BITS: Tackling Fraud in 2012
Collaboration, Best Practices Needed to Mitigate Risks
One way: by bringing key thought leaders together. "We provide many forums for discussion," Carlson says in an interview with BankInfoSecurity's Tracy Kitten [transcript below]. "That will help us solve these different problems."
Another area is in the development of best practices and strategies for how to solve cybersecurity and fraud issues. BITS expects to target specific industries for building collaborative partnerships - working to identify and mitigate problems affecting financial institutions.
"Lastly, which I think really has been a hallmark of BITS, is a constant collaboration with regulators and other government officials around trying to solve these problems, not in a lobbying context but in a context of, 'Here's an issue, here's a threat, what's the most productive way for us to work in partnership to solve this problem?'" Carlson says.
BITS is focused on improving the identity-proofing process, or "know your customer."
Carlson says BITS will continue working with the government and other parties to determine ways to improve KYC, "particularly in situations where you may never actually meet your customer face-to-face."
During this interview, Carlson discusses:
- The focus regulators will place on risk assessments;
- Security challenges posed by emerging technologies such as mobile and cloud computing;
- Resources BITS and other entities will provide in 2012 to help banking institutions update strategies for cybersecurity improvements.
Carlson on Dec. 1 was named executive vice president of fraud prevention and cybersecurity for BITS. In addition to overseeing BITS cybersecurity and fraud-prevention initiatives, Carlson has been tasked with leading public-private collaborative efforts for BITS on the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security. Before rejoining BITS, Carlson served as a managing director of Morgan Stanley in New York City, where he focused on supplier risk management, new product approval, environmental risk and standardization of board-approved policies. Before Morgan Stanley, Carlson served in a variety of roles at the Office of the Comptroller of the Currency, including director of bank technology. He also worked at the U.S. Office of Management and Budget, Federal Reserve Bank of Boston, and United Nations Center for Human Settlements.
Cybersecurity and Fraud Prevention
TRACY KITTEN: Cybersecurity and fraud prevention are obviously hot topics, but could you tell us a bit about the specific role you'll be playing where cybersecurity and fraud prevention for BITS are concerned?
JOHN CARLSON: What we've done at BITS is we've combined the cybersecurity and fraud program under my leadership, and what we're doing is taking two very strong programs that have been kind of the core focus areas for BITS for many years and we'll continue them as separate entities but we'll find ways to collaborate where there's an intersection between security, cybersecurity issues and fraud.
KITTEN: Now this is a newly created position, is that correct?
CARLSON: Yes, it is, but it's building on two existing programs that BITS has had for many years with a lot of strong member input and a great forum for collaboration with the federal government, the regulators, the service provider community and others as we strive to try to deal with the cybersecurity issues and reduce fraud in the financial services industry. We're doing this really for the benefit of our customers, the customers of our financial institutions that are members of BITS, and to ensure that we have a safe and sound banking system.
Financial Risks Facing the Private Sector
KITTEN: You previously worked for BITS overseeing regulatory management security and crisis management. Now that you've come back to BITS from Morgan Stanley, where you focused on risk management and policy standardization, what can you tell us about financial risks facing the private sector?
CARLSON: There are many risks particularly in the technology space. The industry is certainly dealing with new threats on the cyber front, also new types of fraud that are being perpetrated by fraudsters, and in many cases are international challenges. We also are seeing some challenges with emerging technologies such as the use of mobile devices, social media, cloud computing, and of course there's always the reliance on third-party providers. Ensuring strong controls overseeing those third-party providers has been an ongoing challenge for the industry. And last, but certainly not least, has been an increasing regulatory environment in which new rules, new requirements, stronger oversight by the financial regulators and others, are ensuring that financial institutions are operating in a safe-and-sound manner.
2012 Focal Points for Regulators
KITTEN: Your previous roles include regulatory experience, and this perspective gives you some insight about regulatory compliance and perhaps some of the concerns regulators are and will be focused on. From an ACH and online fraud perspective, what do you expect to be focal points for regulators in the coming year?
CARLSON: In the coming year, they'll be focusing on ensuring institutions are implementing or responding to the FFIEC, that's the Federal Financial Institutions Examination Council guidance on authentication, which was updated earlier this year and will require institutions to continue to strengthen their authentication programs, including those programs covering automated clearing-house transactions.
I think closely related to that has been a concern that the industry and the regulators have had with respect to fraud on various channels, including ACH and account takeover, which has been an issue for the industry and the industry has been working hard to respond to it.
KITTEN: What role will BITS play in addressing some of those risks?
CARLSON: Our future focus going into next year is going to be a combination of developing the best practices papers for our member companies to address issues in the fraud space, from mortgage fraud to remote deposit capture, to looking at social media and how that's being used, and new ways to perpetrate fraud. We'll also continue to collaborate with a lot of different parties in order to solve different issues.
There's also our leadership in a council called the Financial Services Sector Coordinating Council, of which BITS has been a founding member and very active over the last ten years, and that is in areas of cybersecurity to improve information sharing around cyber threats and events, as well as some long-term research and development initiatives to improve identity proofing so that we have greater confidence in the people that are doing business with financial institutions or even people that are customers of financial institutions.
There are a lot of different initiatives that BITS is involved in, that the security and the fraud teams, as well as others within the BITS community, including the regulation and some of the supplier-risk groups, are going to be focusing on in order to reduce fraud and to try to make the cybersecurity environment more secure.
KITTEN: Now you've mentioned the FFIEC guidance and you've also talked about some of the public-private partnerships, but I wanted to go back to ask a little bit more about the regulatory perspective. Can the industry expect more cybersecurity and fraud prevention mandates in the coming year?
CARLSON: I think the regulators currently have a tremendous amount of authority and have issued a great deal of guidance and regulations in the cybersecurity, supplier risk, identity theft and fraud areas. They currently have a very strong foundation with existing rules and supervisory guidance. I think the focus going forward is probably going to be more along the implementation and the constant updating of the risk assessments as those risks change, and ensuring that financial institutions are following through and making adjustments to their programs.
I think there will also be a broader effort that you'll see throughout the government working with BITS and financial institutions and others in the private sector to enhance information sharing, to develop some common standards around breach notification and other areas including research and development and other proposals that are currently being debated in the U.S. Congress. I think the regulators working with the Homeland Security Department, Congress and the industry will be working very hard over the next year or two to try to develop some rules, some new capabilities, in order to mitigate some of the cybersecurity and fraud-related issues. I think that's part of the challenge of what we're trying to do. The challenge that we're dealing with is that we have what we call an ecosystem that we all use in the cyber environment and there are a lot of threats in that environment and our approach is to try to address as many of those threats as we possibly can through collaboration and best practices, and if we need to develop new rules and requirements then we'll work in partnership with our government officials to try to develop rules that make sense and solve the problem.
Cybersecurity and Fraud Prevention in 2012
KITTEN: And how do you expect to help financial institutions as they outline plans for cybersecurity and fraud prevention in 2012?
CARLSON: We do that through a number of means. One of them is we provide many forums for discussion in which we bring in key people that will help us solve these different problems. Another area is through the development of best practices and strategies for how we will solve issues. Another is to target particular industries where we know we need to work in partnership and to structure collaborations in a way that's going to solve the problem, or at least identify the problem and work in a way where we can try to solve it, given that we may come from different perspectives.
Lastly, which I think really has been a hallmark of BITS, is a constant collaboration with regulators and other government officials around trying to solve these problems, not in a lobbying context but in a context of, "Here's an issue, here's a threat, what's the most productive way for us to work in partnership to solve this problem?" I think that partnership has been very helpful for both the government as well as the private sector to solve some of these problems.
The challenges continue. As technology advances forward and people use new technologies and the world becomes a more global marketplace, we realize we have new issues we've got to deal with, either on an international level or at a local level. That's what's unique about BITS. It provides a forum for talking about those issues and trying to solve them. Of course we're representing financial services so we have a certain perspective, but that's really what BITS was founded for and what we're continuing to do.
Gaps in Fraud Prevention
KITTEN: This is probably a loaded question, but I'm going to go ahead and position it anyway. Where do you see most financial institutions missing the mark where fraud prevention is concerned?
CARLSON: I think the challenge is this dynamic of trying to follow the market, meeting customer needs, customer demands, and then making sure there are strong controls that follow it. Oftentimes, there will be a push to move into a new technology, new market or a new way to deliver products and services without necessarily having all the necessary controls in place to manage the risks. I think that's just been an ongoing challenge in the technology space, and I think the financial services industry is in a position where we have a tremendous amount of liability and reputational risk that we have to manage. That's an ongoing issue and certainly the regulators understand that, and they put a lot of pressure on and are conducting examinations of financial institutions to make sure they have adequate controls in place.
KITTEN: When we talk about risks, we often talk about online security. But I wanted to ask about other channels such as the mobile channel, ATM, branch and even the call center. What vulnerabilities do you see in those channels and how will you be addressing those vulnerabilities in the coming year?
CARLSON: In the past we've issued a number of papers on things having to do with mortgage fraud, ACH-type fraud, and we'll continue to update those types of papers to help our members manage those types of risks. We'll also continue to look forward in terms of how mobile devices are being used, how social media is being used in a way to provide financial institutions ... advice or other types of services that customers are demanding. We'll have to look for ways that fraudsters are manipulating systems or weaknesses in the systems and try to find ways to address them.
One of the long-standing issues we've been working on, as I mentioned earlier, is trying to improve the identity-proofing process of knowing who your customer is. That's a regulatory requirement. It's really a necessity in terms of managing a program that's not rife with fraud. We'll continue to try and work with the government and other parties to figure out ways to improve the identity-proofing process, particularly in situations where you may never actually meet your customer face-to-face. It will be done online and you have to rely on government-issued credentials or other documents to validate who a person is. That's just one example of where we'll continue to work with the government partners and others to try to solve a very difficult problem in the cyberspace arena.
Mobile Fraud Prevention
KITTEN: You mentioned emerging technology and I wanted to ask about mobile because it's a growing area of concern. How focused over the next year will BITS be on fraud prevention that touches the mobile channel?
CARLSON: I think we'll continue to stay closely focused on mobile. BITS had convened a number of different forums over the years, including one conference last year, and we're in the process of writing up a paper that looks at the landscape in the mobile environment and where there are potential vulnerabilities. I think that will drive future work in terms of how we will go about mitigating some of those vulnerabilities. Right now we're in what I would regard as the research stage in terms of understanding the landscape, how the landscape is evolving very rapidly and then we'll drive towards trying to mitigate some of the risks once we understand what they are.
KITTEN: Before we close, what final advice could you offer to financial institutions where cybersecurity and fraud prevention are concerned?
CARLSON: My advice is to continue to make the investments that institutions are making in strengthening security and fraud programs. I think one of the best ways for us to tackle the challenges and some of the problems that we're dealing with today and in the future is through collaboration, including, hopefully, very pragmatic, flexible approaches that the regulators will continue to sanction as we move forward, hopefully to make progress on the work that we're doing with the government and other officials to solve some of these problems in the cyber ecosystem. And that includes working with the Internet service providers, working with law enforcement and hopefully strengthening some of those partnerships that we have today.