Since the NCUA’s ability to have direct oversight over vendors sunset over twenty years ago in the aftermath of Y2K, the agency has consistently made the case internally and in testimony to Congress to regain such authority. The NCUA has most recently cited cybersecurity concerns as justification for vendor oversight authority. Instead of addressing any potential cybersecurity threats to the credit union ecosystem by limiting vendor authority to vendors that have direct access to member information, the proposed Strengthening Cybersecurity for the Financial Sector Act of 2022, HR 7022, would grant the NCUA authority to regulate and examine all vendors that do business with a credit union.
The House Committee on Financial Services recently advanced, by a count of 24-22, the proposed bill for full consideration at the House of Representatives. The proposed bill was marked up to have the NCUA first seek out any information “prior to conducting an examination of a credit union organization” from (1) “any Federal regulatory agencies that supervise any activity of that credit union organization,” and (2) “any Federal banking agency that supervises any other person who maintains any ownership interest in that credit union organization.”
We will continue to monitor the progress of this legislation and will continue to provide commentary on its potential impact on the industry. If you have any questions, feel free to contact us.