State Spotlight: North Dakota - Information Security is Top Priority
In a discussion of his agency's top priorities, Karsky discusses:
Tim Karsky is a North Dakota native with an extensive background in the financial industry. He began his banking career with the Federal Deposit Insurance Corporation in January 1982, and joined the Department of Banking and Financial Institutions in the fall of 1986 as Chief Examiner.
In 1989, Karsky was appointed Assistant Commissioner for the Department. He served in that capacity until 1997, when he moved into a new role as a loan officer for a Bismarck financial institution. Karsky returned to the Department as Assistant Commissioner in 1999, was appointed Commissioner in July, 2001, and is Chairman of the State Banking Board and State Credit Union Board, which oversees the state's state-chartered banks and credit unions. The Department of Financial Institutions also supervises consumer finance companies, money brokers, collection agencies, and deferred presentment providers.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am talking today with Tim Karsky, who is the Commissioner of the North Dakota Department of Financial Institutions. Tim, thanks so much for joining me today.
TIM KARSKY: Well, thank you for having me.
FIELD: Tim, we would love to get your perspective on some state issues, but first of all why don't you tell us a bit about your agency, how many institutions you oversee, and how you typically interact with them.
KARSKY: Okay. Well, we are the Department of Financial Institutions. We are a state agency here in North Dakota. We regulate state chartered banks, and we have 80 of those at this time, 31 state chartered credit unions, and then we also regulate what we call our Consumer Finance Division, and we regulate payday lenders or deferred presentment providers, mortgage lenders, money brokers, collection agencies, consumer finance companies and money transmitters. The total of employees in our agency is about 28, and I think total of the consumer licenses and things that we license is at about 850 at this time.
FIELD: And, boy, you haven't been busy for the past year have you?
KARSKY: Oh, with what is going on in the banking environment and the Congress and federal legislation, we have been extremely busy.
FIELD: Tim, I have got to ask you this up front because just a week or so ago we got this Supreme Court decision about Coumo v. Clearing House. As a commissioner at a state regulatory agency, how do you receive that decision?
KARSKY: Well, we have had a lot of these types of issues in the Supreme Court, and to be real honest this is one of the first victories -- we will call it a victory that we have had in success and is going to give the states the ability to regulate and enforce some of their consumer laws in states, which we think is a major plus.
I think that, hopefully, going forward states will continue to have the ability to regulate not only their laws on their own entities that they license, but also to enforce those even onto national banks and such going forward.
FIELD: Now give us a sense of what are some of the major regulatory issues that you are focused on this year in North Dakota.
KARSKY: Well, one of the big things really is a non-banking issue for as far as state-chartered banks, which is still probably what takes the majority of our time. The Congress passed a Safe Act last year and gave the states the authority now to regulate mortgage companies nationwide, and they instituted a national database that is going to operated by the conference instead of bank supervisors.
So in North Dakota we have to pass our legislation to gear up for that Loan Originator National Licensing Act and for the past, since January of this year, we have introduced, drafted our legislation and we were successful in getting it passed, and now we are working on the implementation, so that on January 1 of 2010 all loan originators in North Dakota will have to be licensed and registered on that national database.
And the other thing that we are doing with that, because we are going to have a lot more emphasis put on mortgage regulations, we are developing an examination and a system so that we can better regulate the mortgage industry here in North Dakota, and I think you will see that effort nationwide.
FIELD: Sure. Now how frequently are you examining institutions for safety and soundness issues?
KARSKY: For state-chartered banks we are on about a 24-month exam cycle. Credit unions we are running 18 to 24, and then the other entities that we license some of them are consumer-complaint driven, but like payday lenders or deferred presentment providers, we are examining them about every two years. In state collection agencies, that is about the same type of frequency that we are doing on those too.
FIELD: Well, in terms of all of these institutions you are overseeing, what do you find to be the major information security issues that your agency is focused on?
KARSKY: Well, one of the big things, whether it is on the bank side or even in the consumer division on the collection agencies, the mortgage companies, it is going to be information security. Keeping that information that those companies have secure, so that somebody can't break into those systems, get that information or maybe hurt someone's consumer identity. That is always going to be an issue going forward and we examine for those ... but I think that is going to continue to be on top of our priority list to make sure that we are on top of that and that the industry is on top of it.
FIELD: If you could generalize some, Tim, where would you say that your banking institutions are strongest in terms of information security?
KARSKY: Well, on the bank side, just because that industry generally has more money for training and infrastructure, they have the ability to train their personnel and get the security measure software or whatever it takes to prevent those types of things. They hire out, they are required to get audits and do penetration testing, so their strong point is just the ability to stay on top of technology, where some of the smaller agencies that we regulate -- they can be mom and pop shops here in North Dakota or just regional; they don't always have that type of money and the ability to stay on top. They probably react more than the banks are always on the forefront.
FIELD: Now that is interesting because that is what we hear from the FTC in terms of Red Flags compliance is a lot of the smaller organizations just weren't aware of what they had to do and what the regulations were. Have you found that to be the case specifically with Red Flags compliance?
KARSKY: Red Flags is still, even though it has been on the books and we have been [reviewing] on the credit union side for quite some time. When the first enforcement issue and we stepped up our efforts, we probably saw some minor issues, but the credit union industry here in North Dakota, the Credit Union Leagues and training did a really good job of getting the word out to the credit unions -- and we have a lot of small credit unions. I am talking credit unions less than $5 million dollars in assets or $10 million dollars, so they needed the help of their Credit Union Leagues and training, and they did a very good job for that.
On the bank side we are looking at that, but again the industry through the associations has done a very good job of getting that information out. And then the banks' ability to send people to those types of training and be able to afford that, I think overall it has done a pretty good job.
FIELD: That's good. Now where do you find that institutions are most challenged in terms of information security when you examine them?
KARSKY: Well, the big institutions -- and in North Dakota that is going to be $100 to $150 million or larger -- they do a pretty good job and again because they have an adequate number of employees to do that. The smaller institutions are challenged because a lot of them don't have the resources to designate a full time person to IT or to just work with us on a day-to-day basis, and again they wind up reacting more than they can to prevent some of those problems.
FIELD: Well you make a good point because you get a lot of people in those smaller institutions who are wearing multiple hats.
KARSKY: Exactly. I mean you can be a Compliance Director, you can be the IT Guy, you might be the guy who shovels the sidewalk in the winter and then the small loan or installment person, too, so in the smaller institutions they all wear multiple hats.
FIELD: Have you found that your institutions have been affected just like everybody else has by breaches such as TJX most recently Hannaford?
KARSKY: Well, the TJ Maxx issue I was surprised by the number of cards and people that we had affiliated with that. I think our banks that had those types of cards reacted very promptly, and they cancelled cards and issued new cards, and alerted their customers right away. I think again, they did a very good job of trying to prevent future problems.
So even though they are out there, I think people are aware of them. So far our institutions have done a very good job in handling those breaches and notifying their customers when there has been one and telling them what they need to do.
FIELD: But, boy, I bet your customers are just as sick as anybody of getting these calls.
KARSKY: They are, and you know quite frankly I think I even got one in the mail too where they said that. Yeah you do pay attention and check your credit report and I also think that a lot more people are utilizing some of those services nowadays to monitor their credit and credit reporting agencies to check for irregularities.
FIELD: That is interesting because in talking with other banking leaders, you find that the story in banking is always that nobody opens their paper statements, but everybody is going online to check every transaction.
KARSKY: That's right. And I think most people now instead of reconciling their checkbook they probably sign on everyday and just look at what cleared their bank account yesterday and if it makes sense they are happy with it.
FIELD: That's it exactly.
KARSKY: They are probably not recording everything in the check register, but I do think people pay attention to it.
FIELD: I've got one last question for you, Tim, as you talk to banking and security leaders in North Dakota, what would you rally like to see them pay the most attention to as we go into 2010?
KARSKY: Well, information security, you know, and I am not going to tell you that I am the IT guru of the world, but I know that you are going to have to have somebody in your institution that wears that hat and you are going to have to spend some money on training and keeping those people up to date on what is going on so that they can prepare your institution and what they need to do going forward. That is always, I don't care if it is in commercial lending or whatever, but IT especially, you need to spend some dollars and resources on training and keep your people abreast of what is going on.
FIELD: That's well said. Tim, I appreciate your time and your insight today.
KARSKY: Okay. Well, have a good day.
FIELD: We have been talking with Tim Karsky the Commissioner of the North Dakota Department of Financial Institutions. For Information Security Media Group, I'm Tom Field. Thank you very much.