CRS: Credit Unions Vulnerable Since NCUA Doesn’t Have Vendor Authority
Congress’s research arm joins chorus of other agencies saying NCUA needs vendor authority
Yet another federal government agency, the Congressional Research Service, is warning that as credit unions use more technological services, they face significant operational risks because the National Credit Union Administration lacks supervisory powers over third-party vendors.
“Small financial institutions—particularly those providing financial services primarily to underserved communities, which would include mission-driven credit unions—face significant challenges when attempting to acquire new technologies,” the CRS said, in a new report. “With growing reliance on [technology service providers], the NCUA (as well as the federal bank regulators) is increasingly concerned with operational risks—the risk of loss having to do with failed internal controls, people, systems, or external events.” The CRS said that operational risks can increase the potential for systemic risk, such as panic runs on depository institutions.
Unlike federal banking regulators, such as the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp., the NCUA does not have supervisory powers over third-party providers.
The NCUA’s Inspector General, the Government Accountability Office, and the Financial Stability Oversight Council have called on Congress to extend supervisory powers to the NCUA, but so far, no legislation doing that has been enacted.
The CRS said that the NCUA has cited a report that depository institutions with less than $35 million in annual revenue are particularly vulnerable to hacking and malware breaches. “Hence, many credit unions, which are generally smaller relative to many small banks, are arguably more vulnerable,” the CRS said.
The CRS acknowledged the opposition of credit union trade groups to extending vendor supervisory powers to the NCUA. “The opposition arises due to an anticipated increase in costs for the NCUA to hire specialized examiners, which would be covered by levying additional fees on credit unions unless the legislation provided another funding source,” the CRS said.
Credit union trade groups have said that the NCUA should use its existing authority to obtain information from Credit Union Service Organizations, which are owned by credit unions.
In addition, the credit union trade groups have said that, as a member of the inter-agency Federal Financial Institutions Examination Council, the NCUA should be able to gain access to examinations of technology service providers that serve credit unions and banks. If the NCUA is not granted access, Congress should compel the other agencies to provide that access, they say. That approach would prevent additional costs to credit unions.