NCUA STEPS UP ITS PUSH IN CONGRESS FOR LEGISLATION THAT WOULD ALLOW NCUA UNLIMITED REGULATORY AND EXAMINATION AUTHORITY OVER ALL CREDIT UNION VENDORS

Wednesday, May 22, 2024

You may have read in last week’s credit union trade publications that four former NCUA Chairmen – Mike Fryzel, Deborah Matz, Rick Metsger and Mark McWatters – jointly signed a letter requested by current NCUA Chairman Todd Harper that called for Congress to consider favorably a long sought piece of legislation that has failed to pass a congressional vote on its own for twenty-plus years to grant NCUA dramatically expanded regulatory and examination authority over any vendor that does business with a federally chartered credit union.

I have great respect for my colleagues as former chairmen. They served effectively as chairmen and their views on NCUA vendor authority are totally consistent with the positions they took when they were at NCUA. I see nothing wrong with each of them continuing to maintain the position on this issue that they had as chairmen and to respond favorably to support the current NCUA Chairman in his efforts to revitalize this oft-defeated piece of legislation.

However, for the record, I likewise continue to take the position on unlimited NCUA vendor authority that I took while I was NCUA Chairman. I was against it then and remain opposed today.

Personally, I do not believe having the authority to examine every type of enterprise that does business with a credit union is within the scope or ability of NCUA as a federal agency charged with the safety and soundness of credit unions and credit unions alone.  That is the position I took as NCUA Chairman and that I still take today.

From my experience as a NCUA Chairman myself, I do not believe NCUA has the expertise to examine every type of business and that they should stick to what they do best – examining and making sure credit unions are safe and sound.

To get enough expertise to examine every type of entity that does business with a credit union would require a dramatic increase in the agency budget and be a major expansion of the agency’s authority. Credit unions are also very concerned about the potential overreach of utilizing the authority to force credit unions to take actions they might not otherwise need to take through coercion of their vendors.

Granting additional regulatory and examination authority to a federal agency to go beyond their congressionally mandated safety and soundness responsibilities is not, in my view, a good public policy decision.

NCUA has a stellar record in protecting the insurance fund and keeping credit unions a safe and sound contributor to the American economy and impacting positively the financial lives of over 120 million credit union members nationwide. In my view, that should remain their focus and not trying to become the Federal Trade Commission of the credit union industry.

One of the primary reasons NCUA has cited for desiring this expanded authority is to try to protect against cyber attacks through third party vendors. Cyber security is always a concern even though there are over forty federal agencies with cyber responsibilities today. I just cannot see how having one more agency expand its authority, budget and staffing to focus on cyber risks, which they have indicated is their primary reason for seeking the expanded authority, is going to make any real difference that the other forty agencies have not achieved.

NCUA already has authority over cyber security issues at credit unions, and they are correct to focus on cyber security at credit unions. There does not seem to be a need, in my view, to have NCUA examiners taking time from examining credit unions to go into data processors, check printers, advertising agencies, copier companies, lawn care companies and garbage disposal contractors.

Interestingly, NCUA as a member of the FFIEC can work with their fellow federal financial regulators to access information from their exams of the most impactful vendors that work with banks and credit unions such as core processors and credit card companies.

So, NCUA is not at all impotent in the cyber security risk arena as they can examine credit unions – their primary responsibility – and can access information through their fellow regulators on the largest vendors with direct access to member data.

NCUA has always coveted this expanded authority, and Congress – under control of both Democrats and Republicans – has not granted it for over twenty years of asking. The reason is simple. Congress does not easily and in a bipartisan manner expand regulator authorities without a compelling reason that cannot be accomplished within existing authority, particularly if it is to expand federal agency authority over private businesses and especially small businesses.

I have had the staff from members of Congress offices contact me since last week’s joint letter to ask why my signature was not on the letter, and I have told them the same thing I did when I opposed vendor authority as NCUA Chairman.

I believe unlimited vendor authority will take the agency away from its primary safety and soundness focus, will have a dramatic upward impact on the NCUA budget, and has the potential to be abused against individual vendors of all sizes through examiner overreach. Moreover, the most important information comes from vendors that serve banks as well as credit unions and can therefore be gained cooperatively through partnership with other FFIEC agencies.

From those discussions and my interactions with members of Congress on this issue over recent years, I don’t personally think there is an appetite in Congress for expanding the authority so dramatically for a smaller agency like NCUA just because they’d like to have it. That could change, but Congress has been very consistent in its failure to even vote on expanded vendor authority for NCUA over the past twenty-five years.

Everyone is entitled to his or her own opinion on the vendor authority question, but the scope of federal agency authority is a major policy issue for Congress that they will take very seriously in such a closely divided environment. As stated above, from what I have learned in discussions with both congressional officials and staff over recent years about this issue, I think it’s going to be a tough sell in Congress.

But it is important that credit union leaders understand the issue and what all is involved in extending this additional authority to NCUA.

Several years ago when this issue was raised by a previous NCUA Chairman before Congress, I wrote a lengthy Client Update with the background on this issue and addressing all of the arguments pro and con.

Many of you have already read this previous Client Update and can stop right here if you don’t need a refresher. However, we have so many new credit union clients since I last went in-depth on vendor authority that I thought it might be beneficial for those who may not have studied the issue to have some additional perspective.

So below is a thorough (code word for lengthy) look at the NCUA vendor authority issue. I hope you find it beneficial in understanding the issue.

THE NCUA VENDOR REGULATORY AND EXAMINATION AUTHORITY ISSUE FROM AN OVERALL PHILOSOPHICAL PERSPECTIVE

Balanced regulation that guards against taking unnecessary risk but still allows management of necessary risk is the standard our industry should seek. Excessive regulation kills innovation and stymies investment in improved products and services.  Balanced regulation encourages the extension of necessary credit but requires the risk to be offset through proper underwriting and sufficient capital to cover losses. Excessive regulation paralyzes innovation and the extension of credit by making credit unions hesitant to take any risk other than that which is virtually no risk.

We need, as an industry, effective regulation to maintain our position as a trusted source for the American people to turn to in their search for financial self-sufficiency. However, over-regulation in the credit union industry can lead to weaker, not stronger credit unions. The inability to compete in the marketplace and to meet the needs of the consumer for available credit during an economic downturn can have more negative safety and soundness ramifications for credit unions than taking excessive risk. No margin, no mission.

There is a belief among many credit unions that NCUA has had a tendency over the years – interrupted by a few market-oriented chairmen of which former Chairman Hood and myself were two – to try to regulate our industry out of any potential crisis, rather than to empower the industry to grow itself with effective risk management out of the financial doldrums we find ourselves in.

One of the many indicators that continues to spur this belief is the seemingly never-ending efforts by NCUA asking Congress for expanded and unlimited regulatory authority over credit union vendors.

While this seemingly innocuous request might make sense to some based upon the credit union/vendor inter-relationships that are so common and the claim that the FDIC already has this authority over banking vendors, the reality is that this is a very complex issue with a number of potential ramifications that should be considered by credit unions, CUSOs, trade associations, leagues – as well as companies and organizations that provide products and services to credit unions.

In view of the post-financial crisis regulation that credit unions are still today operating under (see Dodd-Frank, even though the crisis is over by more than a decade and credit unions themselves as not-for-profit, member-owned financial cooperatives had nothing to do with causing it in the first place), any expansion of regulatory authority that is going to still be in place twenty or thirty years from now – particularly if justified by a crisis like COVID or cyber security that will certainly be replaced by another justification of crisis proportion and then another to follow that one in short order – should be viewed with some degree of skepticism by those who must deal with the consequences of the regulation.

Today’s crisis, whatever it may be, will always eventually pass. But, when it does, the laws, rules and regulations enacted in response to this crisis will still be on the books.  Remember that Dollar-ism that government regulation always creeps, often leaps but seldom retreats.

Whether you eventually believe that NCUA examination and regulatory authority over credit union vendors is good or bad policy, we want to make sure you recognize that it has great significance and will, if enacted, impact the credit union community for years to come.

VENDOR REGULATORY AUTHORITY FOR NCUA – LET’S LOOK IN DEPTH

As previously stated, other than during the Dollar administration at NCUA, every chairman since Norman D’Amours has requested Congress to expand NCUA’s regulatory and examination authority beyond that of credit unions and to the businesses who have a vendor relationship with a credit union. While Congress has never agreed to do so other than on a temporary and restricted basis during the Y2K period as a means to ensure compliance from core processors, the agency officially and strongly supports this expansion of their authority.

As it would basically transform NCUA from being exclusively a credit union regulator/insurer into what we referred to earlier as the substantial equivalent of the Federal Trade Commission of the entire credit union movement, those concerned about growth of NCUA as an agency and supervisory overreach during the current economic crisis should not lightly disregard this proposal as a “logical extension of a regulatory agency’s authority in these troubled times.” This proposal has been brought forward practically every year since 1993, troubled times or not.

The true purpose, while being promoted in the name of efficiency because the agency feels it is easier to examine a vendor than every credit union that utilizes the services of that vendor, is in actuality an attempt to do what regulatory agencies do – expand their authority, enhance their viability as an agency, validate their mandate, grow their budget and protect themselves from possible elimination or consolidation.

While almost none of us in credit union land would like to see NCUA split up or consolidated into one of the banking agencies, the best way to avoid such an outcome is for NCUA to be an effective credit union safety and soundness regulator and for credit unions to respond with safe and sound performance – not necessarily for NCUA to begin regulating and examining entities other than credit unions.

It is quite possible that the potential liability that would inevitably come from NCUA not having uncovered a problem at a broker/dealer, core processor or card servicer during a vendor examination poses a greater risk to NCUA’s future than its current role which is exclusively and rightly tied to the credit unions they regulate and/or insure.

WHAT IS UNLIMITED VENDOR REGULATORY AUTHORITY?

The vendor authority sought by NCUA has historically been the ability to promulgate regulations impacting and perform supervisory examinations at any company, organization, association, partnership, LLC or other entity that regularly conducts business with federally insured credit unions. This would involve the ability to establish rules for the credit union/vendor relationship and require vendors to allow NCUA access to financial data and on-site examinations for any entity that does business with credit unions and wishes to continue doing so – in the discretion of the NCUA.

The authority has never been requested to be limited in any way by the type of vendor (those with access to member information, for example, versus those that do not) or the purpose of the vendor’s relationship (a CPA firm, for example, versus a lawn service company). Therefore, their request has been and continues to be for unlimited authority to regulate and supervise any and all credit union vendors, in their discretion.

While the agency has stated often that it has no intention of intervening in the relationship between a credit union and a local printing company or advertising agency (and I believe the good intentions of the current NCUA leadership in this regard), the requested authority NCUA is seeking from Congress does not have those types of limits attached.

Unlimited vendor authority could be used to promulgate regulations and conduct examinations of marketing firms, core processors, check printers and processors, ATM networks, shared branching, insurance providers, bond providers, brokerage houses, consulting firms, statement processors, collection agencies, HVAC contractors, lawn service companies…the list is virtually endless.

Often justified by NCUA’s statement that the FDIC and OCC have similar authority over banking vendors, the reality is somewhat different. In fact, more than somewhat different.

The FDIC’s vendor authority is based upon the holding company structure of many banks and empowers FDIC’s ability to penetrate the holding company structure only as it relates to vendors that perform “essentially banking services” under contract. So is the OCC’s vendor authority limited in its scope of what type of vendors they can oversee.

The FDIC and OCC’s vendor authority is, therefore, not unlimited as is what NCUA is asking for. For the NCUA authority to be even remotely similar to the FDIC authority, it would have to be limited dramatically.

Interestingly, the NCUA is not the only regulatory agency in the financial services arena that does not have vendor authority, limited or unlimited. The Federal Housing Finance Board does not have vendor authority. The Farm Credit Administration does not have vendor authority.

So, NCUA is hardly alone with Congress telling them to “stick to their knitting” as it has done for the past twenty-plus years.   In other words, regulate and supervise credit unions. Keep them safe and sound.  Protect the taxpayers through a well-managed insurance fund.  You don’t need to increase your size, hire more staff and expand your authority to start examining every small business that works with a credit union. Keep your eye on the credit union ball.

WHO WOULD BE CONSIDERED VENDORS?

 The list in the previous section is just a starting point if Congress were to grant NCUA regulatory and examination authority over vendors in the form being requested by the agency. Let’s look at some of those examples and see where they take us.

Every credit union has bond coverage, property and casualty insurance and most offer credit life and credit disability. Therefore, insurance companies are vendors. It’s obvious that, from the scope of this proposed authority, supervisory examinations of TruStage (formerly CUNA Mutual), Mass Mutual and other insurance companies providing such services would be a virtual certainty – even though they are already regulated by state insurance regulators. They would certainly raise the question of what expertise NCUA has in the property and casualty insurance field, let alone in bonding decisions. But they could be subject to examinations from NCUA nonetheless. Might this drive some insurance companies away from credit union business?

Investment brokers, already regulated by the SEC, would now face the potential of an NCUA examination.  Would some of them drop credit union clients rather than face examinations? What about Velera (formerly Co-Op and PSCU), Origence (formerly CUDL), TMG, Harland, CU24 and almost every statement processor in America? These industry leaders wouldn’t drop credit unions because they are crucial to the success of their business model, but the impact and cost of regulation and supervisory examinations would certainly be passed on to their credit union customers.

What about America’s Credit Unions with the former service bureaus that CUNA and NAFCU offered before and after the merger? And certainly almost all of the state leagues offer service entities to their credit unions? Do these service organizations qualify as credit union vendors? Certainly. Could that present a convenient way for a regulator to attempt to cow a trade association’s position on one of the agency’s decisions? That would never happen NCUA says…but could it?

Every core processor from Fiserv to Jack Henry to Correlation and every ALM or HR module that is sold to interface with an open platform would then be subject to an NCUA examination. Would NCUA pre-approval be required before companies could enter the credit union market? How about before they unveil a new product? Could their next update be delayed because it hasn’t received NCUA clearance?

While it is unlikely that NCUA would use this authority to take on the credit union attorney or CPA firm and states its intention not to seek to examine hometown copier companies, building contractors, internet providers or lawn service firms, the possibility to do so would clearly exist under the proposed authority. It is unrestricted as proposed.

Such authority, although the agency says this would never happen, could be a strong leverage move by the agency if, for example, a credit union is challenging a NCUA supervisory action and suddenly finds its local vendors calling with “who are these NCUA guys and why do they want to see my financials?” Two weeks later a vendor finds that an NCUA examiner is coming to visit and a possible charge for an examination fee – either to the vendor or to the credit union – comes with him.

Talk about potential reputation risk in the local economy. When the local businesses with which your credit union does business begin to feel the pressure your regulator is hoping to extend to you, that’s when credit union talk around town hits a new level of risk.

Alarmist? Perhaps. Possible? There is nothing in the NCUA request for unlimited vendor regulatory and examination authority to prevent it. There are no rules currently promulgated, nor promised, to limit the authority as the FDIC authority is limited.

To extend NCUA authority to all credit union vendors would result in the largest expansion of the agency’s regulatory and examination powers in the history of the agency – a result which would bring about increased NCUA budgets for credit unions to fund and larger examination staffs for credit unions and their vendors to deal with.

 WOULD MY CUSO BE CONSIDERED A VENDOR AND NOW BE REGULATED?

 CUSOs are not currently directly examined by NCUA. That would change upon congressional approval of NCUA vendor authority. Almost every CUSO offers products to other credit unions – thus, they are a vendor.

Not only will there be fewer CUSOs following vendor authority because the cost of regulation and examination will drive away some CUSO investment, but there will be less innovation by CUSOs for fear that their next examination will bring NCUA concerns. Therefore, fewer new products and less return to the credit union owners of CUSOs. As much of credit union industry innovation comes through the collaborative power that CUSOs have generated, this will be a real and direct loss to the industry.

For any credit union with any ownership interest in a CUSO, the prospect of NCUA direct regulatory and examination authority over that CUSO as a credit union vendor should be reason enough to oppose any legislative action by Congress in this regard.

NCUA already has in place a CUSO rule adopted in 2013 with the authority to “review” CUSOs and to compile a data base on all CUSOs through a CUSO Registry. While some considered that action itself outside the scope of the agency’s statutory authority, it proceeded with the rule nonetheless.

In an effort to work with NCUA on the question, most CUSOs are cooperating fully (although somewhat begrudgingly since the required data and extent of “reviews” seem to get more extensive each year – again demonstrating regulatory and supervisory “creep”) with the new CUSO rule.

These CUSO reviews, however, are not enforceable by NCUA directly on the CUSO.  That is because they lack vendor authority – although the NCUA examiners doing these CUSO reviews have become pretty adept at forcing the credit union owners that they do indeed have authority over to put pressure on their CUSOs.

The ability to coerce credit union action through a CUSO ownership interest or vendor relationship is a real concern that I have had expressed to me by hundreds of my credit union clients.

There have been minimal documented cases of significant CUSO losses since 2013. Those losses before were limited to a small handful of credit unions and CUSOs, many of which stemmed from credit union (not CUSO) decisions that were already under the purview of NCUA.

It seems quite clear that any potential risks in the CUSO world can be appropriately mitigated through the existing NCUA authority over the credit unions that own CUSOs and the new CUSO rule (even with its questionable legal authority). Direct regulatory and examination authority over CUSOs will only result in more regulatory costs, significant increased supervisory burden and a less vibrant and dynamic CUSO marketplace.

WHY DOES NCUA SEEK THIS AUTHORITY?

 Although we are admittedly quite concerned about the potential ramifications of unlimited NCUA vendor authority and have long opposed it on grounds of it being an unnecessary extension of the authority of an agency designed specifically to regulate credit unions and credit unions alone, we do not ascribe devious motives to those who propose this authority.

Under balanced agency leadership and appropriate congressional oversight, this authority – for example, if limited to those vendors with actual access to credit union member data, thus creating a cyber security vulnerability – would not necessarily be a worst-case scenario. However, with no assurance of balanced agency leadership or appropriate congressional oversight, there is no protection from a worst-case scenario if Congress ever grants NCUA unlimited vendor authority.

Without question, it would undoubtedly be more efficient for NCUA’s experts in IT to go on site at Fiserv or Jack Henry to learn the intricacies of their systems without having to ask the same questions at the hundreds of credit unions who use the core processing systems of these industry leaders. And, if numerous complaints come forward about a particular broker-dealer from some credit unions doing business with the firm, it might protect other credit unions if NCUA could examine that one broker-dealer and save all of the clients some headaches.  So, it is not fair to say that there are no positives in a tightly restricted approach to vendor regulatory and examination authority.

However, when the potential negatives are factored in, the thought of unbridled vendor authority in the hands of an activist chairman with a restrictive industry agenda that is negative toward credit union growth and would like to slow down third-party vendors from providing growth-oriented solutions to credit unions can make an industry shudder.

Sure, there may be some efficiencies for NCUA in limited vendor authority specifically for vendors accessing member data for cyber protection purposes. However, that is not what NCUA is asking for.

We have to realize that there are times when the small amount of good that could come from an action is outweighed by the huge amount of damage it could cause. Picture a new Pisa mayor who, with a solution in search of a problem, intends to shore up the town’s tower, only for the crew to go too far, destroy the foundation and turn the Leaning Tower from a major tourist attraction into the ruins of a once great wonder.

There are enough safety and soundness issues for NCUA to focus upon in the credit union industry as a whole without having the agency’s attention diverted by implementing an examination program for every type of business that serves those credit unions as a vendor.

In fact, there has never been a cited case by NCUA of credit unions failing to provide information about their vendor relationships when questioned by a NCUA examiner. Again, like straightening the leaning tower in Pisa, this seems to be a solution in search of a problem.

DO OTHER FINANCIAL REGULATORS HAVE VENDOR REGULATORY AUTHORITY?

 As stated earlier, the FDIC has vendor examination authority through its regulatory oversight of holding companies for vendors offering “essentially banking services” under contract. OCC has restricted vendor authority for those vendors offering bank-like services as well, much of which they have restricted themselves through regulation and their own established operational procedures, over certain types of vendors such as core processors.

No federal regulatory agency has unfettered statutory authority over vendors as NCUA is asking for. The reason is simple – expertise.

Financial institution regulators know financial institutions. They don’t have expertise in insurance, brokerage, marketing, human resources, check printing, ATM switches and other fields that their regulated institutions contract with for support and products.

There are state insurance regulators, the SEC, the FTC, state consumer protection agencies and others that handle abuses in those areas. Financial regulators have historically stayed in their area of expertise. When they need information on areas impacting their regulated institutions from those in other fields, they cooperate with the appropriate regulatory authorities or demand the information from their regulated – who are normally willing to get the information from their contracted partners in order to satisfy their regulators.

In short, there have been few, if any, financial regulators that have been unable to take necessary safety and soundness actions regarding their regulated institutions because they are being stonewalled by a vendor who will not provide needed information to the regulated credit union when the regulator asks for it from the bank or credit union they regulate.

Vendor examination authority is, frankly, unnecessary for financial institution safety and soundness regulation. The greater fear (and the reason why FDIC and OCC have limited their use of their own authority) is that the regulatory agency might have to defend itself from being charged as potentially liable in some way for a FI losing money to a bad broker-dealer or a data breach from a non-compliant core processor because they did not adequately examine and therefore prevent their regulated from doing business with those guys.

It is a sticky wicket that most financial regulators are very careful in how they use. For some reason, despite this fact, NCUA is seeking this authority without limitations.  They may not know exactly what they are asking for because, if they lack the expertise to effectively supervise and examine all credit union vendors, they would best be served by having no regulatory authority (or potential liability) over any of them.

DIDN’T YOU SAY NCUA HAD VENDOR AUTHORITY AT ONE TIME?

Interesting question that we happen to know a lot about since we were on the front lines. Yes, NCUA was provided with temporary and limited vendor examination authority in 1999 that expired in 2001. It was not renewed by Congress and was allowed to expire.

What was the reason for a temporary extension of this expanded and limited authority and then to allow it to expire? The answer – Y2K.

And the authority was limited to Y2K related technological issues and vendors.

I mentioned this earlier in the Client Update, but here is the complete behind-the-scenes story. While serving on the NCUA Board during the chairmanship of Norman D’Amours, I was approached by Chairman D’Amours and Board Member Yolanda Wheat (who hardly ever agreed on anything) and asked to join them in going to Congress to ask for vendor examination authority because it would make it much easier for the agency to examine all core processors for Y2K compliance than to examine every credit union that utilized their processing product.

My two Democrat colleagues needed my support because I was a Republican, the GOP controlled both houses of Congress and the Senate Majority Leader Trent Lott was from my home state and in a position to either make or break their legislative proposal.

My relationship with Rep. Spencer Bachus (R-AL), then a good friend somewhat suspicious of NCUA and until just a few years ago my congressman here in Birmingham, also came into play. Rep. Bachus was chairman of the Subcommittee on Financial Institutions in the House Financial Services Committee at that time. Let’s just say that, with these strategic supporters, it is quite possible that Board Member Dollar was very likely in a position to stop the bill in either the Senate, the House or both if I chose to do so.

Even though I was extremely concerned, for the reasons I have cited herein, about where unrestricted vendor authority could lead long after Y2K was behind us, I recognized that the ability to examine core processors could greatly enhance the agency’s ability to ensure Y2K compliance with the most efficiency and fewest additional staff.

I agreed not to oppose and to support their request with Majority Leader Lott and Chairman Bachus if, and only if, the authority was passed with a “sunset” provision which would cause the authority to expire at the end of 2001 if Congress did not act to extend the authority. My colleagues wanted the authority so badly that they accepted the agreement, certain that Congress would reauthorize the vendor authority before 2001 expired. From my perspective, my hope was that a new GOP president – if elected in 2000 – might elevate me to the chairmanship and put me in a position to keep that from happening.

We all know the history. When President Bush was elected in 2000 and elevated me to the NCUA chairmanship in 2001, vendor authority was dead. When the GOP Congress contacted me about whether they should reauthorize NCUA’s vendor regulatory authority, my response on behalf of the agency was that we needed that authority only to ensure Y2K compliance. It had served its purpose.

However, now that Y2K was over, we saw no additional need for the authority. With no push from the agency because the chairman (who is the official spokesperson for the agency) had said it was not needed indefinitely, NCUA vendor regulatory authority expired. It has not been reauthorized since that time even though every Chairman since I left NCUA has formally asked Congress for the authority. Thus far, no go.

This is interesting behind-the-scenes history, but it has not quenched the desire of NCUA for this authority.

Claiming that they had the authority at one time and handled it responsibly, NCUA pushed all the harder for this expanded authority in the 2008-2012 tough economic climate in which regulators being “asleep at the switch” were blamed for some of the financial crisis problems.

However, even with the financial crisis as a backdrop, Congress did not grant NCUA their request for unlimited vendor authority. It has still not been approved by Congress for almost 25 years despite these ongoing efforts.

In recent years, the latest reason cited most often for asking for unlimited vendor authority is to protect against cyber security threats.

Folks, as long as there is an NCUA wanting to expand the agency’s authority in an era where the diminishing number of credit unions is putting the agency in some political jeopardy of consolidation, the effort to secure vendor authority by NCUA will not go away. It can only continue to be defeated if the industry determines that the expansion of regulatory authority is unwarranted and will serve to stifle the innovation needed to keep the industry competitive in a rapidly changing marketplace.

Vendor authority for NCUA is never dead if the agency continues to push it and if there are members of Congress who believe additional financial industry regulation is a good thing.

Therefore, if NCUA vendor authority is not considered a big enough issue for the industry to expend political capital to defeat, the agency will prevail because it sounds innocuous and other agencies have something similar.  The dangers of where such authority can creep or leap in the future are seldom discussed when such crisis-promoted regulation is put into place. Only the industry can raise that issue and engage in a strong advocacy campaign in Congress to defeat vendor examination authority.

CUNA and NAFCU were both against vendor authority at points in the past. America’s Credit Unions has now taken over the fight.  It has taken the issue directly to Congress itself with a well-constructed argument about the potential damage that such an extension of agency authority could generate for credit unions and CUSOs alike. And they have had great response on both sides of the aisle.

NACUSO has been the leader in the fight against vendor authority, and has been incredibly successful in heading it off every time it gets a little headway going.  NACUSO, with the strength of the newly combined America’s Credit Unions, should be able to stop this legislation if and when it ever gets introduced if they can generate enough credit union industry opposition to bring congressmen and senators from both parties to hear their concerns.

Let’s look at some of the pros and cons you will hear about this issue as it continues to develop.

WHY WOULD NCUA VENDOR AUTHORITY BE A GOOD IDEA FOR CREDIT UNIONS?

 It is hard to come up with much good, frankly, that would come from this extensive extension of agency authority.  But, in fairness, NCUA wants it badly. So I will do my best to fairly express their reasons why they feel it is so crucial to their mission.

They maintain it would put them on an equitable par with other federal banking regulators like FDIC and OCC who have this authority – although the other regulators have vendor authority that is limited in scope unlike the unlimited authority NCUA is asking for.

NCUA also maintains that they can be more effective and efficient if they can examine one vendor rather than fifty credit unions that utilize the vendor’s services or products.

Another reason NCUA vendor authority could be possibly considered by some a good thing for credit unions is that some examination issues could conceivably be easier to deal with for credit unions if the agency has already gone into several of the credit union’s vendors and been satisfied as to their operations and financial position.

Of course, as we will discuss in the following sections, NCUA can already get vendor exam reports from the FDIC and OCC through the exam sharing of the Federal Financial Institutions Examination Council (FFIEC). Therefore, if the argument is addressing a vendor concern at a credit union whose vendor also services banks (as most that access member data do) in order to more effectively address a supervisory issue, asking for a copy of another agency’s vendor exam report is much more efficient than going out and doing NCUA’s own exam.

Also, while talking efficiency such as NCUA often does when it asks for unlimited vendor authority, let’s recognize that the agency will need to hire a significant number of subject matter experts in the areas of vendor management in order to achieve the efficiency and effectiveness they claim will come with their ability to regulate, supervise and examine every vendor that does business with a credit union.

And, even if it is not utilized to justify an increase in the agency budget in the short term, what is there to assure that this or a future NCUA Chairman may not use this authority as a justification for a major agency personnel or budget expansion in the future that all credit unions will have to pony up to pay for?

In fact, what would the size of the agency have to be to sustain a full-fledged comprehensive vendor examination program nationwide?

All of these are questions that should be answered before the industry buys any argument that such authority will be good for credit unions because it will lead to a more efficient NCUA.

WHY WOULD NCUA UNLIMITED VENDOR AUTHORITY BE A BAD IDEA FOR CREDIT UNIONS?

NCUA will be a larger agency with more staff and a much, much higher budget if it becomes a supervisor and examiner of any entities other than credit unions. Credit unions will pay for the expanded agency with higher fees on federal credit unions and larger overhead transfers from the NCUSIF to finance the agency.

Even though NCUA has implemented a “review” process of CUSOs under the 2013 CUSO rule, the biggest change that this unlimited vendor authority being granted by Congress would bring for CUSOs is that they will now be directly regulated and supervised.

I have asked the following question before in a speech to CUSO audiences. What is a regulatory agency “review”? The answer is: an examination that the agency does not have the authority to conduct but does anyway.

Direct regulation of CUSOs could hamper development of the segment of the credit union industry that has driven some of its most innovative products, services, and delivery systems. The income credit unions earn from the success of their CUSOs will certainly be impacted by increased regulatory compliance costs and likely impacted by the dilatory impact of “what will the NCUA examiners think” decisions becoming part of the process on every new CUSO collaborative innovation, essentially putting the regulator in the driver’s seat on decisions that rightly should be left to credit unions and CUSOs.

Some vendors will avoid the credit union space rather than face potential regulation, supervision, and examinations. While core processors have faced FDIC and OCC exams for years and endured them successfully, there are some investment advisors, broker-dealers, insurance companies, advertising agencies, consulting firms and other vendors that might elect to offer their products and services in other industries if they were to face an overly aggressive NCUA that attempted to drive their business model through an onerous examination process.

A credit union’s vendors could become a leverage point in a credit union’s examination issues. A DOR could become a LUA if the agency elects to go beyond the credit union’s operations and begin to pry into its vendor relationships. Vendors could hurt their credit union customer’s case by failing to cooperate to the agency’s satisfaction or could even be pressured into providing negative information about the credit union to NCUA in order to get them off of the vendor’s back. The likelihood of such abuse would be described by its agency supporters as totally farfetched; however, without restrictions, it is not outside the realm of the possible.

Vendor products and services will cost credit unions more because the examination and supervisory costs the vendors will face from NCUA will be passed on to the customer – the credit union. Sure, there have been instances where an occasional indirect lending company or a broker-dealer needed to be reined in. And NCUA has reined them in with their existing authority.

But to indict all credit union vendors as in need of supervision and examination by the agency that regulates their credit union customers is out of bounds.  NCUA has brought down credit union vendors with their existing authority over credit unions. Additional authority is overkill that could be used as harassment at worst and costly regulatory burden at best.

Liability for vendors who are bad actors now becomes partially an NCUA issue.  What credit union attorney would not include in a legal action a detrimental reliance claim that the credit union believed the broker-dealer was okay or the core processor was compliant because NCUA has authority over them and should have caught them if they were not?

It’s hard to accept the examination authority and then claim that due diligence is solely a credit union’s responsibility before they contract with a vendor. I would expect countless Freedom of Information Act requests by credit unions for copies of NCUA exam reports on vendors the credit union is considering. What should the credit union infer from a good exam…a bad exam…or no exam?

The world of credit union vendors is extensive. As stated previously, NCUA would essentially become the FTC of the credit union industry. Granting vendor regulatory authority to NCUA would extend the agency’s arm beyond the 4800 federally insured credit unions to the over 45,000 estimated companies and organizations that serve them. The potential impact is huge. So will need to be the agency attempting to implement this authority.

HAS THERE BEEN ANY SUPPORT FOR NCUA BEING GRANTED VENDOR AUTHORITY OUTSIDE THE AGENCY ITSELF? 

 Very little. The support base for NCUA unlimited vendor authority is pretty much limited to its headquarters on Duke Street in Alexandria, Virginia. Even the IG report issued last year supporting the need for vendor authority was from NCUA’s own Inspector General, not that of some agency independent of NCUA.

The primary outside source the agency has offered in the past to push its vendor authority agenda is the General Accounting Office (GAO), the auditing arm of Congress, which issued a report in 2015 on cyber security challenges for all federal financial regulatory agencies.

This GAO report, highly touted by NCUA, focused on the cyber security issue and included in its recommendation to Congress that NCUA be granted vendor authority over technology vendors. Note – it was not even recommended by GAO for NCUA to have unlimited vendor authority. It was only recommended to be considered for technology vendors – in other words, those vendors that directly access member data.

Therefore, it is quite possible that the GAO report, even as NCUA hailed it at the time as a victory for the agency’s demand for unlimited vendor authority, actually hurts the NCUA’s case when it goes to Congress waving the report as third party corroboration of their need for vendor authority – which all credit unions recognize is little more than a justification for a continued large and expanding agency when the number of regulated and insured credit unions is dramatically falling at an average of one merger per business day.

By the time the end-of-year 2030 rolls around, some industry projections are that there will be approximately 3500 federally insured credit unions remaining. That is down from around 12,500 only fifteen years ago. To continue as an agency of its size and a staff with its considerable benefits as a result of a very advantageous labor agreement between the public employees union at NCUA and the agency’s current leadership, NCUA must find something to do beyond merely regulating and examining credit unions. Hence the push for CUSO regulation (of which the agency had questionable authority when it passed the 2013 CUSO rule) and its much more far-reaching cousin unlimited vendor authority.

But we digress. Back to the GAO report findings and recommendations.

Even though NCUA is making a case for unlimited regulatory and supervisory authority over all third-party credit union vendors from the core processor to the cleaning crew at the branch, it is important to note that the GAO report did not recommend unlimited vendor authority for NCUA.

In fact, the GAO was very specific that its recommendation was for NCUA to have vendor authority specifically over technology vendors. Very restricted.

The GAO did not buy the case, certainly being pushed by NCUA to the GAO when they were interviewed for the report, that the agency had any compelling reason to have unlimited regulatory and examination authority over all credit union vendors.

Believe me, the GAO is never shy about its recommendations. If they had felt NCUA needed unrestricted vendor authority, that would have been the GAO recommendation.

The GAO tailored its recommendation very carefully to vendor authority over technology vendors only.

This is important because NCUA is basing its entire case for the need of unlimited vendor authority on the issue of cyber security. They do not mention just how far reaching this requested authority would be over every other type of vendor and how it could be abused by examiners creating reputation risk for credit unions when their local vendors are visited by an NCUA examiner with demand letter authority.

Congress and the Administration, which currently have over forty federal agencies with some authority over cyber security issues, should be quite suspicious of requests for permanent unlimited regulatory and examination authority by one more federal agency to deal with a specific issue at one point in history. If there is a legitimate desire beyond lip service to any type of governmental efficiency, Congress should try to avoid duplication of agency authority that forces small business to face bureaucratic burden from multiple agencies asking for the same information over and over at considerable cost to the business.

Here is where NCUA has a problem. While NCUA currently lacks authority to examine technology vendors, the FDIC and OCC do not. Neither does the Federal Reserve. And all three of those agencies sit on the Federal Financial Institutions Examination Council (FFIEC) with NCUA.

The statutory purpose of the FFIEC is to coordinate examination findings and approach in the name of consistency and to avoid duplication. The entire concept behind the FFIEC is that NCUA should be able to request the results of an examination of a core processor from either the FDIC or OCC without having to send another exam team from NCUA to look at the same firewalls and security protections.

However, rather than asking for a copy of the most recent FDIC or OCC examination of Fiserv or Jack Henry, NCUA wants to go into Fiserv with another examination team, spend several months on site and likely duplicate the findings of the FDIC or OCC when they went in.  What is the likelihood that six examiners from NCUA are going to find a major cyber security risk that the FDIC and OCC examiners did not find?

The GAO report, because it limits its recommendation of NCUA vendor authority to technology firms, actually gives Congress ammunition to oppose unlimited vendor authority to NCUA and to encourage them to use the FFIEC to gain access to the examinations of major technology companies already being examined by FDIC and OCC.

Most of the leading technology firms (admittedly, not all but certainly most of the larger players) in the financial services industry sell their products to both banks and credit unions. They are already examined by other FFIEC agencies. NCUA, as a member of FFIEC, has every right to request copies of those examinations and they will be delivered within a day. That is what the FFIEC is all about, avoiding duplication and sharing in the examination process of financial institutions.

It is going to be a tough sell for NCUA to go before a congressional hearing and present the GAO report’s recommendation for very limited and specific vendor authority and then ask for unlimited and unrestricted vendor authority. So they are unlikely to mention it. Or, if they do, it will be selectively referenced.

And it would be equally tough to go before the committee and state a willingness to settle for what the GAO recommends (with a “get a foot in the door” strategy of just asking for authority over technology vendors) when NCUA already has access to the overwhelming majority of those examinations through the FFIEC.

Yes, NCUA will continue to push for unrestricted vendor authority. And, yes, credit unions will rightfully oppose it because of how it could be abused over the years. Certainly, any reasonable credit union vendor will oppose it for the obvious reason of avoiding unnecessary regulatory burden.

What will Congress do if and when there is actually a bill before them? That is the million-dollar question. (Or, in the case of its impact on future NCUA budgets, the hundreds of million dollars question.)

My prediction is that credit unions and their vendors prevail on this issue and that NCUA goes home from Congress with empty hands again in the future as they have every other time they have gone to Congress since the 1990s asking for this unrestricted authority.

But never say never when it comes to Congress. Stranger things have happened.

However, if it happens, it will not be because of some IG or GAO report that NCUA is currently touting with a cybersecurity focus. If anything, these reports’ recommendations make the agency’s sales pitch much tougher for Congress to swallow.

And it certainly won’t be because former NCUA chairmen who supported it when in office are still supportive after they have gone on.  The same likely applies to those of us who are former NCUA chairmen who opposed unlimited vendor authority.

If unlimited NCUA vendor authority comes out of any legislation in this Congress or future ones, it will be because credit unions and their trade associations, leagues and representatives did not take the issue seriously enough to let their congressmen and senators know about the downsides of the legislation.

WHAT SHOULD CREDIT UNIONS, CUSOs OR VENDORS DO IF THEY WANT TO SUPPORT OR OPPOSE UNLIMITED VENDOR AUTHORITY FOR NCUA?

 This issue cannot be settled in the NCUA Headquarters in Alexandria. Vendor regulatory and examination authority for NCUA can only be granted by an act of the US Congress, signed into law by the President of the United States. The outcome of the vendor authority issue will rest with the advocacy efforts, or the lack thereof, by America’s credit unions.

Is this an issue that concerns credit unions enough to utilize some of the industry’s political capital on the Hill to stop? Or is it a fight not worth bleeding for? The trade associations, leagues, CUSOs, credit unions and, frankly, the vendor community will have to weigh the issue and determine what the cost/benefit analysis will say about spending capital – both political and financial – to stop this legislation.

As stated earlier, if credit unions are not prioritizing their efforts to stop the legislation, Congress is more likely to follow the lead of the agency responsible for safety and soundness of the credit union industry – whether the additional authority is needed or not.

Our history with the issue makes us quite concerned about where it could lead, should it ever be enacted.

And, since it seems that NCUA is going to continue to revive this issue every couple of years until they get the authority they seek, it is our hope that this Client Update helps you better understand the issue and position you to better make your decisions about where you stand on NCUA vendor authority as a credit union leader.

It should also help you at least be informed and perhaps involved about the issue to the point where you can get involved in advocacy efforts to help defeat, pass or refine any legislation that ever comes before Congress.

Please do not hesitate to contact us if you need additional information or insights into this issue. As always, we are here to assist you on this or any other matter of importance to you and your credit union.

Until next time.

Dennis Dollar