Cybersecurity | By Steve Viuker
Benjamin M. Lawsky, superintendent of financial services for New York state, delivered remarks on financial regulation at Columbia Law School on Feb. 25. His message: regulatory leadership at the state level should not hesitate to speak up if they see federal regulation as ineffective on their home turf. Here are edited comments:
Ineffective regulation can sometimes be worse than no regulation at all since it breeds a false sense of security. And, as we saw during the financial crisis, it is everyday consumers and workers who usually end up paying the biggest price. State financial regulators, then, can and should play a similar role to the state-level reformers of the early 20th century. But states also should not be afraid to speak up and act if we spot new risks emerging in the market [that are insufficiently overseen at the federal level].
It should be noted that federal regulators have to deal with an extremely broad expanse of issues. Put simply, no matter how well intentioned, they have a lot on their plate. So there is a risk that certain issues fall through the cracks.
While NYDFS does not have authority to bring criminal prosecutions, it has taken a number of actions to expose and penalize misconduct by individual senior executives – including all the way up to the C-Suite, when appropriate. For example, NYDFS required the COO of France’s largest bank, BNP Paribas, and the chairman of one of the United States’ largest mortgage companies, Ocwen Financial, to step down as part of enforcement actions brought against those companies.
… [M]y second topic: The somewhat obscure but vitally important issue of transaction monitoring and filtering systems. Let me explain: Every day, hundreds of millions of transactions through the bank payments system move hundreds of billions of funds around the globe.
Naturally, bank employees cannot manually check every one of those transactions for evidence of criminal or illicit activity. The volume is just too high. As a result, banks rely heavily on automatic transaction monitoring and filtering systems to help flag suspicious payments for further review by compliance personnel. Transaction monitoring works by running transactions through various detection scenarios that are designed to create alerts that show patterns of money laundering or red flags, such as high-volume transaction activities.
But – and this is a truly frightening question to ask – what if those monitoring and filtering systems are flawed or ineffective? That would create a gaping loophole in our financial system that terrorists, drug dealers and other violent criminals could exploit.
Problems with transaction monitoring and filtering systems can be the result of one of two situations. First: inadequate or defective design or programming of the monitoring and filtering systems, faulty data input, or a failure to regularly update these detection scenarios, which may be attributed to a lack of sophistication, knowledge, expertise or attention by management and/or employees.
[Additionally], willful blindness or intentional malfeasance by bank management or employees – who, for example, turn down the sensitivity of the filters so the systems do not generate enough alerts and therefore suspicious transactions go undetected. We have already seen an example of faulty filters at one large bank we regulate – when an independent monitor we installed found that the firm failed to flag millions of suspicious transactions. As a result, last year, we brought a significant enforcement action against that bank for those failures.
We basically ran the company’s transactions through our own filtering system and compared the results. This was a new approach. In the past, regulators have largely relied on self-reporting by firms that discover – one way or the other – that banned transactions occurred for some reason. What regulators have not done is actively tested the effectiveness of the filtering systems banks are using. That needs to change.
First, we are considering random audits of our regulated firms’ transaction monitoring and filtering systems, employing the same methodology our independent monitor used to spot deficiencies. Second, since we cannot simultaneously audit every institution, we are also considering making senior executives personally attest to the adequacy and robustness of those systems. This idea is modeled on the Sarbanes-Oxley approach to accounting fraud. We expect to move quickly on these ideas and – to the extent they are effective – we hope that other regulators will take similar steps.
Cyber Security in the Financial Sector
At DFS, we believe that cyber-security is likely the most important issue we will face in 2015 – and perhaps for many years to come after that. …
I am deeply worried that we are soon going to see a major cyber attack aimed at the financial system that is going to make all of us shudder. Cyber hacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy. In particular, we are focused on ways to incentivize market participants to do more to protect themselves from cyber attacks.
Given the magnitude of the problem, we need all the ideas and proposals we can get. [The DFS has several initiatives]. First, we are revamping our regular examinations of banks and insurance companies to incorporate new, targeted assessments of those institutions’ cyber security preparedness. The idea is simple: If we grade banks and insurers directly on their defenses against hackers as part of our examinations, it will incentivize those companies to prioritize and shore up their cyber security protections.
Second, we are considering steps to address the cyber security of third-party vendors, which is a significant vulnerability. Banks and insurers rely on third-party vendors for a broad range of services. … Those third-party vendors often have access to a financial institution’s information technology systems – which can provide a backdoor entrance for hackers. In many ways, a company’s cyber security is only as strong as the cyber-security of its third-party vendors.
As such, we are considering mandating that our financial institutions receive robust representations and warranties from third-party vendors that those vendors have critical cyber security protections in place. In other words, those third-party vendors will have to strengthen their cyber-security or risk losing out on business from those financial institutions.
Our Internet [architecture’s username and password system has proven to be] a very vulnerable system. The password system should have been dead and buried many years ago. And it is time that we bury it now. All firms should be moving towards – and many of them already are – a multi-factor authentication system [which still contains] a username and a password, but there is also a second layer of security. For example, when you attempt to log in, you could receive an immediate, randomly generated additional password that is texted to your phone.
As a result, if someone steals or guesses your password, they would not be able to get into the system unless they also have your cell phone. That simple, extra step can actually prevent a significant amount of hacking. And it is something all firms should do.
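The detection-scenario monitoring Lawsky describes, the detuned-filter failure mode, and the independent-replay audit, shown together in one added Python example. This is illustrative code written for this page, not NYDFS's, the monitor's or any bank's system; the three scenarios, the thresholds, the watchlist and the sample ledger are all constructed.

```python
"""Added example (not from the speech or from NYDFS): a toy transaction
monitoring engine with three detection scenarios, plus a differential audit
that replays the same ledger through a reference configuration and reports
what the bank's detuned configuration failed to flag. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str        # originating customer account
    counterparty: str   # beneficiary name as keyed on the payment
    amount: float       # USD
    day: int            # business-day index, enough for daily aggregation


@dataclass(frozen=True)
class Config:
    """The tunable 'sensitivity' of the monitoring system (hypothetical knobs)."""
    high_volume_daily: float     # alert when one account moves more than this in a day
    structuring_floor: float     # count only payments at or above this ...
    structuring_ceiling: float   # ... and below the reporting threshold
    structuring_min_count: int   # sub-threshold payments per day needed to alert
    watchlist: frozenset         # sanctioned counterparties
    normalize_names: bool        # True: match after folding case and punctuation


def _normalize(name: str) -> str:
    # "Acme-Trading, LLC" and "acme trading llc" become the same key.
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def scenario_high_volume(txns, cfg):
    totals = defaultdict(float)
    for t in txns:
        totals[(t.account, t.day)] += t.amount
    return {t.txn_id for t in txns if totals[(t.account, t.day)] > cfg.high_volume_daily}


def scenario_structuring(txns, cfg):
    """Several payments, each just under the reporting threshold, on one day."""
    buckets = defaultdict(list)
    for t in txns:
        if cfg.structuring_floor <= t.amount < cfg.structuring_ceiling:
            buckets[(t.account, t.day)].append(t.txn_id)
    return {tid for ids in buckets.values() if len(ids) >= cfg.structuring_min_count for tid in ids}


def scenario_watchlist(txns, cfg):
    if cfg.normalize_names:
        listed = {_normalize(n) for n in cfg.watchlist}
        return {t.txn_id for t in txns if _normalize(t.counterparty) in listed}
    return {t.txn_id for t in txns if t.counterparty in cfg.watchlist}  # exact match only


SCENARIOS = (scenario_high_volume, scenario_structuring, scenario_watchlist)


def run_monitoring(txns, cfg):
    """Alerted transaction ids, keyed by scenario name."""
    return {s.__name__: s(txns, cfg) for s in SCENARIOS}


def audit(txns, bank_cfg, reference_cfg):
    """Differential test: replay one ledger through both configurations and
    return, per scenario, the ids the reference flags but the bank's system missed."""
    bank, ref = run_monitoring(txns, bank_cfg), run_monitoring(txns, reference_cfg)
    missed = {name: sorted(ref[name] - bank[name]) for name in ref}
    return {name: ids for name, ids in missed.items() if ids}


# Constructed sample ledger.
WATCHLIST = frozenset({"Acme Trading LLC"})
SAMPLE = [
    Txn("T1", "A100", "Northwind Foods", 9500.0, 1),
    Txn("T2", "A100", "Northwind Foods", 9700.0, 1),
    Txn("T3", "A100", "Northwind Foods", 9800.0, 1),     # T1-T3: structuring pattern
    Txn("T4", "A200", "acme-trading, llc", 2500.0, 1),   # watchlist hit hidden by formatting
    Txn("T5", "A300", "Blue Harbor Ltd", 600000.0, 2),   # high-volume day
    Txn("T6", "A400", "Green Fields Co", 1200.0, 2),     # benign
]

REFERENCE = Config(high_volume_daily=250000.0, structuring_floor=3000.0, structuring_ceiling=10000.0,
                   structuring_min_count=3, watchlist=WATCHLIST, normalize_names=True)
# The bank's configuration with the sensitivity turned down: fewer alerts fire.
DETUNED = Config(high_volume_daily=1000000.0, structuring_floor=9750.0, structuring_ceiling=10000.0,
                 structuring_min_count=3, watchlist=WATCHLIST, normalize_names=False)

if __name__ == "__main__":
    for name, ids in audit(SAMPLE, DETUNED, REFERENCE).items():
        print(f"{name}: bank filter missed {ids}")
```

The audit is a differential test: the same ledger is replayed through a reference engine and through the bank's own configuration, and whatever the reference flags but the bank's system does not is the gap. Each of the three detuning moves above (a higher volume threshold, a narrower structuring band, exact-string watchlist matching) suppresses alerts without any visible error, which is why self-reporting does not surface them. In practice the comparison is also run the other way to measure the bank's false positives.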
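The second-factor login Lawsky describes, as an added Python example written for this page (not code from the speech or from DFS): a password check followed by a random one-time code sent out of band, with the checks a practitioner would add around it. The code is stored hashed, expires, is single-use, and is locked after a few wrong guesses; the SMS gateway is stubbed as an outbox, and the user names, passwords and timings are constructed.

```python
"""Added example (not from the speech): a two-step login whose second factor is
a random one-time code delivered out of band. The delivery channel is a stub."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120
OTP_MAX_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}     # username -> (salt, password hash, phone)
        self.pending = {}   # username -> {"otp_hash", "expires", "attempts"}
        self.outbox = []    # stand-in for the SMS gateway: (phone, code)

    def register(self, username, password, phone):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(password, salt), phone)

    def begin_login(self, username, password):
        """Factor 1. On success, mint a fresh code and 'text' it; returns True/False."""
        rec = self.users.get(username)
        # Hash even for unknown users so the response time does not reveal who exists.
        salt, stored, phone = rec if rec else (b"\x00" * 16, b"\x00" * 32, None)
        if not (hmac.compare_digest(_hash_password(password, salt), stored) and rec):
            return False
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[username] = {"otp_hash": hashlib.sha256(code.encode()).digest(),
                                  "expires": self.clock() + OTP_TTL_SECONDS,
                                  "attempts": 0}
        self.outbox.append((phone, code))   # only the user's phone ever sees the code
        return True

    def complete_login(self, username, code):
        """Factor 2. Returns 'ok', 'no_challenge', 'expired', 'locked' or 'bad_code'."""
        ch = self.pending.get(username)
        if ch is None:
            return "no_challenge"            # password step never succeeded
        if self.clock() > ch["expires"]:
            del self.pending[username]
            return "expired"
        if ch["attempts"] >= OTP_MAX_ATTEMPTS:
            del self.pending[username]       # stops brute-forcing the six digits
            return "locked"
        ch["attempts"] += 1
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), ch["otp_hash"]):
            del self.pending[username]       # single use
            return "ok"
        return "bad_code"


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "correct horse battery", "+1-555-0100")
    print(srv.begin_login("alice", "correct horse battery"))   # True; code lands in outbox
    print(srv.complete_login("alice", "000000"))                # almost certainly bad_code
    print(srv.complete_login("alice", srv.outbox[-1][1]))      # ok
```

An attacker who has the password gets as far as `begin_login` and no further: the code goes only to the registered phone, a guessed code has three tries, and a captured code is useless after it expires or has been used once. SMS is the weakest of the common second factors (codes can be intercepted by SIM swapping or relayed through a real-time phishing page), so the same server logic is usually paired with an authenticator app or hardware key where the user population allows it.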
Reaction to Comments
CEO Darren Guccione of Keeper Security noted that banks' fiduciary role as managers of the liquid and marketable securities defining our global net worth should require a zero-knowledge security architecture to protect and safeguard their sensitive information and digital assets. He recommends platforms using strong encryption that store the encryption key separately from the banking records. All major systems, for example email, banking sites, vendor sites and EMM access points, should use two-factor authentication to prevent unauthorized third-party access. Vendors engaged to execute on banking systems, or who may have access to sensitive information, should have deep expertise in cyber-security protection, threat detection and encryption, and should also hold security and confidentiality certifications including, without limitation, SOC 2 compliance, he said.
Matthew L. Schwartz, a partner in the Boies, Schiller & Flexner LLP firm’s New York City office, noted that Lawsky’s most consequential proposal by far would be to make senior bank executives “personally attest to the adequacy and robustness of anti-money laundering (AML) and transaction monitoring systems, an idea modeled on the Sarbanes-Oxley requirement that CEOs and CFOs personally attest to the adequacy of accounting and finance controls. … If this proposal is enacted, as seems likely, senior executives will personally be on the hook for faulty AML controls, a potentially scary prospect, and one that should cause them to become as personally involved in AML compliance as they are in financial reporting.”■