NCUA Inspector General: Lack of Vendor Authority Puts Billions at Risk

NCUA inspector general renews call for Congress to give NCUA oversight powers

The National Credit Union Administration’s inability to oversee credit union third-party vendors leaves billions of dollars at risk, agency Inspector General James Hagen said last week.

“Without this authority, the NCUA cannot accurately assess the actual risk present in the credit union system or determine if the risk-mitigation strategies of credit union service organizations and third-party vendors, which provide much of the industry’s information technology infrastructure, are adequate and can effectively protect the system from potential attacks,” Hagen wrote, in a letter to the NCUA board, outlining the agency’s top management and performance challenges.

“In determining whether to identify an issue as a challenge, we consider its significance in relation to the NCUA’s mission, its susceptibility to fraud, waste, or abuse, and the NCUA’s progress in addressing the challenge,” Hagen wrote.

Under federal law, agency Inspectors General are required to issue top management and performance issues each year.

Many of the risks that Hagen cites are the same as the supervisory priorities that NCUA Chairman Todd Harper listed in a letter to credit unions last month.

Hagen, members of the NCUA board, the Government Accountability Office and the Financial Stability Oversight Council have all called for the agency to have authority over vendors. Granting the NCUA that power would require congressional action, and so far, Congress has not addressed the issue.

Credit union trade groups have argued that the agency does not need oversight powers, since other members of the Financial Stability Oversight Council conduct audits of third-party vendors and may share those reports with the NCUA.

Hagen disagreed. “This regulatory blind spot leaves thousands of credit unions, millions of credit union members, and billions of dollars in assets potentially exposed to unnecessary risks,” he wrote. He added that vendors have declined NCUA requests to conduct examinations and may reject recommendations the agency makes.

“As a result, the NCUA’s Share Insurance Fund is exposed to risk from credit union service organizations and vendors that can cause significant financial hardship, or even failure to the credit unions that use them,” Hagen wrote.

In his letter, Hagen outlined several additional issues facing the NCUA in 2024.

Industry consolidation and challenges facing small credit unions

Hagen wrote that as credit unions consolidate, they become increasingly complex and offer additional services to their members. That could pose a more significant risk to the Share Insurance Fund.

In addition, Hagen said that his office will be conducting an audit of the NCUA’s streamlined chartering process that is designed to ease the way for organizations to start credit unions. He wrote that his office would try to determine if the agency has succeeded in that endeavor, and in a separate report, whether the agency has done an effective job of informing organizations about the streamlined process.

Interest rate risk

The credit union system was solid last year, Hagen concluded. However, he warned that a high level of interest rate risk can lead to liquidity risks and capitol erosion. “Credit unions must be prudent and proactive in managing interest rate risk and the related risks to capital, asset quality, earnings, and liquidity,” Hagen wrote. “This is particularly the case for those credit unions whose assets are concentrated in fixed-rate long term mortgages that were originated when interest rates were at record lows.”

Credit rate and liquidity risks

Slowing growth and moderately higher unemployment rates could create challenges for credit unions, Hagen warned. In 2023, rising short-term interest rates put pressure on credit unions to raise deposit rates. If longer-term rates fall, it will put downward pressure on credit union loan rates.

Cybersecurity and Information Technology

Credit unions are relying more on complex technology tools and those tools expose the credit unions to escalating cybersecurity attacks, Hagen noted. This year, Hagen wrote, the NCUA must continue to assess whether credit unions have implemented effective information security programs. His office plans to review the agency’s new rule requiring credit unions to notify the NCUA of a cyber incident within 72 hours and will assess the NCUA’s efforts to share threat information.