From the Editor: Cyberattacks Require Response from AML Pros
September 23, 2016
By Kieran Beer
Proposed regulations from the New York State Department of Financial Services and guidance from the Central Bank of Ireland released this month should prod compliance officers to talk more about the growing elephant in the room: cybersecurity.
While a recent spate of headline-grabbing cyberattacks—both financial and political in consequence—has already drawn the attention of IT and fraud departments, the role of anti-money laundering (AML) professionals in cybersecurity has yet to be determined at many financial institutions.
Audience polling at the ACAMS moneylaundering.com conference in London in May indicated that 40 percent of respondents’ financial institutions had taken steps to bring IT, fraud and AML together in some way to address cybercrime and that 23 percent had at least discussed the issue, leaving 37 percent reporting that their institutions had done little or nothing in response to the threat.
Both the New York regulator’s proposal and Central Bank of Ireland guidance would require the institutions to create policies and procedures for preventing cyberattacks. Each also emphasizes the sophistication and ever-changing nature of the threat by requiring reassessments of risk and testing of controls and technology, with the NYSDFS mandating them “annually” and the CBI “periodically.”
A 45-day comment period follows the release of the New York plan, while the CBI promised to check for the implementation of its cybersecurity policies by regulated institutions in the course of its ongoing supervisory role.
Echoing NYSDFS’s new requirement that a board member or senior executive annually certify their institution’s AML program, financial companies regulated by the state will have to do the same with regard to their cybersecurity measures. The first round of AML certifications is expected to be filed in April 2018, while cybersecurity certifications must be submitted for the first time in January 2018 under the current proposal.
Failures to comply with the CBI guidance will inform supervisory decisions, including the imposition of mitigation programs. New York’s rule will be enforced “pursuant to, and is not intended to limit, the [NYSDFS] superintendent’s authority under applicable law.”
The plans include other features unique to each. New York, for example, would require the appointment of a chief information security officer “responsible for implementing, overseeing and enforcing its new program and policy.”
CBI’s guidance places more emphasis on disaster recovery and business continuity planning, which is unsurprising when viewed in the context of the regulator’s conclusion that “firms should assume they will be subject to a successful cyberattack or business interruption.”
The 19-page proposal and 28-page guidance can be read here and here, respectively.
The CBI also sometimes takes a chiding tone in its guidance, with the regulator citing what it found to be lacking in its examinations and surveys of regulated entities to date.
High on the central bank’s list is the general failure by institutions to take an enterprise-wide approach to cybersecurity, which presumably would involve getting personnel from all departments in the same room to discuss the issue. Exacerbating the problem, according to the guidance, is the fact that “firms are not fully aware of all the hardware, software and data assets on their networks and, as such, cannot assess the associated risks in a holistic manner.”
Thinking about a holistic approach circles us back to the question: What role should AML play in cybersecurity?
The answer may vary from institution to institution, though one thing’s clear: In addition to being savvy analysts and effective financial crime investigators, AML professionals must also become better technologists, if only to have a seat at their firm’s cyberattack prevention and response team.
Follow me @KieranBeer on Twitter