WASHINGTON — Credit unions and CUSOs largely panned a recent report issued by the U.S. Government Accountability Office (GAO) that specifically called on Congress to authorize NCUA to examine credit unions' third-party technology providers.
The report concerned an evaluation of the risk-based examination approach that oversees the adequacy of information security at various depository institutions — banks, thrifts, and credit unions — which GAO said could be improved by better targeting future examinations through the analysis of deficiencies across multiple institutions.
GAO noted, among other things, that while the largest institutions were generally examined by information technology (IT) experts, medium and smaller institutions were sometimes reviewed by examiners with little or no IT training.
In addition, GAO noted that while bank regulators can directly address the risks posed to their regulated institutions by third-party technology service providers, NCUA currently lacks this authority.
As such, GAO urged Congress to consider granting NCUA authority to examine third-party technology service providers for credit unions and to encourage regulators to explore ways to better collect and analyze data on trends in IT examination findings across institutions.
"We need to close this regulatory blind spot and better protect the credit union system by providing NCUA with the power to examine and take enforcement actions at third-party vendors," NCUA Chairman Debbie Matz said in response to the GAO report.
She added that the GAO's recommendation reinforces NCUA's long-standing request for legislative action and comes on the heels of a similar recommendation by the Financial Stability Oversight Council.
"Obtaining this authority would allow the agency to proactively address cyber threats and better position credit unions to avoid a crisis," she noted.
But some voices within the credit union movement assert that such a move by Congress would be redundant.
Alicia Nealon, director of regulatory affairs at NAFCU, told Credit Union Journal that "as we have consistently maintained, NAFCU believes the agency's bid for third-party vendor examination authority is unnecessary given that NCUA is already authorized to thoroughly regulate credit unions and their third-party relationships."
Nealon added that while NAFCU acknowledges the importance of cybersecurity and risk management, "we firmly believe that cybersecurity and third-party vendor examination authority do not go hand in hand."
Ryan Donovan, chief advocacy officer at CUNA, said he opposes new statutory authority for the NCUA to regulate and supervise directly CUSOs or other third-party entities that provide products and services to credit unions.
"Credit unions are subject to due diligence requirements with respect to their relationships with third-party vendors," Donovan told Credit Union Journal. "We believe that through the supervisory process NCUA has sufficient authority to ensure that the vendors on which credit unions rely follow sound information security practices."
But such authority is hardly unheard of in the credit union community. "About three out of every four state regulators already have the power to examine CUSOs," noted Pat Keefe, spokesman for the National Association of State Credit Union Supervisors (NASCUS), adding that NASCUS "will be watching this discussion very closely as it unfolds."
From the perspective of third-party vendors who serve credit unions, Jane Pannier, Esq., SVP and in-house counsel at AffirmX LLC in Frederick, Md., said that while the GAO report points out that other federal financial institution regulators have the authority to examine third-party technology service providers, the report provides no data to show that this authority has led to any decrease in the cybersecurity risk or the incidents of cybersecurity breaches in those institutions versus those faced by or experienced by credit unions.
"Instead, the [GAO] report states that the greatest weakness in the current oversight of cybersecurity risk is the fact that none of the federal financial institution regulators have an effective process in place to collect and aggregate data on the deficiencies they find in their examinations of financial institutions, which could allow them to identify and analyze trends that could better tailor and improve the IT examination process going forward," she added.
Dean J. Young, SVP of industry engagement at PSCU, pointed out that GAO's support for granting NCUA examination authority over third-party service providers is nothing new, as the government agency has held this stance for more than 15 years.
"Each time, Congress has rejected the need for additional authority as both unnecessary and potentially costly to the credit union industry," he told Credit Union Journal. "The NCUA's position has not gained strength simply because it is now waving the cybersecurity flag."
In contrast, Carol Quillen, vice president of risk management for Affiliates Management Company, parent company to TMG (The Members Group), indicated that TMG agrees cybersecurity is a priority issue for credit unions, adding that "the organizations that do business with credit unions have to hold themselves to incredibly high standards, and NCUA oversight may be what it takes to ensure this is happening across the board."
Quillen explained that TMG takes a "layered" approach to cybersecurity that includes preventative, detective and recovery controls, as well as a comprehensive incident response program, to ensure that the information and systems its credit union partners rely on are adequately protected from cyber-attacks.