When It Comes To CUSO Regulation, Can’t We All Just Get Along?

November 7, 2014 at 8:26 am Leave a comment

A day after the CU Times reported that NACUSO issued a call-to-arms urging credit unions to help fund regulatory and potential legal actions designed to protect CUSOs against regulatory encroachments by the NCUA, it is being reported that Home Depot’s data theft was much more serious than initially reported.  Not only were a mere 56 million credit card accounts compromised, but 53 million email addresses were also stolen.  It now appears that access to the system came from a password stolen from one of the company’s vendors.  Just how many issues does this raise?  Let me count them.

    • Look to you left, look to your right.  Then look down the hallway.  Think about the most technologically incompetent person you have working for your credit union.  Realize that your data security is only as safe as that employee can make it.  Data security starts with your employees.  Only give access to databases to those who truly need it.  The hackers are so sophisticated now that once they have access to a password, they can virtually sneak around your system and find more and more vulnerabilities.
    • I’ve said it once and I’ll say it again, and I expect NCUA will be saying it to you shortly:  your vendor contracts are absolutely crucial.  Given the explosion of technology, it is only natural that credit unions are going to turn to vendors.  If they don’t they won’t be able to provide the type of services that members expect.  But turning to the vendor doesn’t absolve the credit union of ultimate responsibility for the services the vendor is providing or the continuing need to protect member information.  Consequently, just like Warren Buffet never invests in a business he doesn’t understand, your credit union should never contract for technology it doesn’t comprehend.  Your vendor relationships must include ongoing monitoring by knowledgeable employees on your staff.  You should make sure that your vendors document on an ongoing basis that they are compliant with the latest data security standards.
    • CUSOs provide a crucial mechanism for credit unions to pool resources. Given the importance of vendor management, is it really that unreasonable for NCUA to seek a more holistic view of the CUSO industry? Personally, I don’t think so. The problem is that NCUA has sought to exercise powers it doesn’t yet have. Mandating that credit unions force their CUSOs to agree to NCUA audits is a blatant attempt to boot strap its jurisdiction.  But at the end of the day, it makes sense for NCUA to have a clear picture of what a CUSO is doing, Not only are these organizations providing services for credit unions, but their financial success or failure directly impacts credit unions’ bottom line. The middle ground is for everyone to be a lot less dogmatic and a lot more pragmatic. NCUA should seek specific legislative authority to regulate CUSOs. But it should only exercise enhanced oversight over those CUSOs that represent a truly systemic risk to the industry. This means that NCUA should base its enhanced auditing not on the type of services the CUSO provides, but on how many credit unions use its services.  In addition, NCUA should reduce its proposed risk rating for CUSOs.  Credit unions should be encouraged to use CUSOs as opposed to third-party vendors with no connection to the industry.

Entry filed under: Advocacy, Compliance, Regulatory. Tags: , .

The Day After How Smart Is Your Branch?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 442 other followers

Archives