OCC: Cyber-Risks to Payments GrowingComptroller Calls for Tighter Controls, More Regulatory Scrutiny
He also calls for closer regulatory scrutiny of non-bank financial services and payments providers. At the June 3 Emerging Payments Forum, hosted by BITS, the technology policy division of the Financial Services Roundtable, he hinted that retailers should be more closely monitored as well.
"The same technologies many of you in this room have employed to provide new and efficient delivery channels for your customers are also being used aggressively by hackers and criminal elements, which brings me to the all-important question of cybersecurity," Curry told banking executives at the forum. "Cybercriminals will also probe emerging payments systems for vulnerabilities that they can exploit to engage in money laundering, which has broad national security implications."
Banking institutions must be well-informed about the risks tied to emerging retail and wholesale payments methods, such as mobile payments and digital currencies.
And he called for more regulatory oversight of non-bank payments players, such as ApplePay and Google Wallet, with which banking institutions have already built payments relationships.
"Regulation adds significant value in the areas that we're discussing today," he said. "Efforts are well under way to bring e-commerce and emerging payments systems deployed by non-bank players under greater regulatory scrutiny."
Curry also said banks and credit unions must take steps to ensure cybersecurity throughout the payments chain, including at merchants. Banks represent "the industry's collective interest in protecting the security of the payments system," he added.
Role of Dodd-Frank
Using authority granted by the Dodd-Frank Wall Street Reform and Consumer Protection Act, banking regulators can do more to oversee e-commerce and emerging payments players to "ensure a more level playing field and protections for customers of non-banks," Curry said.
"In addition to ensuring that banks adhere to various regulatory standards and policy guidance, regulators provide an additional set of highly trained eyes to the process of determining what risks banks face and how well they manage those risks," he added. By bringing more regulatory oversight to other financial players, regulators can help to better ensure risks they face are being adequately addressed, he explained.
The Office of the Comptroller of the Currency in 2013 established the Payments Systems Risk Policy group, which is led by Kathy Oldenborg and is part of the OCC's Operational Risk Division. The group provides examination support, training, and guidance to OCC examiners and acts as an educational resource for banking institutions that need to learn more about traditional payment structures and their cybersecurity risks across the retail and wholesale payments landscape, Curry noted.
"We also established a Critical Infrastructure Policy group, which develops and coordinates the OCC's cybersecurity policy initiatives," he said. The creation of that group has been an important component of Curry's role with the OCC and as acting chairman of the Federal Financial Institutions Examination Council, of which the OCC is one of five regulatory agencies. He said the group was created to "address the risks that cyberthreats pose to individual banks and the banking system."
"We created an interagency Cybersecurity and Critical Infrastructure Working Group under the FFIEC umbrella to increase cybersecurity awareness, promote best practices in the industry, and to strengthen regulatory oversight of cybersecurity readiness," Curry added.
Cyber Assessment Tool
Curry also pointed out that the FFIEC would soon release a Cybersecurity Self-Assessment Tool that community banks and others can use to evaluate inherent cybersecurity risks within their infrastructure and emerging payments areas and assess their risk management policies.
The FFIEC is recommending use of the self-assessment tool, one of six key cybersecurity recommendations it announced in March that it planned to include in updates and supplements to the Information Technology Examination Handbook.
Enhancement of incident analysis, crisis management protocols and cyberthreat training also are expected to be outlined in the FFIEC's revised handbook, as are expanded guidelines for vetting technology service providers' cybersecurity and recommendations for better collaboration with law enforcement.
"We at the OCC are continuing to improve our collaboration with other agencies and communicate the importance of cybersecurity awareness and best practices among financial industry participants and regulators," Curry said.
Payments Pose Growing Risk
Karen Webster, CEO of technology consultancy Market Platform Dynamics, who also spoke at the BITS event, said too many U.S. merchants still don't understand why enhanced payments security features, such as EMV, are necessary. She, like Curry, said the financial industry has an educational role to play to ensure merchants fully understand emerging payments risks.
The banking industry must take steps to ensure that EMV can meet the needs of merchants, she said. Curry also stressed that banks need to help merchants understand the escalating cyberthreats they face, and come up with ways to improve their security.
"Banks have been the source of so many of the innovative products and technologies of recent years," he said. "Banks of all sizes are playing important roles as pioneers and partners in the development and adaptation of emerging payments technologies. ... Banks are engaged in organizations like BITS and the Bank Innovators Council, through which they share brainpower and financial resources. Some banks are setting up innovation incubators, where they have the freedom to pursue, implement and field-test new technologies."