The sponsors of that bill, Reps. Stephen Fincher (R-Tenn.), Bill Posey (R-Fla.) and Denny Heck (D-Wash.), followed the bill's committee passage with an Oct. 6 letter to Matz, asking her to voluntarily conduct the study prior to finalizing the rule.

Matz responded Oct. 8, telling the congressmen she would report the requested study results to Congress after the rule was finalized.

“It is deeply troubling that you would utterly disregard the express will of this committee and rush to adopt a misguided rule that risks undermining the safety and soundness of credit unions in a contravention of the NCUA's statutory mandate,” Hensarling wrote.

The committee chairman urged Matz comply with the requirements of the proposed law before finalizing the rule, and further requested that his letter be read into the record during Thursday's NCUA board meeting.

In response, NCUA Public Affairs Specialist John Fairbanks acknowledged that the NCUA received Hensarling's letter and would review it carefully.

“(The) NCUA has crafted the proposed risk-based capital rule in order to comply with current federal law and to protect the safety and soundness of the credit union system,” he said in a statement.

Hensarling also referenced an Oct. 2 letter from Matz to Senate Banking Committee Chairman Richard Shelby (R-Ala.) and Ranking Member Sherrod Brown (D-Ohio), requesting the committee adopt the NCUA's proposal to gain third-party vendor authority.

“I also find it troubling, though not surprising, that at the same time you have chosen to disregard the clear wishes of Congress, you are also seeking vast new regulatory authority for (the) NCUA, as evidenced by your Oct. 2 letter requesting that the agency be granted direct oversight of all third-party vendors doing business with credit unions. Under the circumstances, (the) NCUA has not demonstrated that it can be entrusted to exercise such broad new authority responsibly,” Hensarling wrote.

On Aug. 4, Sen. Elizabeth Warren (D-Mass.), a member of the Senate Banking Committee, proposed an amendment to S. 754, the Cybersecurity Information Sharing Act of 2015, that would grant the NCUA authority to regulate and examine third-party vendors who provide services to credit unions. That amendment was not approved.

In her letter to Shelby and Brown, Matz wrote that the NCUA's lack of third-party oversight presented an ever-increasing regulatory blind spot for the agency, especially as it relates to cybersecurity. The NCUA was granted temporary vendor authority to address Y2K issues; the FDIC, Federal Reserve and OCC retained that authority after 2000.

“Credit unions are increasingly using third-party vendors to provide technological services, including for security services, and there is a greater interconnectedness among vendors,” Matz wrote. “Simultaneously, the number and sophistication of hackers, criminals and cyberterrorists seeking to exploit vulnerabilities in these networks and systems continues to grow. Without the tools and authorities that other federal financial institutions regulators have at their disposal, (the) NCUA may not have the capability to address this growing threat.”

Read Matz' letter on third-party vendor authority here.

Matz also referenced Government Accountability Office and Federal Stability Oversight Council recommendations earlier this year that recommended Congress adopt regulation that would provide third-party vendor authority.

The NCUA chairman also took aim at CUSOs, writing that since 2008, the NCUA estimated that nine CUSOs have caused more than $300 million in direct losses to the NCUSIF.

“The potential risk to the credit union system is significant given the interconnectedness of the credit union system and credit unions' common use of vendors and CUSOs for services,” Matz wrote. For example, the top four credit union core processing vendors serve over 53% of federally insured credit unions representing 84% of total system assets. Unresolved problems within a key technology service provider, the failure of a key technology service provider, or both, could result in losses to credit unions and, in turn, the share insurance fund.”

Matz also advocated for two additional authorities: Statutory changes to the Central Liquidity Facility and expanded access to the U.S. Treasury to ensure sufficient emergency liquidity, and the authority to charge NCUSIF risk-based premiums as the FDIC does for its deposit insurance fund.

“Risk-based premiums would lessen the funding burden on small credit unions, which generally pose less risk to the share insurance fund. The proposed legislation also would provide (the) NCUA with greater flexibility in managing the share insurance fund's equity ratio,” she wrote.