-
-
-
The Governance & Culture Reform hub is designed to foster discussion about corporate governance and the reform of culture and behavior in the financial services industry.
Need to file a report with the New York Fed? Here are all of the forms, instructions and other information related to regulatory and statistical reporting in one spot.
The New York Fed works to protect consumers as well as provides information and resources on how to avoid and report specific scams.
-
-
-
The New York Fed provides a wide range of payment services for financial institutions and the U.S. government.
The New York Fed offers the Central Banking Seminar and several specialized courses for central bankers and financial supervisors.
The New York Fed has been working with tri-party repo market participants to make changes to improve the resiliency of the market to financial stress.
-
-
-
We are connecting emerging solutions with funding in three areas—health, household financial stability, and climate—to improve life for underserved communities. Learn more by reading our strategy.
The Economic Inequality & Equitable Growth hub is a collection of research, analysis and convenings to help better understand economic inequality.
The Governance & Culture Reform hub is designed to foster discussion about corporate governance and the reform of culture and behavior in the financial services industry.
-
Remarks by Edward Miller
Senior Vice Chairman
The Chase Manhattan Corporation
at
The Conference on Electronic Security in the Payments System
Sponsored by the Payments Risk Committee
March 17, 1997
Thank you and good afternoon. It is a privilege to join you for this valuable and timely meeting on electronic security in the payments system.
Like Bill McDonough, I believe this is an issue of tremendous significance for the financial community, one that must be addressed at the highest levels of both the public and private sectors -- as we are doing today.
We all should commend Ernie Patrikis for his role in forming the Payments Risk Committee and sponsoring this conference. And while I may not be the most objective observer, I want to commend Ernie for his choice of Dick Matteis as the PRC's first chairman. Given Dick's drive and experience within the industry, it was an inspired choice.
If there is a single theme underlying this conference today, it is a call to a new level of awareness, knowledge and vigilance regarding electronic risk in all its forms:
-- Awareness of the ongoing transformation within the payments industry;
-- What and who can hurt us, and how;
-- The competitive challenges we face which, particularly on the retail side, are significant.
-- Knowledge at the senior management level of the vulnerability of data and of the systemic repercussions of breakdowns in the financial pipeline and finally,
-- Increased vigilance regarding risk and with it, increased emphasis on putting the processes in place to identify potential problems earlier rather than later and manage them for minimum disruption.
My own sense of urgency is grounded in the exponential growth we have seen in the volume and velocity of funds moving through the international payment system.
This is driven primarily by increases in foreign exchange and capital markets trading, particularly cross-border transactions, as well as the globalization of trade and changing consumer patterns.
Over the past decade, the value of payments over the U.S. high value payment systems has grown many times faster than GNP and, in fact, weekly payment flows exceed annual GNP in most OECD countries. These double-digit increases in funds flows are expected to continue.
Industry analysts have commented -- and I think we all agree -- this growth could not have taken place in the absence of a well functioning payments environment.
However, the magnitude, speed, interdependence and complexity of what is taking place by its very nature increases the chances of cracks occurring in the pipeline.
To quote one observer, the system is not necessarily riskier; the stakes have become much higher. In turn, we need to manage the payments infrastructure with even more deliberation than in the past.
This is true on both the wholesale and the consumer sides of the payments industry. Confidence in our international payment systems is the backbone of international trade, and of market soundness. Consumer confidence in the security and privacy of consumer payments is vital to the continuing health and vitality of the economic system.
All of which is our charge: to keep these systems safe, secure and private at a time when the pace of change on all fronts is accelerating.
Fueling that pace, of course, is technological innovation: successive new generations of products and instruments; faster and more efficient processing platforms and most important, far greater connectivity.
Moreover, information technology is still in its infancy: its capabilities remain virtually boundless. Almost everyday we see quantum advances in computer power, storage, in communications speed and capacity.
The rapid pace of improvements in semi-conductors is driven by "Moore's Law," which translates into the doubling of the price/performance ratio every 18 to 24 months.
To illustrate this a little more vividly, if the automobile industry had advanced at the same pace over the past twenty years, the average automobile -- let's say a Ford Taurus -- would get approximately 250,000 miles per gallon and would retail for $50!
Technology is also changing the configuration of the industry itself. As the cost of entry and of continuing investment grows, the field is narrowing, resulting in concentration among those scale players with the resources, global and customer reach and operational scope to compete.
At the same time, payments is seen as an attractive, high return-on-equity business, and we are seeing the entry of nontraditional, nonfinancial competitors -- including software providers and third party suppliers -- particularly on the retail side.
These firms bring technological prowess, as well as new and advanced operating platforms but lack direct experience in high volume daily settlement.
As a banking executive who has been on the frontlines for a while, I can attest to the value of long-term operating experience and hands-on crisis management. All the more so, because of our increased reliance on technology, and ever greater connectivity between systems.
Indeed, these great enablers -- technology and connectivity -- also enable ever greater threat. There has been much discussion -- rightly -- of international organized crime breaking into payments networks. But let's not forget, our vulnerability to creative and highly skilled hackers, who invade payment systems for fun as well as profit! And, as highly precise as our platforms are today, they remain susceptible to human error and local crises.
Perhaps some members of this audience can remember the power failure that affected southern Manhattan during the summer of 1990.
Although some Wall Street facilities were without power for as many as six days, the industry through ingenuity and the use of contingency sites successfully managed the crisis.
I know Dick Matteis remembers that experience because with his colleagues, he caucused at the old Chase headquarters for the entire stretch, in constant contact with the Fed until power was restored.
This is a key point -- maintaining the integrity of the system under all and any conditions -- because at stake is the health of the financial system, as well as the public trust.
As you know, there has been a great deal of public focus recently on the issues of security and privacy.
In fact, two weeks ago, Reserve Chairman Greenspan, at a conference on electronic payments systems in the information age, said that security and privacy are crucial, "... if confidence is to be established in these new systems."
Historically, the payments arena has been a fundamental component of the banking franchise, not only because banks have built-up the necessary infrastructure and experience, but because the banking industry is first-and-foremost charged with maintaining the public trust.
Before I get in trouble, I want to stress that banks have always done this in partnership with their regulators, central bankers or each other.
Each participant has a defined role to play. Our central bankers are, of course, charged with the overall safety and soundness of the payment pipeline, payment finality and overall liquidity.
Commercial banks, on their side, are responsible for market efficiency, responsiveness to customer needs, as well as credit and risk management.
But active partnership is more important than ever before, in order to more fully leverage the specific strengths and experience of each.
Forums for cooperative efforts, to name a few, include the Payments Risk Committee, of course; the New York Clearing House, the G20 and S.W.I.F.T. All have done a terrific job of staying vigilant to escalating risk while maintaining the smooth operation of key systems.
You may be aware, as well, of the various initiatives underway within the Bankers Roundtable concerning payments, both on the wholesale and the retail side.
I am personally involved in several of these projects, including the recent formation of the Banking Industry Technology Secretariat or BITS. In many ways, the formation of BITS can be seen as a wake up call to the industry.
BITS was created to develop meaningful industry-wide standards and guidelines regarding electronic commerce and payments, to promote customer acceptance of electronic banking and develop the reliability, security and privacy on which customers can depend.
As you can see, we are on the same wavelength with Chairman Greenspan!
Underlying these and other ventures is the understanding, as I noted before, that as the volume and velocity within the system grows, so too, does the magnitude of risk involved.
I want to spend a few moments discussing "virtual" fraud, perpetuated by highly sophisticated, professional criminal elements. These are not brainy college students sitting in the basement of a fraternity on a Friday night trying to crack passwords for lack of something better to do!
Virtual fraud is a real concern because the cost of entry is low -- a terminal and a phone line, in many cases -- the expertise exists and in this world of global linkage, very little is invulnerable.
In fact, to enhance awareness, Chase recently hosted, on behalf of the FBI, a conference for law enforcement representatives from 39 countries on computer fraud and joint cooperation. One issue that meeting revealed is the difficulty of prosecuting computer-based crime -- especially crimes that move across national borders and involve firms in many different legal jurisdictions.
The obvious questions, then, are how to identify, quantify, manage and control all these risks?
My own experience tells me that the first thing you need is awareness, commitment and involvement from the top of the organization. And that involvement must be based on a real knowledge of the issues, and cost factors involved.
Personally, while I have always been involved in the strategic development of both our large value and retail payments businesses, over the past several years, I have had to climb up the learning curve rapidly as a result of the pace of change.
These days, life in the Office of the Chairman involves large doses of decision-making on electronic commerce and alternative delivery of banking services; on the best use of the Internet; keeping proprietary information proprietary and customer information secure. From my perspective, it is clear that larger participants in the payments business certainly need to consider creating a dedicated electronic security structure that is both independent enough to take an organization-wide perspective and, thoroughly integrated with the business units and their objectives.
This approach, which we use at Chase, enabled us to formulate and distribute organization-wide information technology policies, soon after the merger, as well as security guidelines and practices on a business-by-business basis.
Implicit in a vigilant security effort are strong management disciplines, including bench-marking and accountability. Needless to say, you need an experienced professional staff that can work with and train operating, line and administrative personnel. Finally, you need the analytic tools to monitor and assess risk.
Again, I am speaking from personal experience. At Chase, our size and scale, technology infrastructure and position in the payments business makes electronic security a priority.
More than US $l trillion flows through our payments system every day. Every night, we process more than 14 million checks.
At present count, we have more than $3.6 trillion in assets under custody, and it goes without saying that our customers and business managers are demanding increased connectivity, capabilities and access to new delivery channels.
At the same time, we must ensure the security and smooth operation of an extensive technology infrastructure and international network across five continents.
Our own security mandate flows from the Office of the Chairman to the Chief Information Officer -- Denis O'Leary, who so many of you know.
In turn, Denis chairs the Business Technology Management Council, Chase's senior technology planning and review board, representing both the information technology and operations and the business units.
Finally, there is a designated information security team responsible for coordinating security efforts among the business and functional areas, as well as focusing on specific risks to our infrastructure and systems.
My point is not that Chase has all the answers -- far from it -- but that we have adopted an activist stance in regard to information security in the payments business. That includes making it clear to business managers that data security and risk management are part of their responsibilities.
Again, our approach comes from long experience at the center of the payments pipeline, understanding that changing markets and technology demand disciplined action and that the magnitude of risks requires growing vigilance.
Finally, our approach is based in the realization that significant public trust requires diligent efforts to preserve it.
This afternoon, we will have the opportunity to hear from some of the leading experts in the field. They will discuss the most recent developments in electronic security; coping with serious breeches in security; control of cross border information and the challenges of data security when multiple services are outsourced.
As organizations, we have a responsibility to safeguard our assets and those of our customers. As participants in the global payments system, we have a deep, shared obligation to preserve the integrity of the financial pipeline.
Our presence here today is proof of how seriously we regard that shared obligation.
Again, I want to thank the committee and the staff of the New York Fed for putting together today's conference, and my own colleagues, including Dick Matteis and Yawar Shah, Denis O'Leary, Bill Moran and Dan Nealis, who have certainly raised my own awareness and my own learning curve.
To paraphrase Eric Hoffer, 'In times of great change, those who continue to learn inherit the earth while the learned find themselves beautifully equipped for a world that no longer exists.'
On that note, I thank all our speakers and I look forward to an interesting and provocative program.
