It will be some time before we know how the financial services regulatory reform bill signed into law by President Obama last week actually will be implemented, but the sweeping legislation has some possible information security implications, industry experts said.
The Dodd-Frank Wall Street Reform and Consumer Protection Act, spurred by the 2008 banking crisis, includes the creation of a new consumer protection agency at the Federal Reserve, gives regulators new powers to safely liquidate failed financial firms, and imposes new rules for transparency in derivatives markets.
Federal banking regulators will write the regulations to implement the law, a process that experts expect will be long and drawn out. Still, while the details remain to be seen, the law is another regulation that information security professionals will need to get their arms around, said Rocco Grillo, a managing director in the security/privacy practice at Protiviti Inc., a Menlo Park, Calif.-based risk consulting and internal audit firm. IT security has evolved in the past 10 years from an IT-centric control to more of a compliance control in order to meet increased regulatory requirements such as the Red Flags Rule, he noted.
"It's a lot more compliance," he said of the financial services regulatory reform law. "You'll see more financial institutions increase their compliance departments."
Michael Brauneis, a director in Protiviti's risk and compliance practice, said a provision in the law related to the creation of the consumer protection agency could lead to data security and privacy issues. The law calls for regulations that would allow a consumer to ask a financial institution for any information it holds in its systems about transactions with that consumer.
"That's not a privacy issue per se, but it could lead to a huge degree of identity theft risk if the regulations and the processes financial institutions put in place [to comply] don't ensure effective controls around security when those requests come in and make sure the person requesting the information is actually the consumer and not someone trying to steal an identity," he said.
Overall data management may become a huge issue under the financial services regulatory reform law. The legislation includes the concept of a systemic risk regulator that would gather information from the industry at an aggregate level in order to prevent another banking meltdown, said Fritz McCormick, senior analyst at Aite Group LLC, a Boston-based research and advisory firm. Specifically, the bill -- when it was being finalized -- put forth the idea of an office of financial research that would collect data around forward-looking risk sensitivities, he said.
"How this gets played out is the big question," McCormick said. "To me, this reads like a massive amount of data that would need to be collected, collated and analyzed."
If such an office comes to fruition, "it will be contingent on the risk and compliance folks to get this information together from across the enterprise and report it to regulators," he said.
A report by Deloitte LLP on financial reform cited data aggregation and reporting as one of the top implications of the new law. The new data and reporting requirements likely will take quite a while to be implemented, which gives the industry "an opportunity to work with the regulators to develop reporting requirements, formats and timetables that are practical to implement," Deloitte wrote, adding that the requirements will probably be burdensome and expensive.
The security of data as it's transferred to regulators has been a concern for lawmakers, Protiviti's Brauneis said, noting that several provisions in the reform legislation call for the creation of standards and controls to ensure security and confidentiality in the transfer of information.
For those in financial services, the regulatory reform -- described as the biggest since the Great Depression -- is an "earth-changing" event, Brauneis said. Industry reaction has been mixed: some of the largest financial institutions are relieved that the final legislation was stripped of more restrictive requirements for them, while small financial institutions are upset that the law doesn't take their size into consideration.
"Their position is we didn't cause this crisis. … Yet we're facing thousands of pages of new regulations," he said. "There are differing points of view across the industry on how bad the bill is."
However, the timeline for changes from the reform bill is long, Brauneis said. "People expect the switch is going to be flipped upon President Obama signing the bill. It will be a multi-year process before these changes take effect," he said, adding that the regulatory agencies have a lot of discretion in shaping the final requirements.
"The sky isn't falling, but at the same time, it's one more regulation that we need to get our arms around," Protiviti's Grillo said. "Only time will tell whether that translates into expanded staff or bringing additional controls into place over the next eight to 12 months or longer."