Interview with Doug Johnson of the American Bankers Association
Prior to joining the American Bankers Association, Doug spent ten years as Assistant Director of the Florida Division of banking where he oversaw the supervision and regulation of Florida’s domestic and international banking industry. During that time, Doug served as an advisor to the US Congressional Office of Technology Assessment, assisting in their study of the use of information technologies for the control of money laundering. He also spent time in Miami as a planning analysis for Royal Trust Bank Group as a bank consultant for First Research Corporation. He has a bachelor’s degree in Economics from the University of Florida and masters in finance from the Florida State University.
The ABA was founded in 1875 and represents banks of all sizes on issues of national importance for financial institutions and their customers. The ABA, on behalf of the more than two million who work in the nation’s banks, brings together all categories of banking institutions to best represent the interest of this rapidly changing industry. And Doug, we’re going to go right into the questions. First, hello.
DOUG JOHNSON: Well, good morning.
LINDA MCGLASSON: All right. Doug, as the Senior Policy Analyst of the largest banking association in the nation, what’s your take on how well the industry is responding to the regulatory changes we’ve seen in the past eight years in regards to information security? And is there more that we could be doing as an industry?
DOUG JOHNSON: Well, Linda, first of all, I think as bankers we’re accustomed to regulatory change. We have to deal with it in everything that we do in terms of bank operations. And information security is really no different than – and let’s face it, as an industry we have to take it seriously. Because if we don’t take it seriously we’re really not fulfilling our fiduciary responsibilities, because safeguarding customer information is really part and parcel of our obligation to not only affect payments and transactions for our customers, but also keep the information they have entrusted with us secure.
So, having said that, the last eight years have been pretty challenging. Let’s face it, we’ve tried to adapt and I think we’ve adapted pretty well to those changing regulatory environments. Part of it was, frankly, what congressional folks viewed as a trade off that we needed to really accomplish between increased responsibilities or authorities that we’ve had under Gramm Leach Bliley (GLBA) and because of those increased authorities the ability that we had to really have greater levels of customer information across securities insurance and banking products that we were providing our customers. And so, the privacy and the information security requirements of Gramm Leach Bliley I think were really the start of the eight years that you really alluded to. And so, insuring that customers are aware of how we’re using information and aware of how we’re securing that information was first and foremost but obviously after Gramm Leach Bliley we’ve seen a series of regulatory guidance which has come out vastly emanating in our necessity for stronger levels of authentication, which are all bankers are very well in the throws of, if not completely compliant with it at this standpoint.
I think that what we’ve seen is an increased dialogue, if you will, between ourselves and the regulatory community, particularly as it relates to stronger authentication. What we’ve seen is the ability, or the capacity really, of our regulatory agencies to listen to the concerns of the banking community as they put out new guidance and address those concerns so the guidance which we put in place does not get unnecessarily prescriptive and tie bankers hands, particularly as it relates to evolving technology.
That’s the one thing that we’re particularly mindful of as we go through these changes is that guidance should be – and generally has been – dealing with the risk profile as opposed to dealing with technological fixes. Because those technological fixes are going to change over time. And I think with the stronger authentication that that’s particularly what we’ve seen is that the agencies have really backed away from saying this is the type of technology you should use and gone back to the standard of banks need to be sure that they are properly apprising what their risk profile looks like and addressing that risk profile through putting in stronger measures of security where that security is necessary. And so, I think that’s how we really adapted and responded over time and how the agencies have responded as well.
LINDA MCGLASSON: Well, as a follow up question here, the ABA represents its members, as well as the rest of the industry on a number of levels with those same government regulatory agencies we were just hearing about. And have you seen the correlation between the increased data breaches since I think early 2005 and the buzz that we’re hearing about what coming down in terms of a national data protection disclosure law. And what can we expect to see in the law – what have you been hearing when it does get passed in Congress?
DOUG JOHNSON: Well, sure, Linda, obviously 2005 and the breaches, which we see in 2006 into 2007 as well, impact the landscape of what security breach laws ultimately will look like and we fully anticipate the security breach laws will be entertained by Congress again this year during the legislative session.
First and foremost, I think it’s become abundantly clear that a national solution to this problem is important. I was particularly struck when I was speaking to a group of bankers and others in my home state, which is Florida, about this issue and it was at an FDIC event, and what really was clear is that that’s the best state to use as an example. Because if you’re a banker in the state of Florida, you’ve got customers that are essentially choosing their home state from states throughout the nation. And so, say you’re a banker in Florida and you have a breach necessarily – let’s say it’s through no fault of your own. Let’s say it happened to a third party but you have customer notification requirements, you’ve got to look at every single state that your customer has claimed as a primary residence to come to some conclusions of what the security breach notification law is in that state, and that’s going to get worse. That’s not going to get better as we see additional states. And we’ve got over 30 states now that have put these kinds of laws in place. So, a national solution is absolutely key, but also a solution that raises retail operations and other third parties to the level of security the bankers already practice.
There’s a lot of work that’s being done in this area outside of the legislative arena and ABA clearly thinks that having a platform of law which deals with breaches across all commercial and other operations, government as well obviously, is what’s absolutely key so that we can address these issues in a consistent manner which will actually benefit the consumer because it will cause less consumer confusion rather than consumer has different requirements based upon different states.
I think that one of the things that we’ll see is the administration’s identity theft task force recommendations, which we anticipate potentially coming out in February, will somewhat set the stage for what law ultimately will look like. Also, obviously the various laws which were entertained last year set the stage as well. And part and parcel of that national solution is also a preemption of state provisions so that you do have that national solution. So that is going to be a key provision within the law. And national solution should really take its basis from the safeguarding customer information – the customer response program provisions actually that have come out of the Federal Bank Regulatory Agencies. There has been a recognition that financial services is really taking the lead in terms of those provisions and adherence to those provisions. And what those provisions do is really give the bank the opportunity to make determinations as to what level of harm to the potential customer is going to be as a result of any breach which has occurred. And we feel that’s very important because one of the things which we do not want to have happen is for customers to get anesthetized.
I think, frankly, that customers are already anesthetized regarding the privacy notifications that they get on an annual basis. I don’t know how carefully you read yours. I know how carefully I read mine. And I really fear and we become concerned that as a trade association that the one thing we don’t want our customers to feel is that oh, this is just another security breach notice, nothing has ever happened to me in the past when I’ve got these things, so therefore, I don’t have to pay attention to this one. You know there’s going to be no way, unless we manage to create an environment where when a customer gets one of those they know that it’s an important document. That’s a very important environment to put in place. And so, we’re very cognizant of the fact that that needs to happen in any legislative proposal.
Lastly, I would say that we need to have a clear regulatory environment as well. And that’s to make sure that we have the Federal Regulatory Agencies that we’re already accustomed to working with on this, the agency that we’re responsible to reporting to and is responsible for taking action to the extent that we don’t fulfill our responsibilities as bankers.
LINDA MCGLASSON: Okay. Going back – we were talking about the national versus state laws in terms of the data protection and disclosure. Is there one state in particular that did an especially good job in drafting their bill that you would recommend that the federal bill kind of emulate?
DOUG JOHNSON: I would really recommend that the federal bill emulate the Federal Regulatory Guidance in this manner. Because that federal guidance really recommends some of the stuff which I just stated. It sets up a process whereby an institution does have an immediate obligation to inform his regulator that a breach occurred. And then what that creates I think is a really good dynamic, a really good partnership between the institution and the bank because the bank is informed, the regulator – the regulator has knowledge as to the breach, and also has knowledge of other breaches that has occurred in other institutions and can help the bank think through the process of whether or not customer notification is necessary. I think frankly that some of those that oppose the process of banks being able to make determinations of whether their customers are at risk really are not appreciative of the fact that this determination is not made in vacuum. Essentially, these institutions are making that determination in concert with their regulatory agencies, they’ve informed their regulatory agencies, and they have a very serious obligation with those agencies if they determine not to inform customers of a breach. If no, why not? And I think that’s a good dynamic to really put in place.
So, Linda, I would really say let’s look to the federal guidance; let’s not look to the individual state laws. Because the individual state laws that I think are best are the ones – and there’s about 12 of them, at least, that have said if a bank, or if an entity has a federal regulatory overlay that requires the notification of breaches that should really supercede the state law. So, I think that’s important.
LINDA MCGLASSON: Federal before state then?
DOUG JOHNSON: Exactly.
LINDA MCGLASSON: Okay. Well, moving on to another area or questions. In your estimation, Doug, how far have the information security and financial services industry come in the “total security†package? And how much farther do you think we have to go?
DOUG JOHNSON: Well let me ask you the question of how – different people have defined total security in different ways. How are you really looking at that issue? How would you define that?
LINDA MCGLASSON: That would – if I were a bank?
DOUG JOHNSON: Yes.
LINDA MCGLASSON: I would be thinking that my data’s secure, my customers are happy, and everything is working, and my regulators are happy as well.
DOUG JOHNSON: So everybody’s happy. That’s a good thing. We like that as well. I think that really what we’re talking about here is a process as opposed to a destination. Because when you’re talking about something like total security I think you’re talking about something like eternal vigilance. You know, I think that institutions are continually aware of the fact that new threats are presenting themselves and have set processes and procedures in place to make sure that they’re aware of those risks and correspond new technology to the extent that that’s part of the solution associated with it. I think we can always do better.
I think that there – because this is a process and not a destination, I think that we always have to keep our eye on the ball and make sure that we are working closely in concert with our partners in the information security industry to ensure that the solutions which are being put in place are those that really deal with the risks that we’re seeing specifically within our institutions. And because of that I think that the collaborative efforts that we have under way with organizations like the Financial Services Technology Consortium, and organizations like that, that we are very much involved in lead us towards that process of really making sure that we’re making our customers as happy as we can and our regulators as happy as they can be, which makes us happy. Because really at the end of the day it’s all about making sure that the consumer understands – or feels that their information is secure.
And so much of that in this world – I don’t have to tell you – is really revolving around whether or not we are making that data secure, not only in our own institutions but in third parties that we have contractual relationships with and with parties that we don’t have any particular contractual relationship with but have to do business with or that have customer information because they conduct retail transactions and the like. So I think that there needs to be a real recognition by not only information security companies and financial services industry companies, but retail concerns and couriers and the like that we are all in this together, and that if we are not all in this together, from the standpoint of trying to create an environment where our customer feels secure, all of our business cases are in jeopardy.
And so, I think that’s really the ball that we need to keep our eye on is recognizing that in large part these are not competitive issues – that generally are not competitive issues; they’re issues that we need to work on in a collaborative fashion.
LINDA MCGLASSON: All right. Going on to a pretty serious question. The events of 9/11 and some of the other events that followed afterward showed us that our industry was dependent upon other critical infrastructures. What is the ABA doing to help focus attention on the “big picture†for business continuity within our industry? And how will this help the regular financial institutions out there plan for the next Katrina or other events such as the predicted Avian flu pandemic?
DOUG JOHNSON: Linda, that’s a great question. A lot of what we do as part of that process is – and this is where the trade association I think really works best – most effective from the standpoint of my biases and my position, is taking information, which we learn from some institutions and make sure that the entire environment of financial institutions benefits from that information and can help protect themselves. And one of the mechanisms that we do become involved in, which does this is called the Financial Services Sector Coordinating Council, and we’re extremely active in that council and to spend one minute defining it: the council is really the organization of trade associations, exchanges, payments, utilities, and other companies in financial services across insurance securities and banking that is really organized only for the purpose of helping our critical infrastructure protect itself from major events. And for instance, specifically, the FSSCC as we called it, has put out a set of guidance that is designed to help financial institutions think through how to revised their business continuity plans to envision a potential pandemic. Now, that document was put in place – or devised through consultation with institutions which were going through that process so that we could take that information to some institutions we’re already devising and make it universally available to the industry overall as they conduct their pandemic planning. And that really does help us focus on the big picture. It helps us look for what the next event is going to be and how we can protect ourselves from that event. And as you suggested, so much of that really revolves around the interdependency that we have with other critical infrastructures, be that energy, be that telecom, or other parts of the infrastructure. Heck, even water. And these coordinating councils exist in telecommunications; they exist in energy; they exist in transportation. And really we have an active process of communicating across individual companies and across these coordinating councils to work our interdependencies.
And I think, going back to the pandemic, a really good example of that would be the process which we’re currently going through with the telecommunications industry to really try to determine whether our work-at-home assumptions associated with telecommunication during a pandemic are valid or not.
And a specific example of that would be an exercise, which we’re currently involved in with telecom companies, their council and national communication system in Homeland Security and Treasury to really look at New York and Boston first and try to figure out where our bottlenecks are going to be in those cities, Chicago actually as opposed to Boston. And then from those lessons learn how we can revise our assumptions based upon what we can – what we see there, understand what kind of actions we need to take in terms of frankly potentially shutting down certain services that might be available on the Internet during a pandemic. Gaming sites would be one example. I’m not saying that that’s what we’re going to do, but it’s something that we need to discuss in terms of whether or not we need to look at restricting certain traffic.
I think that lastly, that whole process of recognizing that these are not competitive issues, again, and that we need to work on a collaborative basis really help us. I think Katrina, from financial services standpoint was a good example of success. I was astounded at our ability to recover as a financial services industry from Katrina. That doesn’t mean that particularly New Orleans is not having some continual difficulties associated with Katrina, but one of the things that really knocked my socks off was the fact that five days after Katrina there were only about 20 financial institutions among the over 200 that were affected that weren’t completed their ACH work on a daily basis. And about a week after Katrina there were only five, and within a couple of days after that there were only two.
Now, when you think about breadth of that event, the fact that we had so many institutions able to conduct their electronic payments and their ACH work so quickly after Katrina, I think speaks very well for the industry. And it also speaks well for electronic payments, which goes back to some of the information security issues that we’ve been talking about. If we do not – if we’re going to depend upon these electronic payments going forward, and we do see that they provide a lot of added value to our customers when we have these major events, because I would suggest an evacuee that’s in Houston was much more better served by his financial institution if he didn’t have to go chasing checks around, if he could conduct his banking on an Internet basis, if he could have direct deposit into his accounts, all those things need to work during those events. And that’s what these coordinating councils were all about is making sure on a cross-sectoral basis that they do.
LINDA MCGLASSON: I like to always throw a little curve ball in here. If you were to name on thing that keeps you up at night in regards to the future of our industry what would it be?
DOUG JOHNSON: I think it’s that you don’t know what you don’t know. You always – the known knowns we do a very good job of protecting ourselves against, but the next best thing that the folks are coming up with that choose to do us harm is the thing that keeps me up at night. And are we really getting the intelligence on a business continuity basis, on an information security basis that we need in order to have a better understanding of really what we don’t know. That’s the thing that keeps me up at night, Linda, more than anything else at this point.
LINDA MCGLASSON: It’s the fear of the unknown.
DOUG JOHNSON: Exactly right.
LINDA MCGLASSON: What do you see for 2007, 2008 in terms of new regulations or guidance coming out of our federal agencies?
DOUG JOHNSON: I think there are two areas that – and we haven’t gotten formal indication that we’re going to see guidance in these areas, but we know that there’s active discussions about them. One is mobile payments or just mobile in general. Mobile technologies are getting a lot of attention by our bankers. You know the use of RFID, the use of wireless technology in our banks, that kind of stuff is gaining a lot of attention.
They’re defining it – they meaning our bankers – very broadly. As I just described, mobile is anything wireless essentially, to them, whether or not they’re using it internally or their customers are using it externally, and whether or not there’s the proper level of security associated with that. And now that we see it being deployed to a great extent I would not be surprised that the agencies seek to revise their existing guidance as it relates to mobile technologies. We met with the agencies two weeks ago to – at their request to discuss emerging technologies and the kinds of things that we saw down the horizon, and mobile was a large part of the conversation.
Another piece is encryption. And I do think that there is a lot of discussion about what encryption can do and what encryption can’t do. One of the things which I found not surprising based upon the security breaches that have occurred is last year around September when the agencies put our their newly revised information security handbook, in previous versions of the handbook there was a requirement to encrypt data that was in transit but in transit was really meant to mean if it was being transmitted electronically. They’ve changed that to really include data tapes and other things that are in transit. So there is now an expectation on an examination basis that if you are transmitting information by – or transporting, I should say, by courier or otherwise, that that data on tape is encrypted as well. And what that is doing is that’s causing a lot of institutions to really look at well, if I’m going to have to encrypt it on tape why don’t I just find a way to more effectively transmit the data electronically in an encrypted fashion, even though it might be a lot of data. Because the cost of putting in the encryption in place and transmitting large amounts of data electronically now becomes less prohibitive because of the fact that we are able to cut out some of our risk associated with third party couriers.
Now, if you’ve got that kind of environment which is being put in place I think what you run into is really a desire on the part of the agencies to really look at encryption more closely. Now, as I said, there’s encryption but just like in the process of devising stronger authentication guidance, the one thing that we would not want the agencies to do is to get too immersed in the techno speak and prescribing technological solutions in the encryption space. Because obviously the market’s going to push that a lot because as institutions become more concerned about various encryption products the market is going to become more refined for those products. And I think that’s what’s going to push some success in making those products even more secure than they are today.
LINDA MCGLASSON: And of course, we always have to worry 20 years from now who has the keys to –
DOUG JOHNSON: Absolutely.
LINDA MCGLASSON: -- unencrypt our files. Well, going back, we were talking before about online banking. In your estimation, in terms of customers’ trust in the financial services industry, especially in regards to online banking, are we facing the crisis with the influx of crimeware and phishing, and obviously I refer back to the latest incident, which didn’t happen here in the US but over at a large bank in Sweden where phishers took, I think an estimated $1.1 million from customer accounts through phishing.
DOUG JOHNSON: Linda, I think that I would not term it a crisis, first of all, to directly answer your question. Because, particularly in the US, when those kinds of things occur there’s always a desire to make the customer whole, even if they’re on a retail basis was, frankly, some negligence on the part of the customer. Of course in the commercial space that’s a little bit different in some instances. But I think one of the reasons why we do that, obviously, is the fact that we don’t want to create a crisis of confidence where people do not trust the channel. If people end up not trusting the Internet banking channel and electronic transactions, well then we’re two steps back as opposed to one step forward, because the whole effort here is to try to lessen cost and expedite transactions by accomplishing those on electronic basis.
But having said that, there’s no question that, particularly you allude to crimeware where it used to be called spyware, used to be called spam, these guys that are creating that stuff are now doing it for profit. And now has been over the course of the last two years, essentially an escalation of it. I think one of the most interesting things that I heard is that you now see the crimeware traffic be at its highest levels from nine to five. These guys are using this as a day job. And that’s just a fascinating little statistic to me. They’re punching in and punching out practically, from the standpoint of this is their job. And it is not an unprofitable job because if it wasn’t profitable they wouldn’t be doing it. But it’s impacting us as financial institutions. This is not to say that there isn’t customer inconvenience, but it’s impacting us as financial institutions from the standpoint of profitability. And so, to the extent that we can sit there and again, using the collaboration model, there’s any number of efforts that are out there that attempt to not get one step ahead of them. As much as we would like to, that’s a difficult thing to do.
But to make sure we have as many known knowns as possible. The anti-phishing working group is a really great example of that. There’s any number of other groups, including FSTC, like I’ve indicated before, that we collaborate with to help institutions help themselves and help their customers. I’ve actually been very impressed with the ability of the consumer to not lose confidence in the channel. Obviously there has been some chinks in that armor, to some degree some of the surveys show. But other surveys show that the customer is continuing to gravitate toward electronic transactions.
You know, to put a closing point, one of the ways that I look at this is the last thing a customer wants to do is to go back to paper because paper is where the identity theft really does tend to occur. And I recommend that customers look at, and bankers stress to customers, that the Internet and these channels are their friend because they don’t have to patiently wait for their statement every month. They’re going to get their – they can look at their transactional history at any point and time whenever they choose to. And so – and they can put in certain alerts and the like into that process. And so, I think that to the extent that a customer gets that, and I think a lot of customers do get that, we’re still going to see success in the channel, but that doesn’t mean that we need to – that we don’t need to be eternally vigilant here to try to insure that this doesn’t become a crisis of confidence and that customers don’t all of the sudden lose confidence in the channel.
LINDA MCGLASSON: Doug, in closing, do you have any last words that you would like to offer in terms of advice to the financial institutions out there that are struggling with all these issues that we’ve just discussed?
DOUG JOHNSON: Well, I recognize, Linda, that to a large degree that based upon the nature of our audience that I’m singing to the choir in large part, because the folks that have gotten – if they’ve listened this long I’m particularly singing to the choir, but from the standpoint of recognizing that they are in this together, and I think frankly, that your initiative with BankInfoSecurity.com and the like, these kinds of things are designed to be collaborative in nature. And I hate to keep using that word but I think it’s really important for individual practitioners in this space of information security to share and compare and really understand what each is doing because without that they’re operating in a vacuum and that vacuum is not going to increase their knowledge base. And I think you guys in the choir get that as well.
You know it’s really the process of us all working together to ensure that our customers have the greatest faith and confidence possible in accomplishing these transactions at our financial institutions no matter which channel they try to – or attempt to use. And also, to insure that are third parties are being as diligent and as vigilant as we are as financial institutions in protecting that data.
And lastly, I think my last piece of advice would be when a customer comes to you and they’ve got a problem and the problem may not be necessarily related to a transactional account at your institution. Sometimes they just come to you because you’re their primary financial institution. It’s up to us to own the problem. You know, they’ve come to us for a solution and we should be prepared and trained all the way through our financial institution to understand that we need to own that problem and help that customer regardless of whether or not it’s an account at the primary financial institution that has been impacted.
LINDA MCGLASSON: Doug, I would like to close. And thank you again for spending this time with us on BankInfoSecurity.com’s podcast series. And we will look for more projects coming out of the ABA in 2007 and we will look for all the good information coming from ABA. Thanks again.