Financial regulations provide a framework seeking to promote legal and ethical behavior within the industry. However, scandals over the last fifteen years have revealed broken regulations and poor enforcement. In each scandal’s wake, lawmakers passed legislation to either amend the existing standards and enforcement mechanisms or create new. As a key pillar in a nation’s economic foundation, the U.S. relies on a stable financial industry. Financial standing determines a nation’s standing on the international stage. China’s emergence as an international power, for example, derives partially from its economic strength.
The sheer volume of assets, the financial industry manages presents a highly lucrative target for criminals. Insiders engage in fraud, deceiving investors for ill-gotten profit, and others use complex financial systems for illicit purposes such as money laundering. Also damaging is the near-constant assault from cyber criminals. In order to protect consumers and ensure transparency, U.S lawmakers have empowered several regulatory bodies with oversight authority. Still, responsibility for regulatory compliance and safeguarding financial assets remains with individual institutions. Regulations create a diverse set of compliance environments that display some similarities, yet contain differences in focus and intent. Improving cybersecurity in the financial industry requires a critical evaluation of the merits and issues of compliance present in each environment. Only then can cybersecurity policy makers recommend regulations that promote efficiency while protecting the industry and its customers.
Analysis of Compliance Issues
Due to the financial sector’s complex nature, compliance with federal, state and local laws provide a monumental challenge. Cybersecurity further complicates the issue. As former Federal Bureau of Investigation Cyber Division Assistant Director Gordon Snow (2011) explained, “Cyber criminals have demonstrated their ability to exploit our online financial and market systems that interface with the Internet.” Since the financial sector depends heavily on information technology, regulatory compliance becomes a critical cybersecurity component. Because a large portion of assets exist on paper rather than physically, protecting asset data serves as a driving force for regulation.
Ensuring coherent and active cooperation with other financial entities serves as a key to achieving compliance. The Gramm-Leach-Bliley Act (GLBA), for example, dictates how institutions collect and share information. GLBA’s provisions require strict confidentiality and security for personal information institutions collect, such as account numbers, social security numbers and credit histories. Key to understanding GLBA is that the term “financial institution” carries a broad definition, including “check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services” (Bureau of Customer Protection, 2006). The Federal Trade Commission’s (FTC) Safeguards Rule sets additional standards, requiring that organizations identify personnel to oversee a security program, design and implement a safeguards program, and select service providers able to maintain implemented safeguards. Since many of the aforementioned organizations might not possess such capabilities, these regulations present a tremendous hurdle.
Compliance issues also arise at the state level. California's Notice of Security Breach Act (NSB) bears significant ramifications for the financial industry, requiring that organizations make public notifications when negligence or a cyber attack results in data loss. Passed in 2002 and the first of its kind, NSB led to other state and federal breach notification laws. Yet, it stands out in its call for “notification when unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person” (Stevens, 2012). The implied requirement is encryption of personal identifiable information, both in transport and at rest.
Data retention regulations also pose compliance issues for financial institutions. The Electronic Fund Transfer Act, Regulation E, spells out data retention requirements for institutions that hold customer accounts or provide electronic fund transfers. ATM transfers, telephone bill payments, and preauthorized transfers to or from accounts all fall under its purview. This presents another financial sector cybersecurity compliance issue, requiring secure storage for transaction information.