Regulatory Insights: NCUA's John Kutchey on Stability and Security

Safety and soundness are issues for financial institutions of all sizes, including federally-regulated credit unions. But basic information security is also a challenge - especially for smaller, under-resourced institutions, says John Kutchey, deputy director of the National Credit Union Administration's (NCUA) Office of Examination and Insurance.

In an exclusive interview, Kutchey discusses:

Top regulatory issues for U.S. credit unions;
Information security challenges that must be addressed;
Key areas of focus for the NCUA looking ahead to 2009.

Kutchey was appointed to his current position in September 2008. As deputy director, Kutchey assists the E&I director to oversee the agency's supervision and examination program, risk management and data collection programs. Kutchey comes to the position after serving as director of Risk Management within E&I.

Kutchey joined NCUA in 1990 as an examiner in Baltimore, Md. During his NCUA career, Kutchey has held numerous positions -- problem case officer, supervisory examiner, director of Supervision in Region II, and director of Risk Management.

TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with John Kutchey, Deputy Director of the Office of Examination and Insurance with the National Credit Union Administration. John thanks so much for joining me.

JOHN KUTCHEY: Absolutely, my pleasure.

FIELD: John I see we are coming up on your first anniversary and they have given you quite a year in your new office.

KUTCHEY: It has been nothing short of nonstop action that is for sure.

FIELD: Tell us just a little bit about yourself and your role now with the NCUA. I understand you have got a great deal of experience in the credit union industry and with the NCUA in particular.

KUTCHEY: Well at this point I am the E&I Deputy Director and that stands for our Office of Examination and Insurance. My primary role is to oversee the examination and supervision functions for the agency as well as the risk management function that also resides in our E&I office. I have been doing that now officially for about a year and unofficially for about a year and half. Prior to that I was actually the Director of Risk Management when the economy and the mortgage markets started to meltdown so I have been kind of in this full-bore since really the meltdown began in our central office here.

FIELD: So while you are really watching history being made in a lot of ways.

KUTCHEY: Absolutely. We have actually sat down as a group, our senior management, and multiple times have made the comment that our kids are going to read about this sequence of events in history books in the future.

FIELD: That is exactly right and you might be writing it.

KUTCHEY: It could be.

FIELD: John what are the biggest issues that your office is grappling with this year?

KUTCHEY: Really our top issue is and remains the corporate credit union stabilization efforts. Beginning September or so of last year my office, my staff as well as many of the senior managers in the agency have really been focused on the corporate credit union issues, the distressed mortgage assets that they hold, which has had a trickle down impact on natural person credit unions as well, and represents somewhat of a safety and soundness concern for the industry.

We have been working on a lot of different things to bring that to successful conclusion and resolve the issues with the most recent being the approval of legislation by Congress that is actually to set up a temporary corporate credit union stabilization fund, which is for lack of a better reference, more or less a second insurance fund that we now have established that is designed to help absorb the costs of the corporate credit union stabilization efforts and to help space out the premium assessments that natural person credit unions will have to pay in order to repay treasury for the stabilization funds. That would be our number on priority at the moment. Following in a close second with quite honestly the natural person credit unions, though they weren't originators of the troubled mortgages and assets that are now out there kind of choking the industry and the financial markets, they are players in it. They purchased mortgage-backed assets that have these loans as collateral and that is really a large part of what the corporate credit union problem is right now.

And then honestly just the general economic situation is going to have a residual impact on credit unions as a whole so we are seeing stress at this point and some decline in net worth strains, some operating losses, but the best thing the industry has got going for it to be quite honest with you Tom is they started this whole process with an all-time high level net worth at just about 11 percent and it is still at this point over 10 percent, which is still 300 basis points higher than what we consider a well-capitalized institution.

FIELD: That is very good. John if you step away from the safety and soundness for a minute and the economic conditions, what do you find to be the top regulatory challenges for your credit unions this year?

KUTCHEY: I guess the number one has been for the last couple of years and largely remains in place would the Bank Secrecy Act issues. It continues to get a lot of attention in relation particularly to the anti-terrorists efforts that go on both nationally and internationally so that is an area of focus that we continue to stress here at NCUA.

The SAFE Act, the Act that basically is establishing a mechanism to register mortgage brokers and mortgage originators around the country is something that we are rolling out at this point that also is one of our challenges and focuses at this point in 2009.

Quite honestly just general IT security remains a growing issue as more credit unions rely on the internet to deliver electronic services to their members it creates more and more vulnerabilities and potential areas of risk for the industry so it is something we have put a lot of resource and time into as well.

FIELD: You know it is interesting you mentioned BSA, you are the first regulator that has singled that our particularly. Is it an educational and awareness challenge for you with the credit unions?

KUTCHEY: Largely yes, you know credit unions traditionally have been an industry with fairly tight fields of membership where management has traditionally known every member that walked in the door. But that is no longer the case per se, over a quarter of all of credit unions right now are what we call community charter institutions so they who comes in as potential members is a much wider and diverse group of people now.

So there is more emphasis placed by us on that particular area and quite honestly BSA is a challenge for NCUA to regulate simply because a lot of our institutions are smaller in size and don't necessarily have the same level of expertise and the same amount of resources to pour into the BSA process as larger credit unions and banks would. So there is always a regulatory challenge that is created for us and will continue to be something that will continue to be a focus for us.

FIELD: Now John one of the things that the NCUA has started examining over the last year has been the identity theft Red Flags Rule compliance. Given what your examiners have seen out in the field, what is your sense of what is working in terms of compliance and what still needs work?

KUTCHEY: I guess the biggest thing still remains just basic computer literacy and update and maintenance by credit unions. Basic things like keeping firewall software up to date, I mean that is a classic example. A lot of time when we go out into institutions they don't necessarily have all of the current patches for their firewalls installed or their internet security software, so just really at the most basic level keeping a focus on that type of an issue.

Maintaining trained staff in the credit unions is another issue. We spend time looking at the human engineering issue for ID theft, the concept that the staff of a credit union knows who they are talking to on the other end of the phone and that there are security measures taken to identify callers who are looking for account information. So the human engineering side maintaining their current or their software as current as possible with updates and patches are probably the two things that we note the most.

FIELD: It sounds like generally the challenges of dealing with institutions where you have got people wearing multiple hats and information security is one of them.

KUTCHEY: Exactly. And that comes down to the size and the sophistication of the institution as well. Again, many of our credit unions are small in size and exactly as you just said they wear multiple hats yet they offer the same types of advanced web services that a much larger institution would offer so really it is an educational process as much as anything between our examiners and credit unions to make sure that they are securing their information and data to the fullest extent possible.

FIELD: Now one of the topics at the NCUA Board, and I know GiGi Highland [indiscernible] was very outspoken on last year, was vendor management. How are the credit unions responding to the call for improving vendor management?

KUTCHEY: I think that continues to be an area of focus and emphasis for us and will continue to be as well. The institutions themselves have taken the information that we have provided and the direction seriously. Credit unions though continue to grow in their sophistication and in their complexity as far as the types of services that they are offering their members and a lot of this requires third parties and outsourcing.

So this continues to be a challenge for credit unions to have the time to do the proper level of due diligence, not just up front when you are starting the program but ongoing maintenance of contract reviews, looking at the financial strength of the institutions and the vendors that they are using and just the general structure of the relationships. Those are things that continue to be challenges for credit unions and us during examinations we continue to emphasize that area.

FIELD: Now John given what you know now, what do you expect to be the top regulatory issues as credit unions go into 2010?

KUTCHEY: That is a good question. I think one of the top priorities or issues is going to be reforming the corporate credit union system. It is something that we have actually already started but due to the size and the complexity of that issue it is something that will definitely go and move into to 2010 as well.

We are focused right now on trying to get a proposed rule out in the 2009 timeframe and get it into the public's hands for review and comment, but it is something that I really don't anticipate or expect would be completed until the 2010 period. That has implications for not only corporate credit unions but it also has implications for natural person credit unions because since natural person credit unions basically make up the membership of the corporates, it is up to them to basically they are the ones that are going to be most impacted by whatever we implement in terms of regulation in that area, whether it is capital requirements for the corporate credit union system or a natural person credit union that is going to have to make the decision on whether they increase or they maintain their level of investment in support of the corporate. Do they increase it or do they decrease it? What level of services they are comfortable with using in the new corporate structure? So that is probably one of the biggest things that everyone is kind of anxious to see going into 2010.

The other one is not necessarily a direct impact at this point but it is going to have direct impact on NCUA, which will ultimately result in some form of an impact on credit unions, is the whole discussion that is going on right now related to a new consumer compliance agency that has been making headlines. The President discussed it in his news conference last night on national television and that has a direct impact on NCUA as well as we are responsible for consumer compliance in the credit union industry.

We have already got several staff in our central office who are dedicated to the consumer compliance function and we also have numerous examiners around the country that specialize in consumer compliance but we are looking to support this initiative on a national basis so that is something that we will continue to monitor here at NCUA and implement whatever changes and adjustments are needed in order to be supportive of this national initiative.

FIELD: Now I know that one of the issues that the NCUA has had is just having enough examiners to do the examinations, which leads me to a final question. What do you see as your office's main challenges in helping the credit unions address these issues that you have outlined for next year?

KUTCHEY: Actually you really lead into it with one of the main issues, staffing and resources is our biggest challenge right now. As the economy stays in the level of recession that it has been in, the longer it goes, the longer the mortgage market stays in the level of stress, the more difficult for all financial institutions to produce high levels of performance and results and credit unions are no different than that. So the longer the recession lasts the more stress there is on credit unions, the more supervision and oversight that will be needed by NCUA.

So really placing our resources that we have in the institutions that are feeling the highest level of stress, identifying those institutions timely and really working closely with them to resolve their problems so that at the end of this whole process the credit union system remains as robust as it was when it when in. That is really one of our biggest challenges now as we go into 2010.

FIELD: Well John I appreciate your time and your insight today. Thank you very much.

KUTCHEY: Absolutely. My pleasure.

FIELD: We have been talking with John Kutchey of the NCUA. For Information Security Media Group, I'm Tom Field. Thank you very much.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.