New payments systems like Apple Pay could offer an opening to terrorists, and should be regulated like banks, the CEO of a major bank said at a payments industry forum this month.
“Think about this: If we’re down the road two or three years, and three-fourths of the banks and three-fourths of the merchants are on Apple Pay or whatever system,” said Kelly King, CEO of BB&T, during a panel at the annual meeting of ACH network the Clearing House in New York on Nov. 20. “If you’re a smart terrorist, what better way to get in to disrupt the financial condition of the United States of America than go to one of their back rooms.”
King, whose bank has $137 billion in assets, is deemed a systemically important domestic bank and thus subject to heightened supervision standards to protect the financial system. But nonbank companies don’t face the same level of scrutiny.
“If those folks want to play in the financial services area, and in the payment system, they might well be deemed a SIFI [systemically important financial institution] and let them understand what real regulation is,” King added, according to American Banker.
But nonbank payments players aren’t the only potential points of attack on ACH networks and other parts of the financial system, according to other members of the panel, which also included the CEOs of U.S. Bancorp, Citigroup and Deutsche Bank. Small banks, while regulated, are also a risk.
“We have a real challenge because smaller banks don’t know much about this, and don’t care about this, and don’t think they can afford it,” King said. “I really believe that the most likely threat for us is that a terrorist goes into a small bank somewhere, comes in through a fed wire, goes to a major bank, wires that billion dollars of capital, and the next morning we wake up and have a financial crisis.”
King and U.S. Bancorp CEO Richard Davis said it was critical for players besides big banks to join the Financial Services Information Sharing and Analysis Center (FS-ISAC), whose threat-notification system is used by banks to notify each other within seconds when data has been compromised, including information on the scale of an attack, which allows banks to put up proper defenses.
It’s like “calling down to Scotty in the main room, and saying, ‘Scotty, give me all you got!’ And we put up the force fields,” Davis said. While FS-ISAC isn’t perfect and cyberattacks have inconvenienced customers, he added, the financial system has yet to see a direct attack that has resulted in theft.
“But we’ll never have the whole system secure regardless of how much we spend, until we close the back doors,” King said.