Debbie Matz, the Chair of the National Credit Union Administration, recently called for greater vendor regulation and oversight for credit unions in the U.S., out of a fear that vendor vulnerability could compromise credit union data. Her fear is founded, since vendor vulnerability has been the cause of multiple major data breaches, but credit unions have spoken up against greater regulation, saying it could be both costly and an undue burden.
NCUA calls for more regulation
The National Credit Union Administration oversees the regulation of 6,350 credit unions in the U.S., and as head regulator for the NCUA, Debbie Matz has a vested interest in cybersecurity and credit unions. In a recent interview with Reuters, Matz states that what keeps her up at night is the idea that a cybercriminal could find a security vulnerability with a credit union vendor and exploit it, compromising a large (and largely unprepared) network of financial institutions. This is not out of the realm of possibility, as Matz knows. It’s reported that Target’s massive data breach in 2013 was, in fact, the result of an exploited data connection with its heating and ventilation systems contractor. Home Depot’s data breach was a result of hackers using the stolen credentials of a third-party payment system vendor.
Matz adds credibility to her nightmare scenario by remarking that there is a huge amount of dependence on a small number of vendors. According to Matz, five IT vendors serve over fifty percent of credit unions, leading to “tremendous inter-relationship and the possibility of contagion.” Even though there hasn’t been a breach with a third-party credit union vendor yet, there have been some close calls. The Office of the Comptroller of the Currency, a regulatory agency with the power to examine bank vendors, has also expressed concern with the dearth of resources and know-how dedicated to preventing cyber-threats at the community bank level.
To combat these issues, Matz wants Congress to grant the NCUA the authority to monitor and police these third-party vendors to ensure their compliance with security standards that protect credit union data. The NCUA is the only federal banking regulator that doesn’t currently have that authority over third-party vendors.
Objections from the other side
It’s easy to imagine why third-party vendors would object to more oversight in their dealings with credit unions, but credit unions themselves are also vehemently objecting and lobbying Congress against what they believe is over-regulation. Alicia Nealon, the Director of Regulatory Affairs for NAFCU (National Association of Federal Credit Unions), objected to Debbie Matz’s call for vendor regulation in a letter to the editor of Credit Union Times. She explains that the NCUA already has regulatory power over credit unions and their vendors, so additional regulation would be overreaching on the part of the NCUA. It would also “increase credit unions’ already excessive regulatory burden” without actually ensuring a safer environment. She writes, “Simply put, expanded authorities do not always equate to better outcomes.”
Expense is likely the key issue. Credit unions are responsible for the cost of their federal regulators, so if there are more resources dedicated to regulation, they will be assessed higher costs.
Meeting in the middle
What both credit unions and the NCUA can agree upon is higher standards for data security. In light of recent data breaches, both have called for stricter policies on the storage of data, notification of breached data, and policy disclosure. There has also been a stronger push from both sides to shift responsibility for data breach costs onto the retailer or vendor whose data was breached. Currently, credit unions and banks incur huge costs from retail data breaches due to credit card replacement fees and similar customer service issues resulting from breaches.
Matz is facing a lot of pushback from credit unions and vendors in her call for more regulation, but not necessarily because credit unions are unaware of the dire state of data security. It’s clear that policies and tools for collaboration with third-party vendors need to be improved, but it will require a partnership between the NCUA and credit unions under mutually agreed-upon terms.