BITS: Top Security Concerns for 2012
Regulations, Needed Guidance Top List
"Dodd-Frank is going to bring a lot of change," Smocer says. "From a technology perspective, Dodd-Frank is going to require a lot of additional data gathering and ... systems implementations, with regard to data gathering and data retention that have historically not been there."
Guidance is also a priority in the mobile payments and social media spaces. Pulling from existing guidance, regulators are expected to begin crafting mandates for emerging areas as well, as more financial institutions expand their use of these technologies.
"I think the industry has done a very good job of collaborating around issues that are industry-level and not competitive, and I think to continue to foster that is important," Smocer says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
Also going into 2012, additional work will be needed in cybersecurity and fraud prevention, two key areas.
During this interview, Smocer discusses:
- Priorities for BITS and financial services, generally;
- Why the industry can expect to see more "pointed" guidance aimed at mobile banking and mobile payments;
- The role BITS plans to play in the financial-services space now and into the future.
Smocer most recently served as executive vice president at BITS, where he led successful initiatives to enhance e-mail security and to advance practices for identifying and validating online customers.
How BITS Has Evolved
TRACY KITTEN: You've been involved with BITS for a number of years. Taking on the role of president doesn't really come as a surprise given your background in the financial services industry, as well as your history with BITS. Can you give our audience a little background about BITS and how you've seen the organization evolve, as well as change, since you first got involved with the Financial Services Roundtable?
PAUL SMOCER: BITS is an organization that is a subsidiary of the Financial Services Roundtable, so it serves 100 of the 150 largest financial institutions in the United States as its members. It's got a broad coalition of membership across various financial services industries. Members include banks, insurance companies, securities firms, payment processors, etc. It's a great place to form collaborative relationships dealing with some of the key issues that the industry faces. I think in terms of its mission, it's well known not only to those members, but in a broader sense to the industry as a whole given the history that it's had and the work that it's done in the past, and work obviously that we will continue to do going forward.
Initiatives for 2012
KITTEN: What initiatives do you deem to be priorities for BITS in the coming year?
SMOCER: I would first answer that question by noting that as a membership-driven organization, our priorities are the priorities of our membership. Certainly, in that sense, our concentration on cyber security issues, fraud prevention issues, and to a large extent the regulatory and legislative environment, are ones that we see continuing going forward. In terms of what I'd like to accomplish in the relatively near future, BITS has always been an organization that also tries to collaborate with other industry associations and leaders in the industry, and I'd certainly like to strengthen that collaboration for a couple of key reasons.
One, our members are often members of those organizations as well and I think it serves our members best when we collaborate and focus on important issues in the same way and not use resources as two or more distinct organizations trying to address the same key issues. Second, I think there's certainly a lot of expertise in other associations and it's important that we leverage as much knowledge as we can to solve the industry's issues. In a broad sense that's probably a top priority.
Secondly, we're doing a lot of work as you may know around the question of launching a financial top-level domain, one or more of those. We're working cooperatively with the ABA [American Bankers Association] in that effort and it looks like we continue to move forward with the idea of creating one or more top-level domains that will serve the financial services industry. We believe that serves the community in a broad sense in terms of making sure that a top-level domain that's primarily for financial services is one that is secure and resilient, making sure that the organizations that get to exist in that domain are legitimate organizations, and, frankly, protecting in many cases the naming rights of our members and other financial institutions to make sure that what gets put in that domain is put in a way that cost effectively protects their rights in that space.
One of the things we will be looking at is how effectively the industry and we are doing information sharing. I think that's a key emergent area, both information sharing within the industry between institutions, between the industry and the government sector, the public/private partnership and even more broadly between the industry and other sectors that play a key role in helping to protect our ecosystem.
Fraud Prevention and Security
KITTEN: I wanted to ask a little bit about fraud prevention and security, and that falls in line with the need for more open communication. Where do you see fraud prevention and security falling in those priorities that you mentioned?
SMOCER: I didn't mention them specifically but they're clearly intertwined throughout that whole arena. Cybersecurity is something that has been important to us. Fraud prevention has been something that's important to us, and I don't see our concentration on that diminishing as we move forward in any way. As I think about collaboration, the work that BITS does and the collaborative work that BITS does both with members and across the industry, it's really important that we continue to focus on those two topics. I think we see a cybercriminal community that is very organized and it's consequently important that we, on the defensive and offensive side fighting cybercrime and cyber fraud, certainly get as organized as possible around those topics.
Emerging Tech
KITTEN: As we look at emerging technologies such as mobile banking and the ongoing and growing threats financial institutions continue to face when it comes to social networking sites and online banking, how do you see BITS playing a more dominant or present role in financial services and security education when it comes to some of those emerging technologies?
SMOCER: In particular around social networking, we just issued a paper not all that long ago that's available on our website. It's a public-facing paper, so anyone who cares to get a copy of it is free to go to our website and grab a copy of it. We put that paper together with recognition from our members that the whole area of social networking and social media was clearly an emergent area and clearly an area where we needed to think about risks and [solutions] to those risks as we move forward. That's one example of the kind of work that we do with our members, trying to get some clarification with regards to emergent threats, things that are starting to grow.
Mobile banking is another one you mentioned. We're currently in the midst of a project developing mobile banking security standards. This is a project that we're working on not only with our members but in some cases with other sectors as well that relate to the ecosystem of mobile banking. Again, I come back to the collaboration piece. If you think of mobile banking, there is certainly an aspect of it that relates to the financial services industry, but there are aspects of it that rely on other sectors as well, such as telecom, and it's important that we collaborate across the sectors that are involved to make sure that not only is security built in from the perspective of financial services, but security is built into the ecosystem. It's a pretty clear message both from our members and from the expertise we have on staff where some of these areas are emergent that we need to collaborate to make sure that we're doing the best we can in terms of making it secure and effective for not only the financial institutions but for their customers as well.
Regulatory Compliance
KITTEN: Regulatory compliance has been a big concern for many financial institutions, especially given the fluctuating state of the economy. How do you see BITS playing a role when it comes to stronger education, helping institutions better understand and figure out more efficient ways that they can obtain regulatory compliance, while also dealing with shrinking budgets?
SMOCER: It actually starts before the education phase in that case. BITS has always been active in working with the regulatory agencies, maintaining contacts with the regulatory agencies and creating a bridge between our members and the agencies to exchange thoughts and information. When you think of how regulation comes about, there's first some consideration from the agencies with regard to areas where they might issue regulation, and we try in that case to make sure that our members' voices and input are heard as the regulators think about what the regulation might look like. We often issue comment letters to proposed regulations where we work with our members to build consensus around what those comments should be, looking particularly at things like the cost of the regulation, the importance of the regulation, where that regulation may overlap with other existing regulatory guidance, etc.
But once the regulators have actually gone to the point of issuing regulation, we serve a role in educating our members with regard to what's required under the regulation, what the impact is likely to be. We even do that quite frankly as we're starting to see the early formation, maybe before the regulation is actually officially issued. We're trying to give our members a heads-up in regard to what the implications might be going forward. That has always been a role we play pretty effectively and one that we continue to play.
We've also been heavily involved in the potential regulatory impact of the Dodd-Frank legislation. Dodd-Frank is going to have not only pure financial services but also technology implications, and we have a working group that's led by BITS working with our members looking at technology implications in that space. That's clearly been an area that we've been focusing on. Additionally, maybe not part of your question, we're also focusing much more on the legislative environment. There has certainly been a pick-up in terms of potential legislation that has been introduced on the Hill, and we're looking at legislation and working with our members in terms of educating them around the requirements, and looking at what areas we as a membership can support and which ones we might have some concerns about, and communicating that as well.
KITTEN: You mentioned Dodd-Frank, and I wanted to also ask about the FFIEC guidance. What role does BITS play in helping to educate and work with financial institutions where compliance with this new guidance is concerned, especially given that the deadline for minimum compliance, Jan. 2012, is approaching?
SMOCER: I would go back to what I mentioned earlier. We actually connected some of our members initially with the FFIEC membership as they were considering the new guidance before it came out. Since the guidance has come out, when it was officially issued, we actually went through a process of educating all of our members with regard to the new requirements, particularly pointing out the changes from the prior guidance, the enhanced requirements in some cases under the guidance, and we have been continuing to work with them, particularly the cybersecurity folks, in terms of implementation of the requirements.
We've also been working with the FFIEC to connect the members and the FFIEC with regard to some of the challenges with implementation, in particular around the date. In the area of monitoring particularly, though a lot of members were doing it, some of the new guidance suggests maybe some enhancements in that space, and I think most of the members, if not all the members, were in compliance with the old guidance. That new piece is presenting a challenge to some smaller financial institutions, not necessarily those that are in our membership. But again, trying to speak for the industry as a whole as opposed to just our membership in many cases, we've been working with the FFIEC in terms of what the challenges are in that space.
Top Issues for 2012
KITTEN: What do you see as being the top 3-5 most pressing issues banks and credit unions can expect to face in 2012, even beyond the guidance and maybe some of the budgetary issues that we've already discussed?
SMOCER: I think Dodd-Frank is going to bring a lot of change obviously. Both BITS and the roundtable as a whole have issued more comment letters in any given period related to Dodd-Frank than we have historically in the past. In particular, I think from a technology perspective, Dodd-Frank is going to require a lot of additional data gathering and probably systems implementations, with regard to data gathering and data retention that have historically not been there. That's clearly going to be a big area.
I think we'll start to see some more pointed guidance with regard to mobile financial services, particularly mobile payments. I think that the regulators today probably feel that where it's at in its evolution, they've got some existing guidance. But what often happens is where they believe they have existing guidance, they see it at an intersection of a fairly new, expansive product space. They will very specifically begin to focus guidance around that particular product space. They take the pieces of guidance that they have. They combine them. They add some new guidance and you end up with a new piece of guidance. In this case, it's probably specific to mobile financial services.
In terms of the third area, I think we'll probably see some additional guidance around the social media space as well. That's beginning to emerge in terms of usage by financial institutions and so it's likely that we will begin to see some guidance in that space. Beyond that, it's probably a question as to where the regulators want to go, but that's my sense at this point certainly.
KITTEN: Before we close, what final thoughts about your new role with BITS and security generally would you like to leave our audience with?
SMOCER: I'm certainly excited to have this new role. Borrowing from the nomenclature of leadership studies, I think I would say that I see my role as a servant leader. My priority is to serve our members and more broadly the industry in terms of meeting their needs. I think the industry has done a very good job of collaborating around issues that are industry-level and not competitive, and I think to continue to foster that is important. Certainly, cybersecurity as we talked about a little bit earlier and fraud prevention are going to be two key areas that remain in this space. I think we will continue to collaborate with other organizations that have specialties that we may not have in terms of expertise.
In particular, there may be some additional work going forward in the payments space with some other associations. Again, it's a very exciting role to be in. I think it's a very exciting time. I think we can really make a difference in terms of continuing to address these key issues, in particular cybersecurity. I'm very excited to have the role.