Reprinted from a white paper by: Christina Rea, Esq., Deputy Chief SME/Compliance – Regulatory
In the years since the recession, the heat has been on the financial industry to develop compliance regimes that protect consumers rather than circumvent regulations. Everyone is familiar with the news stories of fraud and crime: stolen consumer identities, banks lacking adequate controls to detect and investigate financial crime, and Ponzi schemes. Less familiar are stories of a more insidious type of financial crime: cyber crime.
Pinpointing and reforming regulations that address cyber crime and cyber fraud is a challenging feat, not least because of the lack of black-letter rules governing criminal activity in the virtual world. One of the biggest problems with regulating cyber crime is the speed at which it evolves. As fast as controls can be put in place to block criminals (and often long before), new ways of circumventing those controls are being developed. Staying on top of virtual crime requires new ways of solving problems, new regulations that address cyber security as a whole and how it ties into compliance, and constant diligence to stay one step ahead of criminals.
Regulators and key officials are quickly recognizing the many challenges of cyber security and how to regulate it. In early November 2015, the New York State Department of Financial Services (NYSDFS) issued cyber security guidelines that will likely become the blueprint for both state and federal financial regulators.
After years of surveying the financial industry, the key issues identified are:
The NYSDFS is proposing to implement the following regulations to address identified issues:
In addition to New York State, federal agencies such as OFAC, FINRA and the SEC are issuing guidance on cyber security.
In late December 2015, OFAC issued regulations implementing Executive Order 13694, "Blocking the Property of Certain Persons Engaged in Significant Malicious Cyber-Related Activities." Effective December 31, these regulations were published in abbreviated form and are to be supplemented with more detailed provisions at a later date. Under Executive Order 13694, the property and interests in property of anyone found to have engaged, directly or indirectly, in cyber-enabled activities that harm or compromise systems or services in a critical infrastructure sector, or that cause the misappropriation of funds or economic resources, within the United States may be blocked.
A January 5, 2016 letter issued by FINRA states that one of its 2016 regulatory priorities is cyber security preparedness and firms' ability to protect the confidentiality of customer information. Examinations will cover governance, risk assessment, technical controls, incident response, vendor management, data loss prevention, training, and the ability to protect sensitive information while maintaining its integrity. This is consistent with FINRA's 2015 Report on Cybersecurity Practices, which provides further guidance on the measures firms should take to strengthen their cyber security compliance programs.
In September 2015, the SEC likewise issued a Cybersecurity Examination Initiative, with emphasis on financial firms' ability to ensure the integrity of the market system and protect sensitive customer data. Like FINRA, the SEC will focus on data loss prevention, governance, vendor management, incident response and training.
So what is the end result of all these new cyber security measures? In addition to preventing the leakage of confidential data and the compromise of critical systems, proper cyber security controls can help prevent virtual financial crimes such as money laundering, market manipulation, and even terrorism.
Hacking into a financial institution's customer accounts can enable schemes such as "pump and dump," in which cyber criminals first buy shares of an equity themselves, then use the compromised accounts to purchase the same shares and drive up the price, and finally sell their own holdings at a profit. Cyber security breaches can also be indicative of other criminal activity within the bank and should be analyzed alongside potentially suspicious activity identified by other departments within the institution, such as AML. In addition, the technical capabilities of terrorist groups are growing rapidly. One example is Kybernetiq, an ISIS-driven magazine that instructs its members on how to conduct "cyber war."
Now that regulators are making cyber security a top priority, financial institutions should begin incorporating these regulations into their existing compliance programs. Policies and procedures need to be updated, audits need to be conducted, and compliance and IT departments must work in tandem to ensure that every available measure is being taken to prevent financial crime and terrorist financing.