Date: 2015-03-09
By Sarah N. Lynch and Douwe Miedema
people in positions of power is what keeps them up at night.
For Debbie Matz, the head regulator for 6,350 of the
nation's credit unions, it's an easy answer: a cyber hacker
sneaking in through a credit union vendor, cracking through to
the larger U.S. financial system and wreaking havoc along the
way.
For years, Matz has warned about a general vulnerability of
third-party vendors in U.S. financial markets, with little
success.
But the rise of cyber attacks, particularly the massive
breach at Target Corp that reportedly exploited a data
connection between the retailer and its heating and ventilation
systems contractor, has given new urgency to Matz's call.
Her primary plea is for Congress to give her agency, the
National Credit Union Administration, the power to examine and
police these vendors, which range from payment systems firms to
companies that help with social media.
"Vendors are such an integral part of the financial services
industry," Matz said. "We feel like our hands are really tied."
The NCUA is the only federal banking regulator that does not
have the power to examine third-party vendors, which range from
large companies such as Fiserv or Diebold, to
small companies that only serve credit unions.
To date, Matz's efforts to win such authority have been
thwarted.
The primary resistance is coming from credit unions
themselves and their third-party vendors. Trade groups
representing the credit unions and the vendors are aggressively
lobbying Congress against the idea, calling it a regulatory
overreach.
Carrie Hunt, a senior vice president for government affairs
at the National Association of Federal Credit Unions, said her
group opposes more oversight "unless there is a compelling
need," noting that it would be "incredibly expensive."
Because credit unions are assessed for the cost of their
federal regulator, more oversight would likely mean higher
costs.
The National Association of Credit Union Service
Organizations (NACUSO), which represents credit union vendors,
late last year launched an "advocacy fund" to hire people to
spread its message.
Guy Messick, NACUSO's general counsel, said that while he
also wants safe data networks, the group opposes the agency's
call for more power.
"But what we see with this argument for vendor authority is
to want to latch onto the issue of the moment to try to get that
authority, and then to overstate their position."
Matz is hoping that the recent string of high-profile data
breaches will get Congress to see things her way, even though
both chambers are controlled by Republicans, who tend to be wary
of greater regulation.
In the past 18 months, both JPMorgan Chase and Target
suffered massive data breaches.
For credit unions, Matz said the vendor-related risk is
acute.
"Five (information technology) vendors serve over 50 percent
of all credit unions, so there is tremendous inter-relationship
and the possibility of contagion," she said in an interview with
Reuters.
Senator Jack Reed, a Rhode Island Democrat on the powerful
Senate Banking Committee, told Reuters in a statement that
lawmakers are "taking a close look at it because there might be
an opportunity here to avoid future losses and improve the
safety and soundness of credit unions."
THIRD PARTY VENDORS ARE TARGETS
To date, there has been no publicly known breach of a credit
union vendor that has caused significant damage, but Matz says
the warning signs are there.
In 2011, for instance, a criminal ring penetrated the
payments technology firm Fidelity National Information Services
and managed to reap $13 million in unauthorized ATM
transactions.
David Kennedy, a former chief security officer at Diebold
who now runs his own firm, TrustedSec, said he was hired last
year by one credit union to test its online banking system. He
said he easily managed to gain access to sensitive customer data
at dozens more credit unions, all of which shared one common
third-party vendor.
"When it comes to most credit unions, security is barely
existent, if at all," he said.
The Office of the Comptroller of the Currency, which has the
authority to examine and punish bank vendors, has similarly
warned that community banks may not have the resources or
know-how to tackle vendor-related cyber threats.
The most critical vendors are visited at least once a year
by the OCC and the other two federal bank regulators, and in
most cases far more frequently. Less risky firms get tested once
every two years at a minimum, and even smaller ones every three
or four years.
LONG FIGHT FOR POWER
In December, Matz spoke about the issue during a meeting of
the Financial Stability Oversight Council, a federal regulator
whose mandate includes spotting emerging risks to financial
stability. Matz, who is a voting member, described how the lack
of oversight of credit union vendors puts the whole financial
system at risk.
It's not clear how much traction she got.
Matz also said the NCUA is meeting with lawmakers, drafting
proposed legislation, and updating a 2013 white paper arguing
for authority to examine third parties to include details about
cyber risks.
Adding to Matz's challenges is dissent within the NCUA.
J. Mark McWatters, the NCUA's Republican member, said in an
interview that the NCUA already requires credit unions to follow
due diligence protocols in their relationships with third
parties.
"Is vendor authority the most important thing to the credit
union community today? ... I don't think so," McWatters said.
