Have We Really Thought Through the Big Picture Risks of NCUA Not Having Vendor Authority?

By Paul Gentile

I read with interest the piece from Mark Begich and Ronaldo Hardy, “The NCUA Should Stick to the Job Congress Gave It.” This has become a lightning rod issue for the credit union system with legitimate concerns about NCUA’s budget potentially skyrocketing if vendor authority is granted or whether vendor authority is even part of NCUA’s mission. 

I understand both of those concerns, but there’s always another side of the story and as a longtime, passionate credit union system advocate I urge credit union leaders to at least consider other aspects of this issue that could be much more damaging than an increase in NCUA’s budget.

I do not want to see an unnecessary increase in the NCUA budget.  In my past life as a league president I twice testified at NCUA’s annual budget hearing on substantive, concrete ways the agency can and should control costs.  I have been a longtime advocate of more remote NCUA exam functions to limit the agency’s travel costs. We have so much data we can provide NCUA remotely to help limit on-site exam time. I also strongly believe in the 18-month exam cycle for credit unions that meet certain metrics to limit examiner resources and redirect agency resources where they are needed. 

It is important that the vendor authority issue is in focus, but I have been disappointed by what seems to be a one-sided view of the issue; that it’s bad for NCUA to have vendor authority. The vendor authority issue poses much more risk than an NCUA budget increase and we need to at least consider what those risks are. 

Members Worried About Fraud

Talking to credit union members every day in my role as CEO I often hear concerns about the safety and soundness of their accounts. We live in an era where fraud is on the rise. Member checks are being stolen out of the mail, washed and fraudulently deposited at other institutions. Credit card fraud is a daily occurrence. Elder financial abuse, something that credit unions in particular have been highly focused on, is on the rise. 

We as credit unions do excellent work protecting our members, but we all know there is no way to 100% protect against fraud or cyberattacks. Members will often say I bank here because “I feel safe.” Safety and soundness is the currency of our credit union system. Just like in life your reputation is everything; in our world of financial services our reputation for providing a safe and sound banking experience is everything. Our reputation as trusted financial services providers is more important than the products we offer or the competitive rates we offer members. 

Once you lose the battle on safety and soundness you lose trust. 

Consider This Lens

Let’s look at the vendor authority issue through this lens. Over the last year we saw one of the credit union system’s biggest statement providers hit with a ransomware attack that delayed statements for hundreds of thousands of credit union members. Unfortunately, this has led to class action lawsuits against some of our nation’s best credit unions. We have even seen credit unions have their online banking systems impacted by ransomware and members losing access to online banking. These dreaded events can happen to any of us and our reputations and the trust of our members are at stake.

A ‘Catastrophic’ Scenario

Imagine, however, if one of these scenarios hit a key credit union vendor that serves thousands of credit unions. We have such vendors and it would be catastrophic.

Credit unions are much more vendor-dependent than banks. We have always been more vendor-dependent and it has been a source of strength over the years. Many vendors and CUSOs have brought tremendous innovation to the credit union system. One fast fact on the vendors serving credit unions — three vendors in the credit union space that are involved in core processing, credit/debit processing and mobile banking, touch approximately 75% of credit union assets. Those three vendors have that big an impact on credit unions, and that is the definition of concentration risk. It’s not a bad thing, but it has to be recognized, respected and monitored. 

A Bigger Worry

I certainly don’t want to see an excessive increase in the NCUA budget for vendor authority, but what worries me more is the perception that credit unions are not as safe as banks. Imagine a very large attack hits one of these key credit union vendors and credit union members are impacted. If it becomes a national story, the banking trade associations would claim that banks have more stringent vendor oversight than credit unions, so such an occurrence would be unlikely in the banking industry. 

Whether you believe that or not, that would greatly reduce our reputation for safety and soundness with credit union members.

Answering a Member’s Question

If a member asked, “Is it true that the vendor oversight from your regulator is not the same as it is from bank regulators?”, what would you say? This is somewhat similar to the age-old issue of FDIC insurance vs. NCUSIF. The coverage is the same but with FDIC being much more visible, people believe banks have better coverage. During COVID, we frequently heard the question asked, “Why doesn’t your credit union have FDIC coverage?” To inform them that it is identical is an education process we go through. We know how safe our insurance fund is and that’s a great story to tell members, but the uncertainty of a cyber-attack or ransomware and our difference in vendor oversight would not be comforting or easy to explain to members.

The one aspect of the trade associations’ concerns on vendor authority that is troubling to me is the trade associations simply saying, or even conceding, that once NCUA has vendor authority they will regulate everyone from the credit union’s janitorial firm to the core processing firm and expenses will be out of control. Isn’t this why we have credit union trade groups? Shouldn’t they hold the regulator accountable? 

A Great Role for Trade Groups

Fortunately, we have strong credit union trade groups and the recent merger of NAFCU and CUNA puts a lot of power in their successor, America’s Credit Unions, to advocate for us. Our national trade association and state leagues could hold NCUA accountable for effectively managing vendor authority. It would be a great role for them to play. 

Consider that NCUA requires us to risk rate our vendors. Couldn’t our trades work with NCUA to ensure vendor authority efforts are concentrated on our critical vendors? Do we think NCUA wants to be in the news for doing a major third-party vendor audit of a florist that a credit union used? NCUA is on record saying that if it at least had cybersecurity vendor oversight that would be a major step forward. We should at least consider this aspect of vendor authority. I respect our trade groups, but we all know as credit union leaders, if we have a major cyber-attack as a system, it will be us as credit union leaders answering our member questions and quelling their concerns, not the trade associations.

Covering Critical Areas

If NCUA was examining the cyber protection for the vendors doing core processing, mobile banking and credit and debit processing, we would have the major critical areas covered. We have tremendous vendors serving credit unions who would be willing to provide NCUA with whatever information they need for their review. Would NCUA be ultra-effective in this role? I don’t know, but what I do know is the vendors would know NCUA is out there and looking at them and for us as credit unions we would know there is some additional oversight. From a member perception standpoint we would be on par with the banking industry. 

Another argument against vendor authority is the banking regulators are already doing this on major vendors that serve banks and credit unions, but do we want to rely solely on that? Large vendors have different divisions serving banks and credit unions and how do we know the bank regulators give the credit union business units the same level of focus? Credit unions should also know that banks are able to secure their vendor’s audit from their regulators. Why should banks have that insight into their vendors but we as credit unions do not?

Consider the Downsides

I may be in the minority on this issue, but I urge my fellow passionate credit union leaders to at least consider the downsides and risks of not evaluating this issue beyond the impact to NCUA’s budget. Vendor authority must be brought into play as a new protection for credit unions and eliminate the member perception risk we could all face one day if a major cyber incident hits the system.  

Paul Gentile is president and CEO of Merck Employees FCU in Rahway, N.J.

Copyright Holder: CUToday.info
Copyright Year: 2026