The FDIC did not increase its budget when it gained the authority in 1999.

“I'm told by our Division of Finance staff that there was no impact on our budget once we received this authority back in 1999 under the Bank Service Company Act,” FDIC spokesman David Barr said.

However, NCUA Board Member Mark McWatters predicted the NCUA's budget would increase.

“It's problematic to suggest that the grant of vendor authority would not dramatically increase NCUA's already bloated operating budget,” he said.

“We're not just talking about cybersecurity. We're talking about, presumably, all vendors,” he said. “Lots of vendors and lots of different areas of expertise beyond cybersecurity; I can't image it won't be a substantial increase to the NCUA budget,” McWatters added.

Matz emphasized the NCUA does not intend to examine vendors or CUSOs on a regular basis if it is granted the authority from Congress.

“It would be on a need to examine basis when we have reason to believe there is something in that entity that could pose a threat to the system,” she said.

Matz said the agency is reallocating examiners to credit unions that hold the greatest risk.

“The examiners can also be used to examine vendors that may pose a threat to a particular group of credit unions or to the system,” she said.

Matz said vendor authority is the agency's top legislative priority. She added the agency feels like its hands are tied since it cannot examine or issue enforcement actions against third-party vendors that are doing business with credit unions.

“It's been important all along but now in the age of cyberthreats, it's absolutely critical. It's essential. We need to have that authority to do our jobs properly,” she said.

NACUSO has created an advocacy fund with contributions from the association's members and retained the services of a governmental relations entity to communicate its opposition to Congress, including the congressional offices of members on the banking committees.

“If NCUA gets vendor authority, it will be examining thousands of additional businesses, where they don't have the expertise, and it will be very costly and ultimately the credit unions will bear the cost of this. In a nutshell, that is why we are opposed to this action,” NACUSO President/CEO Jack Antonini said.

If the agency was granted the authority, Matz said the NCUA would be on the forefront of detecting cyberthreats. She vowed to remain aggressive in advocating for the authority in meetings with lawmakers.

“Particularly in this day and age, with the trades going to Congress and the White House talking about the need for additional protections dealing with cybersecurity, this goes hand in glove with those requests,” Matz said.

She continued, “Asking the president and Congress to do something on cybersecurity and not giving the regulatory agency authority that we need when we're closest to the industry and can have the most direct impact on cybersecurity is shortsighted.”

McWatters warned vendor authority could hurt the NCUA's reputation

“If you're granted the authority and you screw up and you don't execute, you don't actually protect the credit unions from the software that can be breached. Then the NCUA looks bad, so it's a very difficult issue,” he said.

McWatters questioned how the NCUA would be able to identify and prevent vendor security breaches.

“Does the NCUA have the expertise to actually deal with this issue? I'm not at all convinced that the NCUA would be able to retain the services of third parties that would add much value to the process,” he said.

McWatters said vendors are operating on a market basis and do not want their software to be breached.

“They're doing everything within their power not to be breached,” he said. “To think that somehow the NCUA, with two or three people, are going to be able to go in and solve the problems and negate the risk of a hacker attacking a piece of software licensed from a software provider is something I don't see happening.”

Former NCUA Board Member Geoff Bacino said the NCUA does not need authority over third party vendors.

“This is a new jacket on an old solution – the new jacket being cybersecurity and my sense is, why does the agency think they can do it better than all of these other agencies that have direct oversight and direct expertise in that area like the FBI,” said Bacino, who was appointed to NCUA board in 2000.

“What do they know that these other groups that have long-term expertise in cybersecurity do not know?” he asked.

Matz said the NCUA would not be competing with the FBI or CIA, but instead working with them to combat cyberattacks.

“We intend to collaborate with them and cooperate with them and they welcome that. A chain is only as strong as the weakest link, and the NCUA and credit unions are the weakest link because we do not have that authority,” she said. “(Other federal agencies) are very concerned that we do not have that authority. They feel their authority is limited because we do not have that authority.”

Matz said a vendor examination would originate from a red flag noticed during a normal credit union examination.

“We will have an established framework outlining the circumstances under which we would go into a particular vendor or CUSO,” she said.

Bacino argued that a credit union would not put its reputation at risk for a vendor.

“The NCUA will tell you, 'we don't regulate the vendors.' No, but you regulate and insure the credit union. If you think for one minute there's a credit union (leader) out there that's going to put his or her credit union, reputation, job and board at risk for a vendor, you've got to be kidding me,” he said.

McWatters said the current third party supervisory process is sufficient.Matz confirmed that the agency has discussed the issue with the White House.