Is NCUA’s Lack of Vendor Oversight a ‘Regulatory Blind Spot?’

Federal cybersecurity supervision has a “regulatory blind spot” since the National Credit Union Administration lacks the power to regulate third-party vendors that offer cybersecurity services, witnesses told a House Financial Services Committee subcommittee on Wednesday.

“The NCUA should have more power to regulate our vendors,” Carlos Vasquez, chief information security officer at Canvas Credit Union in Colorado, told the Consumer Protection and Financial Institutions Subcommittee.

NCUA officials, the Government Accountability Office and the agency’s Inspector General have called for the NCUA to be given the power to regulate vendors. The NCUA is the only banking regulator that does not have that power.

“Canvas Credit Union is supportive of parity for NCUA with the other federal regulators if the NCUA shares its information with state regulators,” Vasquez said.

Bankers agreed.

Granting the NCUA vendor authority “would correct a disparity in rulemaking between banking regulators and credit union regulators and strengthen the financial sector as a whole,” Jeffrey Newgard, president/CEO of the Bank of Idaho, told the subcommittee. “Effective cybersecurity must include visibility, harmonization, and cooperation.”

In a statement prepared for the hearing, the American Bankers Association was even more vehement, contending that the NCUA’s recent decision to allow Credit Union Service Organizations to provide more services posed an even higher risk.

“Congress should take a serious look at the interplay between Credit Union Service Organizations and the safety-and-soundness risks to the broader credit union system and to the protection of consumer data and privacy,” the ABA said.

“Because of the absence of vendor authority, NCUA has no authority to supervise or examine CUSOs for compliance with federal laws, including data protection, privacy, [and] federal consumer financial protection laws, creating what NCUA’s chairman termed a ‘wild west’ of regulation and putting consumers at risk,” the ABA said.

Rep. Bill Foster, D-Ill., has introduced legislation to give the NCUA that oversight power. Foster said Wednesday that banks and credit unions support his bill.

However, the National Association of Federally-Insured Credit Unions made it clear on Tuesday that it remains opposed to the legislation.

“NAFCU believes in a strong NCUA, but we also believe that the NCUA should stay focused on where their expertise lies—regulating credit unions,” NAFCU Vice President for Legislative Affairs Brad Thaler wrote in a letter to the subcommittee. “Credit unions fund the NCUA budget. Implementing such new authority for the NCUA would require significant expenditures by the agency.”

Thaler said that as a member of the Federal Financial Institutions Examination Council, NCUA has access to the results of cybersecurity examinations conducted by other banking regulators and should not have to replicate an examination that already had been conducted.
