Proposed new cyber security regulations will be a huge undertaking for financial institutions

The New York State Department of Financial Services (NYDFS) is one step closer to releasing cyber security regulations, spurred by the largest security hacking breach in history, against JP Morgan Chase. The attack on JPMorgan Chase is revealed to have generated hundreds of millions of dollars of illegal profit and compromised 83 million customer accounts. Yesterday (Tuesday, November 10), the authorities charged three men with what they call “pump and dump” manipulation of publicly traded stock, mining of nonpublic corporate information, money laundering, wire fraud, identity theft and securities fraud. The attack began in 2007 and crossed 17 different countries. On the same day as the arrests, the NYDFS sent a letter to other state and federal regulators proposing requirements around the prevention of cyber-attacks. The timing will undoubtedly put pressure on regulators to push through strong regulation. Under the proposed rules, banks will have to hire a Chief Information Security Officer with accountability for cyber security policies and controls. Mandated security training will also be required. Tuesday’s letter also proposed a requirement for annual audits of cyber defenses. Financial institutions will be required to show material improvement in the following areas:
  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and application development and quality assurance
  9. Physical security and environmental controls
  10. Customer data privacy
  11. Vendor and third-party service provider management
  12. Incident response, including by setting clearly defined roles and decision making authority
This will be a huge undertaking for financial institutions. Costs have yet to be evaluated but will be in the millions of dollars. It will be very difficult to police third-party security because, under the proposal, vendors will be required to provide warranties to the institution that security is in place. The requirements are in the review stage, and financial institutions should join in the debate by responding to the NYDFS letter.

Why I Support Reg E

Reg E required that banks separately and explicitly get customer permission for debit card and ATM overdrafts. This reduced the profitability of retail checking accounts by reducing NSF income to banks, making many checking accounts unprofitable. I discussed this in the Celent report, Reg, Reg Go Away: Sorry Banks, They’re Here to Stay, April 2010. I am in favor of Reg E, and actually believe it is good for the banking industry in the long run, even though as Maynard Keynes stated, “In the long run, we’re all dead.” I think transparency is a good thing for the long-term relationship between a bank and its customers. Clients who now opt in to overdraft know they did it, and are likely to pay the fees without rancor. Reg E isn’t new. Why discuss this now? I recently stayed at an Embassy Suites and saw the following message on my water bottle:

It’s In Your Hands.

Please Recycle.

Be Green.

You’d think that Embassy Suites was into preserving the environment and encouraging recycling, but unlike many hotel rooms I stay in, there were no recycle bins in the room. So why the strong messaging?
If you look in the upper right-hand corner of the label, in low-contrast knock-out type, you can see $4.95*. And if you attempt to read the fine print at the bottom of that label, you see (or don’t stand a chance of seeing) that if you drink this water $4.95 will be added to your room charge. While the recycling of the bottle might have been in my hands, I want to give Embassy Suites just a finger. This is exactly what banks are doing when they bury overdraft protection language in paragraph 23 of an account agreement and surprise their clients with a $33 overdraft charge. What do you create? Angry and disloyal customers. Is that any way to run a hotel? Is that any way to run a bank?

OD now DOA?

I just received a statement stuffer from one of my banks providing me “Important information for consumers about your checking account.” This is about the changes to Reg E. Consumers must opt-in to overdraft protection for one time debit card purchases and ATM transactions. This is a game changer in the world of retail banking and might spell the end of free checking. According to the FDIC, about 40% of all overdraft transactions are generated by such debit card transactions. If 50% of a retail bank’s revenue is overdraft revenue, the bank just lost 20% of its revenue. What to do? The first thing is communicate this message to your customers and find those who value the overdraft protection and will want to opt in. Banks must also understand their customers a bit better to figure out which are unprofitable today and which will be unprofitable under the new Reg E. Bundling products can help cross subsidize the current account which is typically the anchor account of the relationship. Consumers are used to paying fees for mortgages, credit cards, reward programs, etc. Can you create fee bundles for these products that make the checking account profitable? Can you negotiate across lines of business at your bank? The debit card was a game changer for the demand deposit account in a good way, lowering costs and increasing revenue via interchange. It may now become a game changer again, with few consumers opting in and revenue dropping, forcing banks to rethink the free checking business model. The big problem is that once customers have had something for free, they are unlikely to pay in the future.

The Regs They Are a Changin’

Changes to Reg E will have a dramatic impact on the economics of free checking and checking in general. Let’s first look at the main points of the new rules:
  1. Consumers must explicitly opt in to overdraft charges for ATM and one-time debit card transactions, for both new and existing accounts.
  2. These accounts may still have overdraft on checks, ACH transactions, etc., independent of the decision to opt in for the ATM and one-time debit card overdrafts.
  3. There are no exceptions for non-real-time payment lag issues. If the bank authorized the payment and at settlement the payment is now an overdraft, banks can’t levy fees.
  4. Debit holds will remain as is. If a gas station places a debit hold on an account for $75, and the customer gets $40 worth of gas, the bank can make the debit hold unavailable. Regulators feel that these holds are more appropriately dealt with in payment systems rather than banking systems.
What does this mean to banks? There will be less overdraft fee revenue; much less. According to the FDIC’s Study of Bank Overdraft Programs, POS/debit overdraft transactions accounted for the largest share of all insufficient funds transactions (41.0%). Banks will need to adjust their business models to make up for this revenue. Is free checking now likely to disappear? Will product bundles now become the standard offering, with a credit card, line of credit or mortgage cross-subsidizing the checking? I’ll be pondering these questions in an upcoming report. This also presents a compelling reason to move to real-time systems. If the bank is not able to calculate available funds in real time, it now becomes the bank’s problem rather than its customers’.