Companies and organizations ranging from the U.S. Chamber of Commerce to banking technology provider Fiserv have submitted comments on a proposed rule from three federal agencies regarding enhanced cyber risk management standards.
The agencies seeking comment on the proposed rule are the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corp.
The advance notice of proposed rulemaking (ANPR) is directed at financial institutions and their service providers. The enhanced standards, according to the announcement, are intended for “large and interconnected entities” under the agencies’ supervision, as well as those entities’ service providers.
The agencies said that they are considering enhanced standards to mitigate against the impact of technology failures and cyberattacks on one of those entities.
While any resulting rule is unlikely to apply to payment facilitators at this point, that doesn’t mean they should ignore it, said Scott Talbott, senior vice president of government relations at the Electronic Transactions Association.
“If regulators aren’t knocking on payment facilitators’ door with this particular proposed rule, they’re on your street,” Talbott said, noting that any ANPR provides insight into the issues that are concerning regulators, and areas they might continue to focus on.
Indeed, the notice announcement outlines the increasingly significant role technology is playing within the delivery of financial services, and ultimately the importance of cybersecurity to the stability of the financial system.
“With advances in financial technology, financial institutions and consumers alike have become increasingly dependent on technology to facilitate financial transactions,” the announcement reads. “In addition, the largest, most complex financial institutions rely heavily on technology to engage in national and international banking activities and to provide critical services to the financial sector and the U.S. economy. As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks.”
While President Trump has shown antipathy toward federal regulation, he also has spoken in general terms about cybersecurity being a priority of his administration, so how that position might affect attempts at rulemaking is not yet clear. Last month, the White House cancelled plans to issue an executive order regarding the government’s need to secure its own computer networks.
The New York State Department of Financial Services also recently issued a proposed rule on cybersecurity, requiring banks, insurance companies and other regulated entities to maintain cybersecurity programs.
“New Yorkers must be confident that the banks, insurance companies and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information,” said Financial Services Superintendent Maria T. Vullo.
So while the scope of this particular ANPR doesn’t mean alarm bells should be ringing for payment facilitators, Talbott said, it may well be an indicator that the security of financial transactions is on regulators’ minds, making it a priority area where the industry should be able to demonstrate the ability to regulate itself.
“Payment facilitators should use this as an opportunity to evaluate their programs and strengthen their own internal resources around cybersecurity,” Talbott said.
After an extension to allow more time for public input, the ANPR comment period ends Feb. 17.