In a move opposed by credit union trade groups, Senators Jon Ossoff, D-GA, Cynthia Lummis, R-WY, and Mark Warner, D-VA, introduced a new bill that would provide NCUA with oversight powers over credit union organizations and service providers.
The bill, S.4698 or the Improving Cybersecurity of Credit Unions Act, is aimed at amending “the Federal Credit Union Act to modify requirements relating to the regulation and examination of credit union organizations and service providers.”
The sponsors suggested that as bank supervisors have similar oversight powers, NCUA should also have those same powers to ensure members’ data and interests are protected. Said Ossoff, “Georgians should not have to fear that their identity or data could be stolen by hackers who target their bank or credit union. This bipartisan bill will strengthen protections against hacking and identity theft.”
NCUA had previously had examination authority over credit union organizations until 2001, cites the bill. What isn’t mentioned in the bill is that this authority had only temporarily been installed in 1999 as part of The Examination Parity Act, with that authority expiring December 31, 2001.
In its March 2022 whitepaper on Third Party Vendor Authority, the NCUA even went so far as to say that it is “seeking the restoration of statutory authority over third-party vendors, including credit union service organizations (CUSO),” emphasis included, as though it was a long held power revoked.
The Examination Parity Act—also know by its full name as The Examination Parity and Year 2000 Readiness for Financial Institutions Act—however, was specifically drafted to ensure the successful rollover of financial institutions during Y2K.
More specifically: “Defines Year 2000 computer problem as any problem which prevents information technology from accurately processing, calculating, comparing, or sequencing date or time data: (1) from, into, or between the 20th and 21st centuries, or the years 1999 and 2000; or (2) with regard to leap year calculations.”
Although the Act did amend “the Federal Credit Union Act to subject a credit union organization owned in whole or in part by an insured credit union to examination and regulation by the Board to the same extent as an insured credit union,” the Act explicitly stated that all power and authority conferred would end at the conclusion of 2001. If such powers were integral to the successful stewardship of credit unions, why were those powers not excluded from that expiration?
The NCUA argues that as the adoption of the recent CUSO rule has expanded the services such organizations can provide, so too should its authority over them. And as credit unions become increasingly dependent on third-party service providers, it poses a greater risk.
“Additionally, the NCUA’s lack of statutory authority to examine third-party vendors increases the risk that operational or financial problems can cascade through the credit union industry and the broader financial system. For example, as cyber actors continue to target third-party vendors, a failure or disruption of a critical third-party vendor that severely impacts the credit union system could affect the broader financial sector—including runs on other financial institutions. Without examination and enforcement authority, the NCUA has limited ability to determine the risk these relationships pose and to intervene when necessary.”
One interpretation of this doomsday prediction is that the NCUA has little faith in credit unions to effectively perform their vendor due diligence, as outlined by NCUA’s guidance and regulations. However, these efforts continue to be positioned as a value-added service to support credit unions that “do not possess the clout and subject matter expertise necessary to fully monitor their service providers.” Don’t credit unions already have a vested interest in partnering with reliable, well-protected and managed third parties?
The bill now sits with the Committee on Banking, Housing, and Urban Affairs.
Section 5446 of the House-introduced National Defense Authorization Act for Fiscal Year 2023 includes similar provisions for “strengthening cybersecurity for the financial sector.”