OIG: NCUA, where allowed, checks most boxes on third-party vendor oversight, but it needs statutory authority

A “self-initiated” review by the inspector general’s office of the federal regulator of credit unions concludes that the agency should continue to seek statutory authority for direct examination and enforcement authority over credit unions’ third-party vendors and service organizations.

The National Credit Union Administration (NCUA), the report notes, complies with statutory, regulatory and policy considerations related to third-party vendor supervision. But unlike federal banking regulators, it lacks direct statutory authority over those vendors, just as it lacks direct authority over credit union service organizations (CUSO) – entities in which a federally insured credit union has an ownership interest or has extended a loan.

The OIG report, dated Sept. 1, also notes that such direct authority for the NCUA is backed by the Financial Stability Oversight Council (FSOC), created under the Wall Street Reform and Consumer Protection Act (Dodd-Frank) enacted in 2010 in response to the 2008 financial downturn.

The NCUA does exercise some oversight of third-party vendors through its regulation and supervision of credit unions: its own rules require any federally insured credit union with an investment in or a loan to a CUSO to enter into a written agreement with the CUSO that it will provide the NCUA with complete access to its books and records and the ability to review the CUSO’s internal controls. However, the OIG report notes that the agency cannot enforce recommendations to vendors to address problems that might lead to credit union losses and losses to the National Credit Union Share Insurance Fund (NCUSIF).

Between 2008 and 2015, it says, nine CUSOs caused more than $300 million in direct losses to the NCUSIF and led to the failures of credit unions with more than $2 billion in aggregate assets. It said one of the CUSOs caused losses in 24 credit unions, some of which failed. It warned that lack of direct third-party vendor authority could allow a recurrence.

The NCUA did have temporary authority over credit unions’ third-party vendors and CUSOs under the 1998 Examination Parity and Year 2000 Readiness for Financial Institutions Act, but that authority expired in 2001. The agency has been asking Congress to reinstate that authority permanently since around 2004, amid opposition from the credit union industry.

For a time, the agency participated in the Federal Financial Institutions Examination Council (FFIEC) interagency supervisory program for technology service providers (from the early 2000s until about 2009), federal banking agencies eventually pushed back on that over concern that vendors, because the NCUA had no statutory authority over them, would no longer allow the reviews at all. A banking agency legal opinion later determined that the NCUA was not statutorily authorized “and could only participate in the program with written permission from the third party service provider under examination,” according to the OIG report.

Other findings note a lapse in vendor reviews by the agency itself, due in in part to the fact that leadership and direction of the vendor program was split between the NCUA Office of Examination and Insurance and the Office of National Examinations and Supervision, with neither directorate pursuing reviews.

The OIG said the NCUA should pursue statutory examination and enforcement authority over credit unions’ third-party vendors “to the same extent as if they were an insured credit union.”