CFPB Penalty Against VyStar Credit Union Exemplifies Consumer Impact of Tax-Exempt Industry’s Lagging Regulatory Oversight

Washington, D.C. (Oct. 31, 2024) — Independent Community Bankers of America (ICBA) President and CEO Rebeca Romero Rainey issued the following statement after the Consumer Financial Protection Bureau took action against VyStar Credit Union for harming consumers through its botched rollout of a new online banking system.  According to the CFPB, VyStar transitioned to a new, dysfunctional online banking platform in May 2022 that made it difficult for the credit union’s members to perform basic banking functions for weeks, with some features unavailable for more than six months. Affected consumers were unable to manage their accounts, were charged late fees when their online bill payments did not go through, and were often unable to access their funds.

“Today’s Consumer Financial Protection Bureau penalty against VyStar Credit Union for harming consumers via a failed rollout of a new online system exemplifies the risks posed by the National Credit Union Administration’s inability to examine credit union third-party service providers. While the CFPB has ordered VyStar to make affected consumers whole and pay a $1.5 million civil penalty to the bureau’s victims relief fund, policymakers must provide the NCUA with the same authority that bank regulators use to supervise for cyber risk.

“NCUA Chairman Todd Harper has called the agency’s lack of authority a ‘regulatory blind spot’ that means the agency doesn’t ‘necessarily know what is happening’ with credit union cybersecurity and could leave the industry as the ‘soft underbelly’ of the broader financial system. After a third-party service provider’s cybersecurity incident disrupted the daily operations of 60 credit unions last year and a separate credit union earlier this year breached the personal information of more than 1 million members during a ransomware attack, Harper recently noted that approximately 90% of the tax-exempt credit union industry’s assets are managed by third-party service providers with no NCUA oversight.

“This lack of regulatory oversight is particularly concerning given the surge in tax-exempt credit unions acquiring tax-paying community banks, with last week’s deal extending 2024’s single-year record. Bipartisan legislation introduced in the previous Congress to ensure the NCUA has the same authority as bank regulators to supervise for cyber risk is supported by the NCUA’s Harper and inspector general, the Government Accountability Office, and the Financial Stability Oversight Council, and we continue calling on lawmakers to reintroduce and pass this critical bill.

“With recent ICBA polling conducted by Morning Consult showing 61% of U.S. adults say Congress should investigate whether credit unions should be able to acquire banks given credit unions’ tax and regulatory exemptions, it is past time for Congress to take a closer look at our nation’s outdated credit union policies and the harmful impact they are having on consumers, small businesses, and local communities nationwide.”

About ICBA

The Independent Community Bankers of America® has one mission: to create and promote an environment where community banks flourish. We power the potential of the nation’s community banks through effective advocacy, education, and innovation.

As local and trusted sources of credit, America’s community banks leverage their relationship-based business model and innovative offerings to channel deposits into the neighborhoods they serve, creating jobs, fostering economic prosperity, and fueling their customers’ financial goals and dreams. For more information, visit ICBA’s website at icba.org.