National Credit Union’s AI regulatory oversight is limited in guidance, authority, GAO finds

The watchdog said the credit union regulator needs better model risk management guidance and is pushing Congress again to expand the agency’s regulatory authorities.
A view of the National Credit Union Administration in Alexandria, Va. (Photo via Google street view)

The National Credit Union Administration lacks two critical tools, hindering its ability to monitor how the financial institutions it regulates are using artificial intelligence, a new watchdog report found.

An independent federal agency charged with chartering and overseeing credit unions and insuring the savings held in those financial institutions, the NCUA employs model risk management guidance that the Government Accountability Office said is “limited in scope and detail.” 

The GAO also noted that its recommendation to Congress a decade ago to grant the NCUA regulatory authorities to examine technology service providers has gone unheeded, “despite credit unions’ increasing reliance on them for AI-driven services.”

Without those two arrows in the NCUA’s quiver, the agency is hamstrung in its supervisory duties in a way that its federal financial regulatory counterparts — the Federal Reserve, the Federal Deposit Insurance Corp., and the Office of the Comptroller of the Currency among them — are not.

In the GAO’s view, the NCUA’s lackluster model risk management is an addressable flaw in the agency’s oversight system. Financial institutions use models — including those that leverage AI — to assess risk, guide investments and gauge creditworthiness. But models aren’t foolproof, and bugs in those systems can lead to bad decisions.

The NCUA falls short in overseeing credit unions’ models because its risk management guidance only addresses interest rate risk modeling, according to the GAO. Other financial regulators have broader guidance that includes AI models. 

That shortcoming is partly a matter of timing: the NCUA last updated its model risk management guidance in October 2016, prior to the AI revolution and at a time when interest rate risk modeling was “the most common type of modeling used by credit unions,” the report stated.

The NCUA’s guidance is also lacking in “sufficient detail to ensure examiners and credit unions follow key risk management practices,” the GAO noted, without clear instructions on how examinations should be conducted based on model uses and related risks.

The watchdog recommended that the NCUA’s chair update the agency’s model risk management guidance “to encompass a broader variety of models used by credit unions and provide additional details on key aspects of effective model risk management.” The agency “generally agreed” with the recommendation, telling the GAO that it would “review contemporary sound practices on model risk management,” including those of its banking regulatory peers, and provide more details to examiners and credit unions.

The lack of congressional authorities is a thornier issue for the NCUA. The GAO concluded in a 2015 report that “granting NCUA the authority to examine third-party service providers would enhance the agency’s ability to monitor the safety and soundness of credit unions.” But Congress hasn’t acted on the watchdog’s recommendation to modify the Federal Credit Union Act to provide the NCUA with that authority.

“Credit unions’ increasing reliance on third party technology services — which may include AI-related services — underscores the need to grant NCUA this authority,” the GAO stated. “This would, in turn, enable NCUA to more effectively monitor and mitigate third-party risks, including those associated with AI-service providers, and ensure the safety and soundness of credit unions.”

Though lawmakers haven’t moved on the GAO’s recommendation, NCUA Chairman Kyle Hauptman indicated that he may not be on board with that change, telling the watchdog that there are risks that would come with that authority, “including a possible reduction in the quality and quantity of services provided to credit unions and financial and operational risks for credit unions.”

“However, we maintain that examination authority over third-party service providers would enhance NCUA’s ability to monitor and address third-party risks and ensure the safety and soundness of credit unions,” the GAO concluded.

Internally, the NCUA is pursuing a handful of AI initiatives. The GAO said the agency is researching AI applications that assess a credit union’s financial wellness, and has used AI analyses that predict a credit union’s likelihood of dipping below minimum capital ratio requirements before pursuing a supervisory action.

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.
