IT Threats Mean Banks Need Tailor-Made Regulation
When I was growing up in the early 1980s, we were subjected to fanciful plot lines from far-fetched films, from Matthew Broderick hacking NORAD's computer system and nearly starting World War III, to Superman being called upon to defeat a computer fraud genius played by a relatively youthful Richard Pryor. I read comic books about genetically modified, computer chip-enhanced soldiers and dreamed about doors swishing to and fro as I walked alongside Buck Rogers in the 25th century….
It all seems utterly ridiculous now. After all, completing a cheque stub as adulthood beckoned made me feel properly grown-up, along with the hormones kicking in as I spent my meagre savings on the latest Bowie vinyl.
I've written four cheques this year. Three of those were to the kids' school, which is now going paperless. We're only in the 21st century but, like many others, most of my finances are conducted online or contactless or by plastic - and, occasionally, doors even swoosh.
Banks around the world are subject to constant cyber-attacks from hackers; all day, all night; every day, every night.
Banks around the world are subject to constant cyber-attacks from hackers; all day, all night; every day, every night. From teenagers shut away in their bedrooms, rediscovering the wrong Velvets and dressed in replica Nirvana rip-offs, to sophisticated, criminal gangs seeking out and exploiting weaknesses in IT systems, the nature of banks' operational risk exposures is changing rapidly.
If the private email accounts of high-ranking government agency officials can be hacked, then certainly no institution can consider themselves 100% safe. Banks and their regulators need to keep up with rapidly changing operational risks.
However, the focus of regulation since the financial crisis has been on building capital buffers and discouraging specific activities deemed to be more risky. But banks are now built on IT systems and most of their customers engage with them via IT and mobile platforms.
While the Basel Committee on Banking Supervision is due to opine on the effectiveness of existing capital rules in advance of Basel IV, we are still realistically at least a couple of years away from Europe-wide legislation to protect banking customers in the event their personal details are compromised following a hack. How relevant can such legislation be, given the speed of technological advances in payment processes, data storage and remote systems?
In a world where risks are changing fast, there is a danger that banking regulation will default to a one-size-fits-all approach. If there is a move towards a more standardised approach for even the most sophisticated banks, we risk a separation of capital assessment from risk management. Capital reserves should become more dynamic to cater for changing risks, not less so.
This creates a dilemma for regulators. Simplification of the rules for capital required to be held by the banks has much appeal - consistent measurements, comparability, and so forth. But it places less importance on good behaviour, such as effective risk management and internal controls. After all, we want our regulators to protect us, the public and the banks' customers, against bad conduct. Surely that was the fundamental lesson of the financial crisis. Regulation can put many rules in place, but cultural change comes more slowly and has to be led by the senior management.
Management guru Peter Drucker once said: "Culture eats strategy for breakfast." Regulation needs to set the framework for the more sophisticated banks to operate where capital can be flexible and serve the equally important purpose of protecting customers as well as the stability of the financial system. History tells us that the behaviour, or culture, of an organisation is just as important as the financial ratios.
Bowie's released an album shortly before his death early this year, vinyl's back in fashion and Superman will be in cinemas again this year year. Plus ça change, plus c'est la même chose.
Want to know more? You can reach Gerard on: firstname.lastname@example.org
First Published in Post Magazine on February 11, 2016