NCUA officials are defending their decision to forward a supervisory letter on FIS to credit unions, noting that it's routine for the agency to share materials from other regulators and observing that credit unions which process with FIS needed to read the letter.
“It is a longstanding inter-agency practice to share reports, in this case produced by one of the banking agencies, with clients of record,” said Larry Fazio, Director of Examination and Insurance for the agency.
“The Federal Deposit Insurance Corporation, the Office of the Comptroller and the Federal Reserve Bank have all released this report, like other vendor reports, to their regulated institutions. NCUA, like the other agencies, is providing the report information for the sole purpose of facilitating vendor due diligence,” Fazio said.
Sources familiar with the agency's actions said officials had considered forwarding the letter “routine” and argued that the agency risked leaving credit unions unwarned if it had not sent it.
The sources, who spoke on background, pointed out that the agency had little choice but to share the letter and would have had to bear some degree of responsibility had credit unions suffered losses from risk of which the agency was aware but credit unions were not.
The sources also denied as “ridiculous” the idea that the agency was trying to drive credit unions away from using FIS when it warned credit unions to evaluate their relationship with the processor.
They pointed out that the decision to change payment processors was large enough and complex enough that neither the agency nor credit unions would be served by large numbers of credit unions going through that process at the same time.
Rather, the officials said the agency hoped that providing information to the credit unions would help bring market pressure on the processor to correct the security deficiencies as well as alert credit unions to the risk.