Editor's Note: An earlier version of this story reported that NCUA Vice Chairman Kyle Hauptman has expressed support for third-party oversight authority by NCUA. Mr. Hauptman has not done so. This story has been updated to reflect the change.
WASHINGTON–Citing what they say are growing risks to both credit unions and the country itself, four former chairs of the National Credit Union Administration have sent a joint letter to the respective leadership in the House and the Senate urging the agency be given statutory authority to supervise and examine credit union service organizations (CUSOs) and third-party vendors.
Such authority has been a long-time, bipartisan request made by members of the NCUA board, especially since the expiration of such authority granted temporarily during COVID. The agency has had such authority on a temporary basis in the past, but it also expired.
The credit union trade groups oppose such oversight, arguing NCUA already has all the authority it needs to oversee vendors and CUSOs.
In the letter, former NCUA chairs Michael Fryzel, Debbie Matz, Mark McWatters and Rick Metsger said they “fully support” calls by current NCUA Chairman Todd Harper to be provided with such oversight authority, and note similar support has also been expressed by NCUA’s Inspector General, the Financial Stability Oversight Council, and the Government Accountability Office.
Requires Change to FCU Act
The letter was sent to leadership of the House Committee on Financial Services and the Senate Committee on Banking, Housing and Urban Affairs. NCUA needs Congress to act because third-party oversight authority would require a change in the Federal Credit Union Act.
“Currently, there are more than 139 million members of roughly 4,600 credit unions with total assets of $2.26 trillion in the United States,” the letter states. “This equates to roughly one in three Americans using a credit union for basic financial products and services. As this committee well knows, financial institutions make up a vital part of our nation’s critical infrastructure—a complex and interconnected web of organizations as well as physical and virtual operations that the federal government has a solemn obligation to protect from ordinary criminals, as well as our nation’s most capable and determined foreign adversaries.”
Potential for ‘Operational Disruptions’
“Given the increasing reliance of credit unions on third-party vendors for critical functions such as data processing, deposit taking, payment services, loan servicing, and mobile and online member services, it is imperative that the NCUA be granted the authority to oversee these vendors effectively,” the letter continues. “Without proper oversight of these service providers, credit unions may be exposed to greater chances of operational disruptions, financial losses, reputational damage, and, most importantly, threats to the security and privacy of their members' information.”
The four former chairs told Congress such statutory authority to supervise and examine third-party vendors would align with that of other regulators.
Contrary View
“Contrary to industry talking points in opposition to this request, this is not simply a data sharing issue, as the other prudential regulators are not legally allowed to share exam information with the NCUA, nor would other regulators be examining for matters that would normally be within the NCUA’s regulatory purview such as specific impacts to the Share Insurance Fund or field of membership regulatory compliance,” the letter states.
“Additionally, this authority would translate to significant regulatory relief for many small and mid-size credit unions who, in many cases, do not have the requisite experience, or resources to conduct due diligence on vendors who are vital to their survival.”
The letter further told the committees that many CUs have large concentrations of members who could be of “high values” to adversaries of the U.S., including those tied to military installations, State Department, agencies of the United States intelligence community, congressional staff, and others.
“A cyber incident could create devastating consequences for these very sensitive populations. Vendor authority would, at a minimum, mitigate the risk of a vendor-created cyber event,” the chairs stated.
It's Not Hyperbole
In addition, the letter told Congress it is “not hyperbolic” to say that the safety and soundness of the credit union system is at risk due to the “potential for operational failures, cybersecurity breaches, and compliance violations by third-party vendors. Credit unions in many cases unknowingly expose themselves to financial losses, reputational damage, and regulatory enforcement actions because of vendors who fail to meet regulatory requirements or adequately manage risks.”
The letter argues that such risks are not “posed in a vacuum” and the ability for the NCUA to “contribute substantively with greater insight into vulnerabilities or cyber tactics used in the credit union industry, would be valuable in discussions with the broader federal government to protect our nation’s critical financial infrastructure—primarily in the agency’s work on the Financial and Banking Information Infrastructure Committee.”
‘Our Strongest Support’
The four ex-chairs concluded by telling Congress, “For these reasons and so many more, we reiterate our strongest support for the NCUA’s request to amend the Federal Credit Union Act to provide the agency with the authority to supervise and examine CUSOs and third-party vendors that operate within credit unions in every community in the country. With cyber incidents occurring every day, it is time that the NCUA be granted the same authorities that already exist within its peer regulators.”
