For years, the NCUA has been fighting for authority over third-party vendors servicing credit unions and more recently, vendors providing AI solutions to credit unions. The granting of such authority would allow the NCUA to have examination and enforcement authority over CUSOs (even ones owned by credit unions) and examination authority over other service vendors.
In their statement on the need for third-party authority, the NCUA cited the need to protect both the National Credit Union Share Insurance Fund and the national security of the country as reasons behind the push.
They wrote, “This growing regulatory blind spot has the potential to trigger cascading consequences throughout the credit union industry and the financial services sector that may result in significant losses to the National Credit Union Share Insurance Fund.”
“Furthermore, third-party vendors may pose a national security risk to the United States due to a lack of oversight and enforcement authority over their business operations—mainly with respect to cybersecurity given the amount and type of data they hold, as well as the business functions they perform.”
On Friday, May 13th, Congress held a hearing about artificial intelligence and regtech, where NCUA Director of the Office of Examination and Insurance Kelly Lay testified on the current status of the NCUA’s AI projects and the need for third-party authority to members of the House of Representatives Committee on Financial Services Task Force on Artificial Intelligence.
In regards to current AI projects, Lay reported that despite the NCUA’s lack of an AI budget, they have several efforts currently underway to create services using AI technology. These consist of AI technology to validate Call Reports (which they are currently testing), robotics automation through which they can perform routine tasks during examinations (currently in the researching phase), and other AI projects which focus on a “data-driven supervisory initiative with its largest credit unions.”
Lay went on to cite the shortcomings of smaller credit unions in terms of staff, resources, and expertise as reasons for NCUA intervention.
“In general, credit unions are small, not-for-profit institutions and may not possess sufficient expertise to properly conduct due diligence on what is rapidly becoming a very complex ecosystem of third-party vendors. These smaller institutions may neither have the economies of scale nor the expertise necessary for sophisticated analytics,” Lay noted.
“While small credit unions play a vital role in their communities, they are commonly short-staffed and may lack the resources required to keep abreast of evolving AI technologies.” She added, “The continued transfer of operations to CUSOs and other third parties hampers the ability of the NCUA to accurately assess the risks present in the credit union system and determine if current CUSO or third-party vendor risk mitigation strategies are adequate.”
Credit unions and other organizations however are against the NCUA stepping in and taking authority over third-party AI vendors. Both CUNA and the NAFCU have conveyed their objection to such a move.
CUNA’s chief advocacy officer, Ryan Donovan spoke on CUNA’s inability to support the legislation that would allow such authority, claiming the NCUA has little expertise in the area, and while he recognizes the increased cybersecurity risk, allowing authority over all third-party vendors would be too drastic.
“We will continue to work with the committee to tailor it so it targets high-risk areas such as cybersecurity and AML and ensures that credit unions don’t pay higher direct or indirect costs as a result of NCUA exercising this authority,” Donovan said.
Furthermore, NAFCU Vice President of Legislative Affairs Brad Thaler wrote a letter to Committee Task Force members in which he argued that the granting of vendor authority is unnecessary, as the NCUA already has the ability to access third-party vendor information. He also feels that giving the NCUA such authority would only result in increased expenses by the agency along with budget increases, which he believes would then be borne by credit unions and their 130 million members, who fund the NCUA.
“NAFCU believes in a strong NCUA,” Thaler wrote, “but we also believe that the NCUA should stay focused on where their expertise lies – regulating credit unions.”