Cybersecurity and Fintech: A Regulator’s Point of View

As if banks couldn’t be more nervous about the cybersecurity threats facing the industry, 2018 opens up with a new method of attack: jackpotting, in which criminals install malware to take control of ATMs to gain vast amounts of cash. It’s no wonder that Robin Wiessmann, the secretary of the Pennsylvania Department of Banking and Securities, says that cybersecurity is the top issue for her department, and that she was one of the first state regulators to create a task force to focus on the issue. In this interview, which has been edited for length and clarity, she shares her thoughts on this top risk, as well as her views on safe and sound partnerships between banks and fintech firms.

BD: As your state’s banking regulator, what are the top issues you’re looking at relative to the banking industry right now?
RW: I think the overarching goal of the department is to ensure that the industry is healthy, and viable, and competitive. Specifically, as relates to the top issues, I think the overall challenge for community banks and banks of all types is adaptation to the new banking models, and that’s driven by a number of things. One [are the changes] in technology and the way the delivery of services [is] provided, as well as banks choosing what services they want to provide to their particular marketplaces. That is a fundamental question or challenge for banks right now. Technology is changing the business models, but they also have to make a decision about how they’re actually going to utilize fintech. I don’t think it’s a question of whether or not they should or not. It’s hard to not do it.

And then the other overarching challenge is that of cybersecurity—making sure that there is confidence in our banking and our financial services sector.

So those are the three major elements: adaptation to the new banking models, changing the choice of services and the delivery of services—how they’re going to apply fintech—and how they’re going to deal with the necessity for cybersecurity.

BD: You wrote recently that cybersecurity is the word of the year for your agency. Why is this the issue for 2018 for the entities that the agency regulates?
RW: I think our role is to provide a focus on the most pressing matters of the day, as well as the long-term viability and the vitality of [the] commercial banking marketplace. And I don’t think there’s any other challenge greater at this point in time than cybersecurity. This is not obscure; it’s not theoretical any longer—it’s got real practical implications and if we can’t manage that—we know we can’t prevent it all but if we don’t manage it properly, we will not only lose the confidence of the marketplace, we can potentially lose the ability to function in our marketplace through hacking. The risk of security breaches grows exponentially every day, and it’s not only disruptive in terms of our personal information but also the very framework of our business and our economy. That’s why it’s at the top of the list.

BD: What are your expectations for bank boards around cybersecurity?
RW: I’ve been on boards previously…and I’ve seen the evolution to more focus on the audit committee which has historically been [the] bottom line of defense in terms of the reporting out of operations and actual operations. But [the audit committee has] now evolved into a broader risk management, and that’s for the business model—how economically viable it is—as well as the operations. So, I would expect that the boards today are dealing with the classification of risk management—either inside the audit committee or as a stand-alone committee, because risk management encompasses a lot.

The companies that do pay attention to this existential risk will do well, and those who don’t provide that particular focus leave themselves to be very vulnerable. We know the responsibilities [of] corporate board directors have increased and bank directors, of course, perhaps even more so. Any organization that does not recognize the threat really does risk the loss of their customer base, their partners, their vendors. So, it requires a particular focus, a separate monitoring if you will, by the board of directors.

BD: We’re seeing more partnerships between banks and fintech firms. As a regulator, what do you want to see occur to ensure that those are safe and sound relationships?
RW: What we have observed in terms of fintech companies is, they’re financial services [firms] that are driven by technology—that’s the way I think about it—but many of these fintech firms think of themselves as technology companies, so they may not be aware of how they actually are regulated in terms of whether or not they’re money transmitters, if that’s what they’re doing, or if they’re lenders, or they’re investing or any combination thereof. So fundamentally, we want to make sure that there’s knowledge and awareness of their responsibilities under the law. For the fintech firms.

Now obviously the partnerships between banks and fintech firms, they have to figure out where that balance lies. Are there requirements for separate registrations? If they’re partnering with a company—a lot of them are going to [ask], do we buy, do we build or do we partner? And each one of [those options] has a different implication, obviously. Building the technology internally is clearer from a regulatory standpoint, but it may take longer, and there may be things in the marketplace that suit their interests. I think we’re going to see a lot of buying of these technologies, because I think that’s part of the goal of some of these technologies, is to be acquired at a premium price.

But I do think there may be many, maybe most, situations where there’s real partnering, and the responsibility will ultimately rest with the bank to make sure their partners are complying with whatever laws they need to, because the partners may be doing business in 50 different states, and there are different laws and regulations applying to them.

So, it’s about due diligence, it’s about thinking through very carefully and figuring out literally where the buck stops. Because if you put the overlay of cybersecurity on top of these partnerships, then you really appreciate that if you’re partnering with someone, you want to be sure that your clients’ information is safe, so how do you create a firewall? How do you manage that information sharing while protecting the privacy of the data? And where are vulnerabilities, and under what circumstances, if there was something that happened to your partner—and we’ve seen this recently in a number of corporate situations as it relates to identifying information—if there’s something that happens to your partner, what do they have in place to handle it? Do they have policies and procedures in place, and what are their responsibilities to you as an entity, in terms of not just informing but managing the situation?

There’s great upside for business models, but there’s also great [exposure] for security and operational risk, and you just have to deal with that.

A Customer Focused Response to Data Breach: the Key to Survival

The unthinkable has happened: Data security measures have failed and sensitive customer information was taken. The next steps your company takes to respond are crucial. A poorly executed response to a data breach event can further anger customers, increase regulatory scrutiny, generate a media storm and have a lasting impact on customer loyalty.

AllClear ID has been working with companies to effectively prepare for and respond to data breaches for over a decade. During that time, there has been a noticeable shift in consumer expectations after a breach. Today, consumers expect—if not demand—a well-orchestrated response. And they expect it to begin soon after the breach is made public. Data breaches are constantly evolving: Already in 2015, financial institutions account for about 9 percent of all data breaches, according to the Identity Theft Resource Center. That compares to about 3.7 percent in 2013. Whether that figure will hold up throughout the year remains to be seen.

The demands placed on businesses to get a breach response right are more intense than ever, as is the scrutiny when a response is perceived as mismanaged.

Because of the high pressure to get it right, a customer-centric approach to preparation is paramount. If you fail your customers, one in four may leave, according to a study from Javelin Research & Strategy. So financial institutions cannot rest upon past great customer service and relationships with clients in the event of a data breach.

When a breach is discovered, what to do? Companies that keep the focus on customers before, during and after a data breach fare far better than those that do not.

Minimize Brand Damage: With customers at the forefront of any response, it is likely that both the institution and your brand will survive long-term. Granted, that doesn’t mean an institution won’t encounter a few negative headlines from the outset. But if the response is bungled, the damage will be far greater. Unhappy customers may speak out on social media. Some may leave. And the breach could tarnish your image for years to come and ultimately can affect your bottom line.

Plan in Advance: To successfully manage a breach with a customer focus, companies must first have a plan in place. The plan should incorporate elements of crisis and/or incident management such as likely breach scenarios, key decision makers, and key partners who will assist in the response. This will help diminish delays and costly mistakes during the response, and facilitate a quicker return to normal business operations. Now that we have witnessed multiple destructive cyberattacks against U.S. companies, it’s clear that having an incident response plan in place is no longer optional. A recent blog post discussed the need for preparation in advance of a breach.

Questions to consider when preparing for a breach response operation:

  • When and how will customers be notified?
  • How will we answer customer questions?
  • Do we have the customer service capacity to manage the calls we receive from angered or fearful customers? Will we be able to train that staff to address customers’ concerns and alleviate their fear?
  • What identity protection will we offer?
  • How will we make things right if a customer is negatively harmed?

Quality Customer Support During a Breach: As breaches increase in scale and complexity—and 2014 was a watershed year for that as well—consumers have seen a lot of breaches, but still may react in anger or fear. Their first stop for information is the hotline and webpage you publish. Clear, consistent communication and messaging are key to restoring customer confidence. Scripts and Q&As must be available to trained, expert call center partners immediately. Responsible and knowledgeable front-line employees can do much to defuse the situation and lessen customer anxiety.

And make it easy for your customers to have access to the most important protection – identity repair. The 2015 Javelin Strategy & Research Identity Fraud Study found the link between data breaches and identity fraud has increased. In 2014, 12.7 million consumers lost $16 billion to fraud—and two-thirds of them had received a data breach notification within the same year.

As McKinsey & Company says, “Much of the damage results from an inadequate response to a breach rather than the breach itself.”

Put yourself in the customers’ shoes: They have trusted you with their most valuable information – their identity. Whether you keep their trust depends, in part, on how they rate your performance in the face of a crisis.

Managing Operational Risk is About Managing Your Business Well

Chinese proverb: “If we don’t change direction soon, we will end up where we are going”…

The Basel Committee on Bank Supervision, and the global regulatory momentum around the Basel Accords, catalyzed an operational risk discipline by giving us a formal definition for it: “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” It also created a finite scope for the risk by laying down distinct event categories and descriptions of cause and effect. This meant that operational risk no longer needed to be described in the abstract or in residual terms such as “anything other than credit or market risk” (which, by the way, was never a meaningful statement at all, considering that the administration and management of credit and market risk are themselves fraught with operational risk).

Notwithstanding definitions and regulatory exhortations, operational risk has not evolved as a discipline in the ten years since the Accords. There has been arguably material progress in measuring it (against losses, scenario and stress analysis, capital postulations), but managing it has been far from easy. Reasons include the fact that it is largely idiosyncratic (in credit and market risk debacles, you tend to sink or swim with everybody else) and asymmetric, since the risk is not passed on to your client and not priced into your products. Operational risk may also be called introspective, as likelihood and severity are both internally determined; and unbounded, as there is no upper limit to potential loss. Traditional belief has been that no portfolio view can be formed, as operational risk is not transactional. You don’t take on the risk or avoid it. It simply exists.

The basic construct of any operational risk program is as follows:

  1. Identify the major risks, as your taxonomy of risks (the Basel event categories should be fine)
  2. Position your internal control environment as a hedge or mitigation for these risks
  3. Through a regime of self-testing, reviews, audits, and risk/control indicators, establish if both the design and effectiveness of your control framework are good and fit for purpose
  4. Ask if your unmitigated risks (and control gaps) are acceptable, and within your appetite for risk

Do all this, and everybody is happy—even the regulator. Do too much, and you have wasted a lot of money, created a big bureaucracy and throttled the business. Do too little, and you have bet your whole business on one big accident.

The real key to managing operational risk lies in recognizing that it simply requires managing the business well, focusing on people, process and infrastructure optimization. This is where the risk-reward consideration, that is, cost versus control, comes into play. A portfolio view of operational risk is in fact available, by looking at the process view of the organization, homing in on what risks arise in pursuing the business, how and where these risks arise in the process sequence, and what mix of people, process and infrastructure could optimally address these.

The implied focus therefore is in the structuring of the end-to-end control framework. This first requires you to clearly define your business objectives, service delivery standards, and compliance requirements. Next, identify the risks that arise in meeting or delivering those objectives, categorizing them along your taxonomy of risks. You can use the Basel framework. Then systematically identify which areas of your activity and processes are directly relevant to those objectives. This allows you to relate your operational risks to the specific processes and activities that carry those risks or are relevant to those risks. Focus then on defining controls where the risks are, specific to the process, in the optimal coverage amount and configuration. Maintain a dashboard of metrics that tell you if your residual (unmitigated) risks are within your risk appetite and if the controls continue to be designed correctly and working properly. These might include some metrics of well-being, similar to vital signs, that indicate business health. A second set of metrics might be smoke detectors, by business, product, and process, with built-in lights that flash red, yellow, green against specific escalation triggers and trends.
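The four-step construct (taxonomy, controls as mitigation, testing of design and effectiveness, comparison against appetite) and the two dashboards described above can be made concrete in code. The following is an added example written for this page, not a tool from the author or from any regulator. The 1–5 scoring scale, the control scores, the process names, the appetite limits and the indicator series are all constructed assumptions; only the seven Basel event categories are taken from the real framework.

```python
"""Residual-risk and key-risk-indicator (KRI) dashboard for an operational
risk program. Added example: risks are categorised along the Basel event
taxonomy, mapped to the process that carries them, mitigated by layered
controls scored on design and operating effectiveness, and compared with a
per-process risk appetite. KRIs are rated red/yellow/green against escalation
triggers and their trend. All scores and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# The real Basel II level-1 event categories, used here as the risk taxonomy.
BASEL_EVENT_CATEGORIES = (
    "Internal Fraud",
    "External Fraud",
    "Employment Practices and Workplace Safety",
    "Clients, Products and Business Practices",
    "Damage to Physical Assets",
    "Business Disruption and System Failures",
    "Execution, Delivery and Process Management",
)


@dataclass
class Control:
    name: str
    design_adequacy: float          # 0..1, from design reviews (assumed scale)
    operating_effectiveness: float  # 0..1, from self-testing and audits

    def mitigation(self) -> float:
        # A well-designed control that is not operating reliably mitigates
        # little, and vice versa, so the two scores multiply, not average.
        return self.design_adequacy * self.operating_effectiveness


@dataclass
class Risk:
    name: str
    category: str
    process: str
    likelihood: int  # 1..5 inherent (before controls)
    severity: int    # 1..5 inherent
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.category not in BASEL_EVENT_CATEGORIES:
            raise ValueError(f"unknown taxonomy category: {self.category}")

    def inherent(self) -> float:
        return float(self.likelihood * self.severity)

    def residual(self) -> float:
        # Controls are layered: each one reduces what the previous left over.
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.mitigation()
        return self.inherent() * remaining


def rag(value: float, yellow: float, red: float) -> str:
    """Rate a value against escalation triggers (yellow < red; higher is worse)."""
    if value >= red:
        return "red"
    if value >= yellow:
        return "yellow"
    return "green"


def trend(series: List[float], window: int = 3) -> str:
    """'rising'/'falling' if the last `window` points move strictly one way."""
    tail = series[-window:]
    if len(tail) < 2:
        return "stable"
    if all(b > a for a, b in zip(tail, tail[1:])):
        return "rising"
    if all(b < a for a, b in zip(tail, tail[1:])):
        return "falling"
    return "stable"


def residual_dashboard(risks: List[Risk], appetite: Dict[str, float]) -> Dict[str, dict]:
    """Vital-signs view: residual exposure per process against its appetite.
    Yellow is set at 70% of the limit so a process is flagged before it breaches."""
    out: Dict[str, dict] = {}
    for r in risks:
        p = out.setdefault(r.process, {"residual": 0.0, "risks": []})
        p["residual"] += r.residual()
        p["risks"].append(r.name)
    for proc, p in out.items():
        limit = appetite[proc]
        p["status"] = rag(p["residual"], yellow=0.7 * limit, red=limit)
    return out


def kri_dashboard(kris: Dict[str, dict]) -> Dict[str, dict]:
    """Smoke-detector view: latest KRI value against triggers plus its trend.
    A yellow indicator that is still rising is escalated to red."""
    out: Dict[str, dict] = {}
    for name, k in kris.items():
        status = rag(k["series"][-1], k["yellow"], k["red"])
        t = trend(k["series"])
        if status == "yellow" and t == "rising":
            status = "red"
        out[name] = {"status": status, "trend": t}
    return out


# Constructed sample: two processes, three risks, a few controls, two KRIs.
SAMPLE_RISKS = [
    Risk("Payment misdirection", "Execution, Delivery and Process Management",
         "Wire payments", 5, 4,
         [Control("Dual authorisation", 0.9, 0.8),
          Control("Callback verification", 0.8, 0.5)]),
    Risk("Account takeover", "External Fraud", "Online banking", 4, 5,
         [Control("MFA on login", 0.9, 0.9)]),
    Risk("Core system outage", "Business Disruption and System Failures",
         "Online banking", 3, 4,
         [Control("Failover site", 0.8, 0.25)]),  # designed well, rarely tested
]
SAMPLE_APPETITE = {"Wire payments": 4.0, "Online banking": 10.0}
SAMPLE_KRIS = {
    "Unreconciled wires (count)": {"series": [2, 3, 5, 7], "yellow": 5, "red": 10},
    "Failed logins per 1k sessions": {"series": [12, 11, 12, 11], "yellow": 20, "red": 40},
}

if __name__ == "__main__":
    for proc, p in residual_dashboard(SAMPLE_RISKS, SAMPLE_APPETITE).items():
        print(f"{proc}: residual={p['residual']:.2f} status={p['status']}")
    for name, k in kri_dashboard(SAMPLE_KRIS).items():
        print(f"{name}: {k['status']} ({k['trend']})")
```

In the sample, online banking goes red not because of the fraud risk, which MFA mitigates well, but because the failover control is rarely exercised and so leaves most of the outage risk unmitigated; that is exactly the "design versus effectiveness" distinction in step 3 of the construct, and the per-process aggregation is the portfolio view the article says is available once risks are tied to processes.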

Bottom line, managing operational risk has never been more important than it is today, but never apparently has it been more conflicted between cost and control. It should not, and does not, need to be so!

Credit, Compliance or Operations: What is the Biggest Risk?

Historically, credit has often been the number one risk banks faced. But with an increasing amount of regulation and new technology opening new avenues of attack on bank infrastructure, other sorts of risks are gaining increasing attention these days. In advance of Bank Director’s seventh annual Bank Audit Committee Conference in Chicago June 6 through June 7, we asked speakers to describe the risk concerns of their clients. We asked:

“What risks do you see financial institutions most concerned about: Operational, regulatory or credit?”

Operational and regulatory risks are more inter-related than ever before. Banks still seem extremely mindful of credit risk, but management teams have “gotten used to” those risks, and have been living with the new reality for many years. Now we are seeing a lot of activity relating to regulatory changes and how those changes affect operations. Over the next few years, it will be critical for management teams to stay on top of the regulatory changes and make sure that they are comfortable that their entity’s operations are able to respond to the ongoing regulatory changes. This includes conducting a thorough internal review of internal and external compliance function to ensure that it is appropriately staffed and receiving adequate guidance.

— Rob Fleetwood, partner, Barack Ferrazzano Kirschbaum & Nagelberg LLP

Operational. Since the vast majority of bank management today has operated in the gradually declining interest rate environment since the early 1980s, operating their institutions in a future that virtually guarantees rising interest rates presents a new challenge. Managing earnings without exposing their banks to the same interest rate risk pressures that nearly destroyed the thrift industry in the decade of the 80s will require dedication to sound asset-liability management processes.

— Doug Fitzgerald, partner, Wipfli LLP

Credit Risk. The credit crisis magnified credit risks distinguishing good lenders from poor ones, and banks that survived strengthened internal controls to avoid a repeat scenario. While many banks have cleaned up their loan portfolios, credit risks will remain at the forefront of bankers’ minds across the country for many years to come.

— Steve Hovde, president & chief executive officer, Hovde Financial Inc.

Regulatory. A strong enterprise risk management program covering all aspects of the risk spectrum is essential to managing regulatory risk today. Risk must be managed from the top-down with all members of the board of directors and senior management agreeing on the risk appetite of the organization, what level of tolerance they are willing to accept and what metrics will be utilized to monitor the risks.

— Brian Blaha, partner, Wipfli LLP

Whether one looks at the lost or disrupted business caused by recent cyber-attacks, or the massive regulatory settlements in diverse areas involving Libor rigging, AML (anti-money laundering) non-compliance, or failure to supervise third party vendors offering misleading credit products, it becomes clear that financial institutions need to take operational and regulatory risks at least as seriously as they take credit risk.

Risk and compliance managers need to be more creative about uncovering the next problem rather than just establishing controls to prevent the last problem from recurring.

— Ray Strecker, special advisor, Promontory Financial Group LLC

I believe the biggest risk to financial institutions today is in the regulatory arena. It seems there is something new every day with which banks must comply. It can make your head spin! Having a solid regulatory monitoring function is critical to managing this risk.

— Kendra Decker, partner, National Professional Standards Group, Grant Thornton LLP

Regulatory risks are the primary concern; however, it’s not unusual for there to be elements of operational risk and/or credit risk within the regulatory risk as well.

Risks continue to evolve and the regulatory environment is very dynamic. The program that effectively managed regulatory risk last year needs to continue to evolve to be effective going forward. Regulatory risk that is managed within business as usual processes is generally more effective than processes that are added simply to assist in complying with evolving regulatory requirements.

— Mike Percy, partner, Crowe Horwath LLP

Operational. There are two fronts. Given margin compression, banks are looking at cost containment. This includes reviewing the process for efficiencies and re-evaluating their delivery network. We are seeing banks take a hard look at their branch network. The second item relates to technology—both from a standpoint of delivery and risk mitigation. If we really understood the regulatory burden in our future, then it would be worth the concern. At this point, it is too nebulous which makes it impossible to address.

— Sal Inserra, partner, Crowe Horwath LLP

In today’s banking environment, where these types of risks are so very interrelated, it seems more difficult than ever to untie operational, credit and regulatory risk from one another and identify one as being more critical than another. From an audit committee standpoint as it relates to BOLI (Bank-Owned Life Insurance), the justification for the asset purchase, the product structure and the ongoing review of the credit of various carriers creates regulatory and credit risk challenges. Add to that additional challenges from BASEL III and Dodd-Frank, along with a tepid economic recovery coming out of the great recession, and a complete, more thorough understanding of the BOLI asset will be critical in the future.

— Becky A. Pressgrove, senior vice president and chief operating officer, Equias Alliance LLC

Coming to Grips with Operational Risk

Fraud. Bad loans. Almost anything can put your bank at serious risk. In this video presentation, William Beale, CEO of Union First Market Bankshares of Richmond, Virginia, discusses what directors need to know when analyzing operational risk.

Highlights include:

  • How to measure operational risk
  • Who should be included in an operational risk committee
  • Limiting losses from fraud
