NCUA should rely on state exams
of 3rd party tech service providers

JULY 7, 2015 -- NCUA should rely on exams of third-party technology service providers that are already administered by state credit union supervisory agencies “to the maximum extent feasible,” NASCUS President and CEO Lucy Ito said today in response to a recommendation made by the Government Accountability Office (GAO) in a July 2 report.

In the report released last week, the GAO recommended that Congress should consider granting NCUA authority to examine third-party technology service providers for credit unions. The GAO reasoned that bank regulators directly address the risks posed to their regulated institutions from third-party technology service providers, but that NCUA lacks the authority. Authorizing NCUA to routinely conduct such examinations, GAO stated in the report, could help the agency “better ensure that the service providers for credit unions also follow sound information security practices.”

But Ito noted that three out of every four state credit union regulators already have the power to examine CUSOs that are third-party technology providers.

In a statement, Ito said NASCUS has been on record in support of NCUA’s desire to obtain examination authority over technology service providers since year 2000, and the concern about the Y2K date changes.

However, she noted that NASCUS supports this authority over technology service providers to the extent that the agency will rely on exams of these entities that are already administered by state credit union supervisory agencies to the maximum extent feasible.

“This would reduce system redundancy, minimize regulatory burden, and foster interagency cooperation and coordination while also strengthening cybersecurity across the industry,” she stated.

Ito statement on GAO recommendation

GAO Study: CYBERSECURITY -- Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information

News Story Archive