Thank you Dean Chapnick for that kind introduction.
The topic of this speech today is “Financial Federalism” and the catalytic role states can play in Wall Street regulation.
So, what exactly do I mean by the term “Financial Federalism?”
The best way to describe it is probably by describing why we think that “Financial Federalism” can – at times – play a helpful and necessary role in regulating Wall Street.
***
As many of you know, financial regulation is primarily handled at the national or even international level.
In most circumstances, that is a good thing. And the right approach.
Where possible, we should strive for consistency and harmony in our application of the rules of the road for financial companies.
Doing so provides greater certainty for businesses as they sell their services, explore new markets, and create new jobs.
That said, regulatory harmony is certainly not the only – or most important – principle at stake for financial regulators.
In fact, pleas for “consistency” or “harmony” are often subtle instruments that some on Wall Street use to try and weaken key financial reforms.
To try and play one regulator off another.
To try to get regulators – in the interest of “consensus” – to settle for watered-down rules.
They poke and they prod until they succeed in producing Swiss cheese regulations riddled with loopholes.
Moreover – and I think this is something that nearly everyone has acknowledged – there have been times when regulation of Wall Street has not proven effective: During certain periods, market practices that endangered consumers and threatened the stability of our entire economy went virtually unchecked.
Now, to be clear, we have a great deal of respect for our counterparts.
At the federal level, they very often have expertise and resources that state regulators simply cannot match.
And the people who work at the federal regulatory agencies are exceptionally talented.
But there have been instances – and, again, I think this is something most people will admit – when certain aspects of financial regulation went off track.
We saw this problem perhaps most acutely in the lead up to the recent financial crisis.
A false sense of security bred by more than 60 years of relative financial stability and economic prosperity made regulators slow to respond to emerging risks and new consumer abuses.
It also helped propel a gradual (and then accelerating) move to dismantle key regulatory protections.
***
Now, when all that happens – when our system of financial regulation becomes unmoored from many of the important principles that helped guide us since the aftermath of the Great Depression – a course correction is necessary.
And that is one example of when financial federalism can play an important role.
Most of you here today I’m sure are familiar with Louis Brandeis’ well-known idea that states can act as “laboratories of democracy.”
Indeed, state governments can often serve as incubators for new approaches to vexing policy problems.
States can experiment.
Try new things.
And if their ideas prove effective – and rise to the top of the crowded marketplace of ideas – those policy proposals may be adopted beyond their borders.
In many areas, whether it is the progressive reforms of the early 20th century.
Or, more recently, the health care reforms imported from Mitt Romney’s Massachusetts to President Obama’s Washington, DC.
We have seen this phenomenon time and time again.
However, the “laboratories of democracy” concept is not typically applied in the context of financial regulation.
To be fair, there are some reasonable explanations for that.
In an increasingly mobile and global financial landscape – where money moves around the world in a matter of milliseconds – there are risks associated with fragmentation in financial regulation.
Market actors can potentially try and move their operations to dark, unregulated corners of the globe – a concept known as regulatory arbitrage.
But, again, regulatory harmony is not the only principle at stake.
Especially if regulatory harmony is simply a means of defining regulatory deviancy down to the lowest common denominator.
Ineffective regulation can sometimes be worse than no regulation at all since it breeds a false sense of security. And, as we saw during the financial crisis, it is everyday consumers and workers who usually end up paying the biggest price.
***
State financial regulators, then, can and should play a similar role to the state-level reformers of the early 20th century.
We should strive, of course, for a collaborative and cooperative relationship with our federal partners.
That is certainly our goal at DFS.
But states also should not be afraid to speak up and act if we spot new risks emerging in the market.
If we believe that certain regulatory protections are not sufficiently robust to root out reckless behavior that threatens the health of our economy.
If we think that current approaches to enforcement and prosecution are not effectively deterring wrongdoing on Wall Street.
It should be noted that federal regulators have to deal with an extremely broad expanse of issues. Put simply, no matter how well intentioned, they have a lot on their plate. So there is a risk that certain issues fall through the cracks.
Financial federalism can help address that issue.
Of course, state regulators by no means have a monopoly on the truth.
And there is a risk that they will become captured by and beholden to the industries they regulate.
Or create fragmented rules across jurisdictions.
Indeed, it is important that states proceed with an appropriate sense of humility.
But if we get things right, if our efforts prove effective, we can perhaps serve as positive examples and help spur a race to the top.
***
Of course, some may argue that financial federalism is no longer necessary more than six years after the financial crisis.
They may say that the destruction wrought by the crisis served as shock therapy for federal regulators.
And that we now inhabit an era of hyper-regulation and hyper-enforcement on Wall Street.
In other words, after a period of light-touch regulation in the run-up to the crisis, they argue that the pendulum has now swung too far the other way.
There is something to the idea that we live in an era of heightened regulatory scrutiny – certainly relative to the early part of the last decade.
That said, we still believe that financial federalism can play an important role in today’s environment.
Notwithstanding Dodd-Frank, there is still a very robust and unresolved debate occurring right now about what our post-crisis regulatory architecture is going to look like. The new rules are still being written.
We are also still debating the most effective ways to hold those who engage in wrongdoing to account and deter future misconduct.
Indeed, I don’t think anyone – at the federal or state level – would argue that we have completely figured out how to prevent a repeat of the 2008 crisis.
Or that we already have all the right rules, regulations, and oversight structures in place.
In truth, that is an ongoing project that will never be complete.
And simply having the right rules on the books is not enough if we are unwilling to enforce them effectively and aggressively.
As such, the need for financial federalism has by no means disappeared.
***
So, I have described, in broad terms, what we mean by Financial Federalism.
I would now like to turn to some concrete examples of that principle in action.
- First, I would like to discuss Wall Street accountability in the wake of the financial crisis.
- Second, helping prevent money laundering in the financial sector.
- And third, strengthening cyber security in the financial markets.
Wall Street Accountability in the Wake of the Financial Crisis
Let me start with Wall Street accountability.
In the wake of the financial crisis, many Americans have been deeply disappointed by efforts to hold individual, senior executives on Wall Street accountable for misconduct.
That is not simply the opinion of far-left commentators. It is a decidedly mainstream view.
For example, Senator Chuck Grassley – Republican Chairman of the Senate Judiciary Committee – has repeatedly and forcefully decried the lack of criminal prosecutions against individual bank executives on Wall Street.
Senator Richard Shelby – Republican Chairman of the Senate Banking Committee – recently expressed concerns that Wall Street executives were trying to “buy their way out of culpability” by instead having their corporations simply pay big fines.
Former Treasury Secretary Timothy F. Geithner has also, for one, written that “there was an appalling amount of mortgage fraud during the credit boom.” And that the American people “deserved a more forceful enforcement response than the government delivered.”
Another former Treasury Secretary, Larry Summers, signed onto an important report the Center for American Progress released last month that noted:
“Current procedures for dealing with misconduct by financial-sector participants are manifestly inadequate as evidenced on the one hand by the pervasiveness of malfeasance in areas ranging from money-laundering controls, to market manipulation, to mortgage marketing, and foreclosure implementation and, on the other, by the almost total absence of successful prosecutions of individuals.”
Indeed, we almost always see bank settlements where a corporation writes a big check to the government without any individual Wall Street executives held to account.
It should come as little surprise then that we continue to see fraud, after fraud, after fraud on Wall Street – since the individuals who engaged in the wrongdoing rarely, if ever, face any real consequences.
Now, real deterrence, in our opinion, means a focus not just on corporate accountability, but on individual accountability.
After all, if you think about it for a second, what is a corporation? It is just a group of people.
The corporation itself is just a legal fiction. It hasn’t acted.
Corporations are made up of people. If there is wrongdoing at a corporation, that wrongdoing was committed by people.
Of course, penalties imposed at the corporate level are often an important and necessary tool in our enforcement tool belt – particularly as it relates to organization-wide failures of oversight or compliance.
But more and more often it feels like we are discussing a corporation’s wrongdoing without detailing who exactly did what wrong.
And, in my opinion, if in any particular instance we cannot find someone, some person, to hold accountable, that just means we have stopped looking.
Moreover, even if there are certain circumstances where the misconduct does not rise to the level of criminal fraud, civil financial regulators can also play a role in imposing individual accountability.
While NYDFS does not have authority to bring criminal prosecutions, it has taken a number of actions to expose and penalize misconduct by individual senior executives – including all the way up to the C-Suite, when appropriate.
For example, NYDFS required the Chief Operating Officer of France’s largest bank, BNP Paribas, and the Chairman of one of the United States’ largest mortgage companies, Ocwen Financial, to step down as part of enforcement actions brought against those companies.
The Department has also banned multiple senior executives from participating in the operations of NYDFS-regulated institutions for engaging in misconduct.
I by no means claim that our agency has squared the circle on enforcement. I doubt we get it right in every case.
But we have sought increasingly to move toward individual accountability in the resolution of these settlements.
And it is our hope that it will help spur others to do the same.
Preventing Money Laundering (Transaction Monitoring and Filtering Systems)
So, we need more individual accountability after misconduct occurs to help produce real deterrence.
But there is also more we can do to prevent some of the most serious misconduct we have seen, which brings me to my second topic: The somewhat obscure but vitally important issue of transaction monitoring and filtering systems.
That sounds like a dry issue, admittedly. But improving those systems is critical to stopping dangerous criminal activity, including terrorism.
And it is our hope that our actions in this area will help encourage other regulators to consider similar measures.
Let me explain: Every day, hundreds of millions of transactions through the bank payments system move hundreds of billions of funds around the globe.
Naturally, bank employees cannot manually check every one of those transactions for evidence of criminal or illicit activity. The volume is just too high.
As a result, banks rely heavily on automatic transaction monitoring and filtering systems to help flag suspicious payments for further review by compliance personnel.
Transaction monitoring works by running transactions through various detection scenarios that are designed to create alerts that show patterns of money laundering or red flags, such as high-volume transaction activities.
But – and this is a truly frightening question to ask – what if those monitoring and filtering systems are flawed or ineffective?
That would create a gaping loophole in our financial system that terrorists, drug dealers, and other violent criminals could exploit.
Problems with transaction monitoring and filtering systems can be the result of one of two situations:
First: Through inadequate or defective design, or programming of the monitoring and filtering systems, faulty data input, or a failure to regularly update these detection scenarios, which may be attributed to lack of sophistication, knowledge, expertise, or attention by the management and/or employees.
Or two, perhaps more disturbingly, willful blindness or intentional malfeasance by bank management, or employees – who, for example, turn down the sensitivity of the filters so the systems do not generate enough alerts and therefore suspicious transactions go undetected.
We have already seen an example of faulty filters at one large bank we regulate – when an independent monitor we installed found that the firm failed to flag millions of suspicious transactions. As a result, last year, we brought a significant enforcement action against that bank for those failures.
We basically ran the company’s transactions through our own filtering system and compared the results. This was a new approach. In the past, regulators have largely relied on self-reporting by firms that discover – one way or the other – that banned transactions occurred for some reason. What regulators have not done is actively test the effectiveness of the filtering systems banks are using. That needs to change.
A whack-a-mole approach – simply bringing enforcement actions when we find problems – is not, by itself, enough. Particularly because we believe there are likely widespread problems with transaction monitoring and filtering systems throughout the industry.
As such, we need a more holistic solution. Something needs to be done.
And the stakes are incredibly high.
Money is the oxygen feeding the fire that is terrorism. Without moving massive amounts of money around the globe, international terrorism cannot thrive.
Accordingly, we are considering a number of measures to address this issue.
First, we are considering random audits of our regulated firms’ transaction monitoring and filtering systems, employing the same methodology our independent monitor used to spot deficiencies.
Second, since we cannot simultaneously audit every institution, we are also considering making senior executives personally attest to the adequacy and robustness of those systems.
This idea is modeled on the Sarbanes-Oxley approach to accounting fraud.
We expect to move quickly on these ideas and – to the extent they are effective – we hope that other regulators will take similar steps.
Cyber Security in the Financial Sector
The final topic I would like to discuss is cyber security in the financial markets.
At DFS, we believe that cyber security is likely the most important issue we will face in 2015 – and perhaps for many years to come after that.
A question we often get as financial regulators is: “What keeps you up at night?”
The answer is “a lot of things.” But right at the top of the list is the cyber security at the financial institutions we regulate.
I am deeply worried that we are soon going to see a major cyber attack aimed at the financial system that is going to make all of us shudder. Cyber hacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy.
Indeed, we are concerned that within the next decade (or perhaps sooner) we will experience an Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time – what some have termed a “cyber 9/11.”
And we worry that, when that major cyber event happens, we will all look back and say, “How did we not do more to prevent it?”
Of course, the question, then, is: What should we do to help prevent that nightmare scenario?
We do not profess to have all the answers at DFS. But we are spending a lot of time working on concrete actions to help strengthen cyber security at our regulated institutions.
In particular, we are focused on ways to incentivize market participants to do more to protect themselves from cyber attacks.
This issue is also clearly at the top of the agenda for federal regulators. Sarah Bloom Raskin – the Deputy Treasury Secretary – in particular has been a leader on these issues.
But I believe this area is one example where – even though federal regulators are very focused on the problem – there is still room for financial federalism at the state level in experimenting with various solutions.
Given the magnitude of the problem, we need all the ideas and proposals we can get.
With that in mind, I would like to briefly outline several DFS initiatives in this area.
First, we are revamping our regular examinations of banks and insurance companies to incorporate new, targeted assessments of those institutions’ cyber security preparedness.
The idea is simple: If we grade banks and insurers directly on their defenses against hackers as part of our examinations, it will incentivize those companies to prioritize and shore up their cyber security protections.
Indeed, institutions care deeply about their examination grades since those scores can impact their ability to pay dividends, or enter new business lines, or acquire other companies.
Second, we are considering steps to address the cyber security of third-party vendors, which is a significant vulnerability.
Banks and insurers rely on third-party vendors for a broad range of services – whether it is a law firm that provides them with legal advice or even a company that is contracted to run their HVAC system.
Those third-party vendors often have access to a financial institution’s information technology systems – which can provide a backdoor entrance for hackers.
In many ways, a company’s cyber security is only as strong as the cyber security of its third-party vendors.
As such, we are considering mandating that our financial institutions receive robust representations and warranties from third-party vendors that those vendors have critical cyber security protections in place.
In other words, those third-party vendors will have to strengthen their cyber security or risk losing out on business from those financial institutions.
That is tough medicine, but we believe it is likely warranted given the risks that cyber hacking presents to the stability of our financial markets and economy.
Third, I would like to discuss something called “multi-factor authentication.”
Our Internet architecture has grown up over the years with a username and password system for verifying our identities.
That has proven to be a very vulnerable system.
The password system should have been dead and buried many years ago. And it is time that we bury it now.
All firms should be moving towards – and many of them already are – a multi-factor authentication system.
In a multi-factor authentication system, you still have a username and a password, but there is also a second layer of security.
For example, when you attempt to log in, you could receive an immediate, randomly generated additional password that is texted to your phone.
As a result, if someone steals or guesses your password, they would not be able to get into the system unless they also have your cell phone.
That simple, extra step can actually prevent a significant amount of hacking. And it is something all firms should do.
In fact, we are currently considering regulations that would mandate the use of multi-factor authentication for our financial institutions. We would be the first financial regulator to take this step.
We still have some work to do when it comes to crafting our new cyber security examinations, as well as any potential regulations related to multi-factor authentication and third-party vendors.
In particular, we need to be careful to make sure that they do not place an undue burden on smaller institutions, such as community banks.
But if we get the balance right, perhaps these steps can serve as a positive model for other regulators as we all confront this critical issue.
We will never eliminate the risk of cyber hacking entirely. But we must do everything we can so that we do not look back years from now – after a devastating attack – and ask ourselves: “Why didn’t we see this coming? And why didn’t we do more?”
Conclusion
To conclude, I have just discussed three areas – (1) Wall Street accountability; (2) money-laundering prevention; and (3) cyber security – where I believe financial federalism can play a constructive role.
It is worth stressing again, however, that we do not profess to have a monopoly on the truth in these or other areas.
As a state financial regulator, it is important that we proceed with an open mind, consider feedback, and course correct when necessary.
And just as we hope that federal regulators will consider our ideas – we will always humbly consider federal regulators’ points of view when formulating our policy proposals.
Financial regulation is an incredibly difficult and dynamic endeavor.
Our resources are not unlimited. And regulators are all too often outmatched and outgunned by the firms we oversee.
We will always run slightly behind them – it is just a matter of how far.
As such, we need all hands on deck – at all levels of government – to help secure the stability of our financial markets and our economy.
Thank you – and I look forward to answering your questions.