Nussle Says NCUA Does Not Need Third-Party Vendor Supervisory Powers

America's Credit Unions opposes H.R. 7036 and suggests a different approach.

America’s Credit Unions is urging Congress to ignore a recently introduced House bill that would give the National Credit Union Administration supervisory powers over third-party vendors.

“We believe in a strong NCUA, but we also believe that the NCUA should stay focused on where its expertise lies—regulating credit unions,” association President/CEO Jim Nussle wrote in a letter to the House Financial Services Committee. “Credit unions fund the NCUA budget. Implementing such new authority for the NCUA could result in the agency increasing its budget, due in part to hiring examiners with sufficient expertise, ultimately having credit unions and their members bear the cost.”

Credit union trade groups traditionally have opposed granting the NCUA supervisory power over vendors.

Nussle’s letter cites H.R. 7036, legislation recently introduced by House Financial Institutions and Monetary Policy Subcommittee ranking Democrat Rep. Bill Foster of Illinois. That bill would grant the NCUA and the Federal Housing Finance Agency the power to oversee third-party vendors. In introducing the bill, Foster said the two agencies are the only financial regulators without supervisory powers over vendors.

Foster noted that the Government Accountability Office, the Financial Stability Oversight Council, and the boards of both agencies have said that the NCUA and FHFA need to be able to supervisor third-party vendors.

He also cited a November 2023 cybersecurity breach of third-party providers that disrupted operations at about 60 credit unions across 40 states. He said that data breach alone put about $912 million in assets and 93,000 credit union members at risk. “This bill would bring parity amongst our regulators to ensure that our financial services and housing industries are well protected against cyberattacks,” Foster said.

Foster noted that a similar bill was approved by the House Financial Services Committee during the last Congress, when Democrats controlled the chamber. The bill, however, was never considered by the full House.

In his letter, Nussle stated the NCUA does not need the power. He wrote that the NCUA and other financial regulators sit on the Federal Financial Institutions Examination Council, which he said was created to coordinate examination findings among regulators in an effort to encourage consistency and to avoid duplication. He said the NCUA should be permitted to request the results of core processors from one of the other regulators and should not have to send an NCUA team to duplicate that agency’s work.

“Sharing relevant cybersecurity information with credit unions does not depend on gathering intelligence through a duplicative supervision program,” he wrote.

Nussle called on Congress to encourage the FFIEC to share exam findings with the NCUA. If the other financial agencies object to the NCUA having that information, Congress should consider compelling them to do so, he added.