To the NCUA, the lack of supervisory powers over third-party vendors is a regulatory blind spot.
To credit union trade groups, granting the agency those powers would amount to regulatory overreach.
The two sides have been fighting about it for years, and if Congress doesn’t solve the issue during its lame-duck session, the battle will continue into 2023.
Here’s the problem: The NCUA is alone among the prudential banking regulators in lacking those powers. The agency’s Inspector General, the Financial Stability Oversight Council (FSOC) and the Government Accountability Office (GAO) all say the NCUA needs those powers.
“Our audit also determined that since 2004, the last four NCUA Board Chairmen have led an effort through Congressional committee testimony to amend the Federal Credit Union Act to provide the NCUA with the authority over CUSOs to hold them accountable for unsafe and unsound practices,” an IG audit from 2020 found.
In its 2021 annual report, FSOC said that the NCUA has increased the permissible activities of credit union service organizations (CUSOs), a move that has made the third-party oversight powers even more important.
And as far back as 2015, the GAO noted the importance of granting the NCUA such authority.
“Cyber risks affecting a depository institution can arise from weaknesses in the security practices of third parties that process information or provide other IT services to the institution,” the GAO said, noting that bank regulators routinely conduct examinations of service provider information security.
In a recommendation accompanying the report, the GAO added that, “Authorizing NCUA to routinely conduct such examinations could help it better ensure that the service providers for credit unions also follow sound information security practices.”
Where Things Stand in Congress
This year, the House included vendor oversight authority in its version of the annual defense authorization bill—considered by members of Congress to be must-pass legislation.
Separately, Sen. Jon Ossoff, D-Ga., has introduced stand-alone legislation to grant the NCUA vendor oversight powers.
In congressional testimony before the House Financial Services Committee and the Senate Banking Committee this month, NCUA Chairman Todd Harper said that the agency may only review third-party vendors with their consent, and that often the vendors have declined to give examiners permission to do so.
Vendors and CUSOs also may reject NCUA recommendations to implement corrective actions to mitigate risks.
“The NCUA needs visibility into these entities for several reasons, including the credit union system’s growing reliance on digital services, increased credit union outsourcing of core business functions and resulting concentration risks, and cybersecurity, which could be a national security risk given this lack of oversight,” he told the committee.
The National Association of State Credit Union Supervisors (NASCUS) likewise supports the NCUA gaining oversight powers to examine technology service providers as long as the agency relies on state examinations of those providers when states have the authority to examine them.
The association of state supervisors has further endorsed efforts to strengthen state regulatory exams and supervision of third parties serving state-chartered credit unions.
Pushback From Credit Union Groups
So, if all those government entities and NASCUS say the NCUA needs vendor authority, why hasn’t Congress enacted legislation giving the agency that power?
Well, credit union trade groups say the NCUA already has all the authority it needs.
“The agency presently has extensive authority to request information regarding CUSOs from the credit union owners of the CUSO; and the agency has broad authority to adjust the due diligence expectations credit unions must satisfy when engaging third party vendors,” CUNA President/CEO Jim Nussle, NAFCU President/CEO B. Dan Berger and Defense Credit Union Council President/CEO Anthony Hernandez wrote in a joint letter to lawmakers describing their position on the defense authorization bill.
They said the NCUA has exercised effective oversight without that power, rendering the House proposal “a solution in search of a problem.”
The trio added they are concerned extending the power to the NCUA would require the agency to increase its budget to hire personnel with the expertise needed for the job.
“While NCUA has requested this authority for several years, the agency has yet to develop a clear vision of the scope of this authority or how they would implement it,” they wrote.
In a separate letter to Ossoff, Nussle added, “If Congress conveys this authority to NCUA, the agency should commit to funding this authority by reducing expenditures elsewhere.”
His letter likewise noted that while the agency has sought this authority for several years, a clear vision of how it would use the new powers has yet to be developed.
“Sharing details of their intentions with Congress and the industry is necessary to us understanding what to expect if NCUA is granted this authority, and it could help allay some of our concerns,” he wrote.
As difficult as this prolonged back and forth makes it for credit unions to both predict and prepare for what comes next, there are certain steps that can be taken.
For instance, maintaining a detailed overview of all third-party vendors and any associated integrations can prove vital for both assessing and averting data security issues. This should naturally be of concern to any credit union, beyond the debate over examinations.
Further, should the NCUA attain the oversight powers it is seeking, credit unions should be aware of what other technology solutions and vendors are available to them, in case they are compelled to change providers.