NCUA's Fenner to Congress: Give Us More Authority For Data Security

WASHINGTON – NCUA general counsel Robert Fenner testified before the House Financial Services' Subcommittee on Financial Institutions and Consumer Credit on May 18 that the agency needed more authority over third-party vendors in order to help protect against the ongoing risk of card data security breaches. "One continuing area of concern to NCUA is our lack of examination authority to review the operations of third-party vendors that provide services, such as loan processing and Internet banking, to credit unions," Fenner said in prepared testimony. "The Government Accountability Office (GAO) has noted this lack of authority on at least two occasions and recommended that NCUA pursue this issue with Congress. The authority currently exists for the other federal financial institution regulatory agencies and it temporarily existed for NCUA prior to expiring on December 31, 2001." Fenner noted a number of different types of card security breaches that have had an impact on credit unions in the last 18 months, including phishing scams, point-of-sale software breaches, and the theft of hard drives and computers from both credit unions and vendors. In the absence of this additional authority, NCUA has occasionally experienced difficulty in obtaining the full cooperation of vendors, and in obtaining key documents, such as financial statements and audit reports, Fenner said. He also noted that the evolving situation may require an expansion of authority. "While credit unions and other financial institutions are carefully regulated with respect to the issue of data security as a result of [current legislation], the examples in the first part of my testimony raise the question whether merchants and other parties should be subject to comparable requirements," Fenner said.