In the ongoing saga over whether NCUA should be given authority to oversee third party vendors, officials with the agency now have one more feather in their cap.
In a lengthy report released July 2, the U.S. Government Accountability Office presented the NCUA with a Christmas in July present by again siding with the regulatory agency and suggesting that NCUA should, in fact, have the authorization to examine third party technology service providers used by credit unions, just as all the other regulatory agencies can.
NCUA Board Chairman Debbie Matz said it is time to close the regulatory blind spot so that NCUA may better protect credit unions.
"The GAO report's recommendation reinforces NCUA's long-standing request for legislative action and comes on the heels of a similar recommendation by the Financial Stability Oversight Council," Matz said in a statement. "Obtaining this authority would allow the agency to proactively address cyber threats and better position credit unions to avoid a crisis."
However, NAFCU Director of Regulatory Affairs Alicia Nealon disagreed in a prepared statement.
"As we have consistently maintained, NAFCU believes the agency's bid for third-party vendor examination authority is unnecessary given that NCUA is already authorized to thoroughly regulate credit unions and their third-party relationships," she said. "While NAFCU acknowledges the importance of cybersecurity and risk management, we firmly believe that cybersecurity and third-party vendor examination authority do not go hand in hand."
The report was ordered by a congressional committee from the U.S. House of Representatives whose members wanted a better understanding of the cybersecurity threats financial institutions are facing, how they're being handled and in what ways they can be improved.
The report specifically referenced the infamous Target breach and the millions of dollars financial institutions lost as a result, as well as the hits on Neiman Marcus, Michael's Stores and Home Depot. The Target breach alone cost banks and credit unions more than $200 million.
The audit by the GAO was conducted from February 2014 until the start of July 2015. The audit suggested that, along with Congress giving NCUA oversight ability, all regulators should find better ways to collect and analyze the IT and cyber threat data they find and share it among institutions.
The study noted: "Although each regulator described collecting some information across examinations to assist its oversight, the regulators did not have standardized methods for collecting examination data that could allow them to readily analyze trends in specific information security problems across institutions."
In other words, when auditors asked regulators for the number of deficiencies found during examinations of information security, the answers were varied and were not compiled and organized into categories that made it easy to see where the problems were with each institution. Regulators responded by saying the different operating systems for each regulator and different software being used, depending on the size of the financial institution being examined, made it all but impossible to find patterns or trends in cybersecurity.