NY Lawskys Comments on AML Crackdown


February 25, 2015

Contact: Matt Anderson, 212-709-1690, [email protected]

SUPERINTENDENT LAWSKY’S REMARKS ON FINANCIAL REGULATION IN NEW YORK CITY AT COLUMBIA LAW SCHOOL

Benjamin M. Lawsky, Superintendent of Financial Services for the State of New York, is delivering remarks today on financial regulation at Columbia Law School in New York City.

Superintendent Lawsky’s remarks, entitled “Financial Federalism: The Catalytic Role of State Regulators in a Post-Financial Crisis World,” are below as prepared for delivery. Topics include:

Wall Street Accountability after the Financial Crisis

Preventing Money Laundering, Including Improving Transaction Monitoring and Filtering Systems; and

Cyber Security in the Financial Sector

***

Superintendent Benjamin M. Lawsky’s Remarks at Columbia Law School

“Financial Federalism: The Catalytic Role of State Regulators in a Post-Financial Crisis World”

New York, NY

February 25, 2015

As Prepared for Delivery

Thank you Dean Chapnick for that kind introduction.

The topic of this speech today is “Financial Federalism” and the catalytic role states can play in Wall Street regulation.

So, what exactly do I mean by the term “Financial Federalism?”

The best way to describe it is probably by describing why we think that “Financial Federalism” can – at times – play a helpful and necessary role in regulating Wall Street.

***

As many of you know, financial regulation is primarily handled at the national or even international level.

In most circumstances, that is a good thing. And the right approach.

Where possible, we should strive for consistency and harmony in our application of the rules of the road for financial companies.

Doing so provides greater certainty for businesses as they sell their services, explore new markets, and create new jobs.

That said, regulatory harmony is certainly not the only – or most important – principle at stake for financial regulators.

In fact, pleas for “consistency” or “harmony” are often subtle instruments that some on Wall Street use to try and weaken key financial reforms.

To try and play one regulator off another.

To try to get regulators – in the interest of “consensus” – to settle for watered-down rules.

They poke and they prod until they succeed in producing Swiss cheese regulations riddled with loopholes.

Moreover – and I think this is something that nearly everyone has acknowledged – there have been times when regulation of Wall Street has not proven effective: During certain periods, market practices that endangered consumers and threatened the stability of our entire economy went virtually unchecked.

Now, to be clear, we have a great deal of respect for our counterparts.

At the federal level, they very often have expertise and resources that state regulators simply cannot match.

And the people who work at the federal regulatory agencies are exceptionally talented.

But there have been instances – and, again, I think this is something most people will admit – when certain aspects of financial regulation went off track.

We saw this problem perhaps most acutely in the lead up to the recent financial crisis.

A false sense of security bred by more than 60 years of relative financial stability and economic prosperity made regulators slow to respond to emerging risks and new consumer abuses.

It also helped propel a gradual (and then accelerating) move to dismantle key regulatory protections.

***

Now, when all that happens – when our system of financial regulation becomes unmoored from many of the important principles that helped guide us since the aftermath of the Great Depression – a course correction is necessary.

And that is one example of when financial federalism can play an important role.

Most of you here today I’m sure are familiar with Louis Brandeis’ well-known idea that states can act as “laboratories of democracy.”

Indeed, state governments can often serve as incubators for new approaches to vexing policy problems.

States can experiment.

Try new things.

And if their ideas prove effective – and rise to the top of the crowded marketplace of ideas – those policy proposals may be adopted beyond their borders.

In many areas, whether it is the progressive reforms of the early 20th century.

Or, more recently, the health care reforms imported from Mitt Romney’s Massachusetts to President Obama’s Washington, DC.

We have seen this phenomenon time and time again.

However, the “laboratories of democracy” concept is not typically applied in the context of financial regulation.

To be fair, there are some reasonable explanations for that.

In an increasingly mobile and global financial landscape – where money moves around the world in a matter of milliseconds – there are risks associated with fragmentation in financial regulation.

Market actors can potentially try and move their operations to dark, unregulated corners of the globe – a concept known as regulatory arbitrage.

But, again, regulatory harmony is not the only principle at stake.

Especially if regulatory harmony is simply a means of defining regulatory deviancy down to the lowest common denominator.

Ineffective regulation can sometimes be worse than no regulation at all since it breeds a false sense of security. And, as we saw during the financial crisis, it is everyday consumers and workers who usually end up paying the biggest price.

***

State financial regulators, then, can and should play a similar role to the state-level reformers of the early 20th century.

We should strive, of course, for a collaborative and cooperative relationship with our federal partners.

That is certainly our goal at DFS.

But states also should not be afraid to speak up and act if we spot new risks emerging in the market.

If we believe that certain regulatory protections are not sufficiently robust to root out reckless behavior that threatens the health of our economy.

If we think that current approaches to enforcement and prosecution are not effectively deterring wrongdoing on Wall Street.

It should be noted that federal regulators have to deal with an extremely broad expanse of issues. Put simply, no matter how well intentioned, they have a lot on their plate. So there is a risk that certain issues fall through the cracks.

Financial federalism can help address that issue.

Of course, state regulators by no means have a monopoly on the truth.

And there is a risk that they will become captured by and beholden to the industries they regulate.

Or create fragmented rules across jurisdictions.

Indeed, it is important that states proceed with an appropriate sense of humility.

But if we get things right, if our efforts prove effective, we can perhaps serve as positive examples and help spur a race to the top.

***

Of course, some may argue that financial federalism is no longer necessary more than six years after the financial crisis.

They may say that the destruction wrought by the crisis served as shock therapy for federal regulators.

And that we now inhabit an era of hyper-regulation and hyper-enforcement on Wall Street.

In other words, after a period of light-touch regulation in the run-up to the crisis, they argue that the pendulum has now swung too far the other way.

There is something to the idea that we live in an era of heightened regulatory scrutiny – certainly relative to the early part of the last decade.

That said, we still believe that financial federalism can play an important role in today’s environment.

Notwithstanding Dodd-Frank, there is still a very robust and unresolved debate occurring right now about what our post-crisis regulatory architecture is going to look like. The new rules are still being written.

We are also still debating the most effective ways to hold those who engage in wrongdoing to account and deter future misconduct.

Indeed, I don’t think anyone – at the federal or state level – would argue that we have completely figured out how to prevent a repeat of the 2008 crisis.

Or that we already have all the right rules, regulations, and oversight structures in place.

In truth, that is an ongoing project that will never be complete.

And simply having the right rules on the books is not enough if we are unwilling to enforce them effectively and aggressively.

As such, the need for financial federalism has by no means disappeared.

***

So, I have described, in broad terms, what we mean by Financial Federalism.

I would now like to turn to some concrete examples of that principle in action.

First, I would like to discuss Wall Street accountability in the wake of the financial crisis.

Second, helping prevent money laundering in the financial sector.

And third, strengthening cyber security in the financial markets.

Wall Street Accountability in the Wake of the Financial Crisis

Let me start with Wall Street accountability.

In the wake of the financial crisis, many Americans have been deeply disappointed by efforts to hold individual, senior executives on Wall Street accountable for misconduct.

That is not simply the opinion of far-left commentators. It is a decidedly mainstream view.

For example, Senator Chuck Grassley – Republican Chairman of the Senate Judiciary Committee – has repeatedly and forcefully decried the lack of criminal prosecutions against individual bank executives on Wall Street.

Senator Richard Shelby – Republican Chairman of the Senate Banking Committee – recently expressed concerns that Wall Street executives were trying to “buy their way out of culpability” by instead having their corporations simply pay big fines.

Former Treasury Secretary Timothy F. Geithner has also, for one, written that “there was an appalling amount of mortgage fraud during the credit boom.” And that the American people “deserved a more forceful enforcement response than the government delivered.”

Another former Treasury Secretary, Larry Summers, signed onto an important report the Center for American Progress released last month that noted:

“Current procedures for dealing with misconduct by financial-sector participants are manifestly inadequate as evidenced on the one hand by the pervasiveness of malfeasance in areas ranging from money-laundering controls, to market manipulation, to mortgage marketing, and foreclosure implementation and, on the other, by the almost total absence of successful prosecutions of individuals.”

Indeed, we almost always see bank settlements where a corporation writes a big check to the government without any individual Wall Street executives held to account.

It should come as little surprise then that we continue to see fraud, after fraud, after fraud on Wall Street – since the individuals who engaged in the wrongdoing rarely, if ever, face any real consequences.

Now, real deterrence, in our opinion, means a focus not just on corporate accountability, but on individual accountability.

After all, if you think about it for a second, what is a corporation? It is just a group of people.

The corporation itself is just a legal fiction. It hasn’t acted.

Corporations are made up of people. If there is wrongdoing at a corporation, that wrongdoing was committed by people.

Of course, penalties imposed at the corporate level are often an important and necessary tool in our enforcement tool belt – particularly as it relates to organization-wide failures of oversight or compliance.

But more and more often it feels like we are discussing a corporation’s wrongdoing without detailing who exactly did what wrong.

And, in my opinion, if in any particular instance we cannot find someone, some person, to hold accountable, that just means we have stopped looking.

Moreover, even if there are certain circumstances where the misconduct does not rise to the level of criminal fraud, civil financial regulators can also play a role in imposing individual accountability.

While NYDFS does not have authority to bring criminal prosecutions, it has taken a number of actions to expose and penalize misconduct by individual senior executives – including all the way up to the C-Suite, when appropriate.

For example, NYDFS required the Chief Operating Officer of France’s largest bank, BNP Paribas, and the Chairman of one of the United States’ largest mortgage companies, Ocwen Financial, to step down as part of enforcement actions brought against those companies.

The Department has also banned multiple senior executives from participating in the operations of NYDFS-regulated institutions for engaging in misconduct.

I by no means claim that our agency has squared the circle on enforcement. I doubt we get it right in every case.

But we have sought increasingly to move toward individual accountability in the resolution of these settlements.

And it is our hope that it will help spur others to do the same.

Preventing Money Laundering (Transaction Monitoring and Filtering Systems)

So, we need more individual accountability after misconduct occurs to help produce real deterrence.

But there is also more we can do to prevent some of the most serious misconduct we have seen, which brings me to my second topic: The somewhat obscure but vitally important issue of transaction monitoring and filtering systems.

That sounds like a dry issue, admittedly. But improving those systems is critical to stopping dangerous criminal activity, including terrorism.

And it is our hope that our actions in this area will help encourage other regulators to consider similar measures.

Let me explain: Every day, hundreds of millions of transactions through the bank payments system move hundreds of billions of funds around the globe.

Naturally, bank employees cannot manually check every one of those transactions for evidence of criminal or illicit activity. The volume is just too high.

As a result, banks rely heavily on automatic transaction monitoring and filtering systems to help flag suspicious payments for further review by compliance personnel.

Transaction monitoring works by running transactions through various detection scenarios that are designed to create alerts that show patterns of money laundering or red flags, such as high-volume transaction activities.

But – and this is a truly frightening question to ask – what if those monitoring and filtering systems are flawed or ineffective?

That would create a gaping loophole in our financial system that terrorists, drug dealers, and other violent criminals could exploit.

Problems with transaction monitoring and filtering systems can be the result of one of two situations:

First: Through inadequate or defective design, or programming of the monitoring and filtering systems, faulty data input, or a failure to regularly update these detection scenarios, which may be attributed to lack of sophistication, knowledge, expertise, or attention by the management and/or employees.

Or two, perhaps more disturbingly, willful blindness or intentional malfeasance by bank management, or employees – who, for example, turn down the sensitivity of the filters so the systems do not generate enough alerts and therefore suspicious transactions go undetected.

We have already seen an example of faulty filters at one large bank we regulate – when an independent monitor we installed found that the firm failed to flag millions of suspicious transactions. As a result, last year, we brought a significant enforcement action against that bank for those failures.

We basically ran the company’s transactions through our own filtering system and compared the results. This was a new approach. In the past, regulators have largely relied on self-reporting by firms that discover – one way or the other – that banned transactions occurred for some reason. What regulators have not done is actively tested the effectiveness of the filtering systems banks are using. That needs to change.

A whack-a-mole approach – simply bringing enforcement actions when we find problems – is not, by itself, enough. Particularly because we believe there are likely widespread problems with transaction monitoring and filtering systems throughout the industry.

As such, we need a more holistic solution. Something needs to be done.

And the stakes are incredibly high.

Money is the oxygen feeding the fire that is terrorism. Without moving massive amounts of money around the globe, international terrorism cannot thrive.

Accordingly, we are considering a number of measures to address this issue.

First, we are considering random audits of our regulated firms’ transaction monitoring and filtering systems, employing the same methodology our independent monitor used to spot deficiencies.

Second, since we cannot simultaneously audit every institution, we are also considering making senior executives personally attest to the adequacy and robustness of those systems.

This idea is modeled on the Sarbanes-Oxley approach to accounting fraud.

We expect to move quickly on these ideas and – to the extent they are effective – we hope that other regulators will take similar steps.

Cyber Security in the Financial Sector

The final topic I would like to discuss is cyber security in the financial markets.

At DFS, we believe that cyber security is likely the most important issue we will face in 2015 – and perhaps for many years to come after that.

A question we often get as financial regulators is: “What keeps you up at night?”

The answer is “a lot of things.” But right at the top of the list is the cyber security at the financial institutions we regulate.

I am deeply worried that we are soon going to see a major cyber attack aimed at the financial system that is going to make all of us shudder. Cyber hacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy.

Indeed, we are concerned that within the next decade (or perhaps sooner) we will experience an Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time – what some have termed a “cyber 9/11.”

And we worry that, when that major cyber event happens, we will all look back and say, “How did we not do more to prevent it?”

Of course, the question, then, is: What should we do to help prevent that nightmare scenario?

We do not profess to have all the answers at DFS. But we are spending a lot of time working on concrete actions to help strengthen cyber security at our regulated institutions.

In particular, we are focused on ways to incentivize market participants to do more to protect themselves from cyber attacks.

This issue is also clearly at the top of the agenda for federal regulators. Sarah Bloom Raskin – the Deputy Treasury Secretary – in particular has been a leader on these issues.

But I believe this area is one example where – even though federal regulators are very focused on the problem – there is still room for financial federalism at the state level in experimenting with various solutions.

Given the magnitude of the problem, we need all the ideas and proposals we can get.

With that in mind, I would like to briefly outline several DFS initiatives in this area.

First, we are revamping our regular examinations of banks and insurance companies to incorporate new, targeted assessments of those institutions’ cyber security preparedness.

The idea is simple: If we grade banks and insurers directly on their defenses against hackers as part of our examinations, it will incentivize those companies to prioritize and shore up their cyber security protections.

Indeed, institutions care deeply about their examination grades since those scores can impact their ability to pay dividends, or enter new business lines, or acquire other companies.

Second, we are considering steps to address the cyber security of third-party vendors, which is a significant vulnerability.

Banks and insurers rely on third-party vendors for a broad-range of services – whether it is a law firm that provides them with legal advice or even a company that is contracted to run their HVAC system.

Those third-party vendors often have access to a financial institution’s information technology systems – which can provide a backdoor entrance for hackers.

In many ways, a company’s cyber security is only as strong as the cyber security of its third-party vendors.

As such, we are considering mandating that our financial institutions receive robust representations and warranties from third-party vendors that those vendors have critical cyber security protections in place.

In other words, those third-party vendors will have to strengthen their cyber security or risk losing out on business from those financial institutions.

That is tough medicine, but we believe it is likely warranted given the risks that cyber hacking presents to the stability of our financial markets and economy.

Third, I would like to discuss something called “multi-factor authentication.”

Our Internet architecture has grown up over the years with a username and password system for verifying our identities.

That has proven to be a very vulnerable system.

The password system should have been dead and buried many years ago. And it is time that we bury it now.

All firms should be moving towards – and many of them already are – a multi-factor authentication system.

In a multi-factor authentication system, you still have a username and a password, but there is also a second layer of security.

For example, when you attempt to log in, you could receive an immediate, randomly generated additional password that is texted to your phone.

As a result, if someone steals or guesses your password, they would not be able to get into the system unless they also have your cell phone.

That simple, extra step can actually prevent a significant amount of hacking. And it is something all firms should do.

In fact, we are currently considering regulations that would mandate the use of multi-factor authentication for our financial institutions. We would be the first financial regulator to take this step.

We still have some work to do when it comes to crafting our new cyber security examinations, as well as any potential regulations related to multi-factor authentication and third-party vendors.

In particular, we need to be careful to make sure that they do not place an undue burden on smaller institutions, such as community banks.

But if we get the balance right, perhaps these steps can serve as a positive model for other regulators as we all confront this critical issue.

We will never eliminate the risk of cyber hacking entirely. But we must do everything we can so that we do not look back years from now – after a devastating attack – and ask ourselves: “Why didn’t we see this coming? And why didn’t we do more?”

Conclusion

To conclude, I have just discussed three areas – (1) Wall Street accountability; (2) money-laundering prevention; and (3) cyber security – where I believe financial federalism can play a constructive role.

It is worth stressing again, however, that we do not profess to have a monopoly on the truth in these or other areas.

As a state financial regulator, it is important that we proceed with an open mind, consider feedback, and course correct when necessary.

And just as we hope that federal regulators will consider our ideas – we will always humbly consider federal regulators’ points of view when formulating our policy proposals.

Financial regulation is an incredibly difficult and dynamic endeavor.

Our resources are not unlimited. And regulators are all too often outmatched and outgunned by the firms we oversee.

We will always run slightly behind them – it is just a matter of how far.

As such, we need all hands on deck – at all levels of government – to help secure the stability of our financial markets and our economy.

Thank you – and I look forward to answering your questions.