New York's superintendant of financial services wants financial institutions to stop depending on their passwords, boost their cyber defenses, and require more of their security providers. In a wide-ranging speech at Columbia University, Ben Lawsky also said banks aren't doing enough to monitor suspicious transactions, and defended his own aggressive role in going after wrongdoing at the banks he regulates.
He said state regulators "should not be afraid to speak up and act if we spot new risks emerging in the market" and should be willing to sometimes go further than federal regulators "if we think that current approaches to enforcement and prosecution are not effectively deterring wrongdoing on Wall Street."
Lawsky, a former federal prosecutor who has led New York's Department of Financial Services since it was created by Gov. Andrew Cuomo in 2011, has flung his regulatory muscle across the financial world. The DFS has extracted large settlements and fines from the international banks whose New York-chartered operations it oversees, like Standard Chartered and Credit Suisse, and insisted that the chief operating officer of France's BNP Paribas and the chair of the large Atlanta-based mortgage servicer Ocwen leave as part of regulatory settlements.
"Corporations are made up of people. If there is wrongdoing at a corporation, that wrongdoing was committed by people," Lawsky said. "But more and more often it feels like we are discussing a corporation's wrongdoing without detailing who exactly did what wrong."
The large settlements the Justice Department and regulators have reached with banks over their marketing and sales of mortgage-backed securities have had eye-catching numbers attached to them — $16.65 billion for Bank of America, $13 billion for JPMorgan — but have not included charges against specific bank executives.
"In my opinion, if in any particular instance we cannot find someone, some person, to hold accountable, that just means we have stopped looking," Lawksy said.
Lawsky also proposed new preventative measures to stop banks from facilitating money laundering, which has been a major focus of his enforcement efforts. In one of Lawsky's first major actions, he fined the British bank Standard Chartered $340 million after threatening to pull their charter to operate in New York over accusations that it had concealed billions of dollars of transactions with Iran in violations of American sanctions.
Lawsky said that DFS is "considering random audits of our regulated firms' transaction monitoring and filtering systems" to ensure that banks' systems for catching illegal transactions are actually working.
When an independent monitor installed at Standard Chartered alerted DFS that the bank's monitoring systems weren't catching illegal transactions, DFS filitrered the transactions themselves and compared the results with Standard Chartered's. DFS fined Standard Chartered another $300 million last year for "failures to remediate anti-money laundering compliance problems" that it had identified in 2012.
"We believe there are likely widespread problems with transaction monitoring and filtering systems throughout the industry," Lawsky said.
He also called again for banks and financial institutions to be more vigilant about hacking and cyberattacks, saying that he was concerned about the potential for an "armageddon-type cyber event that causes a significant disruption in the financial system." While large banks tend to have sophisticated cyber defenses, the vendors they work with can provide a way in for hackers if they have weak defenses.
He said that DFS is thinking about mandating that the banks it oversees "receive robust representations and warranties from third-party vendors that those vendors have critical cyber security protections in place."
He also said that the regulator was considering doing away with usernames and passwords as the primary method for bank employees to verify their identities. The New York Times reported in December that the massive theft of personal information from JPMorgan was possible because hackers stole a JPMorgan employee's credentials and one network server did not require two-factor authentication.
"That simple, extra step can actually prevent a significant amount of hacking. And it is something all firms should do," Lawsky said. "We are currently considering regulations that would mandate the use of multi-factor authentication for our financial institutions. We would be the first financial regulator to take this step."
Lawsky is far from alone in calling for an end to simple password-based security. In January a senior Obama administration official told reporters that "continuing to rely on simple usernames and passwords as the primary means to secure what we're doing in cyberspace is not all that effective."