A Federal Reserve Bank of Atlanta report following a series of ransomware attacks on credit unions last year noted that the National Credit Union Administration has no enforcement authority over third-party service providers.
Details: In a report on third-party risks and credit unions, the Atlanta Fed noted that while banking agency guidance states that use of third parties does not diminish banks’ responsibility to operate safely and soundly, the NCUA’s temporary authority over credit union service organizations and other third-party vendors expired in 2001.
ICBA View: As ICBA has testified before Congress, it supports allowing the NCUA to directly examine and regulate CUSOs, core providers, and other third-party providers. During the 117th Congress, a bipartisan group of senators introduced ICBA-supported legislation to grant the NCUA such authority, as recommended by the Government Accountability Office, Financial Stability Oversight Council, and NCUA Inspector General.
Grassroots Resources: Community bankers can use ICBA’s Be Heard grassroots action center to call on their members of Congress to hold a hearing on the NCUA’s lax oversight. Additional resources on credit union policy—including state fact sheets, a messaging playbook, and a customizable op-ed—are available on the ICBA website.