Credit unions face three key threats, regulator says – and calls again for oversight of third-party vendors

Credit unions are facing increasing risks from rising interest rates, shallow liquidity, and threats to cybersecurity, the board chairman of their federal regulator said Monday as he outlined agency responses to assist the financial institutions in addressing the threats – and in winning authority for oversight of third-party vendors.

In remarks to a credit union conference in Washington, National Credit Union Administration (NCUA) Board Chairman Todd Harper also said his agency will be asking Congress to restore the agency’s Central Liquidity Facility (CLF) expanded borrowing authority and provide the agency with oversight of credit union service organizations (CUSOs) and third-party vendors. Harper has made calls for Congress to act in those areas repeatedly in the past.

Regarding rising interest rates, Harper told the Governmental Affairs Conference (GAC) of the Credit Union National Association (CUNA) that credit unions “must remain nimble” as interest rates rise, raising the risk of short-term liquidity events possible. “And, in recognition of the rapidly changing rate environment, the NCUA has updated its guidance for examiners on how to work with credit unions exposed to market risk,” Harper said. “These changes to the supervisory framework for interest rate risk increased clarity and flexibility for both examiners and credit unions.”

On liquidity risk, Harper advised credit unions to monitor their risk levels and balance sheets. He linked that to his legislative goal of broadened borrowing authority for the CLF (which he asserted acts as a liquidity backstop for credit unions, like the Federal Reserve’s discount window). “And, while the CLF is an effective mechanism for managing liquidity risk, legislative enhancements would provide the NCUA with greater flexibility to respond to future liquidity events,” he said.

On cybersecurity risk, Harper called it threat that keeps him up at night. He said this year the agency will use its new Information Security Examination procedures. “This new supervisory initiative is tailored to your credit union’s size and complexity, to help you prepare for, withstand, and recover from cybersecurity threats,” he said.

He also noted that the NCUA Board, at its meeting two weeks ago, approved a cyber incident notification rule that sets parameters for what constitutes a reportable incident and the minimum notification requirements. “Through these notifications, the NCUA will be better able to work with other agencies and the private sector to respond to cyber threats before they become systemic,” he said.

Once again voicing support for NCUA oversight of third-party vendors, Harper sounded a contentious tone. “To those who believe the NCUA already receives third-party vendor information from the banking regulators, this is false because our lack of vendor authority prevents the sharing of such information,” he said.

“To those who contend the NCUA’s examiners lack the necessary experience to supervise vendors, this is also false because many vendors perform essentially the same services as credit unions that the NCUA already examines for. And, to those who claim vendor authority is simply an excuse for the agency to increase its budget, this is also false because a risk-focused review of vendors would not necessitate the hiring of scores of additional exam staff.”

Harper additionally contended that NCUA’s supervision of CUSOs and vendors “will bolster our nation’s economic security, and it will enhance your competitiveness.

“The NCUA therefore is committed to engaging with the new Congress on this vital issue,” he said.

NCUA Chairman Todd M. Harper Remarks at the 2023 Governmental Affairs Conference