Fed, State Regulators: Reform Is Needed
OCC, NY DFS Call for Better Standards, Info Sharing
In the past week, both Comptroller of the Currency Thomas Curry and Benjamin Lawsky, superintendent of the Department of Financial Services for the state of New York, have noted technical and procedural shortcomings within banking institutions' monitoring and detection systems that could pose significant threats to the nation's critical infrastructure.
Their comments offer an indication that more regulatory oversight related to anti-money-laundering processes, transaction monitoring and information sharing could be on the horizon for U.S. banking institutions.
In his March 2 speech before the Institute of International Bankers in Washington, Curry highlighted the need for regulatory reform, specifically calling out the Bank Secrecy Act, which was enacted in 1970.
"The current regulatory regime provides for a process that is document-driven and that relies heavily on individual decision-making," he said. "In the time it takes to generate and investigate a suspicious activity report, the criminal or terrorist may well have changed tactics and moved on."
The OCC is reviewing ways to improve the financial system, including removing or amending regulations and requirements that may no longer be necessary or effective, Curry added. "We are also working with our colleagues to find better ways to use technology in advancing our BSA/AML goals," he said. "Without question, technology is rapidly changing the way we do business."
During a Feb. 25 speech at Columbia Law School in New York, Lawsky noted that banking regulators have historically relied on institutions to self-report suspicious activity they detect. "That needs to change," he said. "We believe there are likely widespread problems with transaction monitoring and filtering systems throughout the industry."
As a way to better mitigate those risks and detect problems sooner, Lawsky said New York's Department of Financial Services is considering whether to implement random audits of transaction monitoring and filtering systems.
"Since we cannot simultaneously audit every institution, we are also considering making senior executives personally attest to the adequacy and robustness of those systems," he added. "We expect to move quickly on these ideas and - to the extent they are effective - we hope that other regulators will take similar steps."
Impact of Cyber-Attacks
Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says targeted and sophisticated attacks waged by nation-state and cybercrime actors against financial services organizations are getting federal and state banking regulators' attention. While the purpose of these attacks may vary, from perpetrating fraud to cyber-espionage, Kellermann says regulators understand that the overall "safety and soundness" of the financial infrastructure is at stake.
"The concerns are spurred by recent highly targeted and sophisticated attacks against the sector by Eastern European cybersyndicates," Kellermann says. "What is new is that these crews have changed their modus operandi from monetizing their presence on these networks to a campaign of burrowing deep within the networks," as was the case in the JPMorgan Chase attack.
"The use of dynamic command-and-control, steganography and sandbox evasion are hallmarks of these attacks," he added. "The clandestine seeding of the financial sector began in early summer and has been ratcheted up in parallel with increased tensions. This is reminiscent of the Cold War."
Kellermann says the regulators' call to raise cybersecurity standards is "long overdue." He calls on regulators and the private sector to work together to "stay ahead of these aggressors."
"With threats now coming from organized crime, nation states, terrorist groups and rogue individuals, the stakes couldn't be higher," Kellermann points out in a blog he posted March 2. "More guidelines are needed for organizations to successfully thwart and proactively guard against large-scale attacks. Those set by the Federal Financial Institutions Examination Council are in need of an overdue update, to allow for better alignment with today's threats that bypass traditional security controls."
Info Sharing a Key Focus
In his speech, Curry stressed the need for more cyberthreat information sharing among the public and private sectors.
While this kind of open information sharing has raised concerns for banks in the past, Curry said the Office of the Comptroller of the Currency, as the lead agency of the FFIEC, is supporting legislative change that would provide institutions more legal protections (see Compromise on Info-Sharing Measure Grows).
"The OCC is supporting legislative measures designed to promote the information sharing that is so critical to our success," he said. "We have recommended legislation that strengthens the statutory safe harbor from civil liability for financial institutions that file SARs [suspicious activity reports]. The courts have ruled inconsistently on this subject, with some holding that banks must have a 'good faith belief' that a violation occurred to enjoy immunity from civil liability, while others interpret the law to confer blanket immunity. The legislation we are supporting would ensure that financial institutions do not expose themselves to civil liability simply for complying with federal law."
Curry also said the OCC is supporting an amendment to current laws that would extend the safe harbor for banks that share information about bad actors and financial crimes with one another.
"Under current law, a bank has immunity from civil liability if it shares information about suspected money laundering or terrorist financing," he noted. "While this immunity is an important protection, it does not go far enough, because it does not cover other crimes such as computer intrusions, credit card fraud, wire fraud and other financial crimes. We would like to see this safe harbor broadly extended to cover an array of financial crimes, to give banks maximum protection and encourage more robust information sharing."
A Higher Security Standard
Lawsky noted that compliance with ineffective federal regulations had given too many banking institutions a false sense of security.
"In an increasingly mobile and global financial landscape - where money moves around the world in a matter of milliseconds - there are risks associated with fragmentation in financial regulation," Lawsky said. "I am deeply worried that we are soon going to see a major cyber-attack aimed at the financial system that is going to make all of us shudder. Cyber-hacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy."
Lawsky said state regulators must do more to complement and in some cases challenge the cybersecurity audits and reviews conducted by federal banking regulators. "States also should not be afraid to speak up and act if we spot new risks emerging in the market, if we believe that certain regulatory protections are not sufficiently robust to root out reckless behavior that threatens the health of our economy," he said.
Lawsky said that outdated or faulty transaction monitoring, filtering systems and intrusion detection systems have left many institutions at risk. And banks' failure to closely monitor risks posed by insiders also has resulted in unnecessary risk, he said.
"We have already seen an example of faulty filters at one large bank we regulate, when an independent monitor we installed found that the firm failed to flag millions of suspicious transactions," Lawsky said. "As a result, last year, we brought a significant enforcement action against that bank for those failures."