CFPB penalizes credit union over 'botched' digital banking upgrade


On Thursday, two federal agencies announced a penalty against VyStar Credit Union over what they called a "botched rollout of a new online banking system" in May 2022, caused in part by a lack of management and governance over the vendor the credit union selected for the project, according to the agencies.

The rollout glitches caused members of the credit union, headquartered in Jacksonville, Florida, to incur nonsufficient funds fees, late fees and the like because they could not access their accounts amid outages and service degradation, according to the Consumer Financial Protection Bureau and National Credit Union Administration.

The credit union must pay $1.5 million to the CFPB's victim relief fund, set up a process to identify members who incurred fees as a result of the service disruption and reimburse those members, with interest, according to the consent order it signed with the CFPB.

The credit union must take other remedial actions in compliance with the order, including establishing contingency plans for consumer-facing banking systems, creating a committee to assess potential risks to members arising from ongoing or recurring technology issues, and writing policies and procedures for load testing its systems prior to and after release.

The penalties are the result of "careless errors" that "inflicted financial harm" on VyStar members, according to Rohit Chopra, director of the CFPB. The "management failures" that led to outages and service degradations caused "consumer harm over the course of not just weeks but months," according to Todd M. Harper, chairman of the NCUA.

"Credit unions must prioritize their members, yet Vystar's due diligence fell far short of what was required for completing a successful conversion of the credit union's mobile and online banking platforms," Harper said.

In prepared comments sent to media outlets, a VyStar spokesperson said the credit union had already "reimbursed or waived all VyStar fees" while it restored online services, started a process for reimbursing any third-party fees incurred as a result of the outage and paused credit reporting during the course of the outage.

"To be clear, VyStar proactively and voluntarily undertook this response, without regulatory prompt," the spokesperson said. "During the disruption, members maintained access to their funds and services through VyStar's extensive network of ATMs and extended hours at both its contact centers and many of its numerous physical branches."

How the rollout unfolded

VyStar started the rollout of a new virtual banking platform on May 13, 2022, according to the CFPB's consent order against the credit union. The system "crashed upon launch," according to the agency, because the credit union "brought it online prematurely" and lacked planning.

The rollout went forward despite feedback from the project development team that the platform "was not ready for release, creating significant reputational risk," according to the consent order. The credit union had a tolerance for defects, bugs and lower standards of functionality that was at odds with its quality assurance team, and the head of that team refused to sign off on the launch, according to the consent order.

The credit union took down the online and mobile banking platforms soon after it launched them. When the credit union restored online services on May 23, the interface lacked key banking services to which members previously had access, including accessing account statements, making internal transfers between accounts, paying credit cards and loans, setting up recurring payments, and accessing full transaction histories.

Full functionality did not return until December 2022, according to the CFPB.

Additionally, the credit union's mobile banking application interface suffered greater disruptions and was fully unavailable for a month after the initial failure. As with the web interface, the mobile application slowly reintroduced features over the course of "several months," according to the consent order.

During the outages, members could less readily access their account balances, transfer funds between accounts or make payments on credit card balances. Some members' previously scheduled recurring payments were delayed or deleted, according to the CFPB. This resulted in members incurring fees, interest for late payments and negative data on credit reports related to the late payments.

VyStar agreed to comply with the CFPB's penalties "without admitting or denying any wrongdoing," according to the consent order.

For-profit banks question nonprofit oversight

The consent order the CFPB levied against VyStar "exemplifies the risks posed by the NCUA's inability to examine credit union third-party service providers," according to Rebecca Romero Rainey, president and CEO of the Independent Community Bankers of America, a trade organization for community banks.

Rainey added that policymakers "must provide the NCUA with the same authority that bank regulators use to supervise for cyber risk." The lack of oversight is particularly concerning, she said, given the surge in tax-exempt credit unions acquiring for-profit community banks.

NCUA chairman Harper has previously aired similar complaints, emphasizing that the administration lacks the same oversight ability that bank regulators have.

"The NCUA's ability to analyze and assess the risk in the entire credit union system remains limited because the agency lacks the same level of oversight of third-party service providers as the federal banking regulators," Harper said at a briefing last week about cybersecurity confronting credit unions.
