During the wholesome years of banking (the old "3-6-3 Rule"), the only IT concern was how far off the mark the nightly posting run would come out once the reconcilers had finished their audit. Satisfying the bank examiners was considered a walk in the park, and everyone knew it. Now, even after a dramatic transition from batch processing to online and sometimes real-time systems, plus all the influences the Internet's double-edged sword has brought, IT exams are still a walk in the park. But data security in banking is like the Mississippi River. Just when you think it's under control, new threats appear from places unknown and seasons past, even though it's not raining where it's flooding.
Here's the problem, folks. Bank IT examiners examine, but they don't enforce with vigor. The process, on paper, sounds effective. They show up at a bank unannounced. A team disperses with access to any part of the bank. Some exams are more intense than others, for reasons only the examiners know. The team writes a report of its findings, including some flimsy recommended corrections. The report is submitted directly to the Board of Directors, thus ensuring that would-be perpetrators (aka bank employees) are side-stepped. And then the process is repeated a year or two later, depending on the appropriations granted by Congress. Previous deficiencies linger in the examiners' reports, but they are buried under all the yada yada yada. Bottom line, the whole thing is a ceremonial non-event, but no one's complaining.
For all parties concerned, this process feels good. Bank examiners feel good about documenting their discoveries. Their bosses can claim effectiveness if ever challenged -- "We warned them!" Directors enjoy telling management to shape up, thus showing they're on top of things. Management responds by claiming that theoretical perfection is typical of bureaucratic idealism without regard for investment goals expected by stockholders. Everyone goes home happy.
Looking at this ineffective oversight from 30,000 feet, one gets the feeling that banking has worse things to worry about than system interception. And that feeling is correct: there is no record of any bank, big or small, ever failing because of a data security breach. Would that the same could be said for the 366 banks that failed in the past three years as a result of financial defaults.
But in the spirit of caring about one's own turf, let me suggest that bank CIOs can do better by becoming their own examiners. The times demand a more aggressive approach to data security. Just look at mobile banking: wider access to the banks' data vaults from billions of new users, using an inexpensive device, operated from anywhere, encouraged by banks to "do your own thing and save us the trouble," and new breeds of unethical users who have learned proven techniques given up by previous-generation hackers. In this one massively popular movement alone, potential data breaches become a whole new threat for any bank, and the risk grows almost overnight with every million new users added. And given research and press reports citing bankers who are leading the charge and welcoming the unbanked into the fray, doesn't this sound a bit like subprime lending, where the excluded could suddenly own their own homes, no money down? The walk in the park should become more of a trek through the jungle.
This is what I would do right now as CIO of any bank. I call it CYS (Cover Your System):
CLARIFICATIONS: The old "3-6-3 Rule" was based on giving 3 percent interest on accounts, charging 6 percent interest on loans, and the banker being on the golf course by 3 p.m.
I have dealt with examiners of all kinds for about 41 years, and not just in banking. As a consultant I have worked for the IRS, DOJ Antitrust Division, FDA, State Department, Medicare HCFA, and DOL CEP. I like examiners because there's one theme that runs through the fabric of what they do -- "We want to make sure you carry out your responsibilities according to the laws of the U.S." Who can argue with that? And why wait until one of the Big Four takes a hit, or maybe the Big Three (where was Citi?), now that they have put their mobile payments eggs in one basket (ClearXchange)?