SENATE BILL INTRODUCED TO GRANT VENDOR EXAMINATION AUTHORITY FOR NCUA OVER ALL CREDIT UNION VENDORS
Wednesday, August 3, 2022
Several weeks ago we alerted you to the action in the US House of Representatives to include an amendment to the National Defense Authorization Act (NDAA) to provide for NCUA’s long-yearned-for authority to go on site and examine any business (vendor) that your credit union has a contract with.
Quite a few of you wrote letters or sent emails to your US Senators in opposition to the vendor authority amendment being added to the NDAA.
Well, there is now a new development in that three United States Senators (Senator Jon Ossoff – D-GA; Senator Mark Warner – D-VA; and Senator Cynthia Lummis – R-WY) have today introduced a separate NCUA vendor authority bill at the request of NCUA.
S 4698 is basically a wholesale vendor examination authority bill without some of the few restrictions (must consult with the FFIEC first before initiating an exam of a credit union vendor) that were included in the NDAA amendment which passed the House on a 329-101 vote two weeks ago.
So, here’s the status on the issue in the Senate.
NCUA is making some progress with their push for unlimited vendor authority. Chairman Todd Harper is utilizing every political chit he has from his 25-plus years in Democrat circles on Capitol Hill and is getting some traction.
The question is whether either the NDAA amendment with its limitations or the virtually unlimited vendor authority language of S 4698 gets any Republican support.
In a 50-50 Senate, no bill can pass without the 60 votes it takes to end a filibuster. Therefore, either the NDAA vendor authority language or the S 4698 language is going to need at least ten Republicans to go along with the 50 Democrats – provided all Democrats support this unprecedented expansion of NCUA authority without limitations on what type of vendors they can examine and how extensive the examinations can be.
Nothing is likely to happen until September 2022. Then the NDAA will be voted upon. Perhaps the House amendment is kept in the bill. Perhaps the S 4698 language is substituted for the House amendment. Or perhaps there is not enough support in the Senate for the vendor authority language to make its way into law at all in 2022.
But the issue remains very much alive. And many credit unions (in fact, I know of none who feel the ability of NCUA to examine their national and local vendors simply because they do business with a credit union is good public policy) are quite concerned.
NACUSO and NAFCU are leading a significant effort in the Senate to try to stop vendor authority or, at least, to further restrict the vendor authority language if it does survive.
It will be an interesting battle in the Senate because not only are credit unions almost unanimously against it out of concern over the potential for abuse as well as the cost of this new authority to the NCUA that credit unions support through their exam fees and NCUSIF overhead transfer, but there does not seem to be any support for vendor authority other than from NCUA itself.
Does NCUA have enough stick to get such a major expansion of agency authority through Congress? If so, it is a major victory for NCUA as an agency – and for Chairman Harper in particular – to defeat the industry on such a far-reaching piece of legislation.
The primary credit union concern, as stated above, is about how far the agency could go in examining credit union vendors. Will they stay limited to national vendors with direct access to member data which would be the focused approach if cyber security is the true reason NCUA wants the authority?
Or will they use their examination authority over vendors to show up on the doorstep of local vendors when a credit union pushes back against a DOR or LUA and begin asking for copies of financial reports from the local business because they do business?
Is vendor authority a hammer that can make every contract or vendor relationship a nail?
With the number of credit unions now down below 5000, there are some critics of this requested authority who have stated their belief that it is an attempt to increase regulatory and supervisory authority over businesses other than credit unions in order to keep building an agency that once regulated and examined 15,000 credit unions with a smaller staff than they have today.
As we stated in our last Client Update on this issue, whether you agree with these concerns or feel they are overstated, recognize that NCUA has been pushing for unlimited vendor authority for over twenty years. They want it somewhat as a matter of regulatory agency jealousy because FDIC and OCC have a more limited version of vendor authority. (Interestingly, NCUA as a member of the FFIEC can access FDIC and OCC exams of vendors that serve banks and credit unions anyway.) But, up until now, they have never even gotten a committee vote on their request.
Well, now they have their House approval with the NDAA amendment. They have a Senate bill introduced. They have not gotten this far in over twenty years and are going to push this harder than ever before in hopes of action in 2022.
If you have reservations about the significant grant of agency examination authority to your regulator and/or insurer, it would be important for you to contact your Senators in August to let them know of your concerns.
Either the NDAA amendment or S 4698 will likely pass if there is no opposition and the only lobbyists that the Senators hear from are those representing NCUA. Vendor authority for NCUA could well happen if the agency’s advocacy is stronger than the industry’s.
So a strong outpouring of concern from credit unions, CUSOs, trade associations and small businesses could very easily sink the NDAA amendment as the Senate is going to be suspicious of so many questionably non-defense related amendments being added to a bill that is intended to make the nation’s defense stronger and more robust.
And the far-reaching and non-restricted language of S 4698 could be a tough pill for 60 senators to swallow if they become concerned about the ability of NCUA examiners to go into your local lawn contractor or check printer because they don’t like how you responded to their last exam finding.
A large number of credit unions are making those points.
So, as we offered in our last Client Update on this subject, we offer below two template approaches to your letters to your US Senators from your state if you wish to write them or send a message through their website portals.
Feel free to cut and paste these comments or edit them to fit your own thoughts.
First, if your Senator is a Republican, we have found that the most effective approach would be along the lines of the following:
On behalf of ABC Credit Union, I would like to express our concerns about S 4698 and Section 5403 of the National Defense Authorization Act (NDAA) to grant unlimited examination authority to the National Credit Union Administration (NCUA) over any and all businesses that contract with or provide products/services to federally insured credit unions.
This significant agency authority expansion would increase the size of NCUA as an agency because they lack the expertise to examine every type of vendor that does business with a credit union, thus demanding more exam fees and share insurance fund dollars through the overhead transfer to hire the staff and provide the training for this dramatic increase in agency authority.
Likewise, we are concerned about the possibility that such unlimited authority to examine any credit union vendor could result in overreach far beyond the national core processors that have direct access to member data and extend those examinations to local vendors that provide services and products to a credit union on a day-to-day basis. We see considerable reputation risk to our credit union if the NCUA is authorized to show up and ask for financial statements from local companies simply because they do business with our credit union.
Lastly, we submit that NCUA can already obtain access to exams of the national core processing firms – which are the types of vendors with direct access to member data most often cited by NCUA in requesting this expanded agency authority in the name of cyber security – from other federal financial regulatory agencies that already conduct such exams.
As a member of the Federal Financial Institutions Examination Council (FFIEC), NCUA can request exam reports from other FFIEC agencies that conduct exams already of the larger core processors of which most serve banks and credit unions. It is duplicative to believe a separate NCUA examination is going to provide more data security than the exams already taking place with FDIC, the OCC and the Federal Reserve.
We encourage you to defeat S 4698 and remove Section 5403 from the NDAA when it comes to the Senate. This is an unnecessary, unjustified and unrelated expansion of federal agency authority that is not good public policy.
Thank you for your consideration.
Now, if your Senator is a Democrat, we have found that the most effective approach would be along the lines of the following:
On behalf of ABC Credit Union, I would like to express our concerns about S 4698 and Section 5403 of the National Defense Authorization Act (NDAA) to grant unlimited examination authority to the National Credit Union Administration (NCUA) over any and all businesses that contract with or provide products/services to federally insured credit unions.
Despite the concerns about cyber security that have been presented as a justification for this amendment, we are concerned about the possibility that such unlimited authority to examine any credit union vendor could result in overreach far beyond the national core processors that have direct access to member data and extend those examinations to local vendors that provide services and products to a credit union on a day-to-day basis. We see considerable reputation risk to our credit union if the NCUA is authorized to show up and ask for financial statements from local companies simply because they do business with our credit union.
This authority, if it were to be granted at all and we do not believe that it should be, would be much more targeted to cyber security if it were limited to those national vendors with direct access to member data.
In fact, we submit that NCUA can already obtain access to exams of the national core processing firms – which again are the types of vendors with direct access to member data most often cited by NCUA in requesting this expanded agency authority in the name of cyber security – from other federal financial regulatory agencies that already conduct such exams.
As a member of the Federal Financial Institutions Examination Council (FFIEC), NCUA can request exam reports from other FFIEC agencies that conduct exams already of the larger core processors of which most serve banks and credit unions. It is duplicative to believe a separate NCUA examination is going to provide more data security than the exams already taking place with FDIC, the OCC and the Federal Reserve.
We encourage you to defeat S 4698 and remove Section 5403 from the NDAA when it comes to the Senate. This is, in our view, an unnecessary, unjustified and unrelated expansion of federal agency authority that is not good public policy.
Thank you for your consideration.
As we have been, we will continue to monitor this issue for you. Please don’t hesitate to let us know if we can provide you with more information or be of support to your advocacy efforts on this issue.
Until next time.
Dennis Dollar