Industry cheerleaders and trade associations representing federally insured credit unions have traditionally touted them as a better choice over banks because they serve a specific community, offer members access to financial products and services at better rates, and operate as member-owned, not-for-profits. What they don't say, however, is that a bank customer has greater levels of protection than a credit union member when it comes to cybersecurity and consumer financial protection.
That's because the agency I lead, the National Credit Union Administration, which regulates, supervises and insures our nation's credit union system, lost its temporary authority over credit union vendors and service providers that Congress provided in response to the potential for Y2K disruptions nearly a generation ago.
With that statutory expiration, the NCUA lacks the same authority that all other federal banking regulators have to oversee and examine the vendors that depository institutions use for critical services like information technology, loan underwriting, payments and mortgage originations. As a result, the credit union system is vulnerable to exploitation by the cybercriminals, terrorist financiers, fraudsters and other lawbreakers who threaten our nation's economic security and the financial well-being of our citizens.
Many others share my concerns. The risks posed by NCUA's lack of vendor authority have been cited repeatedly by the
Critics claim that the NCUA has the authority to review vendors' operations or utilize the reports and findings of other federal regulators like the FDIC or OCC. The first part of that argument is only half right, and the second part of that statement is a myth.
First, the NCUA may only review credit union third-party vendors with their permission, and often, vendors decline these requests. Even if they allow our examiners to do what they are trained to do, the NCUA has zero enforcement authority. This lack of an enforcement tool has real-world implications for our financial system and consumers.
For example, suppose the NCUA gets permission to examine a vendor that provides loans to members and finds the vendor fails to comply with the consumer financial protection laws and regulations that prevent discrimination in lending. In this instance, the NCUA has no authority to stop those practices and hold the vendor accountable. That vendor can ignore our findings and continue to discriminate. That's unacceptable.
Second, it's disingenuous to claim that the NCUA can simply use the findings of the other banking regulators. The NCUA's access to examination reports on vendors is restricted because we lack parity with the banking agencies. Also, NCUA examiners can only participate in vendor examinations with the banking agencies if we get express approval from the vendor.
While the credit union industry argues that giving the NCUA authority and oversight over its vendors amounts to overregulation, they are avoiding a painful reality: The NCUA's lack of vendor authority puts credit unions at a competitive disadvantage.
Why? Because when the banking agencies complete an examination of a vendor, they share those findings with the vendor's bank clients. But, that sharing of information only applies to products offered to banks. Credit unions, especially small ones, don't have the same ability to access information about their vendors, even if they offer the same services to both banks and credit unions.
This fact prevents credit unions from knowing the potential risks their vendors pose to their members, operations, safety and soundness, and reputations. The lack of vendor authority also prevents the NCUA and other regulators from seeing the breadth of potential threats to our economy and financial system — providing our nation's adversaries an easily exploitable vulnerability.
As credit unions outsource more and more services to third parties, now is the time to close this growing regulatory blind spot in our financial and regulatory system. The U.S. House Financial Services Committee approved a bill to provide the NCUA with third-party vendor authority and that measure was later added to the House-approved 2023 National Defense Authorization Act.
In the Senate, Sens. Jon Ossoff, Cynthia Lummis and Mark Warner have introduced, S. 4698, the Improving Cybersecurity of Credit Unions Act, to restore the NCUA's third-party vendor examination authority. In the rush to wrap up the 117th Congress, lawmakers should not squander this chance to better protect consumers, insulate credit unions from bad actors and strengthen the defenses of our entire financial system.
Restoring the NCUA's authority over credit union service providers and vendors will give credit union members the same level of protection that bank customers currently enjoy. If this legislation fails to be approved, thousands of credit unions, 134 million credit union members and more than $2.1 trillion of assets will continue to be exposed to unnecessary and potentially devastating risks. Why are we waiting?
