
AGAIN IN 2024 THE HOUSE AND SENATE HAVE BOTH PASSED NDAA WITH NO NCUA VENDOR AUTHORITY INCLUDED DESPITE AGENCY PUSH

Tuesday, December 19, 2023

Following a ransomware attack that temporarily left about 60 credit unions with limited services earlier this month, NCUA leaders used that unfortunate event, as they have with every cyber event from TJ Maxx to Target to the federal government’s Office of Personnel Management, to go back to Congress and try to make the case that they could protect the nation in general – and the credit union industry in particular – from such attacks if Congress would only give NCUA the authority to regulate and examine all vendors who do business with federally insured credit unions.

Previous Client Updates have outlined the potential impact that unlimited vendor authority would have on dramatically increasing NCUA budgets, as well as the potential for abuse by examiners who would have the authority to show up at local or national vendors doing business with a credit union that the examiner wants to put pressure on regarding a pending exam dispute. Those issues have been well explained there.

But NCUA keeps pushing although they have been unsuccessful for over 20 years in persuading Congress to grant them this unlimited and, frankly, unwarranted extension of federal agency authority to regulate and examine not just the credit unions they are charged with keeping safe and sound – but also every entity, vendor or organization that does business with a federally insured credit union.

Because both parties in Congress are quite hesitant to expand a federal agency’s authority in such a manner without a justifiable reason why, NCUA continues to use any example possible to try to make the case for this expanded authority, which would go beyond even what FDIC and the OCC have to examine the bank-like functions offered by vendors through bank holding companies.

Thus far NCUA has not been successful.

One of their strategies over the last two years has been to try to get an amendment to the National Defense Authorization Act (NDAA) which must pass every year to keep our nation’s military and defense authorized and funded.

They have tried to make the case that authorizing NCUA to examine and regulate all businesses that have a contract with a credit union, regardless of how large or small, would enable the agency to protect the nation’s security by preventing cyber attacks on the homeland through credit unions.

Everyone in credit union land understands the absurdity of this argument and sees the potential danger of having an NCUA examiner authorized to show up at the door of every vendor of a credit union and ask to see their financials.  So, apparently, does Congress.

Just last week both houses of Congress passed the NDAA without including the NCUA vendor authority provision that the agency had been pushing so hard to have included.

This makes 20 consecutive years that Congress has met and not granted this additional authority to NCUA despite the agency’s best efforts to get the House and Senate to act on their vendor authority request.

The final NDAA bill for 2024 is over 3100 pages long.  It was 4000 pages long last year.  Needless to say, this bill has a lot of ornaments on the Christmas tree in the way of amendments for various legislative priorities that congressmen and senators had that would never pass in stand-alone legislation.

But unlimited vendor authority for NCUA was not included in the final NDAA bill – either last year or this year.

Credit unions, CUSOs and their vendors have once again avoided the potential for overreach, and the increased NCUA budgets to fund it, that unlimited authority to regulate and examine all credit union vendors could bring.

As it has been for twenty years now, this is a big win.

Of course, NCUA will come back next Congress and try again. They want this authority so badly. To be sure, it is a powerful tool, although not justified by any empirical data of widespread credit union risk caused by unregulated, non-examined vendors, and the agency certainly lacks the staffing and resources currently to have sufficient expertise in every area of business that credit unions contract with vendors to provide.

But they are currently citing any and all cyber attacks as a justification for their request as if the tens of thousands of bad actors seeking to get around expensive firewalls and constantly monitored protection programs by American business – large and small – would stay away from any business that dares do business with a credit union because NCUA conducts an examination of those businesses once every few years.

No federal agency has been able to totally prevent cyber incidents, either at their own agencies or among their contractors, from the Defense Department to the State Department and beyond. NCUA seems to be making the case that they could do so among credit unions, which they already have the authority to examine, and their vendors, which they do not currently have the authority to examine, if only unlimited vendor authority were granted by Congress.

Even the best cyber security companies, ranging from top-of-the-industry players like SEI Sphere on down to the Nortons of the world, do not claim that they can stop all cyber attacks. The strategy of these firms is to implement a program that will take so many attempts to break through their protections that the bad actors quit trying and move on to easier targets.

Cyber security is rightly a focus of NCUA for the credit unions they regulate and insure.  However, the utilization of cyber security concerns as a justification to seek the authority to examine every single vendor that does business with a credit union is a costly overreach that will provide minimal, if any, results in stopping cyber attacks but will certainly increase the agency’s budget and staffing as it creates the opportunity of stepping beyond their credit union safety and soundness mission into an attempt to regulate and examine small and large businesses – even those without direct access to member data – simply because they happen to do business with a credit union.

Credit unions, CUSOs, vendors and trade organizations such as NACUSO, America’s Credit Unions, and others will continue to oppose vendor authority for NCUA because unnecessary and burdensome regulatory overreach will never have a constituency outside of the agency wanting the authority itself.

Congress has been responsive to that opposition again this year.  It will continue, as will NCUA’s efforts to secure the additional authority.

We will continue to monitor and keep our clients in the loop on the action or lack thereof on this important issue.

Until next time.

Dennis Dollar