’s infrastructure in recent weeks. However, we feel there were some erroneous inferences in the Chairman’s testimony on the vendor authority issue and wanted to make it clear that the NCUA already has several choices for how to monitor key vendors for cyber security compliance, such as utilizing the FFIEC exam sharing option to obtain copies of the FDIC & OCC vendor examinations, without incurring the costs of redundant examinations of vendors.
Given that the primary reason the NCUA cited for the unlimited vendor authority requested from Congress is cyber security, we believe a more rifled approach to this issue would be more appropriate than the all-encompassing shotgun approach to all credit union vendors, including direct and costly supervision of CUSOs. The potential cost to credit unions and their members of the dramatic expansion of the NCUA to oversee all credit union vendors is hard to justify, especially when focused cyber security examinations are already being conducted by both the FDIC and OCC, and one of the primary purposes of the FFIEC is to share reports and eliminate redundancy and duplicate costs. And is it reasonable to think that a handful of NCUA examiners at a financial institution service provider are going to find cyber security weaknesses that the FDIC and OCC did not find?
It is also interesting to note that the FDIC’s vendor authority is based upon the holding company structure of most banks and empowers the FDIC to penetrate the holding company structure to look at affiliates. The FDIC’s vendor authority only relates to affiliates or vendors that perform “essentially banking services” under contract (i.e. direct access to customer information), not all types of banking vendors. The OCC’s vendor authority is similarly limited in scope. The FDIC & OCC’s vendor authority is not unlimited as the NCUA has requested, despite implying that NCUA was simply asking for what the FDIC & OCC already have.
It is also interesting to note that NCUA is not the only financial services regulator that does not have vendor authority, either limited authority such as the FDIC & OCC have or the unlimited authority the NCUA seeks. The Federal Housing Finance Board does not have vendor authority and neither does the Farm Credit Administration.
The types of vendors that the NCUA is asking to examine and regulate include vendors regulated by other qualified regulators, such as insurance companies, which are overseen by state insurance regulators. Investment brokers are already regulated by the SEC. Clearly those regulators are focused on cyber security, and NCUA asking to do the same is redundant. Those vendors, including CUSOs, that provide critical services such as statement processing, card issuance & processing, etc. will feel the impact of additional direct regulation and supervisory exams by the NCUA, and they will pass the cost on to their credit union partners and ultimately credit union members.
Chairman Harper referenced a 2015 report by the GAO in his remarks as being supportive of NCUA’s request for unlimited vendor authority. Actually, in the GAO report, they focused on cyber security and included in their recommendation to Congress that NCUA be granted vendor authority over technology vendors. It was not recommended by GAO for NCUA to have the unlimited vendor authority over all vendors and CUSOs that they seek.
Lastly, NCUA Chairman Harper cited $300 million in losses between 2008 – 2015 allegedly caused by CUSOs. We have requested detailed support of these amounts under FOIA (Freedom of Information Act) but were flatly refused by the NCUA. In November 2013, the NCUA adopted the CUSO rule giving themselves the ability to “review” CUSOs and to compile a database on all CUSOs through the NCUA’s CUSO Registry. There have been minimal documented losses from CUSOs since this time. According to anecdotal evidence, the alleged $300 million of “CUSO generated losses” were primarily from the 2008 Great Recession and caused by a handful of MBL CUSOs that were each wholly owned by the founding credit unions, and many of the losses were from credit union (not CUSO) decisions that were already under the purview of the NCUA.
NCUA is asking for unlimited vendor authority, and the new legislation proposed by Chairwoman Waters does not include any restrictions such as cyber security risk to member information, or a requirement to work with other financial institution regulators and utilize examinations already being conducted, rather than perform redundant examinations. This is simply too broad and potentially too costly, given the other oversight tools available to the NCUA, so we wanted to make the members of the House Financial Services Committee aware of this situation, and we want you to be aware of this potentially costly and unnecessary over-reach by the NCUA.
Ultimately, extending NCUA authority to all credit union vendors would result in the largest expansion of the NCUA’s regulatory & examination powers in the history of the agency, a result that would bring about increased NCUA budgets for credit unions to fund and higher costs that could better be utilized to serve credit union members.
I wanted to share what we sent to the House Financial Services Committee, as well as the NCUA Board Members, so we are being transparent as we ask for your help on this issue. As we continue to fight this costly and unnecessary expansion of NCUA’s regulatory and supervisory authority, one thing that we need is your support. Let your members of Congress know that NCUA already has several options for addressing cyber security risks, and unlimited vendor authority is costly and unnecessary given their existing oversight options.