(Oct. 1, 2021) Other key moments of the Harper nomination hearing included:
- Harper again endorsed third-party vendor exam authority for NCUA (which would require a statutory change). “Bank regulators have authority to go into third-party vendors; NCUA does not,” Harper said in response to questions from Sen. Jon Ossoff (D-Ga.). Harper, as he has before, called lack of that authority “a blind spot” for NCUA. He told the senator NCUA is working on a white paper on the subject that Harper will provide to Ossoff if confirmed. (NASCUS supports the agency obtaining the power over technology service providers (TSPs) that provide services to federally insured credit unions — provided that any such authority requires NCUA to rely on state examinations of such service providers where such authority exists at the state level.)
- The NCUA Board chairman indicated to Sen. Tina Brown (D-Minn.) that credit unions in all communities – large and small, urban and rural – should be cognizant of risks presented by climate change. He said NCUA must consider storms and all material risks that occur as a result of climate change, including such risks as credit unions attached to a particular industry that is facing structure changes due to climate change, or credit unions in areas of high concentration of agricultural areas where crops are affected by climate change.
- A commitment by Harper for “more specialized training” of examiners working in agricultural areas to assess risks particular to those areas, in response to comments by Sen. Kevin Cramer (R-N.D.). “One of the complaints I hear from credit unions in ag lending is ‘our [NCUA] examiners, they don’t know the particular crop; they don’t know how this farm works.’ That is something certainly I would commit to you, if confirmed, to working with you to make sure that we get more specialized training for our examiners and help in our exams in that way.”
- On repeated questions about his views of a proposal that credit unions and banks report to IRS the deposits and withdrawals made by members to determine their tax liability, Harper repeatedly answered that, while he was aware of the proposal, he hadn’t looked at it in detail and indicated he couldn’t render an opinion on it. He did say there would be administrative costs – but wouldn’t characterize how big (or small) those would be. He asked if he could get back to the panel members who inquired about it after he’s had more time to study the proposal, which has been roundly criticized by credit union industry trade groups.
(Clockwise from upper left: NASCUS’ Lucy Ito joins NASCUS Executive Vice President and General Counsel Brian Knight, and NCUA Office of Examination and Insurance Director Myra Toeppe in a discussion of key issues)
(Aug. 20, 2021) The surging Delta variant of the coronavirus is putting a damper on NCUA’s plan to resume on-site operations, including exams, the agency’s top supervisor told the NASCUS S3 conference this week.
According to NCUA Office of Examination and Insurance Director Myra Toeppe, the continued phasing-in of on-site operations depends on the virus variant. She indicated a timetable still needs to be determined. However, the agency is ready (and willing) to go into a credit union whenever it sees a risk to the insurance fund, she said.
“We’ll go in where we need to go in if we see a risk to the insurance fund; we have been clear on that,” Toeppe said during a Tuesday session of the conference. (She was sitting in on the session in place of NCUA Board Chairman Todd Harper, who was unable to attend.) “We do have problem case officers that are doing things. Our regional offices, if we need to be on site, they will get with the (NCUA) executive director to determine from an insurance perspective if we need to go in. We’ve actually had to do some conservatorships during this time. Those are the exception, not the rule.”
But Toeppe emphasized that the agency would move with caution in any event. “People matter,” she said.
The agency’s top examiner also offered a strong defense for NCUA’s call for third-party vendor exam authority. “We do need it,” Toeppe, a former savings and loan regulator, said. “When I first came over to NCUA, I was stunned we didn’t have third-party vendor exam authority. I was used to always having it.” She said her former agency was never accused of abusing the authority, “and it was never a problem.”
Toeppe said NCUA sees reliance “more and more and more” by credit unions on the use of vendors and third parties to help them in a number of areas. She cited data processing and lending as examples.
The agency executive asserted that use of third-party vendors can become a source of risk to the share insurance fund. “And that’s always my focus,” she said. “We want to be sure we aren’t exposing the insurance fund to undue risk. And that’s really where it comes from; it’s a risk perspective for NCUA.”
She added that if the agency secures the authority (which will take an act of Congress to do so), NCUA would use it cautiously. She disputed some reports that the agency would be “ramping up” such as by hiring 500 additional examiners. “I think we’d use (the authority) prudently, where needed, just exactly like the state supervisors have done,” she said. “Where it’s needed, when it’s needed when we see a risk– just like the state supervisors, they’ve used it prudently. The banking regulators use it prudently. I don’t think there would be any difference.
She said that using the authority, when needed, is necessary to avoid a regulatory blind spot. “From (the perspective of) managing the share insurance fund, that makes us very nervous. That’s one thing that keeps me up at night,” she said.
In other comments, Toeppe said:
- Cybersecurity is a persistent threat; the one risk that just doesn’t go away. “We have ebbs and flows of other risks, but cybersecurity just keeps coming,” she said. “It just doesn’t stop, it’s in everything. It’s the constant ‘come at you’ thing. It’s high level, persistent.”
- NCUA is not discouraging mergers among credit unions (as opposed to banking regulators with banks, under an executive order from President Joe Biden). “We don’t tell (credit unions) no you can’t merge, but we want to make sure they are doing the right thing.”
- She has no problem with credit unions buying banks, as long as the transaction is done well and the credit union has done its homework. “Everyone thinks we rubber stamp them,” she said, adding the agency does not. She said the transaction must make sense, and that the agency has be sure of the risk that the insurance fund is taking on with the transaction.
(Aug. 6, 2021) Congress should give NCUA authority to examine (and enforce actions) over third party vendors, NCUA Board Chairman Todd Harper said in testimony to the Senate Banking Committee this week. He also urged Congress to make several improvements to the National Credit Union Share Insurance Fund (NCUSIF).
In May, Harper made similar requests before the House Financial Services Committee.
On exam authority, Harper asked Congress to give his agency exam and enforcement oversight of third-party vendors, including credit union service organizations (CUSOs). Calling the lack of authority a “regulatory blind spot,” Harper asserted that NCUA should have comparable authority as other federal financial institution regulators already have.
“While there are many advantages to using these service providers, the concentration of credit union services within CUSOs and third-party vendors presents safety and soundness and compliance risk for the credit union industry,” Harper told the committee.
He said the top five credit union core processor vendors provide services to approximately 87% of total assets held by credit unions. Additionally, he said, the top five CUSOs provide services to nearly 96% of total credit union system assets.
“A failure of even one of these vendors represents a significant potential risk to the (National Credit Union) Share Insurance Fund and the potential for losses from these organizations are not hypothetical,” Harper asserted. “Between 2008 and 2015, CUSOs contributed to more than $300 million in losses to the Share Insurance Fund alone.”
The NCUA Board chairman told the committee that the continued transfer of operations from credit unions to CUSOs and other third parties diminished the agency’s ability to “accurately assess all the risks present in the credit union system and determine if current CUSO or third-party vendor risk-mitigation strategies are adequate.”
NASCUS supports the agency obtaining the power over technology service providers (TSPs) that provide services to federally insured credit unions — provided that any such authority requires NCUA to rely on state examinations of such service providers where such authority exists at the state level. Further, NASCUS supports efforts to strengthen state regulatory exam and supervision of third parties providing services to state-chartered credit unions.
Regarding the insurance fund, Harper made three legislative requests to the committee:
- Increase the fund’s capacity by removing the 1.50% statutory ceiling on its capitalization;
- Remove the limitation on assessing premiums when the equity ratio exceeds 1.30% of equity in the fund to insured shares, giving the NCUA Board discretion on the assessment of premiums;
- Institute a risk-based premium system.
LINK:
(May 21, 2021) Giving his agency examination and enforcement authority over third-party vendors, and making key changes to the structure of the federal savings insurance fund for credit unions, were the top legislative requests made to a House committee by NCUA’s Todd Harper this week.
The NCUA Board chairman told the House Financial Services Committee – which held an oversight hearing of all of the federal credit union and banking regulators — that his agency needs the third-party exam authority because, increasingly, activities that are “fundamental” to credit unions are being outsourced to entities outside of the agency’s regulatory oversight. Those activities include, he said, loan origination, lending services, Bank Secrecy Act/anti-money laundering compliance (BSA/AML), financial management and technological services including information security and mobile and online banking.
Those third parties also include credit union service organizations (CUSOs), he said. And, he added, while there are many advantages to credit unions and members in using the service providers, “the concentration of credit union services within CUSOs and third-party vendors presents safety and soundness and compliance risk for the credit union industry.”
As examples, he pointed to the top five credit union core processor vendors which, he said, provide services to approximately 87% of total credit union system assets, and the top five CUSOs, which provide services to nearly 96% of total credit union system assets. “A failure of even one of these vendors represents a significant potential risk to the Share Insurance Fund and the potential for losses from these organizations are not hypothetical,” he asserted. “Between 2008 and 2015, CUSOs contributed to more than $300 million in losses to the Share Insurance Fund alone,” he added, referring to the National Credit Union Share Insurance Fund (NCUSIF).
Harper noted that now NCUA may only examine CUSOs and third-party vendors with their permission. He asserted that continued transfer of operations to third parties (and CUSOs) “diminishes the ability of NCUA to accurately assess all the risks present in the credit union system and determine if current CUSO or third-party vendor risk-mitigation strategies are adequate.“
NASCUS supports the agency obtaining the power over technology service providers (TSPs) that provide services to federally insured credit unions — provided that any such authority requires NCUA to rely on state examinations of such service providers where such authority exists at the state level. Further, NASCUS supports efforts to strengthen state regulatory exam and supervision of third parties providing services to state-chartered credit unions.
Regarding the insurance fund, Harper made three legislative requests to the committee:
- Increase the fund’s capacity by removing the 1.50% statutory ceiling on its capitalization;
- Remove the limitation on assessing premiums when the equity ratio exceeds 1.30% of equity in the fund to insured shares, giving the NCUA Board discretion on the assessment of premiums;
- Institute a risk-based premium system.
“These recommended changes, if enacted, would allow the NCUA Board to build, over time, enough retained earnings capacity in the Share Insurance Fund to effectively manage a significant insurance loss without impairing credit unions’ contributed capital deposits in the Share Insurance Fund,” he said. “Moreover, these changes would generally bring the NCUA’s statutory authority over the Share Insurance Fund more in line with the statutory authority over the operations of the (FDIC’s) Deposit Insurance Fund.”
LINK:
(April 23, 2021) Meanwhile, the NCUA Board did hear two briefings during its Thursday meeting: on cybersecurity and on an interim final rule (IFR) it adopted late last week on regulatory relief due to savings surges at credit unions.
Regarding the IFR, the board on April 16 announced it had adopted, by notation vote, the IFR that reduces the earnings retention requirement for credit unions classified as adequately capitalized, and permits an undercapitalized credit union to submit a streamlined net worth restoration plan if it becomes undercapitalized predominantly because of share growth during the coronavirus crisis. The rule is substantially similar to a rule adopted in May 2020 but that lapsed at year-end. The rule took effect immediately and remains in place until March 31, 2022.
In a release last week, the agency said that, due to the pandemic’s continued financial and economic disruptions, it was necessary to reintroduce the two temporary relief measures.
Under the first provision of the IFR (reducing the earnings retention requirement for credit unions classified as adequately capitalized), NCUA said those credit unions unable to meet the requirement will not have to submit a written application requesting approval to decrease their earnings retention amount.
Under the second provision (permitting an undercapitalized credit union to submit a streamlined net worth restoration plan if it becomes undercapitalized predominantly because of share growth due to the crisis), if a credit union becomes less than adequately capitalized for reasons other than share growth, it must still submit a net worth restoration plan under the current requirements in NCUA’s regulations.
A 60-day comment period, ending June 18, is also open for the IFR.
The briefing on cybersecurity provided a status update (including threats and mitigation trends). Johnny Davis, the agency’s top cybersecurity expert, focused on supply chain risk management in his presentation, noting the agency will host a table-top exercise on the issue in August. He said the agency is looking for credit unions to volunteer to participate in the exercise, to gauge if there are additional items for due diligence consideration by the agency.
Davis noted that NCUA will be working with the Treasury Department, the Department of Homeland Security, and other law enforcement and intelligence agencies to carry out the planned exercise with credit unions.
NASCUS President and CEO Lucy Ito said the association looks forward to the inclusion of state supervisory authorities in this effort and other NCUA table-top exercises to more fully capture the totality of the national credit union environment in modeling supply chain attacks and other possible cyber intrusions.
At the end of the conversation at the meeting, Board Member Hood made a pitch for NCUA to procure examination authority over vendors to credit unions. Davis, in response to Hood’s query, said doing so would require an additional eight to 11 agency staff members, and an annual budget of up to $2 million (although Hood indicated that if NCUA obtains vendor exam authority, he would favor the FDIC’s model of not increasing its budget, at least initially).
“It’s important to note that NCUA would focus only on those significant service providers in core processing and payment arenas that are not already covered in the work that we do jointly with the FFIEC and our banking (regulatory) counterparts,” Davis said.
He added that “selected entities” subject to oversight would need to pose a significant concentration risk to credit unions in regard to service and products being consumed. “Exams would not be on an annual basis; likely a three to five year life cycle,” he said, calling that “very similar to collective audit spread of security controls.”
Davis said that “lifecycle” would also give the agency a chance to continuously monitor effectiveness, noting that “operational efficiencies would occur over time.”
Regarding vendor exam authority for NCUA, NASCUS supports the agency obtaining the power over technology service providers (TSPs) that provide services to federally insured credit unions — provided that any such authority requires NCUA to rely on state examinations of such service providers where such authority exists at the state level. Further, NASCUS supports efforts to strengthen state regulatory exam and supervision of third parties providing services to state-chartered credit unions.
Later this year, NASCUS, in partnership with the Credit Union Natl. Assn. (CUNA), hosts the Sept. 3-Nov. 9 Cybersecurity eSchool, a multi-week, virtual program developed to explore latest popular and important cybersecurity topics, including strategies and tactics on how to keep credit union data safe.
LINKS:
Temporary Regulatory Relief in Response to COVID-19 – Prompt Corrective Action
April 2021 NCUA Board Presentation: Cybersecurity Update (Current Events and Trends)