Regulation: Getting Banks Involved
BITS Steps Up Regulatory Influence on Capitol Hill
BITS, the technology policy division of the Financial Services Roundtable, recently named Nicole Muryn its director of regulatory and legislative affairs. In her new role, Muryn is charged with ensuring banking institutions' concerns are heard as regulators craft new rules, especially as they relate to Dodd-Frank.
Muryn says she will spearhead and oversee BITS' increased efforts around regulations and legislation related to cybersecurity. "We believe that, going forward, it will be necessary for the financial sector to continue to provide input," Muryn says in an interview with Information Security Media Group's Tracy Kitten (transcript below).
For banks concerned about existing and pending legislative and regulatory initiatives, "the most important thing to do is to actively engage in the regulatory and legislative process," Muryn says. "If institutions are engaged in this, they won't be caught off guard."
By collaborating with BITS, banks can ensure their voices are heard and represented, Muryn says, giving regulators and Congress perspective about what financial institutions are interested in doing to protect consumers.
In this interview, Muryn also discusses:
- Steps BITS member banks are taking to address cybersecurity risks surrounding emerging technologies, such as mobile banking and mobile payments;
- How legislation and regulatory mandates are affecting financial institutions' investments in fraud prevention and detection;
- How BITS is working to keep banks and others actively involved in the legislative process.
BITS is the technology policy division of the Financial Services Roundtable, which comprises representatives from the banking, securities, investment and insurance sectors. The Roundtable's mission is to protect and promote the economic vitality and integrity of the U.S. financial system.
Muryn, in her new role at BITS, directs comment-letter development and regulatory response. She also advocates for effective legislation on financial technology issues. Before being named director, Muryn assisted BITS with regulatory and legislative research.
Regulatory Priorities
TRACY KITTEN: You've been with BITS, the technology policy division of the Financial Services Roundtable, since 2008. You'll now be leading BITS' regulatory program. What priorities have you identified?
NICOLE MURYN: It will be really important going into this year and continuing through this year to emphasize the technology and operations influence that any final rules or proposed rules of Dodd-Frank have for our member institutions. We'll continue to have this as a major focus. Outside of Dodd-Frank and all of those impending pieces of rulemaking, we'll also be looking into and working with several initiatives around privacy, both through the Federal Trade Commission as well as with the administration, specifically the Department of Commerce.
KITTEN: BITS is taking on a more active role in legislative affairs. Can you tell us why BITS is taking on this new direction, and what will the focus be?
MURYN: Beginning last summer, BITS became more involved in legislation and the legislative process, especially around the cybersecurity discussion. You may remember last May the administration came out with a legislative proposal for cybersecurity, and at that point we became very engaged and we wanted to take the opportunity to leverage our members and our relationship with the subject matter experts at our member companies to look in-depth at these proposed pieces of legislation and use their knowledge to clearly communicate what this will do to the financial services industry with any impending piece of legislation. This legislation includes information sharing, increase of criminal penalties, increased research and development, as well as defining critical infrastructure or a subset known as the covered critical infrastructure.
KITTEN: How do you expect to work with BITS' financial institution members?
MURYN: We'll continue to work with our members through the traditional channels, holding regular conference calls to get their input on these different policies. We'll also be ensuring they have the opportunities to provide input anytime we're providing public comments through the comment letter process. We'll also continue to collaborate with other associations. This has been a big emphasis, especially around cybersecurity legislation. We've been actively working with the American Bankers Association, as well as the Financial Services Sector Coordinating Council, and we'll continue to engage them within cybersecurity legislation and amongst our other efforts.
Engaging in Legislation
KITTEN: I wanted to ask: why now? What about the current regulatory environment made the time right for BITS to name a director of regulatory and legislative affairs?
MURYN: I think here in Washington there has been a recognition both amongst the regulators and Congress that cybersecurity is a major issue for our national security, as well as our economic security. We've seen this change as progression over the last year and we found it beneficial for us to be engaged in these conversations and we believe that going forward it will be necessary for the sector to continue to provide input into these different venues and to provide input into the legislation so that all are aware not only of what's required of financial institutions but also the current structure that exists for the financial services sector, and that we can continue to use this whereas some of the other sectors may have a differing structure. We want to continue to use our existing structure and by engaging more actively in the legislative affairs we'll be able to communicate that more effectively.
Top Cybersecurity Concerns
KITTEN: What would you say are the top cybersecurity concerns as you see them today as well as into the future?
MURYN: As always, any of the emerging technologies continue to be of top concern to our member institutions and how to manage those risks around these emerging technologies. Of course that includes our different projects on mobile banking and mobile payments, as well as cloud computing. I'm not really the best person to talk on those issues. We really have some strong cybersecurity folks around the office that have a lot more to provide, but what I'll really be focusing on is how the legislative and regulatory landscape will look to conform to that environment of these new emerging technologies.
KITTEN: How well prepared are most banks when it comes to dealing with some of these emerging technology or emerging legislative concerns?
MURYN: When we talk to our financial institutions, they really are looking hard before they adopt any of these emerging technologies. They're looking at the risks. They're evaluating the risks and looking at the benefits so they can really manage any risk that's coming down the line. So I think they're very well equipped to deal with the security concerns and they're very cautious because they recognize their responsibility to their consumer and they have that at the forefront when they're looking at any new technologies and cybersecurity concerns.
KITTEN: What are you hearing from some of the banks that you work with? What are some of the specific areas that they're targeting or have concerns about?
MURYN: The areas of mobile banking will continue to be of concern as well as mobile payments, especially given that in these markets they really rely on a lot of different sectors. It's not core to the financial services. A lot of sectors are playing in this space and understanding how we can all work together and create a secure environment for the end consumer.
Legislative Impact
KITTEN: What impact are regulatory and legislative initiatives directed at cybersecurity expected to have on banks over the course of the next 12-18 months?
MURYN: I think right now we're in a really unique time where it's kind of hard to look into the crystal ball and predict the future, especially with Dodd-Frank coming up on its anniversary. There are a lot of regulatory issues that will be implemented at that time, as well as legislation at a lynchpin right now on the hill, whether or not it will be passed. I think our members are actively engaged in these processes. They're looking at how they need to adapt their internal processes to respond to any initiatives going forward.
KITTEN: Would you say that most banking institutions are ready and able to comply and conform when it comes to upcoming and/or expected mandates?
MURYN: I think they are. One thing that we've noticed is that at the end of the day, Congress, regulators and financial institutions have the same goal. We're all looking to secure the customer. So when something new comes up and there are new requirements, often institutions just have to amend what they currently do so that it complies, but it's not a drastic change because they're still looking for the same outcome.
For example, last January the FFIEC agencies came out with a supplement to their Authentication Guidance and this January they started doing exams looking for compliance with it. We have found that our members have passed these exams. They're looking good. We have had some informal discussions with regulators noting that there hasn't been any strong negative feedback to these exams and that I think this is a great example of how our institutions are always looking to respond to these risks and that we're in alignment with our regulators on how to secure the consumer.
Advice
KITTEN: Before we close, I wanted to ask what advice could you offer to institutions that are concerned about existing, as well as pending, legislative and regulatory initiatives?
MURYN: I think the most important thing for institutions to do is to actively engage in the regulatory and legislative process. There's a very formal process in place here in the U.S. and if institutions are engaged in this, they won't be taken off guard by anything that's coming out and finalized. It also provides the opportunity for institutions to educate and really share their knowledge and what they have in their toolkit, giving an inside viewpoint of what institutions can do, want to do and will do to protect the consumer.