Congress on the verge of expanding NCUA's oversight powers

After 20 years, the National Credit Union Administration may finally be getting what it wants from Congress.

Lawmakers have put forth discussion draft legislation that would amend the Bank Service Company Act in order to provide NCUA and the Federal Housing Finance Agency with third-party vendor oversight for the purpose of cybersecurity protection. Credit union trade groups have said NCUA has requested that authority repeatedly since at least the late 1990s.

The bill, which would be known as the Strengthening Cybersecurity for the Financial Sector Act of 2019, is only a draft, and does not yet have a sponsor. The House Financial Services Committee Taskforce on Artificial Intelligence was expected to meet Friday for a discussion on cyberattacks targeting financial services providers, and many credit union watchers expect a bill to formally be put forward soon that would give NCUA oversight authority over credit union service organizations and other third-party vendors.

NCUA officials had not made public comment on the draft legislation when the story was published, but CU trade associations wasted no time in lambasting the proposal.

“Giving NCUA authority over third parties will provide no clear benefit to credit unions and their members, but will result in duplicative regulation as other federal agencies already compile and can share this information with the NCUA,” Dan Berger, president and CEO of the National Association of Federally-Insured Credit Unions, said in a statement.

Lance Noggle, senior counsel for payments and cybersecurity at the Credit Union National Association, noted in a statement that because the bill is only in draft form, credit unions still have the opportunity “to engage policymakers to address concerns.”

In a Thursday letter to House lawmakers, CUNA representatives emphasized that while the group opposes expanding NCUA’s oversight authority, “in the interest of ensuring that our nation’s information security apparatus is as strong as it needs to be to combat cyberattack[s] and data breach, we are open to continued dialogue regarding proposed amendments … that could augment NCUA’s current oversight of third-party vendors and CUSOs.”

NCUA Chairman Rodney Hood and his predecessor, board member Mark McWatters, have both testified before the Senate on this topic. After McWatters’ testimony last fall, observers returned repeatedly to many of the same arguments against third-party oversight for NCUA.

Not only does the regulator already have access to information about fintechs and other regulated vendors through its participation in the Federal Financial Institutions Examination Council. But the agency’s CUSO rule already gives it access to credit union service organizations by examining the institutions that invest in those companies.

On top of that, broadening authority at NCUA would likely result in further increases to the agency’s budget at a time when the regulator’s budget continues to rise despite calls to slow that down.

“I understand NCUA is the only banking regulator that doesn’t have this power, but it’s not like the regulators that have this authority have made banks hack-proof,” Alissa Knight, senior analyst at Aite Group, told Credit Union Journal last year. “The number of bank compromises that have happened over the last decade — it’s not like they’ve gone down with this expanded authority.”