Former NCUA Chairs Support Third-Party Vendor Authority

In a surprising move, four former chairs of the NCUA Board filed letters with Senate and House lawmakers this week stating it is “imperative” that Congress grant the NCUA authority over third-party vendors. This issue has been at the forefront of many speeches given and a top policy priority laid out by current NCUA Chairman Todd Harper since he took over the leadership position in 2021.

According to copies of the letters provided to CU Times by former NCUA Chairman Michael Fryzel, which were filed Monday, May 13 and signed by Fryzel (chair 2008-2009), Debbie Matz (chair 2009-2016), Rick Metzger (chair 2016-2017) and Mark McWatters (chair 2017-2019), the group stated they “fully support Chairman Harper’s request of the Congress to provide the NCUA with the statutory authority to supervise and examine Credit Union Service Organizations (CUSO) and third-party vendors — a policy already supported and vocalized by the NCUA’s Inspector General, the Financial Stability Oversight Council and the Government Accountability Office: all of whom have called for the restoration of the NCUA’s authority over third-party vendors.”

The two-page letter, sent to both House and Senate financial committee leaders, stated the growing reliance on third-party vendors by credit unions to support loan services, core systems, and mobile and online banking has created a significant risk exposure to credit unions.

“Without proper oversight of these service providers, credit unions may be exposed to greater chances of operational disruptions, financial losses, reputational damage, and, most importantly, threats to the security and privacy of their members’ information,” the letter stated.

CU Times asked Fryzel what led the four former NCUA chairs to submit their thoughts on the issue at this time. In an email, Fryzel responded: “The subject of sending a letter in support of third-party vendor authority for (the) NCUA came up in a conference call amongst the four former chairs of (the) NCUA. Over the last few weeks each of them contributed their thoughts and agreed upon the content of the letters sent to the leadership of the House and Senate. With Congress about to hear from financial regulators at scheduled hearings, the former chairs felt it was a good time to express their strong, bi-partisan support of including such authority in pending legislation.”

The letter pointed to the issue that other financial regulators, such as the FDIC and the Office of the Comptroller of the Currency, already have this authority and stated this move would better align the credit union industry with the other regulators; a similar point made previously in comments by Chairman Harper.

NCUA Spokesperson Joseph Adamoli confirmed the agency received the letter and said, “Chairman Harper is in receipt of the letter from the former NCUA Chairs and thanked them for their support of this essential legislative request. It is time for the very real threats to the credit union system—a major piece of our nation’s critical economic infrastructure— to be recognized and for the federal agency charged with maintaining its safety and soundness to be provided the legal authority to do its job in full.”

Chairman Harper is currently taking a temporary leave of absence, which began Monday, to undergo and then recover from back surgery.

In a response for comment from CU Times concerning the issue raised by the former NCUA leaders, America’s Credit Unions Chief Advocacy Officer Carrie Hunt said, “America’s Credit Unions supports interagency coordination to mitigate vulnerabilities to the financial system. We believe it is unnecessary for the NCUA to have a duplicative program that has the potential to drastically increase costs for credit unions. Congress should encourage the NCUA to use the FFIEC to access information on companies that have already been examined by other regulators and if the other regulators don’t comply, Congress should consider compelling them to share this exam information directly with the NCUA. At this time, it’s unclear if replicating the existing supervisory authorities of other federal banking regulators will reduce the exploitation of third-party vulnerabilities. We believe that that focusing attention on improving information sharing with the other FFIEC agencies would be time well spent.”

An additional point made by the group in its letter was the fact that many credit unions serve “large concentrations of members that could be of high value to our nation’s foreign adversaries” such as the military and other federal agencies, and if a cybersecurity incident targeted these fields of membership, having third-party vendor authority “would, at a minimum, mitigate the risk of a vendor-created cyber event.”

The letter continued, “It is not hyperbolic to say that the safety and soundness of the credit union system is at risk due to the potential for operational failures, cybersecurity breaches and compliance violations by third-party vendors. Credit unions in many cases unknowingly expose themselves to financial losses, reputational damage and regulatory enforcement actions because of vendors who fail to meet regulatory requirements or adequately manage risks.

“Moreover, these types of risks are not posed in a vacuum. The ability for the NCUA to contribute substantively with greater insight into vulnerabilities or cyber tactics used in the credit union industry, would be valuable in discussions with the broader federal government to protect our nation’s critical financial infrastructure — primarily in the agency’s work on the Financial and Banking Information Infrastructure Committee,” the letter stated.

READ MORE: A copy of the letter to lawmakers from the former NCUA chairs.