ALEXANDRIA, Va.–During recent testimony before a House committee NCUA Chairman Todd Harper pointed to losses of more than $300 million from CUSOs over a seven-year period as evidence the agency needs vendor oversight authority—but which CUSOs caused those losses? The agency isn’t providing details.
As CUToday.info reported here, Harper recently told the House Committee on Financial Services, “While there are many advantages to using these service providers, the concentration of credit union services within CUSOs and third-party vendors presents safety and soundness and compliance risk for the credit union industry,” Harper said. “For example, the top five credit union core processor vendors provide services to approximately 87% of total credit union system assets. The top five CUSOs provide services to nearly 96% of total credit union system assets. A failure of even one of these vendors represents a significant potential risk to the Share Insurance Fund and the potential for losses from these organizations are not hypothetical.”
As an example, Harper told Congress between 2008 and 2015 CUSOs contributed to more than $300 million in losses to the Share Insurance Fund.
When asked by CUToday.info for specifics related to those losses, an NCUA spokesperson said, “Due to the supervisory nature of the action, the NCUA is not able to comment on which CUSOs caused losses to which credit unions.”
GAO Report Cited
Instead, the spokesperson cited a 2020 report from the agency’s Office of Inspector General (OIG), “Audit of the NCUA's Examination and Oversight Authority over Credit Union Service Organizations and Vendors” as the basis for the statement.
The OIG report, which repeatedly recommends NCUA be given third party oversight and examination authority, states, “However, because the NCUA lacks the authority to enforce corrective actions to mitigate significant problems it identifies during CUSO reviews, problems that occurred between 2008 and 2015 could be repeated,” a statement that is also annotated with a footnote that reads, “The NCUA uses a document of resolution to outline high priority problem(s) and concern(s) from an examination or supervision contact and uses corrective action plan(s) that represent agreements reached with credit union officials to correct these problems…”
No additional details or citations are provided.
The History of Oversight
NCUA had briefly had third party oversight authority in the years leading up to and following 2000 related to the so-called “Y2k bug.” That authority expired in 2001, and NCUA has consistently asked Congress to restore its ability to oversee vendors and CUSOs, with then Chairman JoAnn Johnson testifying in favor of such authority in 2004, and subsequent NCUA chairs and other board members also supporting the expanded authority.
The OIG states in its audit report, “During our audit, we learned that between 2011 and 2012, federal banking agencies tried to stop the NCUA’s participation in vendor reviews due to the NCUA lacking vendor authority. The other federal banking agencies were concerned that NCUA’s participation without statutory authority could result in vendors not allowing the federal banking agencies to conduct reviews.
“This led the other federal banking agencies to draft and eventually adopt a ‘guiding principles document’ for vendor reviews, which essentially stopped the NCUA from participating in examinations of technology service providers with the other federal banking agencies,” the report continued. “Because the NCUA could not meet the requirements in the guiding principles document, the NCUA’s vendor review program stalled.”
Association Pushback
To varying degrees, the CU trade associations have pushed back on any expanded authority for NCUA, although CUNA has indicated a receptiveness to oversight of tech vendors as data breaches remain a growing threat. NAFCU said it firmly opposes any such authority, as does the National Association of CUSOs (NACUSO), which recently told Congress NCUA is attempting to become a “de facto FTC.”