Oversight or overreach? NCUA plan to examine vendors sparks dissent

The National Credit Union Administration wants to regain its authority over third-party vendors, including credit union service organizations, that expired at the end of 2001, but some industry insiders think that's a bad idea.

Currently, the NCUA conducts "CUSO reviews" and can only make recommendations to those groups. It has no power over other vendors that do business with credit unions.

But that could change.

The U.S. House of Representatives in July passed legislation that would provide the NCUA third-party vendor authority within the 2023 National Defense Authorization Act. The NCUA is now asking the Senate, where the defense bill is still pending, to do the same.


NCUA Chairman Todd Harper told the Senate Banking Committee this week that many third-party vendors simply deny the NCUA the permission it needs to review those firms. And even those that grant permission can reject NCUA recommendations to implement appropriate corrective actions that mitigate any risks the agency identifies, Harper said.

The credit union system's growing reliance on digital services, increased credit union outsourcing of core business functions and resulting concentration risks are among the concerns driving the NCUA to ask for broader authority. Cybersecurity risk alone could become a national security risk given this lack of oversight, Harper said. 

"This statutory change would provide the NCUA parity with other agencies that supervise and regulate federally insured depository institutions," Harper said in prepared remarks. "This examination authority is critical, given the system's increased reliance on third-party vendors and credit union service organizations."

The NCUA was granted limited exam authority over some technology vendors in 1999 because of looming concerns about the Y2K bug — an issue thought to afflict many systems developed before the year 2000 that relied on two-digit dates, and thus might interpret the change-over from '99 to '00 as invalid or a step back in time. This authority was automatically repealed at the end of 2001.

Dennis Dollar, now a credit union consultant, was chairman of the NCUA board at the time. He said the NCUA did not ask that the limited authority be extended. 

"And I agreed with that decision at that time because it lacked then — as it, frankly, continues to lack — the expertise, staff or resources to examine every type of vendor that does business with a credit union," Dollar said. "Even the limited Y2K authority they got in 1999 was tied to technology vendors only."

Dollar said such power would allow the NCUA to become essentially the Federal Trade Commission of the credit union industry, and that would require a major increase in NCUA's budget.

The NCUA already said it needs to increase its budget by 8.1% for next year. 

Any decision by Congress to expand the NCUA's authority could also lead to the agency "taking their eye off their primary ball," which is safety and soundness of credit unions themselves, according to Dollar.

"And it has the potential of abuse for small businesses that are simply doing business with a credit union that NCUA wants to pursue further after an exam finding," Dollar said. "The NCUA is an excellent regulator, insurer and examiner of credit unions, and they need to stick to their knitting."

Jack Antonini, president and CEO of the National Association of Credit Union Service Organizations, agrees. 

The trade group is opposed to the NCUA being granted unlimited vendor examination authority in part because the cost of hiring new examiners will be passed along to credit unions, further straining their capital.

"The NCUA has not been transparent on what they plan to do with the requested vendor examination authority, including how much they plan to spend to implement it," Antonini said.

But Antonini added that one potential benefit would be that all vendors would be subject to the same examinations and oversight that today apply only to CUSOs, through NCUA's CUSO reviews. Antonini said more than 1,000 CUSOs are in operation today.

This request by the regulator comes at the same time the agency has been considering expanding lending authority for credit union service organizations.

The major credit union trade groups are also against the NCUA's request for more power. 

In a Nov. 14 letter to the Senate Banking Committee, the National Association of Federally-Insured Credit Unions said it "strongly opposes" granting the NCUA examination authority over credit union third-party vendors. 

NAFCU and its member credit unions say that cybersecurity, including the security of vendors that credit unions do business with, is an important issue, but that only goes so far. 

"NAFCU believes in a strong NCUA, but we also believe that the NCUA should stay focused on where its expertise lies — regulating credit unions," wrote Brad Thaler, NAFCU's vice president of legislative affairs.
