When asked what keeps me awake at night, I say two things — cybersecurity and the restoration of
A lot has changed since then. Cybersecurity risk has spiked. There are now many more credit union service organizations and third-party vendors operating within the credit union sector with little to no oversight. My fear is that this lack of oversight could lead to systemic financial disruption and a loss of public confidence in the credit union system.
Increasingly, activities fundamental to credit union operations, such as loan origination, lending and deposit services, cybersecurity infrastructure development and maintenance, Bank Secrecy Act or anti-money-laundering compliance, and financial management, are outsourced to unregulated third-party vendors. In fact, roughly 90% — close to $2 trillion — of industry assets are touched or managed by third-party service providers.
Credit unions additionally use third-party vendors to provide technological services, including information security and mobile and online banking. Member data is also stored on vendors' servers — including on servers not utilizing standard protections like multifactor authentication. And, some third-party vendors outsource services to fourth- or fifth-party providers or have technology service providers located in foreign countries. This outsourcing results in multiple layers of third-party relationships and risks when credit unions acquire a single tool or product.
Given the additional risk of insuring an industry that, more and more, offloads essential business operations to unregulated third-party service providers, the NCUA board, as an insurer, may need to think about changes to the normal operating level of the Share Insurance Fund to protect against these risks.
The credit union system's dependence on technology and outside service providers is, moreover, a recipe for significant concentration risk. A commonly used core processor brags in an ad that its clients hold 90% of the credit union system's assets. It's almost as if they're daring nefarious cyber actors and fraudsters to target them.
A disruption or coordinated attack at this and other service providers could lead to a catastrophic scenario, causing hundreds if not thousands of credit unions and tens of millions of their members to lose access to funds simultaneously — which would have a systemic impact far beyond the credit union sector.
This concentration underscores the importance of the NCUA's need for third-party vendor authority as a preventive measure, designed to protect the financial security of 141 million Americans who rely on credit unions for their financial services.
The case for vendor authority became even more pressing after a smaller core service provider for credit unions experienced a multiday outage. Last November, the NCUA received cyber incident reports from multiple small credit unions stating that their core service provider had experienced a system outage. Dozens of credit unions, primarily small credit unions serving rural and low- to moderate-income communities across 40 states with aggregate assets of nearly $1 billion and almost 100,000 members experienced an interruption of vital services such as basic account inquiries, withdrawals and deposits, loan payments and disbursements.
The third-party vendor involved described the attack as an "isolated cyber security incident." But, the attack was amplified by influencers on social media who stoked fears of runs by encouraging members to withdraw funds from their accounts.
NCUA's lack of authority over credit union vendors and third-party service providers resulted in a delayed and less effective response. Insufficient information sharing hampered coordination efforts among key stakeholders at both the federal and state levels. What's more, the lack of information and cooperation from the third-party vendor made determining the scope and damage more challenging.
More important was the impact it had on the members of these affected credit unions. For several days, the vendors were unwilling to provide the NCUA with information on the number of credit unions affected. Eventually, a third party voluntarily shared a partial list of affected credit unions. Further, other federal financial services agencies could not assist us because the technology service product only supported credit unions and not banks.
The fallout of this cyber incident demonstrates how a single vendor's problems can quickly metastasize into a crisis for multiple credit unions, their members and the overall system. Thanks to the quick thinking and collaboration between NCUA staff and the affected institutions we ultimately contained this breach. Nevertheless, this event serves as a wake-up call underscoring the NCUA's need to regain vendor authority.
We likely won't be so lucky in the future.
The absence of vendor authority will grow in importance as credit union service organizations and third-party vendors capitalize on financial institutions' increasing use of artificial intelligence and real-time payment services. And, because credit unions are an integral part of U.S. critical economic infrastructure, this regulatory blind spot is an additional vulnerability in the defense of the U.S. homeland against hostile foreign nations.
The Government Accountability Office, the Financial Stability Oversight Council and the NCUA's Office of Inspector General all support this request. When Congress grants the necessary authority, the NCUA will establish a risk-based prioritization plan for third-party vendors. This plan will concentrate on services provided by vendors with access to member information related to information security, cybersecurity, the BSA/AML compliance, consumer financial protection and other areas that pose a systemic risk.
It's finally time to close this growing regulatory blind spot. Why are we still waiting?
