WASHINGTON–Not surprisingly, the credit union trade groups and NCUA have opposite reactions to a GAO recommendation that the federal regulator be given authority to oversee third party technology vendors to credit unions.
As CUToday.info reported here, GAO made the recommendation as part of a broader study of cyber-security and cyber-exams in financial institutions. GAO has made similar recommendations in 1999 and 2003. NCUA has said that obtaining third-party vendor authority is its top legislative priority.
NAFCU’s Director of Regulatory Affairs, Alicia Nealon, issued a statement that “as we have consistently maintained, NAFCU believes the agency’s bid for third-party vendor examination authority is unnecessary given that NCUA is already authorized to thoroughly regulate credit unions and their third-party relationships. While NAFCU acknowledges the importance of cybersecurity and risk management, we firmly believe that cybersecurity and third-party vendor examination authority do not go hand in hand.”
NCUA Chairman Debbie Matz, however, welcomed the GAO recommendation.
“We need to close this regulatory blind spot and better protect the credit union system by providing NCUA with the power to examine and take enforcement actions at third-party vendors,” Matz said in a statement. “The GAO report’s recommendation reinforces NCUA’s long-standing request for legislative action and comes on the heels of a similar recommendation by the Financial Stability Oversight Council. Obtaining this authority would allow the agency to proactively address cyber threats and better position credit unions to avoid a crisis.”
In the report, GAO says cyber-risks “affecting a depository institution can arise from weaknesses in the security practices of third parties that process information or provide other IT services to the institution. Bank regulators routinely conduct examinations of service providers’ information security. Authorizing NCUA to routinely conduct such examinations could help it better ensure that the service providers for credit unions also follow sound information security practices.”
Many state regulators, meanwhile, have long had oversight authority over third parties, and they support NCUA having that authority as well.
"Since year 2000, and the concern about the Y2K date changes, NASCUS has been on record in support of NCUA’s desire to obtain examination authority over technology service providers," said NASCUS CEO Lucy Ito. "However, NASCUS supports this authority over technology service providers to the extent that the agency will rely on exams of these entities that are already administered by state credit union supervisory agencies to the maximum extent feasible. This would reduce system redundancy, minimize regulatory burden, and foster interagency cooperation and coordination while also strengthening cybersecurity across the industry."
