How Banks Must Prepare for Dodd-Frank

Dave Mader of Booz Allen Hamilton on What Banks Should be Doing Now
It's been well over a year since the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act. How should banking institutions prepare for the hundreds of new regulations expected to come as a result of this landmark legislation?

Dave Mader, senior vice president at Booz Allen Hamilton, says even without firm new regulations, financial institutions of all sizes are already undergoing change.

"What's happening - and I think it's the right reaction by the industry - is [banks] read the bill just as you and I read the bill, and they're starting to take steps in anticipation of those ensuing regulations."

Part of this preparation is just understanding the bill, Mader says. And part of it is securing the right counsel - in-house or out-of-house - to understand the regulatory mandates to manage business and risks going forward.

"People are going to have to spend the time to understand the significant impact of the various provisions of this bill and how it's going to translate into how they do business going forward," Mader says. "Because [business] will be very different in some cases."

In an exclusive interview about Dodd-Frank and its impact on banking institutions, Mader discusses:

  • Changes we have seen so far in the banking landscape since the passage of Dodd-Frank;
  • How Dodd-Frank most impacts banking/security leaders and organizations;
  • What milestones we are likely to see in the next year.

As a Senior Vice President at Booz Allen Hamilton, Mader leads the firm's business in support of U.S. Department of Treasury, Freddie Mac and Fannie Mae, as well as the Executive Office of the President, Congress, Office of Management & Budget, Office of Personnel Management, General Services Administration and Government Accountability Office.

Mader is a lecturer for the Change Management Advanced Practitioner program at Georgetown University's McDonough School of Business. He is also the recipient of both the Distinguished and Meritorious President Rank Award and the Treasury Secretary's Honor Award.

Formerly employed as an IRS assistant deputy commissioner, he was part of a team that researched techniques for effecting real change in government.

TOM FIELD: Let's tackle this topic right from the start. What changes have we seen so far in the banking landscape since the passage of Dodd-Frank?

DAVE MADER: It's very interesting. I don't think a day goes by that you don't pick up either The Wall Street Journal, The Washington Post or The New York Times and see a story about Dodd-Frank. The fact is it's been 14 months since the passage of the legislation and I think sometimes we forget that the legislation basically is going to require over 300 new regulations to be written and enacted. Thus far, 14 months after enactment, we've only seen really a handful of those regulations being actually issued and implemented. I think what's happening though, and I think it's the right reaction by the industry, is they read the bill just as you and I read the bill, and they're starting to take steps in anticipation of those ensuing regulations. But I think we need to keep in mind that it's going to take another year or so for the full impact of this legislation to take hold in various segments of the industry. People are preparing. People are assuming the regulations will be issued one way or the other and they're acting and reacting accordingly.

FIELD: Well along those lines, let's talk about the different types of reactions from large institutions versus smaller community institutions. What do you see is the difference in the impact?

MADER: There's no question that the breadth and depth of this legislation is going to have an impact on all-size institutions, from smaller community banks to the large, "too big to fail" banks. A lot of that impact thus far is spending the time to understand exactly what these regulations could possibly mean to how an institution conducts its business with regard to the types of deposits, the interests that they may pay and the increasing complexity of the rules and regulations that they're going to have to comply [with].

In the case of a community bank, what you're seeing is they have complied with existing statute. Now they are looking at these additional requirements and they are saying, "I need to retain or hire additional individuals who will help me manage the risk and manage the compliance. I'm going to have to change some of my business practices to comply with these upcoming regulations and, oh by the way, it also may impact my relationship with my current base of customers." People are going to have to spend the time to understand the significant impact on the various provisions of this bill and how that's going to translate into how ... they do business going forward because it will be very different in some cases.

FIELD: One of the things that we've focused on at BankInfoSecurity is the impact of Dodd-Frank on information security leaders and organizations. Where do you see that impact?

MADER: I see a couple of impacts. For the industry, I think [it's] a continued emphasis on maintaining the privacy and confidentiality of the information that they secure from their customers and potential customers, and you only need to pick up the paper and see stories almost every day and certainly every week around the malicious intent of hackers to attack institutions, whether it's the government or the private sector. I think as our society has moved over, in particular the last ten years, to much more electronics, that raises a huge risk to the financial institutions. Dodd-Frank talks about financial transactions and derivatives, but I actually think that there's as much risk going forward around an institution failing because their data security has been compromised, which would result in not only a loss of revenue but certainly the loss of confidence of their customers, and that can actually cause a bank to have some serious consequences.

This whole movement over the last ten years to electronic transactions increases some vulnerability that's probably not sufficiently addressed by Dodd-Frank. I think for the government, on information security, the regulators under Dodd-Frank now are going to be collecting more data from the private sector. The whole creation of the Office of Financial Research in support of the FSOC [Financial Stability Oversight Council] really is the culmination of, "How do I bring together all of the information from the various regulators today and how do I supplement that with additional open-market information?" It really puts the premium to your point on, "How do I maintain the integrity of that data?"

FIELD: So far in this conversation you talked about the work that needed to be done, the regulations yet to write. As we look ahead into 2012, what milestones, if any, are we likely to see met in terms of Dodd-Frank?

MADER: Clearly the industry is waiting for a lot of regulations. We know that next summer the institutions that have been characterized under the legislation as "too big to fail" need to provide what's called in the bill a living will. How would the government disaggregate one of those large institutions if they needed to? That I think is going to be one of the major milestones, but there are, for community banks and for all institutions, a series of these regulations that are going to roll out over the next 12 months that are going to cause them, as I mentioned earlier, to change how they do business and will change some of the relationships they have with their customers.

FIELD: Do you see any factors that could derail the progress that we're talking about?

MADER: When you have legislation that's this expansive, just getting an agreement between the various regulators at the federal level because there are interdependencies between these regulators now under Dodd-Frank. Getting them all to agree on a set of regulations is going to be a challenge. I don't think it's a derailer but it's certainly a challenge. Then we are entering the presidential election and who knows what the next 24 months will bring on the political landscape.

FIELD: That's a fair point. Earlier in the conversation you talked about what institutions are already doing in anticipation of regulation. If you could boil down your advice to financial institutions, what should they be doing now to prepare for the changes that Dodd-Frank ultimately is going to bring?

MADER: One of the things that I've learned and that we have learned as a firm in dealing with clients both on the defense as well as the internal security markets is, "How do you effectively conduct scenario planning?" And certainly in the defense and the [intelligence] community, those organizations have been doing it for years. I do think that because of the breadth and depth of the regulations that Dodd-Frank requires, financial institutions really need to sit down and do that kind of scenario planning, because in the passage of the legislation there are numerous interests that were working to ensure that we didn't have a repeat of 2008 and 2009. But nobody I think really understands how those 300 regulations would actually interact in real operation, and I think the use of very specific scenario planning would help institutions both large and small in modeling what the implications could be to their particular business model.

Until an institution looks at it holistically, simultaneously, nobody will know and unfortunately you could sort of wind up with unintended consequences. I would encourage the community to seriously consider conducting those kinds of scenario planning activities because we know that they have proved successful in other theaters.


About the Author

Information Security Media Group

Information Security Media Group (ISMG) is the world's largest media company devoted to information security and risk management. Each of its 37 media sites provides relevant education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Its yearly global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.



