WASHINGTON—The Independent Community Bankers of America supports NCUA obtaining third-party vendor oversight authority, noting that VyStar Credit Union’s problems with the rollout of its online and mobile banking platforms exemplify the risks posed by the agency lacking this power.
Independent Community Bankers of America (ICBA) President and CEO Rebeca Romero Rainey offered that opinion after the CFPB slapped VyStar Credit Union with a $1.5-million civil money penalty for the botched rollout of the digital platforms.
“Today’s Consumer Financial Protection Bureau penalty against VyStar Credit Union for harming consumers via a failed rollout of a new online system exemplifies the risks posed by the National Credit Union Administration’s inability to examine credit union third-party service providers,” Romero Rainey said. “While the CFPB has ordered VyStar to make affected consumers whole and pay a $1.5-million civil penalty to the Bureau’s victims relief fund, policymakers must provide the NCUA with the same authority that bank regulators use to supervise for cyber risk.
As CUToday.info reported, NCUA Chairman Todd Harper stated during the agency’s October open board meeting that NCUA may consider adjusting the normal operating level of the NCUSIF due to the growing risk third-party cyber incidents present to the fund.
“NCUA Chairman Todd Harper has called the agency’s lack of authority a ‘regulatory blind spot’ that means the agency doesn’t ‘necessarily know what is happening’ with credit union cybersecurity and could leave the industry as the ‘soft underbelly’ of the broader financial system,” Romero-Rainey said. “After a third-party service provider’s cybersecurity incident disrupted the daily operations of 60 credit unions last year and a separate credit union earlier this year breached the personal information of more than one million members during a ransomware attack, Harper recently noted that approximately 90% of the tax-exempt credit union industry’s assets are managed by third-party service providers with no NCUA oversight.
“This lack of regulatory oversight is particularly concerning given the surge in tax-exempt credit unions acquiring tax-paying community banks, with last week’s deal (Y-12 FCU’s purchase of First State Bank of the Southeast) extending 2024’s single-year record,” continued Romero Rainey. “Bipartisan legislation introduced in the previous Congress to ensure the NCUA has the same authority as bank regulators to supervise for cyber risk is supported by the NCUA’s Harper and inspector general, the Government Accountability Office, and the Financial Stability Oversight Council, and we continue calling on lawmakers to reintroduce and pass this critical bill.”