“Instead, the NCUA asked for more regulation. The word embarrassing comes to mind,” he said.

According to McWatters, the NCUA should have focused on secondary capital authority and increasing the member business lending cap.

“It's within the NCUA's regulatory discretion, in effect, to grant secondary capital authority for risk-based capital purposes but the NCUA cannot grant secondary capital for leverage ratio purposes,” he said.

“Small business lending is a job creator and it's very difficult to argue against that,” he added.

McWatters said he knows some of the committee staff and the takeaway message was that the agency came to a regulatory relief hearing and asked for more regulation.

“The fact that member business lending and field of membership were thrown somewhere in a 20-page written testimony toward the end with a few sentences does not really count,” he said. “It's not front and center.”

Without the authority, NCUA Board Chairman Debbie Matz said the agency feels like its hands are tied because it cannot examine or issue enforcement actions against third-party vendors doing business with credit unions. McWatters warned that having the authority could hurt the reputation of the agency.

“If you're granted the authority and you screw up and you don't execute, you don't actually protect the credit unions from the software that can be breached. Then the NCUA looks bad, so it's a very difficult issue,” he said.

McWatters argued the current third party vendor supervisory process is sufficient.

“This is an issue I continue to analyze, but my instincts tell me we don't need it. I may change my mind on that but … there are protocols already in place with respect to due diligence when a credit union retains a vendor. It seems to me to be pretty thorough and pretty robust,” he said.

If the agency was granted the authority, Matz said the NCUA would be on the forefront of detecting cyber threats. She vowed to remain aggressive in advocating for the authority in meetings with lawmakers.

“Particularly in this day and age with the trades going to Congress and the White House talking about the need for additional protections dealing with cybersecurity, this goes hand in glove with those requests,” Matz said.

McWatters questioned how the NCUA would be able to identify and prevent vendor security breaches.

“I've asked the question, does the NCUA have the expertise to actually deal with this issue? I'm not at all convinced that the NCUA would be able to retain the services of third parties that would add much value to the process,” he said.

“Lets say a credit union wants to license some software so it goes to a vendor (to license and use it). What would the NCUA do? Does that mean the NCUA would go to the vendor, look at the source code of the computer program and somehow be able to examine it to find a potential breach in the source code that the a hacker could use? I think it's preposterous to think the NCUA would be able to do that,” he added.

McWatters said vendors are operating on a market basis and do not want their software to be breached.

“They're doing everything within their power not to be breached,” he said. “To think that somehow the NCUA, with two or three people, are going to be able to go in and solve the problems and negate the risk of a hacker attacking a piece of software licensed from a software provider is something I don't see happening.”

McWatters said more resources would be needed to carry out the authority.

“We're not just talking about cybersecurity. We're talking about, presumably, all vendors,” he said. “Lots of vendors and lots of different areas of expertise beyond cybersecurity. I can't image it won't be a substantial increase to the NCUA budget,” he said.