The Government Accountability Office has just recommended that Congress give the NCUA the authority to examine credit unions’ third-party technology service providers.
The GAO’s July 2 report was music to the ears of the NCUA but sounded a sour note to others who question whether the agency is up to the task, or even needs to be.
Titled “Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information”, the report says this: “Bank regulators routinely conduct examinations of service providers’ information security. … Authorizing the NCUA to conduct such examinations could help it better ensure that the service providers for credit unions follow sound information security practices.”
And lest credit unions and their vendors think the NCUA wasn’t on board, the regulator says this in response to the GAO report: “Obtaining third-party vendor authority is the NCUA’s top legislative priority.”
It’s all in the name of cybersecurity, and while the GAO — after reviewing 15 IT examinations — believes that putting the credit union regulator on par with its peers such as the FDIC would help everyone, agency critics think it would be a bridge too far. Here are three reactions:
“CUNA opposes new statutory authority for the NCUA to regulate and supervise directly CUSOs and other third-party entities that provide products and services to credit unions,” that trade group responded after the GAO published its report on July 2.
“As we have consistently maintained, NAFCU believes the agency’s bid for third-party vendor examination authority is unnecessary given that NCUA is already authorized to thoroughly regulate credit unions and their third-party relationships,” says Director of Regulatory Affairs Alicia Nealon.
“The banking regulators have more authority over vendors than the NCUA does in this area and the NCUA desperately wants it. You can see that in their efforts to find ways to regulate CUSOs. This is another backdoor way to try to expand their authority, and I’d be very concerned about giving the NCUA anymore authority,” says Chris Howard, vice president of research at Callahan & Associates.
There's also concern about both the potential cost to the agency — which is funded by credit unions — and whether such oversight is generally beyond the scope of practice for the examiner force.
The GAO report says something similar in its report. “While the largest institutions were generally examined by IT experts, medium and smaller institutions were sometimes reviewed by examiners with little or no IT training,” it says.
At least one recent credit union data breach has been caused by an NCUA examiner who walked out of the building with a flash drive containing unencrypted data. The drive was never found, but the agency says no unauthorized access to that data has been reported, and the agency cleared itself of wrongdoing in an internal report that followed.
Still, the GAO report reinforces the agency’s intent to seek expanded authority to examine technology providers, and it’s for the industry’s own good, the NCUA’s board chairman says. “We need to close this regulatory blind spot and better protect the credit union system by providing the NCUA with the power to examine and take enforcement actions at third-party vendors,” Debbie Matz says in a July 6 statement.
Matz notes that this has been a long-standing request and follows a similar recommendation from the Financial Stability Oversight Council, of which Matz is a voting member. “Obtaining this authority would allow the agency to proactively address cyber threats and better position credit unions to avoid a crisis,” Matz says.
Authority Already Exists
Veteran credit union attorney Andy Keeney asks rhetorically when a third-party vendor has ever caused a hit on the share fund and says he thinks such congressional action is way down the priority list on Capitol Hill. He adds that the NCUA already has the authority to approve bond forms for insurers such as CUNA Mutual, and more.
“They already have the power of persuasion to to examine data processors. They already have the toe in the door to examine CUSOs in the form of the rule that will require credit unions to provide more information about CUSOs in their call reports. And if examiners want information on a vendor, they will pressure the credit union to increase their due diligence on that vendor and then review the documents during the NCUA exam,” Keeney says.
“In summary, either directly or indirectly, the NCUA already has much of the authority recommended by the GAO,” Keeney says, “and considering all the issues Congress has in front of it, the likelihood of action is slight.”
Pam Perdue, executive vice president of compliance specialist Continuity, takes a more nuanced approach. "I think that Congress is positioned to address the inconsistency between NCUA and the other agencies when it comes to regulatory oversight of third-party vendor,” Perdue says. “Whether they will do so remains to be seen. It's true that the banking agencies have had this authority for quite some time. The question of whether this authority is necessary depends on your vantage point.”
She makes these points:
From the public policy perspective, allowing this access to NCUA introduces parity by granting the NCUA rights that the other banking supervisors have had for quite some time.
From the NCUA's perspective, its access to inspect vendors is essential to ensure stability and confidence in the credit union system, and protect credit unions against potential third-party weaknesses in an environment where CUs increasingly rely on third parties.
From a fintech vendor's perspective, allowing multiple agencies inspection rights over a vendor's business conduct has the potential to disrupt in ways that could distract and potentially hinder or harm performance.
Perdue adds that Congress will have to resolve the question in a way that balances these competing interests, and suggests this compromise:
“Because the largest vendors already undergo inspections from interagency examination teams, granting the permission to the NCUA and then incorporating NCUA representation on those teams — rather than fostering a whole new exam regime — might be the smartest solution.”