“The council supports efforts to synchronize these authorities, including bypassing new legislation that helps to enhance the security of third-party service providers and the critical services they provide. The council supports the granting of examination and enforcement powers to the NCUA and [Federal Housing Finance Agency] to oversee third-party service providers engaged respectively with credit unions and the GSEs.”

NCUA Board Chairman Debbie Matz, who holds a voting position on the council, pounced on the endorsement in a same-day statement that appeared to link the vendor authority issue with the ability to examine vendors to counter cybersecurity concerns.

“I'd like to briefly highlight some risks and recommendations in this year's annual that are particularly pertinent to the credit union sector,” Matz said in a prepared statement.

“This year's annual report emphasizes operational risks, including cybersecurity risks, as an evolving and important threat. Credit unions are not immune to this threat, and the NCUA has identified cybersecurity as a key supervisory priority.

“I am extremely pleased that the council recommends the granting of examination and enforcement powers to the NCUA and Federal Housing Finance Agency to oversee third-party service providers engaged respectively with credit unions and the government-sponsored enterprises,” Matz added. “I view the NCUA's inability to examine critical credit union service providers as a significant regulatory gap.”

NCUA Deputy Director for Examination and Insurance Tim Segerson expanded on this linkage in an email to CU Times.

Segerson pointed out that credit unions, like other financial service providers, rely upon computers and rely on them even more due to increased use of the Internet and mobile or wireless services.

He also noted that third-party vendors have committed mortgage and investment fraud at credit unions and that the NCUSIF incurred significant losses from these frauds.

Further, Segerson argued the risk extends beyond just one credit union.

Read more: NAFCU lightly mocked the endorsement …

“There is a growing risk, and it can affect more credit unions than any other critical risk facing the system,” Segerson wrote. “Nearly 100% of credit unions have Internet connections; 81% have web pages and more than 70% have transactional websites. All credit unions connect to national payment systems through one or more service providers. As a result, risk can quickly escalate to a system-wide concern if one major service provider has a critical failure that exposes thousands of credit unions and potentially millions of members. A significant number of technology vendors provide service mainly and in some cases exclusively to credit unions. Those providers are not subject to the same level of oversight as similar organizations providing services to banks, and could pose a material risk to many credit unions and the NCUSIF.”

However, critics remained unswayed.

NAFCU General Counsel Carrie Hunt lightly mocked the endorsement, suggesting a council of regulators would naturally favor more regulations.

“Given that the Financial Stability Oversight Council is a regulatory body, the suggestion of this added layer of regulation is not surprising,” Hunt said. “We continue to view third-party vendor examination authority for the NCUA as a costly proposition and unnecessary for credit union industry safety and soundness, and we will continue to weigh in with lawmakers to urge against it. While NAFCU acknowledges the importance of cybersecurity and risk management, we firmly believe that cybersecurity and third-party vendor examination authority do not go hand-in-hand.”

NAFCU Director of Regulatory Affairs Alicia Nealon also argued that the association still considered the NCUA to have all the authority it needs.

“As we have consistently maintained, NAFCU believes the agency's bid for third-party vendor examination authority is unnecessary given that the NCUA is already authorized to thoroughly regulate credit unions and their third-party relationships,” Nealon wrote in an email, adding, “If the NCUA were granted this authority, it would only increase credit unions' already excessive regulatory burden and would do nothing to enhance credit unions' safety and soundness or provide any regulatory relief.”

Nealon also questioned the NCUA's choice to prioritize this request on its legislative agenda, and added that NAFCU firmly disagreed with the NCUA's assertion that such authority would provide any regulatory relief for credit unions.

CUNA Chief Advocacy Officer Ryan Donovan took up this point as well, arguing in an email that the NCUA's regulatory record did not inspire confidence in credit unions.

“We strongly disagree with the NCUA's suggestion that direct regulation of CUSOs and third-party vendors by the NCUA would mean less regulation of credit unions as the NCUA has suggested, given the agency's track record of frequently issuing overly prescriptive regulations,” Donovan wrote. “In any case, it is difficult to foresee the savings resulting from such 'regulatory reduction' exceeding the costs of the new supervision.”

Agency critics argued that, in many ways, vendor authority for the NCUA would largely duplicate the due diligence work credit unions already must perform when dealing with vendors.

The NCUA's Letter to Credit Unions 01-CU-20, dated November 2001, laid out the degree of due diligence the agency expected credit unions to deploy when hiring a third party service provider. Areas covered included planning, background checks, legal reviews, financial reviews, returns on investment and insurance requirements, and critics noted that NCUA examiners already review credit unions to make sure they perform those checks.