NCUA Seeking Expanded Powers Over Third Parties

NCUA asked Congress last week to restore authority it had briefly during the Y2K scare to examine and monitor independent, third-party credit union vendors to help it combat the growing threat of security breaches.

NCUA General Counsel Robert Fenner, noting the increasing number of computer system breaches affecting credit unions, told a House Financial Services subcommittee that the additional authority over service providers will help the federal regulator better monitor risk and protect credit union members' financial data.

But the proposal will have a difficult time in Congress as it will be opposed by the credit union lobby, which usually works hand-in-hand with the credit union regulator on legislative issues.

"We have a fundamental, real difference of opinion with the agency on this issue," said John McKechnie, chief lobbyist for CUNA. "On Y2K we thought it was appropriate that they have these powers on a limited basis, because all of the other regulators did. But they have not proven that it's necessary to have them on a permanent basis."

McKechnie said that CUNA will oppose the measure because its members "feel it distracts from the agency's main responsibilities, the examination and supervision of credit unions."

But Fenner detailed the growing number of security breaches that are harming credit unions, including last year's theft at BJ's Wholesale Club of data from more than 160 credit unions; the theft of a hard drive with member information from California CU in 2003; the theft last year of member data of Schools Financial CU and Redwood CU from a third-party processor in California; and growing incidents of "phishing," "pharming," and other online fraud schemes.

The additional monitoring for security and technical requirements under the Gramm-Leach-Bliley Act and the Fair and Accurate Credit Transactions Act raises the issue of whether NCUA and the other federal banking regulators should have third-party authority over merchants and other service providers, Fenner said.

Other federal regulators currently have authority to audit and monitor third-party vendors, helping them to protect data security, noted Fenner. "In the absence of such authority," he told lawmakers, "NCUA has occasionally experienced difficulty in obtaining the full cooperation of vendors, and in obtaining key documents."

Fenner noted that recent reports by the Government Accountability Office recommended that NCUA ask Congress for the authority to monitor and audit third-party vendors.

NCUA was given authority over third-party vendors to help deal with the threats related to the Y2K computer issue, but that authority expired in January 2001, after the threat receded.

Clifford Northup, chief congressional liaison for NCUA, said the agency had abandoned the idea of seeking the expanded powers over outside vendors after lawmakers expressed opposition to it in the last Congress, but interest was renewed when NCUA was asked to testify on the issue of database breaches. "It got a more positive reception today than it did in the past," said Northup after last week's hearing.

If NCUA pursues the initiative, it will not be part of a regulatory relief bill, as the agency hoped in the last Congress, but more likely part of a package aimed at tightening oversight and monitoring of commercial entities, like BJ's Wholesale Club, for security breaches, said Northup.
