Bank regulators are likely to take further action to force banks to upgrade their cybersecurity processes as hackers continue to find ways to penetrate institutions' defenses, a former top New York bank supervisor said Tuesday.
Speaking at the American Banker Digital Currencies + Blockchain conference, Benjamin Lawsky, who stepped down as head of the New York Department of Financial Services in June, called cybercrime "a huge threat to our financial system."
It "is increasing in sophistication every day and more and more I am amazed by the ingenuity of hackers and the dangers they present," he said. "The hacking phenomenon is not going away."
He predicted that regulators will step up efforts to combat cybercrime.
"You are going to see a lot of action around cybersecurity and the regulation in that area," he said.
But cybersecurity is just one of the mounting regulatory challenges that banks face, he said.
Financial institutions also struggle with tightening Bank Secrecy Act and anti-money-laundering requirements that at times could apply pressure to other compliance controls. For example, banks are required to collect and hold massive amounts of data to comply with Know Your Customer requirements, making sure that they are not banking with people who are engaging in illicit activity.
However, databases loaded with valuable customer information could be alluring to hackers. Lawsky said that, while banks need to balance cybersecurity and money-laundering protections, they often retain extra customer information that they should dispose of.
"Sometimes financial institutions are sitting on a lot of personal information they don't need to sit on and are not required to sit on and oftentimes do not even know they are sitting on," Lawsky said.
He added that if a bank is still keeping holdover customer information from leftover mergers or decades past that "you want to purge that [information] if you don't need it."
Still speaking on anti-money-laundering issues, Lawsky was somewhat critical of regulators' approach to making sure bankers are keeping illicit activity out of their institutions.
"One thing that [regulators] need to do a lot of thinking about going forward is in the past regulators really focused on the results of firms' AML efforts," Lawsky said.
He noted that if an institution missed a lot of red flags, regulators start an investigation and force banks to look back at all their transactions.
But "regulators have not spent enough time actually looking at the filtering systems themselves and beforehand analyzing if a bank's filtering system is adequate," he said.
During his tenure, Lawsky was best known for being an aggressive regulator who was willing to use his power as one of the top state regulators to levy enforcement actions unilaterally. He also created a state license for cryptocurrencies.
Considered Lawsky's brainchild, the framework has been sharply criticized in the bitcoin community for its potential to squelch innovation through regulation. But Lawsky objected to that characterization.
"The best regulator to me is one that looks a lot like an NBA referee," he said. "Typically when they're doing their job well, you don't notice them that much. People are allowed to play their fullest. You want to let companies innovate, compete and race against each other."
When it comes to New York's BitLicense, which has received mixed reviews, Lawsky said "the proof will be in the pudding."
If a number of companies apply for the license and are able to attract consumer and investment dollars, it will be a sign that regulation is doing its job.
"My hope is that will see a flood of companies overtime that want to be regulated because of the good that it brings," Lawsky said.
As for his own role in that space, he expects it to be very limited.
"I'm doing no work in the virtual currency space at all," Lawsky said. "It's a space I care about, but it's not who my clients are today."
Lawsky made the decision to avoid virtual currency somewhat official. He said he has a "lifetime ban" on anything he handled while heading the Department of Financial Services. That essentially blocks his new firm, Lawsky Group, from working with digital currency companies that would require DFS-related consulting.
For example, he can't be hired to help someone apply for and obtain a BitLicense. Shortly before Lawsky departed the Department of Financial Services, the agency approved a final version of a regulatory framework for digital currencies.
However, in tune with the theme of American Banker's conference, Lawsky suggested that blockchain technology could be one of the new innovations that could help the industry with its AML efforts.
"I've heard some people say that in the long term the [blockchain public] ledger could be a regulator's, law enforcement's, transparency's best friend," he said. "When you start to hear about companies, for example, developing great software for picking up red flags for money laundering on the blockchain - if that gains currency, that could end up being a huge boom for digital currencies."