On cyber, Trump team needs this Dodd-Frank piece to succeed
The U.S. Treasury’s common-sense regulatory initiative, “A Financial System That Creates Economic Opportunities: Banks and Credit Unions,” includes a cybersecurity initiative that would have the financial regulatory agencies standardize their cybersecurity regulations. It also calls for a “common lexicon” to aid in that effort.
Lexicons are dictionaries of words. In cyberspace, lexicons are also dictionaries of data components. Data, even more than the words of a regulation, needs standards, particularly for identifying financial market participants, if regulators’ words are to be transformed into computer languages.
The most critical data standard in financial cyberspace is the one that describes the identity of large-scale financial market participants. They, as well as corporations and other commercial users, rely on large payment systems to conduct business and pass value payments among themselves.
A unique, unambiguous and universal identity code is the first line of defense in preventing cybersecurity breaches. Hardening that identity so that it cannot be altered, using encryption, public/private keys, hashing and other more advanced cryptographic techniques, should follow. A hardened, singular identity code can assure finality of payments without being vulnerable to hackers stealing either the identity of the participant or the payment itself.
To this end, the Office of Financial Research’s (OFR’s) legal entity identifier (LEI) initiative is well on its way to becoming that underlying identity code, giving impetus to implementing Treasury Secretary Mnuchin’s cybersecurity initiative.
The OFR was created by the Dodd-Frank Act, which House Republicans want to replace with the Financial CHOICE Act. That act would eliminate the OFR. The rationale for eliminating the OFR focuses almost exclusively on its economic analysis function, which, it is claimed, duplicates analysis done by multiple federal agencies.
This rationale fails to recognize the OFR’s key role in driving data standards throughout the financial system, a fundamental requirement for organizing data — particularly, identity data — to prevent cybersecurity breaches. The OFR is headed by an independent director who is appointed by the president to serve a six-year term, subject to the advice and consent of the Senate. Mnuchin wants to make the OFR director accountable to him alone and eliminate the director’s six-year tenure in favor of removal at will.
Data standardization has more benefits than just providing tools for cybersecurity. It is critical to replacing the costly, risk-prone, decades-old interoperability model that dominates the financial industry. That model requires separate reconciliation and mapping processes between each connection point, leaving the system vulnerable to hackers. Now, new technologies, specifically those that underpin Bitcoin — distributed ledger technology (DLT) and its immutable blockchain encryption technique — are presenting a solution.
DLT is a distributed database that acts like a huge ledger (a single but decentralized book-of-record) that records every transaction and distributes this information across computer nodes that are connected to the internet. It is a single immutable ledger shared by all. It has tremendous promise to remove many of the hundreds of databases that intermediaries and financial market utilities use to store their own versions of this same data. Reconciling separate, non-standard ledger data kept by each financial institution is one of the major causes of the financial system’s vulnerability to cyberattacks.
Blockchain’s other attribute is its use of cryptography, rapid mathematical hashing and the verification process known as mining, to confirm the validity of a transaction and the identity of the paying or receiving party. Hashing creates a digital imprint of an identity code and of the associated transaction’s data components, including its value. However, unless the underlying identity code is standardized, no use can be made of this secure, less vulnerable technique.
Today, the global financial system operates with different coded data identifiers that have to be mapped to one another to connect systems. Where they differ, they must be reconciled manually. Individual firms and their commercial clients, in turn, are connected through a myriad of networks that also need to reconcile a financial market participant’s identity at each data handoff point, and through vulnerable legacy systems at their endpoints.
Because of its incremental, unplanned design, the financial system is one of the systems most vulnerable to cyberattack, not only because it conveys high-value transactions but because of the age of systems that rely on mapping multiple identifiers and reconciling them manually when they do not match up.
To allow for manual reconciliation, regulations and their associated processes build in significant time lags between when a transaction is entered into, when it is validated and when value is transferred. This time lag leaves the overall system, whether across business units within a single firm or across multiple firms, vulnerable to cyberattacks.
Cybersecurity incidents are exposing the financial system’s lack of security over its participants’ identities and over the timing of payment finality. In a recent series of thefts, hackers stole participant identities to gain entry to the trillion-dollar-a-day SWIFT money transfer network and exploited the weekend time lags between orders placed and finality of payment to steal over $100 million.
Cybersecurity starts with hardened standard identifiers, the ones the OFR is spearheading here in the U.S. The OFR’s identity standardization initiative needs to be sustained. It is the starting point in ensuring cybersecurity in the financial system, as well as in bringing efficiency to financial markets through this and its other data standards initiatives.
Allan Grody is the president of Financial InterGroup Advisors — strategists, consultants and researchers in financial services with particular focus on bank regulation and the design and implementation of innovative enterprise solutions. Grody is also an editorial board member of the Journal of Risk Management in Financial Institutions. His work, writings and research focus on the intersection of risk, regulation, data and technology.
The views expressed by contributors are their own and not the views of The Hill.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.