Friday, July 3, 2015

Third-Party Technology Service Providers, Credit Unions and NCUA Oversight

The Government Accountability Office (GAO) in a July 2 report recommended that Congress should consider granting the National Credit Union Administration (NCUA) authority to examine third-party technology service providers for credit unions.

According to the report, credit unions and banks are making extensive use of technology service providers that supply them with IT processing, management, and security. The report notes that the "ability to contract for IT services typically enables an institution to offer customers enhanced services and use infrastructure comparable to that of larger institutions without the expenses involved in owning the technology or maintaining staff to deploy and operate it."

However, when credit unions rely on third-party providers, they may subject themselves to operational and reputational risks if they do not manage these providers appropriately. In addition, smaller institutions may have difficulty in managing their relationships with providers because they lack leverage in their contractual relationships to obtain information to help them determine whether providers have been performing adequately.

GAO further points out that "unlike the bank regulators, NCUA lacks authority to examine third-party service providers, such as technology service providers, on which credit unions often rely to perform critical functions."

NCUA told GAO that it has sought the congressional authority to examine third-party technology providers for a decade, but has so far been unsuccessful. The report highlights that credit union trade associations and organizations that provide third-party services to credit unions have opposed granting NCUA examination authority over third-party providers saying that giving NCUA examination authority is an unnecessary intrusion into these entities’ operations.

To address this inability to examine these third-party service providers, the agency stated it uses other means to monitor and reduce risks to credit unions arising from technology service providers, including making requests to the provider that it submit to a voluntary examination. But the report notes that some providers offering services exclusively to credit union clients have rejected NCUA voluntary examinations.

Unfortunately without supervisory authority over these providers, NCUA cannot enforce any corrective actions. NCUA can only make recommendations and present findings to the credit unions that use those providers.

This means that deficiencies in third-party service providers’ operations can quickly become deficiencies that produce financial and other harm at credit unions.

GAO concludes that to enable NCUA to effectively monitor the safety and soundness of credit unions, the agency should be granted the authority to examine third-party service providers.

4 comments:

  1. From the report: OCC (regulates 1500 banks) has 100 dedicated IT specialists; FDIC (4,000 banks) has 60 premium IT examiners, 32 IT examination analysts, and more than 100 subject-matter experts; and NCUA (6,200 credit unions) has 16 IT specialists and 40 to 50 IT subject-matter examiners. Not only is NCUA woefully unprepared, they don’t know if they have 40 or 50 subject-matter experts. They are too far behind to catch up. If you’re taking comfort in the fact that NCUA is regulating smaller institutions than OCC & FDIC, think about this from the report: “…criminals target smaller institutions because the expected payoff is greater relative to larger institutions whose systems are generally more sophisticated and harder to compromise.”

    ReplyDelete
  2. Based on the CUSO rules, one would assume NCUA had vendor examination authority. Are their requirements for CUSO reporting voluntary?

    ReplyDelete
  3. NCUA is too far behind and cannot and cannot be expected to catch up.
    Thousands (?) of credit unions are too small to afford being compliant and secure...and perhaps their vendors also.
    Trade associations are in the way and wrong headed about 3rd party over site.
    FDIC can but NCUA can't?
    Really?
    Trade associations being consistent thinking only of themselves.
    This is a nightmare waiting to occur.

    ReplyDelete
  4. Let's see.
    FDIC and occ have many more specialists and the same number of combined units.
    Wells Fargo reportedly doubling IT protection expenditure and many spending a lot more.
    Attackers according to the report prefer littler more vulnerable FIs.
    Tick, tock.

    ReplyDelete