Apple Pay a Systemic Risk? Banker Warns About Nonbank Players

Register now

The growing influence of nonbank companies poses a risk to the financial system, and perhaps a national security threat, the chief executive of BB&T Corp. said.

Commenting on the impact of technology on the industry, Kelly King said that bankers should recognize the potential dangers posed by nonbank players, particularly in the payments industry.

"Think about this: If we're down the road two or three years, and three-fourths of the banks and three-fourths of the merchants are on Apple Pay or whatever system," he said at the Clearing House trade group's annual meeting in Manhattan Thursday. "If you're a smart terrorist, what better way to get in to disrupt the financial condition of the United States of America than go to one of their back rooms."

(Apple did not immediately return a reporter's call Friday. The tech giant has emphasized security in its design of Apple Pay, which adds EMV chips, tokenization and fingerprint authentication to what would otherwise be a swiped magnetic-stripe payment. Apple also requires the use of a bank-issued credit or debit card, and the company has been putting in additional security methods after the theft of celebrities' selfies from iCloud.)

King's remarks were part of a wide-ranging discussion among CEOs of four of the Clearing House's large-bank members — U.S. Bancorp, Citigroup, Deutsche Bank and BB&T. The conversation tied together some of the most important — and fraught — issues in banking today: from looming cyber vulnerabilities, to mounting regulatory burdens, to the growing divide between big and small banks, to nimbler competition from nonbanks.

Competition is a welcome benefit of having new firms in the market, King said. But "unequal competition" between firms that are subject to different levels of regulatory scrutiny could hinder the industry's ability to prevent future crises.

"If those folks want to play in the financial services area, and in the payment system, they might well be deemed a SIFI" — a systemically important financial institution — "and let them understand what real regulation is," King said. (With $137 billion in assets, BB&T is deemed a systemically important domestic bank, and hence subject to heightened supervision standards.)

One of the most impassioned portions of the hour-long discussion came in an exchange between King and Richard Davis, CEO of U.S. Bancorp, who talked about the ways cybersecurity is changing the industry.

"It's a big damn deal, it's a big deal," Davis said. "We are so far from solving it."

The two CEOs urged their colleagues to join the Financial Services Information Sharing and Analysis Center, an industry organization whose threat-notification system is used by banks to notify each other when data has been compromised.

The network notifies member banks of cyberthreats within seconds, and also provides information about the scale of an attack, Davis said. That, in turn, allows banks to put up the proper defenses.

It's like "calling down to Scotty in the main room, and saying, 'Scotty, give me all you got!' And we put up the force fields," Davis said, in a joking reference to Star Trek. It was a rare moment of levity in an otherwise ominous discussion.

Davis acknowledged that the network can give the false illusion that "we've corralled this thing." Cyberattacks such as denial-of-service exploits have inconvenienced customers, he said, but the industry has yet to see an attack that has resulted in theft.

"That's when this thing becomes real," he said. "That's why we're so hot on getting all of the banks involved."

King made a plea for small banks to join the network, again pointing to national security dangers of not having the industry work in tandem.

"We have a real challenge because smaller banks don't know much about this, and don't care about this, and don't think they can afford it," he said." But we'll never have the whole system secure regardless of how much we spend, until we close the back doors."

Not having all banks on the FS-ISAC network leaves the entire industry vulnerable to an attack, King said.

"I really believe that the most likely threat for us is that a terrorist goes into a small bank somewhere, comes in through a fed wire, goes to a major bank, wires that billion dollars of capital, and the next morning we wake up and have a financial crisis," he said. 

King and Davis acknowledged that investing in technology — from cybersecurity to back-office accounting systems — is a challenge for banks, since many of the returns take a long time to materialize.

"I think we're in a different period now where the major investments in technology are not giving us the reductions in inefficiency." King said. "The reason is because a lot of it is being driven by new layers of regulatory requirements."

And, he added, customers are demanding technological advancements that they can use for free.

Davis agreed with King, noting that investing in technology requires bankers to take a long-term view of their investments.

"We're in this transitional period where we don't get the benefits yet, but we have to stay competitive to get the outcomes," he said.

An important aspect of investing in technology, Davis added, will be learning how to coordinate responsibilities with outside vendors, and account for oversight when considering technological investments.

U.S. Bancorp was hit in September with a $57 million fine from federal regulators, over add-on products that were offered to consumers through an outside vendor.

"And let me just throw in the reminder that technology is often third-party, and third-party is now a four-letter word," he said. "And so our responsibility to understand them better, and oversee them more tightly, is intensely more scrutinizing than it was before, and that does make it more expensive than it used to be."

For reprint and licensing requests for this article, click here.
Fintech Law and regulation Consumer banking Cyber security