House Financial Services Committee Issues Statement From NCUA Office of Examination & Insurance Director Lay

WASHINGTON, May 18 -- The House Financial Services Committee Task Force on Artificial Intelligence issued the following statement by Kelly J. Lay, director of the Office of Examination and Insurance at the National Credit Union Administration, involving a hybrid hearing on May 13, 2022, entitled "Keeping Up With the Codes - Using AI for Effective RegTech":

* * *

Thank you for conducting this hearing on the effective use of Artificial Intelligence (AI) in RegTech and the opportunity to testify before you today.

My name is Kelly Lay, and I am the Director of the Office of Examination and Insurance at the National Credit Union Administration (NCUA). I started my career with the NCUA as an examiner in the field and have held various positions throughout the agency. Most recently, I was the NCUA's Director of the Office of Business Innovation and led the development and implementation of the agency's new examination platform, the Modern Examination and Risk Identification Tool, also known as MERIT.

The NCUA's mission is to protect our nation's system of cooperative credit and its member-owners through effective chartering, supervision, regulation, and insurance. To achieve this, the agency's examination program focuses on risks to the broader system and the National Credit Union Share Insurance Fund. The credit union industry is comprised of 4,942 federally insured credit unions, with 129.6 million credit union member owners, with total assets of $2.06 trillion dollars./1

In my testimony today, I will first focus on the agency's examination modernization efforts and highlight the research the NCUA has conducted in the realm of AI and RegTech. Second, I will discuss the NCUA's challenges to incorporate AI and RegTech in the credit union industry. Third, I will relay the findings of last year's request for information on the institutional use of AI. Finally, I will conclude with a legislative request for third-party vendor authority for the NCUA.

NCUA Examination Modernization and Research

In 2015, the NCUA formed the Enterprise Solution Modernization Program to help its staff regulate and supervise credit unions more efficiently. The program aims to modernize the NCUA's technology solutions to create an integrated examination and data environment and facilitate a safe and sound credit union system. This modernization initiative aligns with the NCUA's efforts to:

* Reduce the burden on credit unions and increase agency efficiency by reducing onsite examination time;

* Improve offsite supervision capabilities with better data and analytics;

* Provide consistency and standardization for the examination and supervision process with modernized, flexible applications; and

* Improve communications between the NCUA, credit unions, and State Supervisory Authorities.

As an initial step, the NCUA prioritized replacement of the legacy examination application, the Automated Integrated Regulatory Examination System (AIRES), which was over 25 years old. The agency also prioritized the need for a single point of entry for interacting with and accessing NCUA applications. The goal was to create a secure, modernized infrastructure to serve as a technical foundation for all future application modernizations.

After several pilot phases, the NCUA rolled out MERIT, including enhanced, integrated analytics utilizing a business intelligence tool, and our new, secure central user interface, called NCUA Connect, to the NCUA, State Supervisory Authorities, and credit unions in the second half of 2021. Currently, the NCUA has focused on helping users through this significant transition while deploying system enhancements.

As the NCUA's modernization efforts continue, the agency has an opportunity to integrate new technological solutions, applications, and data from other sources for centralized access and view into a credit union. There is a potential opportunity for offsite work and earlier risk identification with enhanced analytics capabilities. The NCUA has another ongoing modernization project that focuses on a virtual examination model to prepare for this potential development.

In 2017, the NCUA Board also approved virtual examination exploration and research funding. The agency's goal is to transition, within the next five to ten years, the examination and supervision function into a predominantly virtual one for credit unions that are compatible with this approach.

The virtual examination model should lead to greater use of standardized interaction protocols and enhance advanced analytical capabilities. For subject matter experts, the benefits are more consistent and accurate supervisory determinations and greater clarity about how the NCUA conducts supervisory oversight between the agency and credit union staff.

Currently, the virtual examination project is in the research and discovery phase. During this phase, staff identifies new and emerging data sources and methods to access the data, assesses advancements in analytical techniques, and considers harnessing other technologies to automate or streamline various aspects of the examination process. So far, research efforts have been focused on deploying AI solutions.

Specifically, the NCUA is in the testing phase of deploying a machine learning (ML) model to perform data validation more efficiently with quarterly Call Reports and profile submissions. This technique automatically clusters credit unions into various buckets and is more appropriate for time-series data. Further, this technique employs forecasting models comparing actual and predicted values to identify outliers. Deployment of this new technique is expected to occur in the next four quarters and should result in more reliable and consistent Call Report filing across the credit union industry.

Another AI solution under investigation is Natural Language Processing (NLP). NLP transforms unstructured data into structured data; therefore, allowing end-users to leverage the data through analysis. Applied to the NCUA's examination process, NLP could take unstructured data, such as information found in board minutes, internal and external audit reports, and file maintenance reports, and turn it into structured data. Structured data is easier to consume, evaluate, and analyze.

The NCUA is also researching whether it could utilize Process Robotics Automation to perform an array of repetitive or routine tasks during examinations. Examiners could use this tool during examinations to perform various scope steps that currently require extensive manual review or input. The NCUA could save examination time, increase productivity, and reduce human errors by deploying this technology.

Finally, the NCUA has embraced a data-driven supervisory initiative with its largest credit unions. Through this approach, the agency improves its ability to assess risk to the Share Insurance Fund. For example, the NCUA conducts stress testing of its largest credit unions annually to evaluate their capital resiliency. Throughout the pandemic and the many months of social distancing, the agency estimated the potential impact on credit unions from adverse economic conditions and changes in borrower behaviors. Data-driven supervision offers opportunities to be more efficient by conducting supervisory activities offsite. The agency can integrate financial analysis and risk modeling results into our supervisory scope. These activities are conducted offsite, reducing time and costs traveling to credit unions.

Challenges for the NCUA and Credit Unions

The NCUA recognizes the importance and benefits of technological changes and has incorporated organizational change-management strategies into our initiatives. In addition to dedicated resources for development and testing, expanding the NCUA's use of RegTech and AI would require the agency to train examiners and credit unions, as applicable, and revise our examination policies and procedures. The NCUA supports and encourages innovation and the growth of the credit union industry, while at the same time ensuring it:

* Serves the needs of credit union members;

* Protects the interests of those members in terms of privacy and security; and

* Does not compromise the commitment to the industry's safety and soundness.

More importantly, AI and ML algorithms must be tested to prevent the intrusion of underlying historical bias that may result in discriminatory practices. We must be cautious when deploying AI tools, to avoid exacerbating systemic inequities.

As a mid-sized agency, the NCUA utilizes an Information Technology Oversight Council to review proposed IT investments to align with the NCUA's strategic plan. The NCUA considers our modernization roadmap, personnel resources, other information technology requests, implementation timelines, dependencies, and costs. Advanced technologies, such as those discussed today, may have data dependencies and integration with other initiatives that must be prioritized, organized, and systematically implemented to maximize the benefits to the NCUA and our stakeholders.

Such advanced technologies can be expensive to implement and maintain for both federal agencies and regulated entities. Currently, the NCUA does not have a budget dedicated strictly for AI, and the acquisition of such technology requires immense resources.

Likewise, small credit unions face similar, if not more significant, challenges. Of note, nearly two-thirds of credit unions (3,222) are smaller than $100 million in assets, meaning they have very limited resources, and average only seven employees per institution. Of all credit unions, nearly 500 operate without a single full-time employee, and more than 100 of those credit unions operate exclusively with volunteers.

In general, credit unions are small, not-for-profit institutions and may not possess sufficient expertise to properly conduct due diligence on what is rapidly becoming a very complex ecosystem of third-party vendors. These smaller institutions may neither have the economies of scale nor the expertise necessary for sophisticated analytics. While small credit unions play a vital role in their communities, they are commonly short-staffed and may lack the resources required to keep abreast of evolving AI technologies.

Request for Information Results and Responses

Last year, the NCUA joined the Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Federal Reserve Board, and Consumer Financial Protection Bureau in a request for information on the institutional use of AI and related challenges. We collectively received responses from financial institutions, vendors, industry trade groups, academic communities, and consumer advocacy organizations.

While the NCUA received 32 comments, only four were distinct from those received by the other regulators. Three of these letters were from credit union trade associations and one was from a natural person credit union. The broad range of respondents provided information on their uses of, and challenges with, AI and ML models in operations, including consumer-facing services and compliance management.

Respondents noted that AI/ML-based tools present many benefits, including the potential to expand access opportunities for consumers and create greater efficiencies for institutions. Likewise, many commenters noted that AI/ML-based tools and models contain new and expanded risks. For example, many community financial institutions, including credit unions, may not possess sufficient resources to internally develop and manage such tools, resulting in increased reliance on third-party vendors and outsourced solutions. In addition, there is concern around the current regulatory framework, particularly regarding model bias, data quality, and fairness, as it relates to consumer facing products and services.

More work is needed to understand the impact of such innovation. Additionally, the development and deployment of innovative tools that affect consumers must be fair, protect consumers, and ensure compliance with fair lending laws.

In summary, the initial request for information provided preliminary insight into the industry and stakeholder views of how this technology should interact within the financial services sector; however, as we previously noted, the volume of responses was low. The Agencies are currently reviewing the responses they received in order to determine whether any clarification would be helpful for financial institutions' use of AI in a safe and sound manner and in compliance with applicable laws and regulations, including those related to consumer financial protection.

Third-Party Vendor Authority

Any examination of technology and the NCUA is incomplete without discussing the challenges the agency has confronted since the 2002 expiration of its third-party vendor authority. The NCUA asks Congress to enact legislation restoring the agency's examination and enforcement authority over third-party vendors, including credit union service organizations (CUSOs). The NCUA requires third-party vendor authority to safeguard not just the Share Insurance Fund, but the credit union system overall, which is a major pillar of our national economic system. The inability of the NCUA to supervise or examine third parties poses numerous systemic risks.

The NCUA, at present, has no authority to enforce third-party vendors' compliance with federal consumer financial protection regulations or prudential standards, like anti-discrimination laws, concentration limits, maximum loan-to-value ratios, minimum capital levels, and some cybersecurity and anti-money laundering efforts. While there are advantages for credit unions to use these service providers, the high concentration of credit union services within third-party vendors presents safety and soundness risks for the industry. The continued transfer of operations to CUSOs and other third parties hampers the ability of the NCUA to accurately assess the risks present in the credit union system and determine if current CUSO or third-party vendor risk-mitigation strategies are adequate.

With third-party vendor authority, the NCUA could better collaborate with vendors to streamline data collection for examination purposes and provide better analytics for identifying potential risks to credit unions and the Share Insurance Fund. We appreciate the continued support of this committee and thank Chairman Foster for introducing the Strengthening Cybersecurity for the Financial Sector Act, which restores the NCUA's third-party vendor examination authority. The enactment of this legislation would close this growing regulatory blind spot the NCUA continues to confront.

In 1998, the NCUA was temporarily granted third-party vendor authority to address the Y2K changeover, but that authority expired in 2002. Since then, the NCUA's Inspector General, the Financial Stability Oversight Council, and the Government Accountability Office have all called for the restoration of this authority./2

Moreover, on March 4, 2022, in the NCUA Inspector General's Top Management and Performance Challenges Facing the National Credit Union Administration for 2022 report, the NCUA Inspector General reiterated the need for third-party vendor authority as one of the agency's top seven challenges. Risks posed by third-party service providers ranked third of seven.

Because the NCUA lacks general statutory supervisory and enforcement authority, vendors and CUSOs can reject the agency's recommendations to implement appropriate corrective actions to mitigate identified risks. For example, several vendors have refused to implement the NCUA's recommendations to improve network security and safeguard sensitive member information due to cost concerns. By regulation, the NCUA requires federally insured credit unions to obtain a written agreement with a CUSO before investing or lending. These contractual provisions require the CUSO to provide the NCUA complete access to the CUSO's books and records, and the ability to review its internal controls, among other requirements. However, contractual enforcement alone is not optimal to perform the NCUA's oversight functions.

As such, the NCUA requests comparable authority as our counterparts on the Federal Financial Institutions Examination Council to examine third-party vendors. With such authority, the NCUA can better address the risks that arise from vendor relationships and safeguard the Share Insurance Fund.

Conclusion

In conclusion, AI and ML have the potential to improve the supervision of credit unions, but there are also challenges in implementing such technology. Thank you for the opportunity to provide input on this topic.

The NCUA also appreciates the support of the Task Force on Artificial Intelligence and the House Committee on Financial Services in promoting a robust credit union system and protecting its member owners. Again, I would like to thank the Chairman for introducing the bill to reestablish NCUA third-party vendor authority and request the members of this Task Force support the legislation when the committee considers it.

I look forward to your questions.

* * *

Footnotes:

1 See https://www.ncua.gov/files/publications/analysis/industry-at-a-glance-december-2021.pdf.

2 See U.S. Government Accountability Office, GGD-99-91 "Enhancing Oversight of Internet Banking" (July 1999) https://www.gao.gov/assets/ggd-99-91.pdf, Office of Inspector General, OIG-20-07, "Audit of the NCUA's Examination and Oversight Authority over Credit Union Service Organizations and Vendors" www.ncua.gov/files/audit-reports/oig-audit-cusos-vendors-2020.pdf. Annual Reports of the Financial Stability Oversight Council 2015, 2016, 2017, 2018, available at https://home.treasury.gov/policy-issues/financial-markets-financial-institutions-and-fiscal-service/financial-stability-oversight-council/studies-and-reports/annual-reports/fsoc-annual-reports-archive. U.S. Government Accountability Office, GAO-04-91, "Financial Condition Has Improved, but Opportunities Exist to Enhance Oversight and Share Insurance Management" (October 2003) https://www.gao.gov/products/gao-04-91.