Heather AndersonThis year at GAC, the conversations I had with credit union industry executives in line at Starbucks or at the Marriott bar were quite a bit livelier than they have been in year's past. Yes, the usual issues were all there: Credit union tax exemption, supplemental capital and member business lending. Risk based capital and regulatory burden were still a concern.

However, cybersecurity and the NCUA's efforts to obtain vendor authority emerged as this year's hot button issues. Data breaches and retailer responsibility, in particular, were top of mind. Most experts agreed a bill that would mandate data security standards might actually pass this Congress.

The retailing lobby is a powerful one, and of course they will continue to fight legislation that increases their liability. However, it's not just credit unions advocating for change; the banking lobby sides with credit unions on this one. Further, the issue affects too many Americans to ignore.

According to the 2014 Breach Level Index report, more than 1 billion data records were compromised last year. That number represents a 78% increase over 2013 levels.

If you divvy up that billion plus number, it works out to nearly 3 million data records compromised every single day. That's nearly 117,000 every hour, 2,000 every minute and 32 every second.

To put it into perspective, consider that since you began reading this column, approximately 1,000 data records were stolen.

Clearly, this issue has some legs.

Vendor authority was another topic GAC attendees brought up during our conversations. My feelings on the topic are mixed.

On the one hand, I can appreciate the NCUA's concern when it comes to cybersecurity. I started thinking about all the different ways vendors could compromise member information and it was pretty overwhelming. It's not just about card breaches. From the paper statement mailing house to the GAP insurance vendor to the janitor who could steal a laptop, vendors present considerable data security risk to credit unions.

NCUA oversight, in theory, would mitigate some of that risk.  Yes, credit unions perform due diligence when they select a new vendor, but a regulator would have greater access to information.

However, it also seems like a major NCUA operating budget increase would be unavoidable.

The NCUA insists otherwise. Director of the Office of Insurance and Examination Larry Fazio told a breakout group at GAC the agency is hoping to keep vendor authority as budget neutral as possible.

Most people found that statement unbelievable. After all, the reason for vendor authority – so many different organizations putting credit union member data at risk – makes this a monster of a project. Sending examiners to every mobile app vendor, marketing agency and lawn care service would surely require additional staff and training.

Not true, Chairman Debbie Matz said, and she gave me two reasons why.

First, the NCUA would not examine every vendor on a regular basis.  Instead, those exams would be triggered by something the examiner saw or heard while at the credit union conducting its regular exam, or a tip provided by another agency.

I question how effective spotty oversight would be.  By the time something looked risky on the books or attracted the attention of another regulator, it would be too late. Matz assured me that was not the case, and the method has been used effectively at the FDIC and OCC, both of which have had vendor authority for years.

Sounds like regulatory envy, doesn't it? Part of the motivation here is that the NCUA feels like a second rate regulator. Envy jokes aside, I can sympathize with the NCUA when it is forced to tag along with the FDIC to examine vendors that pose a risk to credit unions because the agency lacks the authority to do it on its own.

The NCUA also believes it already has the expertise needed to effectively examine vendors. Behind the scenes, as small credit unions merged out of existence and small credit union examinations were scaled back, the NCUA internally converted regular examiners into specialists. As a result, Matz said, the NCUA is well staffed with experts in subjects like cybersecurity and member business lending, and could effectively examine vendor books.

To me, it sounds too good to be true. Of course, the NCUA has to find a member of Congress willing to introduce the bill, and faces long odds with deregulation-minded Republicans controlling both ends of the Capitol. We'll see how this one fleshes out.

 

 

NOT FOR REPRINT

© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.