In her December 9th testimony, NCUA Chairman Debbie Matz stated:
"NCUA is the only regulator subject to the Financial Institutions Reform, Recovery and Enforcement Act of 1989 that does not have authority to perform examinations of vendors which provide services to insured institutions. Credit unions are increasingly relying on third-party vendors to support technology-related functions such as internet banking, transaction processing, and funds transfers. Vendors are also providing important loan underwriting and management services for credit unions. The third-party arrangements present risks such as threats to credit risk, security of systems, availability and integrity of systems, and confidentiality of information. Without vendor examination authority, NCUA has limited authority to minimize risks presented by vendors."
The Government Accountability Office (GAO) back in 2003 expressed concerns writing that "the lack of such authority could limit NCUA’s effectiveness in ensuring the safety and soundness of credit unions."
In fact, GAO's warnings became a reality in recent years. For example, third-party vendors were cited as playing a role in several high profile credit union failures -- Cal State 9 CU, Norlarco CU, and Huron River Area CU.
It seems prudent that NCUA should be granted this authority to examine third-party vendors.
Credit unions are making greater reliance on these third-party vendors. Without the ability to examine these entities, credit unions are increasingly exposed to operational and reputational risk.
Until NCUA is granted this authority, NCUA should put in place a moratorium on granting new authorities for third-party vendors such as CUSOs.