Is Congress primed to give NCUA additional oversight powers?
This story is the latest entry in Credit Union Journal’s special report on cybersecurity, which will run throughout the month of October. Previous coverage is available here.
Another federal agency could be the element that finally gets the National Credit Union Administration’s long-standing request for third-party vendor oversight across the finish line.
Earlier this month, the House Financial Services Committee’s task force on artificial intelligence released discussion draft legislation that would grant NCUA and the Federal Housing Finance Agency vendor oversight for cybersecurity protections. That’s been a recurring request from the credit union regulator for more than two decades, but it hasn’t gained much traction beyond being occasionally mentioned during Senate testimony by various NCUA chairmen.
So the fact that legislation exists — even in draft form and without a sponsor — is a sign things could finally be changing.
“I’m not sure they would have put the discussion draft out in the way they did if there wasn’t some intention to introduce it formally in the near future,” said Ryan Donovan, chief advocacy officer at the Credit Union National Association. While discussion drafts are circulated frequently, he added, this bill was put out in a more public fashion than normal. “What that indicates to me is that they’re very eager in getting feedback, but may be a little further along in the process of getting it introduced.”
Lawmakers aren’t likely to have a shortage of feedback.
Trade groups and credit unions have repeatedly said NCUA is seeking a solution for a problem that doesn’t exist, particularly given that the agency already has access to fintechs and other vendors through its participation in the Federal Financial Institutions Examination Council. The regulator also has limited oversight of credit union service organizations thanks to its 2013 CUSO rule.
Though it can obtain information about those companies, NCUA can only examine the CUs that run them and not the firms themselves.
Donovan and others also emphasized that NCUA has never fully explained what impact this authority would have on the agency’s budget, which continues to rise (in contrast with budgets of many other federal regulators, including the FDIC).
“There may be additional costs to such added supervision, but … the cost factor must be weighted against the potential harm to the consumer and the tremendous loss to the institution, passed on to the consumer, should an event occur that just maybe could have been prevented,” Michael Fryzel, a former NCUA board member, said via email.
The FHFA factor
The inclusion of the FHFA in the task force’s draft legislation is notable in that it expands the scope of any lawmaking beyond just credit unions.
“Anytime other agencies get involved in any type of legislation, any type of oversight they’re looking for, it adds credence and credibility to it,” said Geoff Bacino, a former NCUA board member and industry consultant.
Donovan suggested the discussion draft may have been made public in order to get stakeholders’ input because it involves the FHFA, a higher-profile agency than NCUA. But he stopped short of suggesting FHFA’s inclusion will make a difference in moving the issue forward.
“We’re still at the very beginning of a process that could take Congress a very long time to get to the end of,” he said. “I don’t think there are very many people in Washington that expect Congress will enact meaningful privacy or cybersecurity legislation before the end of this Congress. Most people realize this is a multi-Congress effort.”
Still, the fact that draft legislation exists at all can be seen as a significant step forward. Most observers concede that if a bill is introduced it is unlikely to move forward on its own, and would probably wind up tacked on to a broader piece of legislation. But even if that dies in this Congress, it’s not uncommon for bills to be resurrected later on. Some observers have also suggested that this type of bill could face better prospects if the Democrats retake the Senate in 2020.
The current NCUA board has been divided across party lines on many issues, but may find common ground here. Chairman Rodney Hood has already reiterated the agency’s request for vendor oversight in congressional testimony earlier this year, and board member Todd Harper said during his confirmation hearing earlier this year, “For me, consistency across regulators is an important thing.” Banking regulators already have oversight of the third-party vendors that banks work with.
Harper’s argument is backed up by one of the industry’s most vocal critics — the American Bankers Association.
ABA representatives testified on this topic during last week’s congressional meeting, though the group’s letter to the task force didn’t broach the credit union side of the issue. Rather, an ABA representative said, it’s in consumers’ best interest to ensure all regulators are on a level playing field.
“This is just another example of a lack of parallel regulatory authority between bank regulators and credit union regulators that makes credit unions less safe and sound,” said Ken Clayton, EVP of legislative affairs and chief counsel at ABA. “Importantly, in this case, the regulator is the one bringing the request.”
Jim Bray, SVP of business development at Redstone Consulting Group, a CUSO of Huntsville, Ala.-based Redstone FCU, called third-party breaches the biggest threat facing the industry, and said expanding protections for credit unions ought to be a no-brainer.
“You make a choice: You do it the hard way and have the breach happen or you do it the easy way and pass guidelines and recommendations and enforce them. That’s the key — enforcing them,” said Bray.
Those feelings aren’t universally shared across the industry.
William Kennedy, CFO at Maryland-based SecurityPlus FCU, said there simply isn’t evidence that credit unions face enough of a credible threat for NCUA to be granted these new powers.
“It’s your big companies that are targets for things like this; these companies that have boatloads of money,” he said. While his credit union does have enterprise risk management in place, does internal testing and performs due diligence on all its vendors, “we count on it that we’re not one of the bigger fish to take down, so we’re not as concerned.”
That’s not to say attitudes on the issue aren’t evolving.
Donovan said that while the trade group has officially opposed this type of legislation for the last several years, CUNA’s advocacy committee revisits the issue every year, and conversations on the topic have evolved from absolute opposition to “being more open to the question of whether this might have some virtue.”