U.S. financial industry regulators have long struggled to catch up with the rapid pace of technology, especially cybersecurity technology.
The gap is widening as bad actors advance their assaults on financial firms and their customers, and financial services institutions (FSIs) embrace more cutting-edge technologies to fight back. The more rapidly U.S. FSIs and their third-party providers employ artificial intelligence (AI), biometric authentication, cryptocurrency and blockchain technology to support their fraud-fighting and risk mitigation efforts, the farther regulators fall behind in how they oversee data protection and digital identity and authentication, according to OneSpan’s second annual Global Financial Regulations Report, released Wednesday.
The United States lags well behind most other developed-country peers in creating a “national data protection framework, a national digital identity infrastructure, or an open banking system,” according to the report. “The pandemic opened up financial fraud by a wide margin,” said Michael Magrath, vice president of global regulations and standards for OneSpan, which released the report that pointed out these findings.
“Regulators are making strides in traceability.” As cryptocurrency in particular is becoming more mainstream, FSIs and their supporters are pressing for an audit trail and other elements that would bring crypto-payments in line with more traditional, regulated payments. Today, the pandemic has driven virtually everyone digital. Smaller U.S. banks have been forced to embrace digital access and services because their branches were long closed.
“In the United States, things have been progressing so slow,” Magrath said, particularly with the Treasury Department and the Federal Reserve holding back. “The banks here are in a wait-and-see position.”
Financial regulators here are still attempting to “get their arms around the use of AI for risk management,” as well as a host of other emerging technologies, according to Magrath. He expects U.S. regulators will issue guidance “within the next year” on managing risk with AI. The use of burgeoning technology in identity verification raises even more compliance concerns.
And when FSIs must consider how these security technologies may conflict, or at least overlap, with rapidly changing state-by-state consumer privacy regulations, the issue becomes even more complicated, according to the findings from OneSpan’s report. The report is based on a recent survey this fall of 172 bank executives in the United States, France, Mexico and the United Kingdom — 68 of whom were U.S. FSI executives — representing institutions with $5 billion or more in assets.
“It’s pretty much a mess,” said Magrath. He pointed out that at least three U.S. states — California, Colorado and Virginia — have put in place their own stringent privacy laws, based on the European General Data Protection Regulation, implemented in May 2018.
For cybersecurity providers, the confusing and complex web of state-by-state customer privacy rules, which often fly in the face of emerging security tools, is making the fraud fight all the more difficult for FSIs. A current bill before Congress would create a “privacy office,” which presumably would coordinate with FSIs and cybersecurity providers to create compliant, secure access. All this is to say nothing of how cybercriminals are descending upon emerging digital currency technologies, with little to hold them back. Automated teller machines that deal in cryptocurrencies like Bitcoin have seen a spike of more than 4,000 percent in cyber breach attempts in recent months, as bad actors take advantage of new services, married with existing technologies, and little oversight to control them.
However, FSIs are committed to being compliant in their digital offerings. For example, the “top challenges” banks face in complying with government regulations include reducing or preventing cyberattacks (53%), safeguarding sensitive data (47%), and keeping pace with changes in consumer privacy laws and industry regulations (41%), per the OneSpan report. And, to comply with evolving industry regulations, almost half of banks are putting digital remote identity verification and biometrics in place.
At the federal level, Magrath said, there’s “not a lot of activity,” owing to the massive dissonance between legislators in Congress. More recently, there is a growing push among U.S. FSIs and supporting organizations to force cryptocurrencies to come around to a more compliant stance — with an audit trail and more conventional aspects.
The U.S. Federal Reserve is planning to soon release a report addressing risks and opportunities in cryptocurrency.