New York bank regulators are considering massive programs to audit large banks’ cybersecurity and anti-money-laundering (AML) systems, The Wall Street Journal reported.
In a speech at Columbia University on Wednesday (Feb. 25), N.Y. superintendent of Financial Services Benjamin Lawsky proposed the AML and security audits, and also raised the prospect of demanding that bank executives personally attest that their AML systems work effectively, insisting on third-party certification of banks’ network security, and requiring multifactor authentication for bank customers.
The proposed audits of AML systems would follow the pattern of Lawsky’s investigation of Standard Chartered Bank where, as part of a 2012 money-laundering settlement, a monitor was installed at the bank to make sure new AML controls worked properly. They didn’t — the upgraded system still failed to catch millions of suspicious transactions that the monitor found. “We basically ran the company’s transactions through our own filtering system and compared the results,” Lawsky said.
Doing that for every large bank in New York isn’t practical, he said, but it could be done on a spot-check basis even for banks that aren’t under a cloud, as Standard Chartered was. And for all banks, executives should be required to personally attest to the effectiveness of the systems, the way they attest to the accuracy of financial statements, he suggested.
Just how useful widespread AML audits would be isn’t clear. AML efforts currently catch only a small fraction of 1 percent of money-laundering transactions, which means even catching 10 or 100 times as many laundering transactions would hardly make a dent in the problem.
Lawsky also floated a possible requirement for replacing conventional static passwords with more effective authentication, such as one-time passwords that would be sent to a customer’s or employee’s phone as the individual was attempting to log in to bank systems. “The password system should have been dead and buried many years ago, and it is time that we bury it now,” he said in the Columbia speech.
Regulators may also beef up bank examinations by adding assessments of each bank’s cybersecurity preparedness, Lawsky said. That comes in the wake of last summer’s data breach at JPMorgan Chase, which affected accounts for 76 million households.