Eugene, OR (June 17, 2024)
The Honorable Patrick McHenry
Chairman
Committee on Financial Services
U.S. House of Representatives
Washington, DC 20515
The Honorable Maxine Waters
Ranking Member
Committee on Financial Services
U.S. House of Representatives
Washington, DC 20515
Re: Correspondence from former National Credit Union Administration (NCUA) Chairs supporting NCUA Chairman Harper’s Request for Unrestricted Regulatory and Supervisory Authority over all Credit Union Vendors
Dear Chairman McHenry and Ranking Member Waters:
The National Association of Credit Union Service Organizations (NACUSO) is the only nationwide membership-based organization exclusively representing credit union service organizations (CUSOs). CUSOs are collaboratively owned and operated businesses that the law and regulation allow credit unions to invest in to provide services to their members, as well as to other credit unions, for the purposes of risk sharing, cost savings and income generation to better and more effectively invest in enhanced and innovative member services.
We write in response to and in opposition to a recent letter from former chairs of the NCUA on May 13, 2024, in support of legislation amending the Federal Credit Union Act to expand NCUA’s direct regulatory and supervisory authority beyond that of regulating and supervising credit unions – which it has held since the agency’s creation in 1970. Such expansive, new authorities would grant the NCUA virtually unlimited and unrestricted authority to regulate and examine any business that does business with a credit union. Labeled innocuously as “Third-Party Vendor Authority” by NCUA, this unprecedented expansion of the agency’s authority is of concern to CUSOs because of the potential impact upon the collaborative model we represent among credit unions that have chosen the CUSO structure to share the risk associated with costly innovation and to enhance the delivery of credit union services to more members from all walks of life.
In our view, NCUA lacks the expertise to regulate and examine any and all businesses that interact with credit unions. CUSOs and other vendors that service credit unions are diverse entities, offering a wide array of business services. For example, a CUSO might offer certain investment products that are already highly regulated by FINRA, the Securities and Exchange Commission, the Department of Labor, and other state regulators. NCUA has no in-house expertise in this area, and in fact, NCUA has stated that federal credit unions may not act as broker-dealers in securities or provide investment advice of the type that would render them ‘investment advisors’ under federal securities law. Thus, it would add an unnecessary and arguably inappropriate level of regulation for NCUA to get involved in examining these CUSO products. This is just one example of the various products that are already highly regulated and offered by NACUSO members, that do not fall under the NCUA’s jurisdiction or area of expertise.
The necessary investment of agency resources to hire or contract with the broad level of expertise required to examine every technology service, communications contractor, statement processor, ATM servicer, check provider, building construction company, accounting firm, advertising agency, insurance agency, broker/dealer, lawn care company, etc. that enters into a contract with a credit union will bring about a dramatic and unnecessary increase in the size, budget and staffing of this federal agency. The average number of vendors for a single credit union can easily exceed one hundred, or two hundred in the case of some larger credit unions. To be clear, these products and services are already highly regulated by a host of consumer protection, privacy, tax, insurance, and other relevant laws.
If the NCUA’s authority is expanded in this way, it is likely that hundreds of new NCUA employees would be needed to review these thousands of credit union vendors doing business with nearly four thousand eight hundred credit unions nationwide. It should be noted that, while the number of full-time employees of the FDIC has decreased in response to the shrinking number of banks, the number of full-time employees of NCUA has increased, even as the number of federally insured credit unions has decreased from 10,316 to 4,760 over the past twenty years.
NCUA is funded by assessments levied on the member-owned non-profit cooperative credit unions they regulate and insure. Accordingly, it is reasonable to assume that the cost of any such expansion at the NCUA will be borne by the credit union members themselves, who pay for the resources of NCUA. NACUSO sees this request for unlimited vendor regulatory and supervisory authority for NCUA as an unjustifiable expansion of the agency’s authority that is, frankly, not needed, can be handled in another way, and is being overseen effectively under existing authority.
NCUA promulgated a CUSO rule in 2013 that essentially gives the agency “review” authority over all CUSOs. This rule has been in effect for more than a decade under what the agency considers existing NCUA statutory authority. As a condition of the authority of a credit union to invest in a CUSO, a CUSO must provide NCUA with full access to its books and records. NCUA has repeatedly exercised this power. In addition to this established review process, the agency has at the same time developed and created a mandatory CUSO registry to require reporting of all CUSOs. This includes their individual credit union ownership, so that NCUA can gather necessary data on the performance of the CUSO through its (NCUA’s) existing supervisory authority over the credit unions with ownership interests in the CUSOs.
In our view, these regulatory and supervisory actions within its existing authority seem to indicate that NCUA is in a position to gather the data it has stated that it needs for risk evaluation purposes through the credit unions it currently regulates and supervises (that are also the owners of the CUSOs) and within its existing authority. In their letter, the former NCUA Chairs cite the “increasing reliance of credit unions on third-party vendors for critical functions,” which mischaracterizes the relationship between CUSOs and credit unions. It is not a reliance, but rather a partnership – one built on trust, relevant expertise, and collaboration in the spirit of the cooperative movement (credit union owners of CUSOs).
If NCUA makes a determination of the risk posed by a CUSO, it has the power to compel changes through the CUSO’s owner credit unions. While NCUA has complained about the indirect nature of this authority, there is no contention that it is not effective. CUSO losses to credit unions since 2013 are virtually non-existent. There is no reason to extend statutory authority that could go far beyond what is currently required to protect the safety and soundness of credit unions. The Consumer Protection Bureau and the Federal Trade Commission (for state-chartered credit unions), in addition to dozens of other regulators, already have rulemaking and regulatory authority for a variety of CUSO products and services. Trying to fit supervisory and examination authority of all of this into the NCUA is like putting a square peg in a round hole.
The stated area of concern that NCUA continues to cite, which is reiterated in the recent letter from the former NCUA Chairs, seems to be primarily limited to the area of cybersecurity. Nevertheless, NCUA continues to seek unlimited vendor regulatory and supervisory authority from Congress. While indeed cybersecurity is a recognized area of risk for all financial institutions (and, notably, there are specialized CUSOs assisting credit unions in dealing with this area of risk), concerns on cybersecurity could be addressed with a more refined approach to regulation and supervision without instituting a carte blanche approach to additional regulation and supervision of every other type of credit union vendor – many of which are CUSOs and most that are not.
In fact, NCUA concedes in past testimony before the committee that one justification for their expanded authority request to have unlimited regulatory and supervisory authority over all credit union vendors stems at least partly from a case of regulator envy with their banking counterparts, such as the FDIC and OCC, that have been allowed some self-limited vendor authority by Congress. This authority, coveted by NCUA for decades but wisely with no action by Congress to grant it despite the agency’s continued requests, enables the FDIC and OCC to examine cybersecurity issues at many of the larger and most widely utilized technology companies that serve financial institutions, both banks and credit unions. Cybersecurity is an important issue. However, experts in this area are already highly regulating the market, and there are already very specific requirements in place for NACUSO members in this area, that will not be bolstered by credit union examiners who do not have widespread experience in this area.
It remains the position of NACUSO that – if indeed cybersecurity is their primary focus, as stated at past hearings before your committee – NCUA should take advantage of its affiliation with the Federal Financial Institutions Examination Council (FFIEC) to utilize the examinations that are already being conducted by the FDIC and OCC of these technology providers. A separate examination is unnecessary because the providers also serve credit unions. One of the purposes of the FFIEC is to coordinate the examination process for financial institutions of various types to eliminate costly duplication and redundancy.
In conclusion, NACUSO sees no justification for the expansion of NCUA’s authority from the very successful and relatively efficient credit union regulatory and supervisory agency they have proven to become into a mega agency with authority over every business that does business with a credit union. This move is the very definition of unnecessary regulatory overreach when existing mechanisms and authorities have proven effective. This authority, if granted, would unquestionably increase agency costs and expand the burdensome nature of NCUA regulation and supervision outside the scope of what the agency was originally created to do: regulate, insure and maintain the safety and soundness of the credit union system. And it would do so to accomplish a stated purpose – cybersecurity evaluation – that is already taking place by other federal financial regulatory agencies in a position to share their findings with their counterparts at NCUA.
Congress, in creating credit unions, established NCUA as an important regulator and insurer. Absent considerable new spending, headcount, and authorities granted by it, at the expense of credit unions large and small, the agency is best equipped to continue its very successful oversight of the credit union safety and soundness arena. Congress has been prudent in its reticence toward such expansive new authorities by denying the agency the authority to become the Federal Trade Commission of the credit union industry by allowing them to examine every type of business, large or small, that works with a credit union as a customer or client.
For the reasons listed herein, we encourage the committee to give a very serious and cautious evaluation of this particular NCUA request for expansion of the agency’s regulatory and supervisory authority into unlimited oversight of every business that might enter into a contract with a credit union. It is, in our view, an overreach that cannot be currently justified at the level at which it is requested in order to address an issue that has other existing options the agency could utilize to achieve its purposes. We encourage the Committee to continue its historical opposition to this unnecessary proposal for major agency expansion of authority.
We thank you for your careful and studied consideration of this important matter. If we can be a source of any further information on this or any other matter of importance to the committee, please do not hesitate to contact us.
Very truly yours,
Ronaldo Hardy, President & CEO, NACUSO