Will cybersecurity risks compel Congress to expand NCUA's authority?
The National Credit Union Administration’s latest push for third-party vendor oversight is a blast from the past, but it could have a different outcome this time.
NCUA Chairman Mark McWatters reiterated last week in testimony before the Senate Banking Committee the agency’s request for the power to regulate third-party technology vendors. He claimed cybersecurity risks from fintechs and other firms – including credit union service organizations – pose a threat to credit unions and the National Credit Union Share Insurance Fund.
Many within the credit union system aren’t buying that argument. The NCUA has pushed for the last two decades to gain this additional oversight, molding its claims to fit with the current threat of the day, critics of the plan argue.
However, there are others who believe that high-profile cybersecurity breaches and the proliferation of fintech companies could finally push Congress to act.
“What is the problem they’re trying to cure?” said Carrie Hunt, general counsel at the National Association of Federally-Insured Credit Unions. “If you go back and look at the history of NCUA, it’s always been a different thing, whether it’s Y2K, cybersecurity or another issue.”
For the most part, fintechs are already overseen by other regulators, such as the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp. and the Federal Reserve. Others still are subject to state oversight. The NCUA also can gain access to information about these vendors through the Federal Financial Institutions Examination Council.
Since the majority of fintech vendors are already regulated by others, critics of McWatters’ recent remarks question what exactly NCUA would bring to the table that’s new.
“When [McWatters] first came in he went so far as to question how could NCUA possibly add anything to the reviews already being done by the OCC, FDIC and the Federal Reserve for most big technology companies,” said Jack Antonini, president and CEO of the National Association of Credit Union Service Organizations.
McWatters, in contrast to then-NCUA Chairman Debbie Matz, initially opposed third-party oversight when he joined the board in 2014. NCUA representatives did not give a reason for McWatters' new position, but said cybersecurity “has been an agency priority for many years as the number and sophistication of cyberattacks on businesses and the financial sector have grown.”
Representatives from the agency said NCUA’s approach would likely be similar to that of these other regulators.
One point of contention is CUSOs, which are organizations owned by credit unions but not directly overseen by the NCUA. There are concerns that problems with a CUSO can affect the overall soundness of its credit union owners.
McWatters’ written testimony claimed CUSOs have led to $500 million in losses at federally insured credit unions since 2008 and contributed to the failure of 11 CUs. Jack Antonini, president and CEO of the National Association of Credit Union Service Organizations, countered that the regulator has never offered details on those statistics.
Antonini pointed out that while NCUA has no enforceable powers over CUSOs, it does have that authority over their credit union owners. The agency can instruct credit unions to divest from CUSOs they may have concerns about.
NCUA already struggles “to bring people in and get enough staff in place to do CUSO reviews and credit union exams,” Antonini said. “How on earth are they going to be able to provide effective oversight on cybersecurity risks from new technology businesses?”
While many federal trade groups remain opposed to granting the regulator further oversight, the National Association of State Credit Union Supervisors is willing to see that power extended to NCUA – but only in the 23 states where state regulators don’t already have that oversight. That would allow state and federal regulators to share information about security concerns while avoiding duplicating exams or adding too many costs to credit unions, said Lucy Ito, NASCUS president and CEO.
“The 27 states that do this have a cooperative, collaborative approach and can share that information with other states where they know a vendor is active and share it with NCUA,” said Ito, adding that current policies at the state level and FFIEC prevent NCUA from subsequently sharing that information with credit unions.
Not just the same old threats?
To be sure, there are some who believe cybersecurity threats to financial institutions may have finally evolved enough to merit Congress granting NCUA some authority.
“I think the threat has changed a bit,” said Jackson Mueller, associate director of the Center for Financial Markets at the Milken Institute. “Over the last five years we’ve seen the growth and proliferation of fintech platforms encroaching on banks and credit unions. … A lot of these digital-savvy platforms are trying to connect to these banks and credit unions through back-end processes, and that alarms a lot of financial institutions because it could open the back door for hackers to get into their own systems.”
One analyst also pointed out that acceding to NCUA’s request could potentially make life easier for credit unions.
“It shifts some of the burden from the credit union in terms of what they need to be doing from a compliance and oversight standpoint to the vendor,” said Nick Lane, a consultant at Cornerstone Advisors. “To me it kind of makes sense because it gives some accountability from the credit union space back to the vendor. It shares some of that accountability.”
Those sentiments aren’t universally shared, however. Alissa Knight, senior analyst at Aite Group, said NCUA hasn’t provided enough empirical evidence to justify its case. Knight said current cybersecurity issues within the credit union space aren’t so systemic that the problem has to be addressed by NCUA. She thought it should be up to individual credit unions to create formal information security management programs.
“I understand NCUA is the only banking regulator that doesn’t have this power, but it’s not like the regulators that have this authority have made banks hack proof,” she said. “The number of bank compromises that have happened over the last decade – it’s not like they’ve gone down with this expanded authority.”
Ball in Congress’s court
NCUA can make all the requests it wants, but there’s only so much that can happen until Congress chooses to take action. And, for now, the jury is split on whether that’s likely to happen.
Cybersecurity is a concern for lawmakers, particularly in the wake of high-profile events like the Equifax breach, Mueller said. There is the chance that this change could be stuck onto a larger bill that is passed during the lame duck session after the November election.
“If a regulator is calling out and saying, ‘We could be faced with some serious issues if we don’t effectively oversee our third-party management providers to credit unions,’ that could make some waves on Capitol Hill,” Mueller said. “There’s obviously a ton of issues going on right now in Washington, but that’s not to say nothing’s going to be passed this year.”
But these concerns could be drowned out by other controversies currently consuming Washington. And even if one or both chambers of Congress flips to the Democrats, there may not be many changes coming.
“What isn’t going to change is that the Trump administration is still in office and the type of regulation Chairman McWatters is proposing really runs counter to what the Trump administration has been talking about in terms of reducing regulation,” said Ryan Donovan, chief advocacy officer at the Credit Union National Association. “I don’t know that the prospects for it are enhanced with the election given that the administration isn’t going to change.”