The letter from the NCUA was intended to capture this information from the unknown CUSOs and prepare them for the registration process, which begins Feb. 1 and ends March 31.

The registration developed out of the NCUA's CUSO rule.  The agency created the CUSO registry as a "direct result of lessons learned from the failure of nine CUSOs that caused more than $300 million in direct losses to the share insurance fund and resulted in the failures of consumer credit unions with more than $2 billion in assets," NCUA Communications Specialist Ben Hardaway said.

While the process to get to the registry has been several years in the making, some CUSO executives said they are still not happy with the registry despite its looming start date.

"It's sort of a typical government response to a couple of bad things happening to CUSOs and suddenly they're all high risk and they all need to be regulated," Tony Boutelle, president/CEO at CU Direct, said. He added that regardless of his feelings on the legality of the registration, his company will comply with the request for information.

However, Boutelle and others said they worry how the NCUA will use the data and how protected it will be, once it is collected.

"The concern that I have is the NCUA will take all of this data and drop it into a database and use it for some set of objectives; it's not clear to me what those objectives are yet," Mike Atkins, CEO at Open Technology Solutions, a CUSO that serves three credit unions, said.

Atkins explained if the NCUA used the data to ascertain which CUSOs are not profitable, a firm such as his that is not designed to generate a profit could come under NCUA scrutiny. That could, in turn, influence the credit unions with which his company works.

"What does that mean? Am I going to get additional scrutiny because somebody who does not understand our business model but only has access to some data believes that I am no longer profitable and therefore need additional scrutiny?" Atkins asked.

Atkins and others also questioned the confidentiality of the data and said they also worry the registry could ultimately end up being disseminated through a Freedom of Information Act request.

"They are basically treating it as supplemental examination materials they are collecting, as part of a credit union examination," Antonini explained. "They've assured us that if they get a FOIA request, that they're going to be able to defend it as examination materials and therefore not subject to FOIA discovery."

That means competitive data could fall into a competitor's hands.

The NCUA said its FOIA regulations will apply to the information CUSOs submit to the NCUA. However, data such as a CUSO's name, address and contact information will be publically available through the registry.

"Sensitive information like confidential commercial or financial information and trade secrets will be protected, and will be withheld under the applicable exemptions in FOIA and our own FOIA regulations," Hardaway said.

However, he cautioned the NCUA will share CUSO-related information with "state supervisory authorities that have signed written information sharing agreements with the agency."

The efforts are duplicative, according to Antonini. The information the NCUA is asking for is available through individual credit union call reports.

"It's very difficult and duplicative to go out through the credit union each time they do an exam and ask for all the information on the CUSO," Antonini said.

The NCUA agreed, to a point.

"Obtaining CUSO-related data directly from credit unions has proven to be problematic, redundant and unreliable," Hardaway explained. "We also found that oversight and monitoring on an individual credit union basis alone wasn't sufficient to manage the exposure to the fund because individual CUSOs can serve several hundred credit unions. Having CUSOs report to us directly reduces these occurrences and provides us with better offsite data in a cost-effective way."

CUSOs reporting directly to the NCUA is a sore spot for the organizations because some said they see it as a short slope toward NCUA control over third-party vendors.

"The NCUA has been looking for a way to regulate third-party vendors for a long time," Atkins said. "They have stated that as an objective, to have the ability to regulate all third-party vendors, not just CUSOs. They don't have that today, now they want to look at and regulate CUSOs, which frankly puts CUSOs at a competitive disadvantage with other third parties that provide services to credit unions – whom we compete against."

Boutelle agreed, adding, "In some way you could say we've been penalized versus the rest of the vendors because they don't have the authority to ask them for stuff like this."

The NCUA said that while it's true that obtaining vendor authority is a key legislative priority for the agency, the CUSO rule and its reporting requirements are separate.

"The rule and the new registry allows (the) NCUA to get a better understanding of the number of CUSOs and their operations only," Hardaway said. "If a material or systemic risk is identified during a review, (the) NCUA will continue to have no regulatory authority to address the issue with the CUSO directly."

The regulator argued that while the CUSO rule helps close a regulatory blind spot, it is not the same as having the level of vendor authority that federal banking regulators have, which includes non-CUSO third-party vendors.

Ultimately, Antonini said he fears how far the regulation will ultimately go.

"The history, unfortunately, of regulation in the United States has not been one that it tends to roll back. Once something's put in place, they only want to add to it," he said.

"The next crisis, they will say they didn't do enough, this time we need to do more. That tends to be the history and that's why we were so opposed to the original CUSO rule," Antonini added.