Whether the NCUA needs regulatory authority over vendors and how much that authoritywould cost is a matter of internal debate, board members said.

NCUA Chairman Debbie Matz said the agency intends to keep theimplementation budget neutral.

“We intend to work very hard to make sure that's the reality,and not just wishful thinking,” she said.

“We would not be hiring staff exclusively for this purpose. Wehave been, and continue to, hire subject matter examiners,particularly in the areas of information technology, businesslending and capital markets,” Matz added.

The FDIC did not increase its budget when it gained theauthority in 1999.

“I'm told by our Division of Finance staff that there was noimpact on our budget once we received this authority back in 1999under the Bank Service Company Act,” FDIC spokesman David Barrsaid.

However, NCUA Board Member Mark McWatters predicted the NCUA's budgetwould increase.

“It's problematic to suggest that the grant of vendor authoritywould not dramatically increase NCUA's already bloated operatingbudget,” he said.

“We're not just talking about cybersecurity. We're talkingabout, presumably, all vendors,” he said. “Lots of vendors and lotsof different areas of expertise beyond cybersecurity; I can't imageit won't be a substantial increase to the NCUA budget,” McWattersadded.

Matz emphasized the NCUA does not intend to examine vendors orCUSOs on a regular basis if it is granted the authority fromCongress.

“It would be on a need to examine basis when we have reason tobelieve there is something in that entity that could pose a threatto the system,” she said.

Matz said the agency is reallocating examiners to credit unionsthat hold the greatest risk.

“The examiners can also be used to examine vendors that may posea threat to a particular group of credit unions or to the system,”she said.

Matz said vendor authority is the agency's top legislativepriority. She added the agency feels like its hands are tied sinceit cannot examine or issue enforcement actions against third-partyvendors that are doing business with credit unions.

“It's been important all along but now in the age ofcyberthreats, it's absolutely critical. It's essential. We need tohave that authority to do our jobs properly,” she said.

NACUSO has created an advocacy fund with contributions from theassociation's members and retained the services of a governmentalrelations entity to communicate its opposition to Congress,including the congressional offices of members on the bankingcommittees.

“If NCUA gets vendor authority, it will be examining thousandsof additional businesses, where they don't have the expertise, andit will be very costly and ultimately the credit unions will bearthe cost of this. In a nutshell, that is why we are opposed to thisaction,” NACUSO President/CEO Jack Antonini said.

If the agency was granted the authority, Matz said the NCUAwould be on the forefront of detecting cyberthreats. She vowed toremain aggressive in advocating for the authority in meetings withlawmakers.

“Particularly in this day and age, with the trades going toCongress and the White House talking about the need for additionalprotections dealing with cybersecurity, this goes hand in glovewith those requests,” Matz said.

She continued, “Asking the president and Congress to dosomething on cybersecurity and not giving the regulatory agencyauthority that we need when we're closest to the industry and canhave the most direct impact on cybersecurity is shortsighted.”

McWatters warned vendor authority could hurt the NCUA'sreputation

“If you're granted the authority and you screw up and you don'texecute, you don't actually protect the credit unions from thesoftware that can be breached. Then the NCUA looks bad, so it's avery difficult issue,” he said.

McWatters questioned how the NCUA would be able to identify andprevent vendor security breaches.

“Does the NCUA have the expertise to actually deal with thisissue? I'm not at all convinced that the NCUA would be able toretain the services of third parties that would add much value tothe process,” he said.

McWatters said vendors are operating on a market basis and donot want their software to be breached.

“They're doing everything within their power not to bebreached,” he said. “To think that somehow the NCUA, with two orthree people, are going to be able to go in and solve the problemsand negate the risk of a hacker attacking a piece of softwarelicensed from a software provider is something I don't seehappening.”

Former NCUA Board Member Geoff Bacino said the NCUA does notneed authority over third party vendors.

“This is a new jacket on an old solution – the new jacket beingcybersecurity and my sense is, why does the agency think they cando it better than all of these other agencies that have directoversight and direct expertise in that area like the FBI,” saidBacino, who was appointed to NCUA board in 2000.

“What do they know that these other groups that have long-termexpertise in cybersecurity do not know?” he asked.

Matz said the NCUA would not be competing with the FBI or CIA,but instead working with them to combat cyberattacks.

“We intend to collaborate with them and cooperate with them andthey welcome that. A chain is only as strong as the weakest link,and the NCUA and credit unions are the weakest link because we donot have that authority,” she said. “(Other federal agencies) arevery concerned that we do not have that authority. They feel theirauthority is limited because we do not have that authority.”

Matz said a vendor examination would originate from a red flagnoticed during a normal credit union examination.

“We will have an established framework outlining thecircumstances under which we would go into a particular vendor orCUSO,” she said.

Bacino argued that a credit union would not put its reputationat risk for a vendor.

“The NCUA will tell you, 'we don't regulate the vendors.' No,but you regulate and insure the credit union. If you think for oneminute there's a credit union (leader) out there that's going toput his or her credit union, reputation, job and board at risk fora vendor, you've got to be kidding me,” he said.

McWatters said the current third party supervisory process issufficient.Matz confirmed that the agency has discussed the issuewith the White House.