The CUSO Guru’s Vision for 2020

As I thought about what I would write as my vision for 2020, I looked back to see what I wrote as my vision for 2019.   Many economists were expecting higher interests rates and an economic slowdown in 2019.   Did not happen.  The year of 2019 has been a very good year for credit unions and our 401(k)’s.  Yes, Guru’s have 401(k)’s and we need them.   The cost of Uber Eats deliveries to the mountain top is not going down.

The prevailing forecast for 2020 is for continued growth.   Now we should be worried.  As to whether the financial forecast for 2020 is right, John Kenneth Galbraith, the famous economist, said it best.   “There are two kinds of forecasters, those who do not know and those who do not know that they do not know.”

Vendor Authority

In 2019, I predicted that there would be a battle with NCUA over vendor authority.  There was and that battle is intensifying.  NCUA wants Congress to give it vendor authority.  NCUA is justifying its most recent request in order prevent cyber-security threats that vendors could pose to credit unions.   Cyber-security issues pose a significant risk to all of us, especially for financial institutions.   Our argument is that – since most vendors that offer technology services to credit unions also offer them to banks regulated by the OCC and/or insured by the FDIC, cyber-security issues at those firms can be dealt with by the Federal Financial Institutions Examination Council (FFIEC) which examines IT vendors on behalf of the aforementioned federal financial institution regulators.  NCUA, like the Federal Housing Finance Agency (FHFA) and Farm Credit Administration (FCA) have not been given vendor authority by Congress.  However, as a member of FFIEC, NCUA could be added to the list of regulators that can receive examination information on IT vendors from the FFIEC.  Using one entity, the FFEIC, to review cyber-security issues is much more efficient, effective and less costly than if every financial institution regulator also examines the IT vendors.  This is preferable to extending unlimited regulatory and supervisory authority over all credit union vendors to NCUA, as has been proposed by the agency to Congress.  (It should be pointed out that even the OCC and FDIC do not have unlimited vendor authority as NCUA is asking for.  The oversight authority for OCC and FDIC is through the Bank Holding Company Act and only gives them limited vendor authority when a contracted vendor is performing bank-like activities on behalf of the bank or its holding company).

If NCUA is given examination authority for cyber-security purposes, is that really limited to just the core IT providers?   Any vendor with a computer can potentially infect a credit union.   The infamous Target breach was caused by a hack of Target’s HVAC provider.  Cyber-security as a reason for examinations is a gift that keeps on giving to those who want to expand the regulatory authority of NCUA.  Once inside a vendor, is there any doubt that non-cyber-security issues will be the subject of inquiry on “safety and soundness” basis ?  Who pays for this extra expertise at NCUA – credit union members, of course.  NCUA downplays the extra cost aspect.  Have government cost estimates are ever been right or under budget?

In 2020, NACUSO will continue to fight vendor authority, especially as it applies to CUSO’s.  As our Government Affairs Guru, Dennis Dollar, so eloquently states:

“Innovation has never been enhanced by regulation.”  

Credit unions need CUSO’s as the innovation incubator for credit unions.

The challenge in this fight is the political perspective.    As we know, it is impossible to completely defend against cyber-attacks.  Even the federal government’s secured servers have been hacked.   Bad headlines will occur no matter how many resources you throw at the problem.  Credit unions will suffer cyber-security breaches.   When the headlines of a credit union breach occur, a politician wants to be able to say that he or she did all they could to protect us by voting for more oversight.   And if the politician does not have to raise any taxes to spend on cyber-defense for credit unions (NCUA is funded by credit union members), it is a no-brainer of a political calculus.

In order to prevent the extension of full regulatory authority over vendors and CUSO’s, Congress has to be educated on the following:

  1. Cyber-security is very important and the resources to do that should be concentrated in one organization (the FFIEC) and not spread out among multiple agencies. Collaboration works.
  2. Giving NCUA authority to regulate all vendors, including the credit union’s landscaper and insurance agency CUSO, is absurd. Credit unions generally have about 200 vendors.  The number of credit unions NCUA currently regulates and/or insures is 5,281 which means that there are approximately 1,056,200 credit union – vendor relationships that would be subject to NCUA’s regulatory authority.
  3. Burdening credit union members with these additional regulatory costs will render credit unions less competitive to Fintech’s that do not have this burden and reduce the capital in credit unions to withstand economic downturns.
  4. CUSO’s are already subject to NCUA’s oversight. NCUA has all the information and power it needs through CUSO reporting obligations and the credit union owners to effectively deal with safety and soundness issues that may arise in a CUSO.

Vendor authority  would adversely affect the regulatory climate that has fostered so much innovation and generation of net revenue through CUSO’s.   NACUSO has engaged additional advocacy resources to prevent or contain vendor authority.  The support of credit unions and CUSO’s in this effort will be essential to prevail.

CUSO Trends

One trend that we see is that more and more vendors are forming CUSO’s.  The reasons vary.  In some situations, the vendor is owned by an entrepreneur who is near retirement age.   The credit unions want to insure that the vendor will be around to continue to serve them and the entrepreneur wants a retirement exit strategy.

In other situations, an entrepreneur wants to raise capital to serve credit unions.   Credit unions are very desirable investors.   They are also the users of the CUSO’s services so that means a flow of  income to the CUSO.  Credit unions are long-term investors that do not need a short-term window to cash out.  In fact, most of the benefits to a credit union investor tend to be from the enhanced services the CUSO provides to the credit union.

The third category is a vendor that wants its credit union customers to remain customers.  Often, these vendors serve banks as well as credit unions.  So they form a CUSO that is co-owned by the vendor and the credit unions.  The CUSO serves the credit union market.  If the vendor is ever sold, there is a means for the credit union owners to share in the sales proceeds so there is a reward for helping to build the vendor’s business.

We have seen an uptick in the formation of CUSO’s involved in some form of technology services.  Credit unions understand that they need to fight to stay ahead of the curve in technology.   CUSO’s that advise and provide services to build out a credit union’s technology platform are getting traction.

Forecast for the Next Decade

Keeping in mind the wisdom of John Kenneth Galbraith about no one begin able to accurately forecast, I will forecast with the knowledge that if I am wrong, I will not care.  In 2029 I will be on a beach with an umbrella drink in my hand.

With that caveat in mind, here we go.  As of September 2019, the 5,281 federally insured credit unions break down as follows:  1,352 credit unions under $10 million, 2,343 credit unions $10 million to $100 million, 1,012 credit unions $100 million of $500 million, and 574 credit unions $500 million or greater.   In 2029, we will no longer have a category of credit unions under $10 million as there will not be any.   Sadly, those credit unions will have to grow or merge.  If the credit union industry continues to shrink at the rate of 3% per year, that means that in 2029 there will be a little less than 4,000 federally insured credit unions.  I  believe that at least 25% will be above a billion in assets.

There are approximately 1,000 CUSO’s and about one-third of credit unions have a CUSO ownership relationship.   Given the challenges facing credit unions that CUSO’s can help address, the number of credit unions with a CUSO relationship will be 95%.  Those credit unions who do not use CUSO’s will cease to be competitive.

On April 30, 2027, the number of CUSO’s will exceed the number of credit unions.  Really?   Well maybe, but I really enjoyed making that prediction.

What I cannot predict is whether NCUA will continue to exist.  Will there be a drive to combine financial regulators for efficiency and costs savings?  Will 4,000 credit unions be enough to justify a separate regulator?    I do know that it is in NCUA’s interest to encourage credit unions to collaborate to preserve as many charters as it can.   Will there be an NCUA Office of Collaboration Development?   If I were running things there would be.   But that is hard to do from a beach chair.

ABOUT THE AUTHOR: Guy Messick, the CUSO Guru, is General Counsel to NACUSO and a partner in the law firm of Messick & Lauer  & Smith P.C. Guy and former NCUA Chairman Dennis Dollar will join again this year in what has become one of the most popular panel discussions of the NACUSO conference.  With a special emphasis on regulatory actions both current and anticipated, Messick and Dollar team up to provide over fifty combined years of insight into what is happening at NCUA, CFPB and other agencies with an impact on credit unions and CUSOs.