HOUSE FINANCIAL SERVICES COMMITTEE CHAIRWOMAN MAXINE WATERS HAS PREPARED A BILL FOR COMMITTEE CONSIDERATION THAT WOULD ALLOW NCUA UNLIMITED REGULATORY AND EXAMINATION AUTHORITY OVER ALL CREDIT UNION VENDORS

HOUSE FINANCIAL SERVICES COMMITTEE CHAIRWOMAN MAXINE WATERS HAS PREPARED A BILL FOR COMMITTEE CONSIDERATION THAT WOULD ALLOW NCUA UNLIMITED REGULATORY AND EXAMINATION AUTHORITY OVER ALL CREDIT UNION VENDORS

It was pretty much inevitable that a new NCUA Chairman from the same political party as the one controlling both houses of Congress would renew with great gusto the longtime effort by NCUA to try to get Congress to extend the agency unlimited authority to regulate and examine all businesses that do business with a credit union. It is called NCUA vendor authority, and it has been controversial in credit union circles for years.

Well, as expected, it looks like vendor authority is coming up for air again in this Congress.

House Financial Services Committee Chairwoman Maxine Waters (D-CA) has prepard for introduction in the House a bill that would grant NCUA this long sought authority. With a Democrat majority in both the committee and the full House, the odds are better than they have been in over two decades that Democrat NCUA Chairman Todd Harper may be able to bring this long contentious proposal home for the NCUA staff that has so long coveted it.

Even though the only real constituency for giving this type of expansive authority over non-credit union businesses (simply because they provide a product or service to a credit union) is at NCUA headquarters, the NCUA has been relentless for over thirty years in begging Congress for this authority.

And to date Congress has steadfastly chosen not to extend unlimited vendor authority to NCUA – under both Democrat and Republican control.

But NCUA keeps pushing. The credit union community as a whole does not support it. I hear from credit unions constantly about their fear of examination overreach if their NCUA examiner is able to show up at one of their local vendors door asking for financials simply because the credit union does business with them.

NACUSO, the trade group for CUSOs and the credit unions that own them, has led a successful and valiant fight for over a decade to defeat any effort to expand NCUA regulatory and examination authority to all credit union vendors. Why?  Because CUSOs are almost without exception credit union vendors.

NACUSO does not want to see the collaborative savings and non-interest income earning power of CUSOs to be stymied by excess regulation or overzealous examiners that might not like the investment a credit union made in a CUSO.

NAFCU has long opposed vendor authority, most concerned about the impact on the NCUA budget of having to hire or contract with the level of expertise that will be necessary to effectively regulate and examine every type of business a credit union has a contract with – from data processors to check printers to marketing agencies to lawn care companies. Their opposition remains in place.

CUNA has been more open to vendor authority for some reason. Perhaps they have not heard from as many of their members about their concern of examiner overreach as we have. But even CUNA seems to prefer that any vendor authority, although they are no longer against it, should be limited to those vendors that actually have direct access to member data.

In other words, since cybersecurity is the primary reason NCUA is today citing for their need for vendor authority, why not limit to authority to vendors with direct access to member financial data – not to the company that works on the drive-thru canisters or the pest control company that sprays for bugs at the branches.

While that position of CUNA is not as anti-vendor authority as NACUSO’s or NAFCU’s, even it recognizes that there is danger in regulatory and examination overreach if the authority is not limited in some manner.

Credit union vendors certainly do not support it. The small business community that is subject to examiners showing up at the door solely because they do business with a credit union does not support it.

Yet, NCUA wants it so badly they can taste it.

And it appears that Chairman Harper, who has strong political chops on Capitol Hill as a result of his over twenty years there as a House staffer before coming to NCUA, has enough credibility to get it on the list for consideration in the House Financial Services Committee through his fellow Democrat Maxine Waters.

Couple this with the fact that the two Republican NCUA Board Members who serve with Chairman Harper have never registered a position against vendor authority even though it is a major expansion of a federal regulatory agency’s ability to overreach beyond its stated mandate to keep credit unions safe and sound (and not to become the Federal Trade Commission of the credit union industry to start examining every business that has a contract with a credit union), it is quite possible that the legislation could get some headway in Congress.

The two Republicans on the NCUA Board, Vice-Chairman Kyle Hauptman and Board Member Rodney Hood, have enough stick with the GOP that they could very likely slow down or halt the dash to new expanded authority for NCUA over businesses – large and small – that do business with credit unions. After all, the Senate is evenly divided so the Republicans could likely stop it if they pick up one pro-credit union Democrat (and there are many Democrats that credit unions have supported and have good relationships with.

But the Republicans on the NCUA Board have to be willing to oppose their Democrat chairman and override the fervent wishes of their agency staff if they are going to stop. At this moment, there does not appear to be any stated interest on the part of either Hauptman or Hood to play hardball on this issue.

All of this is to say that the odds are perhaps greater at this point in time than they have been at any time since NCUA lost its very limited Y2K vendor authority in 2001 – some twenty years ago.

Therefore, since you are certain to be hearing and reading about the issue a great deal in the weeks and months to come, we’d like to provide you with some background on this issue and encourage you to understand it sufficiently to discuss it appropriately with your state league, your trade association, your credit union colleagues and with your member of Congress if the opportunity avails itself.

Even though some NCUA Chairmen (Matz and Harper) have pushed their stated support for vendor authority harder in Congress than others did (Hood), I can assure you that the staff pressure at NCUA on this issue is relentless.  Every chairman is pushed hard by staff to use their political influence to try to get unlimited vendor authority for NCUA passed by Congress.

As the Chairman who single-handedly put a stake in the heart of the last time NCUA had temporary and limited vendor authority during the pre-Y2K period when I went to Congress and asked that they allow the previous limited authority to expire in 2001, I know how badly the staff at NCUA would like to have this additional tool to use when supervising credit unions.

They pushed me hard for extending their previously limited authority during Y2K into the post-Y2K world. As a former credit union CEO who could see the potential for abuse and overreach in making NCUA into the “Federal Trade Commission of the Credit Union Industry as I heard one staffer say to me in supporting the authority,” I stood up to the staff’s push on me as Chairman and asked Congress to let it expire. Which they did.

And vendor authority then became, since 2001 and beyond, the top item on NCUA’s congressional wish list – at least from a staff perspective.

The ability to extend an examination beyond a credit union and into those businesses with which the credit union has a relationship is a powerful hammer that can make almost anything a nail. There is much reputation risk at stake, as well as a virtually impossible challenge to agency authority, for any credit union that pushes back against an examiner finding and soon finds examiners showing up at the doors of several of the credit union’s most important vendors.

It is a big issue. And we have addressed it in the past through earlier Client Updates every time something happens that might could put vendor authority back on the congressional consideration list. Therefore, with the Waters bill bringing vendor authority into the news again and the stars aligning for possible action by the Democrat majority in Congress supporting a Democrat NCUA Chairman, the timing seems right for another review on the issue. So, here we go.

Let’s look at the unlimited vendor authority for NCUA issue more completely and in-depth. As always, this is a complex issue and necessitates a longer than usual Client Update. However, in going deep into this issue with our unique perspective on it as a former credit union CEO, former NCUA Chairman and current credit union consultant, it is our hope to again remind you of the long range impact of the issue and to put you in a better position to engage – if you choose to do so – in the advocacy work that is sure to come again and again on this matter as NCUA continues at every opportunity it can to make its push for broad expansion of its authority from Congress.

THE NCUA VENDOR REGULATORY AND EXAMINATION AUTHORITY ISSUE FROM AN OVERALL PHILOSOPHICAL PERSPECTIVE

Balanced regulation that guards against taking unnecessary risk but still allows management of necessary risk is the standard our industry should seek. Excessive regulation kills innovation and stymies investment in improved products and services.  Balanced regulation encourages the extension of necessary credit but requires the risk to be offset through proper underwriting and sufficient capital to cover losses. Excessive regulation paralyzes innovation and the extension of credit by making credit unions hesitant to take any risk other than that which is virtually no risk.

We need, as an industry, effective regulation to maintain our position as a trusted source for the American people to turn to in their search for financial self-sufficiency. However, over-regulation in the credit union industry can lead to weaker, not stronger credit unions. The inability to compete in the marketplace and to meet the needs of the consumer for available credit during an economic downturn can have more negative safety and soundness ramifications for credit unions than taking excessive risk. No margin, no mission.

There is a belief among many credit unions that NCUA has had a tendency over the years – interrupted by a few market-oriented chairmen of which former Chairman Hood and myself were two – to try to regulate our industry out of any potential crisis, rather than to empower the industry to grow itself with effective risk management out of the financial doldrums we find ourselves in.

One of the many indicators that continues to spur this belief is the seemingly never-ending efforts by NCUA asking Congress for expanded and unlimited regulatory authority over credit union vendors.

While this seemingly innocuous request might make sense to some based upon the credit union/vendor inter-relationships that are so common and the claim that the FDIC already has this authority over banking vendors, the reality is that this is a very complex issue with a number of potential ramifications that should be considered by credit unions, CUSOs, trade associations, leagues – as well as companies and organizations that provide products and services to credit unions.

In view of the post-financial crisis regulation that credit unions are still today operating under (see Dodd-Frank, even though the crisis is over by more than a decade and credit unions themselves as not-for-profit, member-owned financial cooperatives had nothing to do with causing it in the first place), any expansion of regulatory authority that is going to still be in place twenty or thirty years from now – particularly if justified by a today’s potential crisis like COVID or cyber security that will certainly be replaced by another justification of crisis proportion and then another to follow that one in short order – should be viewed with some degree of skepticism by those who must deal with the consequences of the regulation.

Today’s crisis, whatever it may be, will always eventually pass (although it seems COVID has been with us for years – it has only been a year). But, when it does, the laws, rules and regulations enacted in response to this crisis will still be on the books. Remember that government regulation always creeps, often leaps but seldom retreats.

Whether you eventually believe that NCUA examination and regulatory authority over credit union vendors is good or bad policy, we want to make sure you recognize that it has great significance and will, if enacted, impact the credit union community for years to come.

VENDOR REGULATORY AUTHORITY FOR NCUA – LET’S LOOK IN DEPTH

As previously stated, other than during the Dollar administration at NCUA, every chairman since Norman D’Amours has requested Congress to expand NCUA’s regulatory and examination authority beyond that of credit unions and to the businesses who have a vendor relationship with a credit union. While Congress has never agreed to do so other than on a temporary and restricted basis during the Y2K period as a means to ensure compliance from core processors, the agency officially and strongly supports this expansion of their authority.

As it would basically transform NCUA from being exclusively a credit union regulator/insurer into what we referred to earlier as the substantial equivalent of the Federal Trade Commission of the entire credit union movement, those concerned about growth of NCUA as an agency and supervisory overreach during the current economic crisis should not lightly disregard this proposal as a “logical extension of a regulatory agency’s authority in these troubled times.” This proposal has been brought forward practically every year since 1993, troubled times or not.

The true purpose, while being promoted in the name of efficiency because the agency feels it is easier to examine a vendor than every credit union that utilizes the services of that vendor, is in actuality an attempt to do what regulatory agencies do – expand their authority, enhance their viability as an agency, validate their mandate, grow their budget and protect themselves from possible elimination or consolidation.

While almost none of us in credit union land would like to see NCUA split up or consolidated into one of the banking agencies, the best way to avoid such an outcome is for NCUA to be an effective credit union regulator and for credit unions to respond with safe and sound performance – not necessarily for NCUA to begin regulating and examining entities other than credit unions.

It is quite possible that the potential liability that would inevitably come from NCUA not having uncovered a problem at a broker/dealer, core processor or card servicer during a vendor examination poses a greater risk to NCUA’s future than its current role which is exclusively tied to the credit unions they regulate and/or insure.

WHAT IS UNLIMITED VENDOR REGULATORY AUTHORITY?

The vendor authority sought by NCUA has historically been the ability to promulgate regulations impacting and perform supervisory examinations at any company, organization, association, partnership, LLC or other entity that regularly conducts business with federally insured credit unions. This would involve the ability to establish rules for the credit union/vendor relationship and require vendors to allow NCUA access to financial data and on-site examinations for any entity that does business with credit unions and wishes to continue to doing so – in the discretion of the NCUA.

The authority has never been requested to be limited in any way by the type of vendor (those with access to member information, for example, versus those that do not) or the purpose of the vendor’s relationship (a CPA firm, for example, versus a lawn service company). Therefore, their request has been and continues to be for unlimited authority to regulate and supervise any and all credit union vendors, in their discretion.

While the agency has stated often that it has no intention of intervening in the relationship between a credit union and a local printing company or advertising agency (and I believe the good intentions of the current NCUA leadership in this regard), the requested authority NCUA is seeking from Congress does not have those types of limits attached.

Unlimited vendor authority could be used to promulgate regulations and conduct examinations of marketing firms, core processors, check printers and processors, ATM networks, shared branching, insurance providers, bond providers, brokerage houses, consulting firms, statement processors, collection agencies, HVAC contractors, lawn service companies…the list is virtually endless.

Often justified by NCUA’s statement that the FDIC and OCC have similar authority over banking vendors, the reality is somewhat different. In fact, more than somewhat different.

The FDIC’s vendor authority authority is based upon the holding company structure of many banks and empowers FDIC’s ability to penetrate the holding company structure only as it relates to vendors that perform “essentially banking services” under contract. So is the OCC’s vendor authority limited in its scope of what type of vendors they can oversee.

The FDIC and OCC’s vendor authority is, therefore, not unlimited as is what NCUA is asking for. For the NCUA authority to be even remotely similar to the FDIC authority, it would have to be limited dramatically.

Interestingly, the NCUA is not the only regulatory agency in the financial services arena that does not have vendor authority, limited or unlimited. The Federal Housing Finance Board does not have vendor authority. The Farm Credit Administration does not have vendor authority.

So, NCUA is hardly alone with Congress telling them to “stick to their knitting.” In other words, regulate and supervise credit unions. You don’t need to increase your size, hire more staff and expand your authority to start examining every small business that works with a credit union. Keep your eye on the credit union ball.

WHO WOULD BE CONSIDERED VENDORS?

The list in the previous section is just a starting point if Congress were to grant NCUA regulatory and examination authority over vendors in the form being requested by the agency. Let’s look at some of those examples and see where they take us.

Every credit union has bond coverage, property and casualty insurance and most offer credit life and credit disability. Therefore, insurance companies are vendors. It’s obvious that, from the scope of this proposed authority, supervisory examinations of CUNA Mutual, Mass Mutual and other insurance companies providing such services would be a virtual certainty – even though they are already regulated by state insurance regulators. They would certainly raise the question of what expertise NCUA has in the property and casualty insurance field, let alone in bonding decisions. But they could be subject to examinations from NCUA nonetheless. Might this drive some insurance companies away from credit union business?

Investment brokers, already regulated by the SEC, would now face the potential of an NCUA examination.  Would some of them drop credit union clients rather than face examinations? What about Co-Op, PSCU, CUDL, TMG, Harland, CU24 and almost every statement processor in America? These industry leaders wouldn’t drop credit unions because they are crucial to the success of their business model, but the impact and cost of regulation and supervisory examinations would certainly be passed on to their credit union customers.

What about CUNA, NAFCU and the state leagues? Don’t they have service organizations that would qualify as credit union vendors? Certainly. Could that present a convenient way for a regulator to attempt to cower a trade association’s position on one of the agency’s decisions? That would never happen NCUA says…but could it?

Every core processor from Fiserv to Jack Henry and every ALM or HR module that is sold to interface with an open platform would then be subject to an NCUA examination. Would NCUA pre-approval be required before companies could enter the credit union market? How about before they unveil a new product? Could their next update be delayed because it hasn’t received NCUA clearance?

While it is unlikely that NCUA would use this authority take on the credit union attorney or CPA firm and states its intention not to seek to examine hometown copier companies, building contractors, internet providers or lawn service firms, the possibility to do so would clearly exist under the proposed authority. It is unrestricted as proposed.

Such authority, although the agency says this would never happen, could be a strong leverage move by the agency if, for example, a credit union is challenging a NCUA supervisory action and suddenly finds its local vendors calling with “who are these NCUA guys and why do they want to see my financials?” Two weeks later a vendor finds that an NCUA examiner is coming to visit and a possible charge for an examination fee – either to the vendor or to the credit union – comes with him.

Talk about potential reputation risk in the local economy.  When the local businesses with which your credit union does business begins to feel the pressure your regulator is hoping to extend to you, that’s when credit union talk around town hits a new level of risk.

Alarmist? Perhaps. Possible? There is nothing in the NCUA request for unlimited vendor regulatory and examination authority to prevent it. There are no rules currently promulgated, nor promised, to limit the authority as the FDIC authority is limited.

To extend NCUA authority to all credit union vendors would result in the largest expansion of the agency’s regulatory and examination powers in the history of the agency – a result which would bring about increased NCUA budgets for credit unions to fund and larger examination staffs for credit unions and their vendors to deal with.

WOULD MY CUSO BE CONSIDERED A VENDOR AND NOW BE REGULATED?

CUSOs are not currently directly examined by NCUA. That would change upon congressional approval of NCUA vendor authority. Almost every CUSO offers products to other credit unions – thus, they are a vendor.

Not only will there be fewer CUSOs following vendor authority because the cost of regulation and examination will drive away some CUSO investment, but there will be less innovation by CUSOs for fear that their next examination will bring NCUA concerns. Therefore, fewer new products and less return to the credit union owners of CUSOs. As much of credit union industry innovation comes through the collaborative power that CUSOs have generated, this will be a real and direct loss to the industry.

For any credit union with any ownership interest in a CUSO, the prospect of NCUA direct regulatory and examination authority over that CUSO as a credit union vendor should be reason enough to oppose any legislative action by Congress in this regard.

NCUA already has in place a CUSO rule adopted in 2013 with the authority to “review” CUSOs and to compile a data base on all CUSOs through a CUSO Registry. While some considered that action itself outside the scope of the agency’s statutory authority, it proceeded with the rule nonetheless.

In an effort to work with NCUA on the question, most CUSOs are cooperating fully (although somewhat begrudgingly since the required data and extent of “reviews” seem to get more extensive each year – again demonstrating regulatory and supervisory “creep”) with the new CUSO rule.

There have been minimal documented cases of significant CUSO losses since 2013. Those losses before were limited to a small handful of credit unions and CUSOs, many of which stemmed from credit union (not CUSO) decisions that were already under the purview of NCUA.

It seems quite clear that any potential risks in the CUSO world can be appropriately mitigated through the existing NCUA authority over the credit unions that own CUSOs and the new CUSO rule (even with its questionable legal authority). Direct regulatory and examination authority over CUSOs will only result in more regulatory costs, significant increased supervisory burden and a less vibrant and dynamic CUSO marketplace.

WHY DOES NCUA SEEK THIS AUTHORITY?

Although we are admittedly quite concerned about the potential ramifications of unlimited NCUA vendor authority and have long opposed it on grounds of it being an unnecessary extension of the authority of an agency designed specifically to regulate credit unions and credit unions alone, we do not ascribe devious motives to those who propose this authority.

Under balanced agency leadership and appropriate congressional oversight, this authority – for example, if limited to those vendors with actual access to credit union member data, thus creating a cyber security vulnerability – would not necessarily be a worst-case scenario. However, with no assurance of balanced agency leadership or appropriate congressional oversight, there is no protection from a worst-case scenario if Congress ever grants NCUA unlimited vendor authority.

Without question, it would undoubtedly be more efficient for NCUA’s experts in IT to go on site at Fiserv or Jack Henry to learn the intricacies of their systems without having to ask the same questions at the hundreds of credit unions who use the core processing systems of these industry leaders. And, if numerous complaints come forward about a particular broker-dealer from some credit unions doing business with the firm, it might protect other credit unions if NCUA could examine that one broker-dealer and save all of the clients some headaches.  So, it is not fair to say that there are no positives in a tightly restricted approach to vendor regulatory and examination authority.

However, when the potential negatives are factored in, the thought of unbridled vendor authority in the hands of an activist chairman with a restrictive industry agenda that is negative toward credit union growth and would like to slow down third-party vendors from providing growth-oriented solutions to credit unions can make an industry shudder.

Sure, there may be some efficiencies for NCUA in limited vendor authority specifically for vendor accessing member data for cyber protection purposes. However, that is not what NCUA is asking for.

NCUA is asking for unlimited vendor authority, and the new legislation proposed by Chairwoman Waters does not include any restrictions other that what the NCUA Board defines as a vendor.

We have to realize that there are times when the small amount of good that could come from a new Pisa mayor having the intention to shore up the town’s tower and, with a solution in search of a problem, finds its action resulting in huge amount of damage that could come if the crew goes too far, destroys the foundation and turns the Leaning Tower from a major tourist attraction to the ruins of a once great wonder.

There are enough safety and soundness issues for NCUA to focus upon in the credit union industry as a whole for them to have their agency attention diverted by implementing an examination program for every type of business that serves those credit unions as a vendor.

In fact, there has never been a cited case by NCUA of credit unions failing to provide information about their vendor relationships when questioned by a NCUA examiner. Again, like straightening the leaning town in Pisa, this seems to be a solution in search of a problem.

DO OTHER FINANCIAL REGULATORS HAVE VENDOR REGULATORY AUTHORITY?

As stated earlier, the FDIC has vendor examination authority through its regulatory oversight of holding companies for vendors offering “essentially banking services” under contract. OCC has restricted vendor authority for those vendors offering bank-like services as well, much of which they have restricted themselves through regulation and their own established operational procedures, over certain types of vendors such as core processors.

No federal regulatory agency has unfettered statutory authority over vendors as NCUA is asking for. The reason is simple – expertise.

Financial institution regulators know financial institutions. They don’t have expertise in insurance, brokerage, marketing, human resources, check printing, ATM switches and other fields that their regulated institutions contract with for support and products.

There are state insurance regulators, the SEC, the FTC, state consumer protection agencies and others that handle abuses in those areas. Financial regulators have historically stayed in their area of expertise. When they need information on areas impacting their regulated institutions from those in other fields, they cooperate with the appropriate regulatory authorities or demand the information from their regulated – who are normally willing to get the information from their contracted partners in order to satisfy their regulators.

In short, there have been few, if any, financial regulators that have been unable to take necessary safety and soundness actions regarding their regulated institutions because they are being stonewalled by a vendor who will not provide needed information to the regulated credit union when the regulator asks for it from the bank or credit union they regulate.

Vendor examination authority is, frankly, unnecessary for financial institution safety and soundness regulation. The greater fear (and the reason why FDIC and OCC have limited their use of their own authority) is that the regulatory agency might have to defend itself from being charged as potentially liable in some way for a FI losing money to a bad broker-dealer or a data breach from a non-compliant core processor because they did not adequately examine and therefore prevent their regulated from doing business with those guys.

It is a sticky wicket that most financial regulators are very careful in how they use. For some reason, despite this fact, NCUA is seeking this authority without limitations.  They may not know exactly what they are asking for because, if they lack the expertise to effectively supervise and examine all credit union vendors, they would best be served by having no regulatory authority (or potential liability) over any of them.

DIDN’T YOU SAY NCUA HAD VENDOR AUTHORITY AT ONE TIME?

Interesting question that we happen to know a lot about since we were on the front lines. Yes, NCUA was provided with temporary and limited vendor examination authority in 1999 that expired in 2001. It was not renewed by Congress and allowed to expire.

What was the reason for a temporary extension of this expanded and limited authority and then to allow it to expire? The answer – Y2K.

And the authority was limited to Y2K related technological issues and vendors.

I mentioned this earlier in the Client Update, but here is the complete behind-the-scenes story. While serving on the NCUA Board during the chairmanship of Norman D’Amours, I was approached by Chairman D’Amours and Board Member Yolanda Wheat (who hardly ever agreed on anything) and asked to join them in going to Congress to ask for vendor examination authority because it would make it much easier for the agency to examine all core processors for Y2K compliance than to examine every credit union that utilized their processing product.

My two Democrat colleagues needed my support because I was a Republican, the GOP controlled both houses of Congress and the Senate Majority Leader Trent Lott was from my home state and in a position to either make or break their legislative proposal.

My relationship with Rep. Spencer Bachus (R-AL), then a good friend somewhat suspicious of NCUA and until just a few years ago my congressman here in Birmingham, also came into play.  Rep. Bachus was chairman of the Subcommittee on Financial Institutions in the House Financial Services Committee at that that. Let’s just say that, with these strategic supporters, it is quite possible that Board Member Dollar was very likely in a position to stop the bill in either the Senate, the House or both if I chose to do so.

Even though I was extremely concerned about the reasons I have cited herein whereby unrestricted vendor authority could lead long after Y2K was behind us, I recognized that the ability to examine core processors could greatly enhance the agency’s ability to ensure Y2K compliance with the most efficiency and fewest additional staff.

I agreed not to oppose and to support their request with Majority Leader Lott and Chairman Bachus if, an only if, the authority was passed with a “sunset” provision which would cause the authority to expire at the end of 2001 if Congress did not act to extend the authority. My colleagues wanted the authority so badly that they accepted the agreement, certain that Congress would reauthorize the vendor authority before 2001 expired. From my perspective, my hope was that a new GOP president – if elected in 2000 – might elevate me to the chairmanship and put me in a position to keep that from happening.

We all know the history. When President Bush was elected in 2000 and elevated me to the NCUA chairmanship in 2001, vendor authority was dead. When the GOP Congress contacted me about whether they should reauthorize NCUA’s vendor regulatory authority, my response on behalf of the agency was that we needed that authority only to ensure Y2K compliance. It had served its purpose.

However, now that Y2K was over, we saw no additional need for the authority. With no push from the agency because the chairman (who is the official spokesperson for the agency) had said it was not needed indefinitely, NCUA vendor regulatory authority expired. It has not been reauthorized since that time even though every Chairman since I left NCUA that has formally asked Congress for the authority. Thus far, no go.

This is interesting behind-the-scenes history, but it has not quenched the desire of NCUA for this authority.

Claiming that they had the authority at one time and handled it responsibly, NCUA pushed all the harder for this expanded authority in the 2008-2012 tough economic climate in which regulators being “asleep at the switch” were blamed for some of the financial crisis problems.

However, even with the financial crisis as a backdrop, Congress did not grant NCUA their request for unlimited vendor authority. It has still not been approved by Congress despite these ongoing efforts.

In recent years, the latest reason cited most often for asking for unlimited vendor authority is to protect against cyber security threats.

Folks, as long as there is NCUA wanting to expand the agency’s authority in an era where the diminishing number of credit unions is putting the agency in some political jeopardy of consolidation, the effort to secure vendor authority by NCUA will not go away. It can only continue to be defeated if the industry determines that the expansion of regulatory authority is unwarranted and will serve to stifle the innovation needed to keep the industry competitive in a rapidly changing marketplace.

Vendor authority for NCUA is never dead if the agency continues to push it and if there are members of Congress who believe additional financial industry regulation is a good thing.

Therefore, if NCUA vendor authority is not considered a big enough issue for the industry to expend political capital to defeat, the agency will prevail because it sounds innocuous and other agencies have something similar.  The dangers of where such authority can creep or leap in the future is seldom discussed when such crisis-promoted regulation is put into place. Only the industry can raise that issue and engage in a strong advocacy campaign in Congress to defeat vendor examination authority.

CUNA and NAFCU were both against vendor authority at points in the past. As stated earlier, CUNA is now open to what they would prefer to be more limited vendor authority. NAFCU continues to strongly oppose it. And, as stated earlier, NACUSO, the National Association of CUSOs, has perhaps been the most vocal and effective trade association in leading the fight against unlimited vendor authority. They have taken the issue directly to Congress itself with a well-constructed argument about the potential damage that such an extension of agency authority could generate for credit unions and CUSOs alike. And they have had great response on both sides of the aisle.

NACUSO and NAFCU may together be able to stop this legislation if they can generate enough credit union industry opposition to bring congressmen and senators from both parties to hear their concerns.

But the challenge is perhaps at its toughest at this point with Chairwoman Waters leading the charge.

Let’s look at some of the pros and cons you will hear about this issue should as it continues to develop.

WHY WOULD NCUA VENDOR AUTHORITY BE A GOOD IDEA FOR CREDIT UNIONS?

It is hard to come up with much good, frankly, that would come from this extensive extension of agency authority.  But, in fairness, NCUA wants it badly. So I will do my best to fairly express their reasons why they feel it is so crucial to their mission.

They maintain it would put them on an equitable par with other federal banking regulators like FDIC and OCC who have this authority – although the other regulators have vendor authority that is limited in scope.

NCUA also maintains that they can be more effective and efficient if they can examine one vendor rather than fifty credit unions that utilize the vendor’s services or products.

Therefore, it perhaps could be argued that if credit unions could negotiate support or opposition in Congress to vendor authority with the agency in return for some other issue where the agency could make the pivotal difference by successfully weighing in with their influence with Congress – such as a major FOM expansion (not tinkering around the edges) or supplemental capital authority for all credit unions – some credit unions might be willing to accept the downside of vendor authority for the upside of broader FOM authority or capital modernization.

Of course, it would be hard to assure that both will happen if one is passed and the other has to wait. This would be an extremely difficult and delicate quid pro quo.   In our opinion, such an agreement could never be reached in a manner that would satisfy Congress, credit unions and NCUA. Therefore, we believe using vendor authority as a negotiating tool is frankly a stretch considerably beyond reasonable, but some might be willing to try such a negotiation since anything is possible in Washington.  We have found few credit union leaders who truly believe this scenario can or is likely to take place.

The other reason NCUA vendor authority might be a good thing for credit unions is that some examination issues could conceivably be easier to deal with for credit unions if the agency has already gone into several of the credit union’s vendors and been satisfied as to their operations and financial position.

Of course, as we will discuss in the following sections, NCUA can already get vendor exam reports from the FDIC and OCC through the exam sharing of the FFIEC. Therefore, if the argument is addressing a vendor concern at a credit union whose vendor also services banks (as most that access member data do) in order to more effectively address a supervisory issue, asking for a copy of another agency’s vendor exam report is much more efficient than going out and doing NCUA’s own exam.

Also, while talking efficiency such as NCUA often does when it asks for unlimited vendor authority, let’s recognize that the agency will need to hire a significant number of subject matter experts in the areas of vendor management in order to achieve the efficiency and effectiveness they claim will come with their ability to regulate, supervise and exam every vendor that does business with a credit union.

And, even if it is not utilized to justify an increase in the agency budget in the short term, what is there to assure that a this or a future NCUA Chairman may not use this authority as a justification for a major agency personnel or budget expansion in the future that all credit unions will have to pony up to pay for.

In fact, what would the size of the agency have to be to sustain a full-fledged comprehensive vendor examination program nationwide?

All of these are questions that should be answered before the industry buys any argument that such authority will be good for credit unions because it will lead to a more efficient NCUA.

WHY WOULD NCUA UNLIMITED VENDOR AUTHORITY BE A BAD IDEA FOR CREDIT UNIONS?

NCUA will be a larger agency with more staff and a much, much higher budget if it becomes a supervisor and examiner of any entities other than credit unions. Credit unions will pay for the expanded agency with higher fees on federal credit unions and larger overhead transfers from the NCUSIF to finance the agency.

Even though NCUA has implemented a “review” process of CUSOs under the 2013 CUSO rule, the biggest change that this unlimited vendor authority being granted by Congress would bring for CUSOs is that they will now be directly regulated and supervised.

I have asked the following question before in a speech to CUSO audiences. What is a regulatory agency “review”? The answer is: an examination that the agency does not have the authority to conduct but does anyway.

Direct regulation of CUSO could hamper development of the segment of the credit union industry that has driven some of its most innovative products, services, and delivery systems. The income credit unions earn from the success of their CUSOs will certainly be impacted by increased regulatory compliance costs and likely impacted by the dilatory impact of “what will the NCUA examiners think” decisions becoming part of the process on every new CUSO collaborative innovation, essentially putting the regulator in the driver’s seat on decisions that rightly should be left to credit unions and CUSOs.

Some vendors will avoid the credit union space rather than face potential regulation, supervision, and examinations. While core processors have faced FDIC and OCC exams for years and endured them successfully, there are some investment advisors, broker-dealers, insurance companies, advertising agencies, consulting firms and other vendors that might elect to offer their products and services in other industries if they were to face an overly aggressive NCUA that attempted to drive their business model through an onerous examination process.

A credit union’s vendors could become a leverage point in a credit union’s examination issues. A DOR could become a LUA if the agency elects to go beyond the credit union’s operations and begin to pry into its vendor relationships. Vendors could hurt their credit union customer’s case by failing to cooperate to the agency’s satisfaction or could even be pressured into providing negative information about the credit union to NCUA in order to get them off of the vendor’s back. The likelihood of such abuse would be described by its agency supporters as totally farfetched; however, without restrictions, it is not outside the realm of the possible.

Vendor products and services will cost credit unions more because the examination and supervisory costs the vendors will face from NCUA will be passed on to the customer – the credit union. Sure, there have been instances where an occasional indirect lending company or a broker-dealer needed to be reigned in. And NCUA has reigned them in with their existing authority.

But to indict all credit union vendors as in need of supervision and examination by the agency that regulates their credit union customers is out of bounds.  NCUA has brought down credit union vendors with their existing authority over credit unions. Additional authority is overkill that could be used as harassment at worst and costly regulatory burden at best.

Liability for vendors who are bad actors now becomes partially an NCUA issue.  What credit union attorney would not include in a legal action a detrimental reliance claim that the credit union believed the broker-dealer was okay or the core processor was compliant because NCUA has authority over them and should have caught them if they were not.

It’s hard to accept the examination authority and then claim that due diligence is solely a credit union’s responsibility before they contract with a vendor. I would expect countless Freedom of Information Act requests by credit unions for copies of NCUA exam reports on vendors the credit union is considering. What should the credit union infer from a good exam…a bad exam…or no exam??

The world of credit union vendors is extensive. As stated previously, NCUA would become the FTC of the credit union industry. Granting vendor regulatory authority to NCUA would extend the agency’s arm beyond the 5000 federally insured credit unions to the over 45,000 estimated companies and organizations that serve them. The potential impact is huge. So will be the agency attempting to implement this authority.

HAS THERE BEEN ANY SUPPORT FOR NCUA BEING GRANTED VENDOR AUTHORITY OUTSIDE THE AGENCY ITSELF? 

Very little. The support base for NCUA unlimited vendor authority is pretty much limited to its headquarters on Duke Street in Alexandria, Virginia. Even the IG report issued last year supporting the need for vendor authority was from NCUA’s own Inspector General, not that of some agency independent of NCUA.

The primary outside source the agency has offered in the past to push its vendor authority agenda is the General Accounting Office (GAO), the auditing arm of Congress, which issued a report in 2015 on cyber security challenges for all federal financial regulatory agencies.

This GAO report, highly touted by NCUA, focused on the cyber security issue and included in its recommendation to Congress that NCUA be granted vendor authority over technology vendors. Note – it was not recommended by GAO for NCUA to have unlimited vendor authority. It was only recommended to be considered for technology vendors – in other words, those vendors that directly access member data.

Therefore, it is quite possible that the GAO report, even as NCUA hailed it at the time as a victory for the agency’s demand for unlimited vendor authority, actually hurts the NCUA’s case when it goes to Congress waving the report as third party corroboration of their need for vendor authority – which all credit unions recognize is little more than a justification for a continued large and expanding agency when the number of regulated and insured credit unions are dramatically falling at an average of one merger per business day.

By the time the end-of-year 2025 rolls around, industry projections are that there will be approximately 4000 federally insured credit unions remaining. That is down from around 12,500 only fifteen years ago. To continue as an agency of its size and a staff with its considerable benefits as a result of a very advantageous labor agreement between the public employees union at NCUA and the agency’s current leadership, NCUA must find something to do beyond merely regulating and examining credit unions. Hence the push for CUSO regulation (of which the agency had questionable authority when it passed the 2013 CUSO rule) and its much more far-reaching cousin unlimited vendor authority.

But we digress. Back to the GAO report findings and recommendations.

Even though NCUA is making a case for unlimited regulatory and supervisory authority over all third-party credit union vendors from the core processor to the cleaning crew at the branch, it is important to note that the GAO report did not recommend unlimited vendor authority for NCUA.

In fact, the GAO was very specific that its recommendation was for NCUA to have vendor authority specifically over technology vendors. Very restricted.

The GAO did not buy the case, certainly being pushed by NCUA to the GAO when they were interviewed for the report, that the agency had any compelling reason to have unlimited regulatory and examination authority over all credit union vendors.

Believe me, the GAO is never shy about its recommendations. If they had felt NCUA needed unrestricted vendor authority, that would have been the GAO recommendation.

The GAO tailored its recommendation very carefully to vendor authority over technology vendors only.

This is important because NCUA is basing its entire case for the need of unlimited vendor authority on the issue of cyber security. They do not mention just how far reaching this requested authority would be over every other type of vendors and how it could be abused by examiners creating reputation risk for credit unions when their local vendors are visited by a NCUA examiner with demand letter authority.

Congress and the Administration should be quite suspicious during a time of worldwide pandemic of requests for permanent unlimited regulatory and examination authority by any federal agency. If there is a legitimate desire beyond lip service to any type of governmental efficiency, Congress should try to avoid duplication of agency authority that forces small business to face bureaucratic burden from multiple agencies asking for the same information over and over at considerable cost to the business. Particularly in the COVID era where people need red tape removed to get the economy rolling again, not wrapped around another level.

Here is where NCUA has a problem. While NCUA currently lacks authority to examine technology vendors, the FDIC and OCC do not. Neither does the Federal Reserve. And all three of those agencies sit on the Federal Financial Institutions Examination Council (FFIEC) with NCUA.

The statutory purpose of the FFIEC is to coordinate examination findings and approach in the name of consistency and to avoid duplication. The entire concept behind the FFIEC is that NCUA should be able to request the results of an examination of a core processor from either the FDIC or OCC without having to send another exam team from NCUA to look at the same firewalls and security protections.

However, rather than asking for a copy of the most recent FDIC or OCC examination of Fiserv or Jack Henry, NCUA wants to go into Fiserv with another examination team, spend several months on site and likely duplicate the findings of the FDIC or OCC when they went it.  What is the likelihood that six examiners from NCUA are going to find a major cyber security risk that the FDIC and OCC examiners did not find? Little to none.

The GAO report, because it limits its recommendation of NCUA vendor authority to technology firms, actually gives Congress ammunition to oppose unlimited vendor authority to NCUA and to encourage them to use the FFIEC to gain access to the examinations of major technology companies already being examined by FDIC and OCC.

Most of the leading technology firms (admittedly, not all but certainly most of the larger players) in the financial services industry sell their products to both banks and credit unions. They are already examined by other FFIEC agencies. NCUA, as a member of FFIEC, has every right to request copies of those examination and they will be delivered within a day. That is what the FFIEC is all about, avoiding duplication and sharing in the examination process of financial institutions.

It is going to be a tough sell for NCUA to go before a congressional hearing and present the GAO report’s recommendation for very limited and specific vendor authority and then ask for unlimited and unrestricted vendor authority. So they are unlikely to mention it. Or, if they do, it will be selectively referenced.

And it would be equally tough to go before the committee and state a willingness to settle for what the GAO recommends (with a “get a foot in the door” strategy of just asking for authority over technology vendors) when NCUA already has access to the overwhelming majority of those examinations through the FFIEC.

Yes, NCUA will continue to push for unrestricted vendor authority. And, yes, credit unions will rightfully oppose it because of how it could be abused over the years. Certainly, any reasonable credit union vendor will oppose it for the obvious reason of avoiding unnecessary regulatory burden.

What will Congress do now that there is a bill before them? That is the million-dollar question. (Or, in the case of its impact on future NCUA budgets, the hundreds of million dollars question.)

My prediction is that credit unions and their vendors prevail on this issue and that NCUA goes home from Congress with empty hands again in 2021 as they have every other time they have gone to Congress since the 1990s asking for this unrestricted authority.

But never say never when it comes to Congress. Stranger things have happened.

And with Chairman Harper’s Democrats in charge of the House and Senate, the odds are greater than ever.

However, if it happens, it will not be because of some IG or GAO report that NCUA is currently touting with a cybersecurity focus. If anything, these reports’ recommendations make the agency’s sales pitch much tougher for Congress to swallow.

If unlimited NCUA vendor authority comes out of this legislation in 2021, it will be because credit unions and their trade associations, leagues and representatives did not take the issue seriously enough to let their congressmen and senators know about the downsides of the legislation.

WHAT SHOULD CREDIT UNIONS, CUSOs OR VENDORS DO IF THEY WANT TO SUPPORT OR OPPOSE UNLIMITED VENDOR AUTHORITY FOR NCUA?

This issue cannot be settled in the NCUA Headquarters in Alexandria. Vendor regulatory and examination authority for NCUA can only be granted by an act of the US Congress, signed into law by the President of the United States. The outcome of the vendor authority issue will rest with the advocacy efforts, or the lack thereof, by America’s credit unions.

Is this an issue that concerns credit unions enough to utilize some of the industry’s political capital on the Hill to stop? Or is it a fight not worth bleeding for? The trade associations, leagues, CUSOs, credit unions and, frankly, the vendor community will have to weigh the issue and determine what the cost/benefit analysis will say about spending capital – both political and financial – to stop this legislation.

As stated earlier, if credit unions are not prioritizing their efforts to stop the legislation, Congress is more likely to follow the lead of the agency responsible for safety and soundness of the credit union industry – whether the additional authority is needed or not.

Our history with the issue makes us quite concerned about where it could lead, should it ever be enacted.

And, since it seems that NCUA is going to continue to revive this issue every couple of years until they get the authority they seek, it is our hope that this Client Update helps you better understand the issue and position you to better make your decisions about where you stand on NCUA vendor authority as a credit union leader.

It should also help you at least be informed and perhaps involved about the issue to the point where you can get involved in advocacy efforts to help defeat, pass or refine the legislation that is now before the Congress.

Please do not hesitate to contact us if you need additional information or insights into this issue. As always, we are here to assist you on this or any other matter of importance to you.

Until next time.