Credit unions battle their regulator over cyber securityReprints
(Reuters) — A common question asked of people in positions of power is what keeps them up at night.
For Debbie Matz, the head regulator for 6,350 of the nation's credit unions, it's an easy answer: a cyber hacker sneaking in through a credit union vendor, cracking through to the larger U.S. financial system and wreaking havoc along the way.
For years, Ms. Matz has warned about a general vulnerability of third-party vendors in U.S. financial markets, with little success.
But the rise of cyber attacks, particularly the massive breach at Target Corp. that reportedly exploited a data connection between the retailer and its heating and ventilation systems contractor, has given new urgency to Ms. Matz's call.
Her primary plea is for Congress to give her agency, the National Credit Union Administration, the power to examine and police these vendors, which range from payment systems firms to companies that help with social media.
“Vendors are such an integral part of the financial services industry,” Ms. Matz said. “We feel like our hands are really tied.”
The NCUA is the only federal banking regulator that does not have the power to examine third-party vendors, which range from large companies such as Fiserv or Diebold, to small companies that only serve credit unions.
To date, Ms. Matz's efforts to win such authority have been thwarted.
The primary resistance is coming from credit unions themselves and their third-party vendors. Trade groups representing the credit unions and the vendors are aggressively lobbying Congress against the idea, calling it a regulatory overreach.
Carrie Hunt, a senior vice president for government affairs at the National Association of Federal Credit Unions, said her group opposes more oversight “unless there is a compelling need,” noting that it would be “incredibly expensive.”
Because credit unions are assessed for the cost of their federal regulator, more oversight would likely mean higher costs.
The National Association of Credit Union Service Organizations (NACUSO), which represents credit union vendors, late last year launched an “advocacy fund” to hire people to spread its message.
Guy Messick, NACUSO's general counsel, said that while he also wants safe data networks, the group opposes the agency's call for more power.
“But what we see with this argument for vendor authority is to want to latch onto the issue of the moment to try to get that authority, and then to overstate their position.”
Ms. Matz is hoping that the recent string of high-profile data breaches will get Congress to see things her way, even though both chambers are controlled by Republicans, who tend to be wary of greater regulation.
In the past 18 months, JPMorgan Chase as well as Target suffered a massive data breach.
For credit unions, Ms. Matz said the vendor-related risk is acute.
“Five (information technology) vendors serve over 50% of all credit unions, so there is tremendous inter-relationship and the possibility of contagion,” she said in an interview with Reuters.
Sen. Jack Reed, a Rhode Island Democrat on the powerful Senate Banking Committee, told Reuters in a statement that lawmakers are “taking a close look at it because there might be an opportunity here to avoid future losses and improve the safety and soundness of credit unions.”
Third party vendors are targets
To date, there has been no publicly known breach of a credit union vendor that has caused significant damage, but Ms. Matz says the warning signs are there.
In 2011, for instance, a criminal ring penetrated the payments technology firm Fidelity National Information Services and managed to reap $13 million in unauthorized ATM transactions.
David Kennedy, a former chief security officer at Diebold who now runs his own firm, TrustedSec, said he was hired last year by one credit union to test its online banking system. He said he easily managed to gain access to sensitive customer data at dozens more credit unions, all of whom shared one common third-party vendor.
“When it comes to most credit unions, security is barely existent, if at all,” he said.
The Office of the Comptroller of the Currency, which has the authority to examine and punish bank vendors, has similarly warned that community banks may not have the resources or know-how to tackle vendor-related cyber threats.
The most critical vendors are visited at least once a year by the OCC and the other two federal bank regulators, and in most cases far more frequently. Less risky firms get tested once every two years at a minimum, and even smaller ones every three or four years.
Long fight for power
In December, Ms. Matz spoke about the issue during a meeting of the Financial Stability Oversight Council, a federal regulator whose mandate includes spotting emerging risks to financial stability. Ms. Matz, who is a voting member, described how the lack of oversight of credit union vendors puts the whole financial system at risk.
It's not clear how much traction she got.
Ms. Matz also said the NCUA is meeting with lawmakers, drafting proposed legislation, and updating a 2013 white paper arguing for authority to examine third parties to include details about cyber risks.
Adding to Ms. Matz's challenges is dissent within the NCUA.
J. Mark McWatters, the NCUA's Republican member, said in an interview that the NCUA already requires credit unions to follow due diligence protocols in their relationships with third parties.
“Is vendor authority the most important thing to the credit union community today? ... I don't think so,” Mr. McWatters said.