The U.S. House of Representatives added hundreds of unrelated amendments to the National Defense Authorization Act (NDAA) in late July, including Section 5403 that would grant NCUA oversight and examination authority over any and all businesses that contract with or provide products/services to federally insured credit unions.
This significant agency authority expansion would increase the size of NCUA as an agency because they lack the expertise to examine every type of vendor that does business with a credit union, thus demanding more exam fees and share insurance fund dollars through the overhead transfer to hire the staff and provide the training for this dramatic increase in agency authority.
Likewise, we are concerned about the possibility that such unlimited authority to examine any credit union vendor could result in overreach far beyond the national core processors that have direct access to member data and extend those examinations to local vendors that provide services and products to a credit union on a day-to-day basis. We see considerable reputation risk to credit unions if the NCUA is authorized to show up and ask for financial statements from local companies simply because they do business with a credit union.
Lastly, we submit that NCUA can already obtain access to exams of the national core processing firms – which are the types of vendors with direct access to member data most often cited by NCUA in requesting this expanded agency authority in the name of cyber security – from other federal financial regulatory agencies that already conduct such exams.
As a member of the Federal Financial Institutions Examination Council (FFIEC), NCUA can request exam reports from other FFIEC agencies that already conduct exams of the larger core processors of which most serve banks and credit unions. It is duplicative and naïve to believe a separate NCUA examination is going to provide more data security than the exams already taking place with FDIC, the OCC and the Federal Reserve.
We feel that Section 5403 should be removed from the NDAA, as this unnecessary, costly and unrelated expansion of a federal agency authority should not be extended solely based upon an add-on amendment to a national defense bill.
In addition, last week three members of the Senate introduced S. 4698, the “Improving Cybersecurity of Credit Unions Act” at the request of the NCUA which would give the NCUA additional authority to examine credit unions’ third-party vendors.
When reading S. 4698, the Senate bill says “Until 2001, the NCUA maintained third-party examination authority over credit union organizations.” This statement is only partially true. It implies that NCUA had unlimited third-party examination authority prior to 2001, which is not accurate – NCUA only had limited third-party examination authority to look at critical IT vendors to ensure compliance with Y2K requirements, and once the Y2K crisis was averted, that limited third-party examination authority went away.
NACUSO, NAFCU and CUNA are leading the effort in the Senate to stop the unlimited vendor authority, or at least to restrict the vendor authority language to those third-party organizations that are directly involved in processing member data and therefore actually pose a potential cybersecurity risk. We further feel that NCUA should first look at third-party examinations conducted by the OCC, FDIC or Federal Reserve, pursuant to their membership in the FFIEC, prior to conducting an exam on a third-party vendor.
Some of our members have expressed concern that with the number of credit unions down below 5000, the NCUA is pursuing this additional examination authority to increase their regulatory and supervisory authority over businesses other than credit unions in order to keep building an agency that once regulated and examined 15,000 credit unions with a smaller staff than NCUA has today. They point to the fact that as the number of banks has declined, so has the number of FDIC and OCC staff, while NCUA actually has more staff and a larger industry funded budget now than they did in 2000 when there were over 10,000 federally insured credit unions.
We encourage you to oppose Senate Bill 4698, for being overly broad, covering third-party vendors that are not engaged in handling credit union member data, and because NCUA has not been transparent on the costs and how they would use this new authority. Implementing such new authority for the NCUA would require significant expenditures by the agency, a direct cost to credit unions across the country who fund the NCUA’s ever growing budget. We believe the NCUA should focus on regulating credit unions and working with the FFIEC to gain information on vendors already vetted by federal regulators.
If you have concerns about the significant grant of additional NCUA examination authority, it is important to contact your Senators this month to let them know of your concerns. Either the NDAA amendment or S. 4698 will likely pass if there is no opposition from the industry and the only things Senators are hearing are from NCUA lobbyists.