“…Because That’s Where the Money Is.” OCC Head Highlights Oversight of Cybersecurity for Financial Industry—Will All Vendors Cooperate?

Why are banks often tempting targets for criminals and terrorists alike? Thomas Curry, the head of the Office of the Comptroller of the Currency (OCC), recently reminded us: “…because that’s where the money is.” But what most worries the Comptroller is not a modern-day Bonnie & Clyde or John Dillinger attacking banks from without, but rather scofflaws, “hacktivists,” terrorists and foreign regimes exploiting vulnerabilities in the financial industry’s cybersecurity and striking from within. Over the last few months, Mr. Curry has taken to the speaking circuit, venturing from the Consumer Electronics Show (CES) Government Conference last April to the New England Council in May to raise the question of how vulnerable the nation’s financial sector is to cyber-attack. Mr. Curry noted that while consumers are rightfully concerned about the security of the financial tools they use on a daily basis—from credit card readers at the mall to Internet bill pay and online banking—many do not consider “what goes on behind the scenes” to process these transactions. “Yet the impact of a cyber-attack on those systems could be even more disruptive than a data leak at a large retail store,” Mr. Curry told the CES. “It’s one thing to worry about whether someone is making charges on your credit card . . . . It’s quite another to worry about whether the accounts that hold your life savings are secure.” Some of that vulnerability in the system comes from the “banking industry’s significant reliance on technology and telecommunications,” as well as the interconnectivity between banks and their third party vendors. Comptroller Curry mentioned that third party vendors providing necessary support to large, small and community banks have been an area of concern for the OCC for some time. Because many third party vendors “have connections to other institutions and servicers . . . . each new relationship and connection provides potential access points to all of the connected networks, thereby introducing new and different weaknesses to into the system.” Further, the degree that banking institutions are relying on foreign vendors to support critical activities and granting third parties access to sensitive bank and customer data poses a particular threat to the industry’s security and reputation. While all of these risks can be managed, “what concerns [the OCC] is that risk management practices haven’t always kept pace with the risks [financial] institutions take on.” Mr. Curry’s speeches mark the latest effort by federal regulatory agencies to address the vulnerabilities of financial institutions due to the industry’s reliance on third party vendors to handle critical business tasks. As we have addressed before, both the OCC and the Federal Reserve issued new guidance in late 2013 regarding financial institutions and their third-party relationships. The Consumer Financial Protection Bureau issued similar guidance in 2012 with even broader applicability. One implication of these new rules is that while financial institutions can hire third party vendors to manage certain business tasks, they cannot delegate “the consumer protection, operational, and reputational risks related to third party activities conducted on their behalf;” thus the banks bear both the risks and the burdens of errors that their third party vendors make. Consequently, banks are now expected to continuously monitor the activities of third party vendors throughout the life of the relationship, and outside vendors are required to comply with the regulations that their banking partners would be subject to had the banks chosen to instead handle those delegated tasks themselves. Potential for Conflicting Priorities At their heart, Comptroller Curry’s remarks and the new guidance from both the OCC and the Federal Reserve seem most concerned with making the banking industry more secure so that the integrity of the financial system is protected. But in the post-Snowden world, companies, particularly those in the technology industry, are finding that there is a great incentive to be seen by customers as safe custodians of their personally identifiable information (PII)—not only from nefarious intruders, but from the government as well. Last May the Electronic Frontier Foundation (EFF) published its fourth-annual “Who Has Your Back?” report, which ranked the efforts of major Internet companies and service providers in protecting consumer data from government requests. One of the major stated goals of the report “is to allow users to make informed decisions about the companies with whom they do business” based upon how well those companies will resist and disclose governmental data collection efforts. The EFF report highlighted that, in the year following Edward Snowden’s revelations of vast U.S. governmental surveillance of persons around the globe, many of the companies reviewed had made significant strides in protecting user privacy, resisting government requests for user data, and informing consumers when the government comes calling for user PII – moves made no doubt over consumers’ concerns over governmental access to their information. There is a potential for conflict between increased vendor oversight by financial institutions – which may include requiring a vendor to submit to examination by the bank’s regulators – and the desire by technology companies’ to restrain government access to information they control. For the nation’s banking institutions, the increased focus by the financial regulators highlight the massive importance that data security has for their businesses. “For an industry in which reputation means everything, a single data breach . . . can be extremely costly,” Mr. Curry reminded both the CES and the New England Council. “Banks are particularly vulnerable to events that erode trust, and once an institution’s reputation is damaged, it can take years to repair.” That seems to be the lesson that the companies examined in the EFF’s report have heard as well, evidenced by their increased commitments to user privacy. And banks may ultimately find that the rules requiring greater oversight of third party vendors are critical not only in plugging security gaps that compromise their business, but also in protecting their most important commodity—consumer trust. In any number of relationships between financial institutions and third parties, however, the third party may also have its own relationship with the customer, and hence its own interest in protecting access to the customer information that it rightly considers as its own. It remains to be seen to what extent government regulator access to information held by vendors or partners to financial institutions becomes an issue in commercial arrangements such parties and banks. Stay tuned to the PrivSec blog and Davis Wright Tremaine’s  Payment Law Advisor for more information on the financial regulators’ efforts to regulate third-party relationships in the financial industry, as well as for future developments on this topic.   Please contact Christin McMeley with any inquiries at 202.973.4264.