Financial Stability Oversight Council announced its support of the NCUA's efforts to gain examination authority over third-party vendors has drawn even more attention to the controversial measure.
The FSOC is a multi-agency board charged with identifying and responding to threats to the U.S. financial services system.
In its 2015 annual report, released on May 19, the FSOC put the issue squarely in the context of having a uniform regulatory regime across agencies.
“In addition, the council notes that approaches and authorities to supervise third-party service providers vary across financial regulators,” the FSOC wrote.
“The council supports efforts to synchronize these authorities, including bypassing new legislation that helps to enhance the security of third-party service providers and the critical services they provide. The council supports the granting of examination and enforcement powers to the NCUA and [Federal Housing Finance Agency] to oversee third-party service providers engaged respectively with credit unions and the GSEs.”
NCUA Board Chairman Debbie Matz, who holds a voting position on the council, pounced on the endorsement in a same-day statement that appeared to link the vendor authority issue with the ability to examine vendors to counter cybersecurity concerns.
“I'd like to briefly highlight some risks and recommendations in this year's annual that are particularly pertinent to the credit union sector,” Matz said in a prepared statement.
“This year's annual report emphasizes operational risks, including cybersecurity risks, as an evolving and important threat. Credit unions are not immune to this threat, and the NCUA has identified cybersecurity as a key supervisory priority.
“I am extremely pleased that the council recommends the granting of examination and enforcement powers to the NCUA and Federal Housing Finance Agency to oversee third-party service providers engaged respectively with credit unions and the government-sponsored enterprises,” Matz added. “I view the NCUA's inability to examine critical credit union service providers as a significant regulatory gap.”
NCUA Deputy Director for Examination and Insurance Tim Segerson expanded on this linkage in an email to CU Times.
Segerson pointed out that credit unions, like other financial service providers, rely upon computers and rely on them even more due to increased use of the Internet and mobile or wireless services.
He also noted that third-party vendors have committed mortgage and investment fraud at credit unions and that the NCUSIF incurred significant losses from these frauds.
Further, Segerson argued the risk extends beyond just one credit union.
Read more: NAFCU lightly mocked the endorsement …
“There is a growing risk, and it can affect more credit unions than any other critical risk facing the system,” Segerson wrote. “Nearly 100% of credit unions have Internet connections; 81% have web pages and more than 70% have transactional websites. All credit unions connect to national payment systems through one or more service providers. As a result, risk can quickly escalate to a system-wide concern if one major service provider has a critical failure that exposes thousands of credit unions and potentially millions of members. A significant number of technology vendors provide service mainly and in some cases exclusively to credit unions. Those providers are not subject to the same level of oversight as similar organizations providing services to banks, and could pose a material risk to many credit unions and the NCUSIF.”
However, critics remained unswayed.
NAFCU General Counsel Carrie Hunt lightly mocked the endorsement, suggesting a council of regulators would naturally favor more regulations.
“Given that the Financial Stability Oversight Council is a regulatory body, the suggestion of this added layer of regulation is not surprising,” Hunt said. “We continue to view third-party vendor examination authority for the NCUA as a costly proposition and unnecessary for credit union industry safety and soundness, and we will continue to weigh in with lawmakers to urge against it. While NAFCU acknowledges the importance of cybersecurity and risk management, we firmly believe that cybersecurity and third-party vendor examination authority do not go hand-in-hand.”
NAFCU Director of Regulatory Affairs Alicia Nealon also argued that the association still considered the NCUA to have all the authority it needs.
“As we have consistently maintained, NAFCU believes the agency's bid for third-party vendor examination authority is unnecessary given that the NCUA is already authorized to thoroughly regulate credit unions and their third-party relationships,” Nealon wrote in an email, adding, “If the NCUA were granted this authority, it would only increase credit unions' already excessive regulatory burden and would do nothing to enhance credit unions' safety and soundness or provide any regulatory relief.”
Nealon also questioned the NCUA's choice to prioritize this request on its legislative agenda, and added that NAFCU firmly disagreed with the NCUA's assertion that such authority would provide any regulatory relief for credit unions.
CUNA Chief Advocacy Officer Ryan Donovan took up this point as well, arguing in an email that the NCUA's regulatory record did not inspire confidence in credit unions.
“We strongly disagree with the NCUA's suggestion that direct regulation of CUSOs and third-party vendors by the NCUA would mean less regulation of credit unions as the NCUA has suggested, given the agency's track record of frequently issuing overly prescriptive regulations,” Donovan wrote. “In any case, it is difficult to foresee the savings resulting from such 'regulatory reduction' exceeding the costs of the new supervision.”
Agency critics argued that, in many ways, vendor authority for the NCUA would largely duplicate the due diligence work credit unions already must perform when dealing with vendors.
The NCUA's Letter to Credit Unions 01-CU-20, dated November 2001, laid out the degree of due diligence the agency expected credit unions to deploy when hiring a third party service provider. Areas covered included planning, background checks, legal reviews, financial reviews, returns on investment and insurance requirements, and critics noted that NCUA examiners already review credit unions to make sure they perform those checks.
Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
- Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.