Vendor exam authority for NCUA falls short in Senate

AUG. 6, 2015 -- An amendment to give NCUA exam authority over third party vendors – including those providing cyber security practices – fell short of being added to cyber security legislation under consideration by the Senate Wednesday.

Under the amendment offered by Sen. Elizabeth Warren (D-Mass.) to the Cybersecurity Improvement Act (CISA, S.754, sponsored by Sens. Richard Burr, R-N.C., and Dianne Feinstein, D-Calif.,) NCUA would have regulation and examination authority over any service providers to credit unions.

“If an insured credit union that is regularly examined or subject to examination by the Board, causes to be performed for itself by contract or otherwise, any service authorized under this Act, or in the case of a State credit union, any applicable state law, whether on or off its premises,” the amendment stated in part, adding “such performance, including any cybersecurity practice, shall be subject to regulation and examination by the Board to the same extent as if such services were being performed by the insured credit union itself on its own premises.”

NASCUS supports the agency obtaining examination authority over technology service providers (TSPs) that provide services to FISCUs -- provided that any such authority requires NCUA to rely on state examinations of such service providers where such authority exists at the state level.

Senate leaders considered more than 70 amendments to be added to CISA, ultimately deciding on 21 -- 10 Republican and 11 Democratic additions. Warren’s amendment was not among the Democratic amendments. Further action on the bill is not expected until September.

News Story Archive