CUNA opposes legislation giving NCUA third-party vendor authority

August 4, 2022

CUNA wrote Sen. Jon Ossoff, D-Ga., asking him to reconsider his Improving Cybersecurity of Credit Union Act, a bill that would give NCUA authority over third-party vendors.

“We are concerned that extending supervisory authority over these firms to NCUA could require the agency to increase its budget to hire personnel with appropriate expertise,” the letter reads. “This is a concern to credit unions because credit union member resources fund the agency, and credit unions question why they should be required to send more of their members’ savings to NCUA when the agency has demonstrated it is doing a good job absent this authority.

“If Congress conveys this authority to NCUA, the agency should commit to funding this new authority by reducing expenditures elsewhere,” it adds.

CUNA notes that—while NCUA has requested this authority for years—it hasn’t developed a clear vision for the scope of the authority or how it would be implemented.

“It is possible that extending this authority to NCUA could, over time, lead to a reduction in credit union costs if such supervision leads to reduced losses to the National Credit Union Share Insurance Fund (NCUSIF) or reduces credit unions’ due diligence requirements for engaging vendors subject to NCUA supervision,” the letter reads. “Not knowing how the agency will use this authority makes it difficult for us to see this as a probable outcome.”

The League of Southeastern Credit Unions shared CUNA’s concerns.

“While we share and appreciate Senator Jon Ossoff’s interest in strengthening cybersecurity, we know the broad scope of this legislation is not the solution,” said Samantha Beeler, president of the League of Southeastern Credit Unions. “Credit unions are concerned that expanding the authority of the NCUA would likely result in lengthier exams with less in-depth audits. As the role of the NCUA is to regulate federally chartered credit unions, we affirm the agency should focus on examining credit unions and simply ensure that credit unions are up to date with cybersecurity standards and following new guidance as it is proposed. Furthermore, credit unions should not be burdened with funding the NCUA’s third-party vendor authority for organizations that may not even be examined.”