Technology Service Providers and Credit Unions

link to page 1



May 10, 2024
Technology Service Providers and Credit Unions
This In Focus summarizes issues regarding the
vulnerable to hacking and malware breaches relative to
cybersecurity risks posed by third-party vendors that
their larger counterparts. Hence, many credit unions, which
provide credit unions with technology services. It begins
are generally smaller relative to many small banks, are
with background on the reliance on technology service
arguably more vulnerable. Figure 1 illustrates number and
providers (TSPs) by depositories (i.e., credit unions and
asset size differences between small credit unions and small
commercial banks) and the ongoing concerns of their
banks, defining small as $1 billion or less in assets.
primary federal regulators. Next, the regulatory authorities
Although small credit unions outnumber small banks, they
that the National Credit Union Administration (NCUA), the
collectively hold significantly fewer assets relative to the
primary federal regulator of credit unions, has over TSPs
small banks. (For more information on similarities and
are compared to those of the three federal bank regulators—
differences between credit unions and banks, see CRS In
the Federal Reserve, the Office of the Comptroller of the
Focus IF11048, Introduction to Bank Regulation: Credit
Currency, and the Federal Deposit Insurance Corporation
Unions and Community Banks: A Comparison, by Darryl E.
(FDIC). Specifically, the bank regulators have the authority
Getter.)
to supervise TSPs used by banks, but the NCUA does not
have the authority to supervise TSPs used by credit unions.
Figure 1. Small Credit Unions and Small Banks:
The NCUA has requested that Congress grant it authority
Number of Firms and Total Assets
similar to the banking regulators’ authority. A discussion of
2004-2023
additional technology adoption challenges with
implications for the credit union system follows.
Background
As more financial transactions are conducted online,
financial institutions that lack in-house technological
expertise increasingly rely on third-party TSP vendors.
TSPs develop software and interfaces for customer
accounts and payment services, as well as cloud computing
services for data storage. A survey of financial institutions
released in 2023 shows a 91% increase in the adoption of
cloud services since 2020.
Credit unions have participated
in this trend. With growing reliance on TSPs, the NCUA (as
well as the federal bank regulators) is increasingly
concerned with operational risks—the risk of loss having to
do with failed internal controls, people, systems, or external
events. Operational risks in the form of cyber-related
disruptions (e.g., unauthorized access to customer data) can
occur at either a depository or a TSP and may weaken
public trust and confidence in the financial system.
Operational risks can also increase the potential of systemic
risk
—widespread panic runs on depositories, especially
under circumstances when multiple depositories rely on the
same TSP that experiences a breach. On November 26,
2023, for example, the NCUA announced that a credit

union TSP experienced a ransomware attack on its cloud
Source: CRS using data provided by the FDIC and NCUA.
services, affecting reportedly 60 credit unions and
approximately 100,000 credit union members.

Regulatory Authority Over TSPs
Bank regulators have a broad set of authorities to supervise
According to the U.S. Treasury’s Office of Financial
vendors, such as TSPs, that have contractual relationships
Research, the percentage of businesses affected by
with banks. The Bank Service Company Act (P.L. 87-856)
ransomware attacks rose from 79% to 87% in 2023.
provides bank regulators with the authority to examine and
Furthermore, small depositories, which have limited
regulate TSPs that provide services to banks, including
resources for data security and rely more on TSPs, face
check and deposit sorting as well as posting, preparation of
heightened vulnerability compared to larger depositories.
statements, notices, bookkeeping, and accounting.
The NCUA cited a report noting that small depositories
Therefore, using vendors does not reduce a bank’s
with less than $35 million in annual revenue are extremely
responsibility to ensure that the actions of contractors are
performed in a safe and sound manner. Activities conducted
https://crsreports.congress.gov

Technology Service Providers and Credit Unions
through a TSP must meet the same regulatory requirements
Credit union trade groups, however, have opposed restoring
as if they were performed by the bank itself. For example,
NCUA’s authority over credit union TSPs. The opposition
bank regulators may conduct formal on-site examinations
arises due to an anticipated increase in costs for the NCUA
of bank TSP cloud providers, as the Federal Reserve did in
to hire specialized examiners, which would be covered by
April 2019.
levying additional fees on credit unions unless the
legislation provided another funding source. The trade
By contrast, NCUA lacks the same authorities held by the
groups recommend that the NCUA use its existing authority
banking regulators. In a March 2022 report, the NCUA
to obtain information from CUSOs, which are already
discussed not having examination, enforcement, or
owned by credit unions. In addition, they argue that the
corrective action authority over TSPs, including credit
NCUA—as a member of the Federal Financial Institutions
union service organizations (CUSOs) that are wholly or
Examination Council, an interagency body of federal
partly owned by credit unions and provide financial support
financial regulators including the banking regulators—
services for credit unions and their members. The report
should be able to gain access to TSP examinations
notes that the Examination Parity and Year 2000 Readiness
conducted by other council member agencies when a TSP
for Financial Institutions Act (P.L. 105-164) gave the
serves both credit unions and banks. If the NCUA is not
NCUA temporary authority over TSPs and CUSOs as part
granted access, they argue that Congress should compel the
of Y2K readiness, which expired on December 31, 2001.
other regulators to provide them with access.
On October 27, 2021, the NCUA expanded the list of
permissible activities and services that CUSOs can perform,

Legislation has been introduced to address these issues. In
thus increasing the need for greater vendor authorities.
the 117th Congress, S. 4698, the Improving Cybersecurity
of Credit Unions Act, was introduced and referred to the
Section 501 of the Gramm-Leach-Bliley Act (P.L. 106-102)
Senate Banking, Housing, and Urban Affairs Committee. In
requires financial institutions to ensure the security and
the 118th Congress, H.R. 7036, the Strengthening
confidentiality of customer information. Therefore, despite
Cybersecurity for the Financial Sector Act of 2024, was
its lack of authority over TSPs, the NCUA uses its
introduced on January 18, 2024. These bills would give
supervisory authority over credit unions to help mitigate
NCUA the authority to regulate TSPs, among other things.
cybersecurity risks through requirements and guidance. For
example, NCUA has adopted a cyber incident notification
Additional Technology Challenges
framework, which includes requirements for credit unions
Small financial institutions—particularly those providing
to follow when a cyber incident occurs. In addition, NCUA
financial services primarily to underserved communities,
provides credit unions with guidance on how to evaluate
which would include mission-driven credit unions—face
third-party TSP relationships. NCUA also provides updated
significant challenges when attempting to acquire new
information about ransomware threats and attacks.
technologies. The Government Accountability Office notes
that some small mission-driven institutions are unable to

Despite these efforts, the NCUA still seeks the restoration
offer online checking and payment services to customers,
of previous authority that would be similar to that of the
accept online loan applications, conduct automated
banking regulators over TSPs. Without this authority, the
underwriting, or submit data electronically. For this reason,
NCUA notes that operational risks increase—not only for
the NCUA provides technical assistance grants to eligible
credit unions but also for the National Credit Union Share
credit unions to support increased technological capacity
Insurance Fund, which is the federal deposit insurance fund
and train support staff. Nevertheless, the costs to adopt
for credit unions. The ability to supervise TSPs would
technologies, which must also be updated continually to
potentially reduce possible losses to the fund that would be
mitigate cybersecurity risk vulnerabilities, are likely to
borne by the credit union system and taxpayers. The
continue increasing.
Financial Stability Oversight Council also recommends that
Congress pass legislation providing adequate examination

Darryl E. Getter, Specialist in Financial Economics
and enforcement powers to the NCUA, along with other
Paul Tierno, Analyst in Financial Economics
relevant agencies (e.g., the Federal Housing Financing
Agency), to oversee TSPs that interact with regulated

IF12665
entities.


https://crsreports.congress.gov

Technology Service Providers and Credit Unions


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF12665 · VERSION 1 · NEW