Last month, NCUA chairman Todd M. Harper delivered his “State of the (Credit) Union” during the 2023 Governmental Affairs Conference. Harper covered multiple areas of interest to credit unions including:
- The State of the Credit Union System
- Credit Risk
- Interest Rate Risk
- Liquidity Risk
- Consumer Compliance
- Minority Institutions, and
- Community Development
But in this post, we’ll focus on three topics directly related to information security: cybersecurity risk, the need for centralized vendor authority, and Fintechs.
- Cybersecurity Risk – Ransomware, social engineering, phishing, and other known risks continue to keep him (and many CU admins and ISOs) awake at night, but the unknown threats are his biggest concern. He encourages CUs to continue assessing their cyber threats and control maturity levels by using the Automated Cybersecurity Evaluation Toolbox. The NCUA also recently approved the new cyber incident notification rule, which sets parameters for what constitutes a reportable incident and defines the minimum notification requirements.
- Vendor Authority – Unlike the other federal regulators, the NCUA does not have the authority to examine significant third-party providers. The FDIC, OCC, and Federal Reserve call the resulting report the Report of Examination (or RoE); it is very similar to the IT examination that non-CU depository financial institutions undergo and is, in fact, based on the exact same FFIEC URSIT methodology. Chairman Harper strongly believes that the NCUA should be granted the authority to supervise credit union service organizations and key vendors.
- Financial Technology – This is closely related to vendor authority; the chairman believes critical third-party Fintechs have insufficient oversight by regulators, and that the agency should have the ability to enforce Fintech compliance with laws and regulations. This is largely consistent with what the Treasury Department recommended late last year.
The chairman also referred to recent changes in how the NCUA will conduct examinations. A summary of those changes is here. Simply put, this new supervisory initiative will be tailored to your credit union’s size and complexity.*
When you consider the pending third-party risk management guidance expected to drop later this year, a regulatory consensus is rapidly forming on the need for increased scrutiny of third parties providing services to financial institutions. This is an area we are watching closely, and proactive credit union information security officers should plan to prepare for deeper dives by the NCUA into how they are managing their significant third parties as well.
* Perhaps ironically, this “size and complexity” approach also provides the most effective defense against examination findings that may apply to larger CUs, but not necessarily to smaller institutions.