Trust. This is one of the most important foundations any association is built from. Without trust there is no reason for any further discussion in building a relationship. This important concept is one of the first things parents teach their children, and something I stress with the Boy Scouts and Cub Scouts I work with every week. The very first item mentioned in the “Boy Scout Law”, which describes how a Boy Scout is expected to act in their daily lives, is “A Scout is Trustworthy”. We have been taught our entire lives that trust is sacred and once lost, almost impossible to restore.
Possibly more than any other business, Bankers are required to be “boy scouts”, which is synonymous with being trustworthy and above board with its customers. If that confidence is ever shaken, the entire institution will become vulnerable. Customers trust banks with their most important assets and expect those assets to be protected. The ICBA lists Data Security as one of the top issues currently facing banks.
Unfortunately for the banking industry, 3rd party data breaches are becoming more common every day. This means that regardless how strongly banks protect their customers assets, they can still be stolen due to security lapses at retailers, software developers, or even the government. Thomas J. Curry, the US Comptroller of the Currency, stated in a speech in Washington last year that:
“The financial services industry isn’t alone in facing the threat of cyberattacks. Almost every business sector, from newspapers to power utilities, faces similar threats. But the financial services industry is one of the more attractive targets for cyberattacks, and, unfortunately, the threat is growing. These risks will continue to increase as banks are today leveraging cloud computing, social media, mobile banking, and new payment solutions and it is impossible to guess what opportunities technology will bring ten years from now.”
While banks are usually not responsible for data breaches, they are not invulnerable, just ask JP Morgan about its feelings towards Russian hackers. Therefore, banks must be extremely proactive regarding how to protect and keep their customers’ data safe. Otherwise, they risk losing their customers’ trust. Advisen Cyber Liability Journal published an interesting article regarding tips to minimize data breach risks, below are several important points from that article:
- Complete an Annual Data Security Assessment – while this is not an easy or cheap process to complete, it is vastly less costly than having to respond to a data breach.
- Have a Plan - Organizations that plan in advance greatly reduce their legal, reputational, and financial liabilities. A plan should cover two distinct parts of a data breach — assessment of the incident and development of a response.
- Have a Team in Place – The plan above will not do much good if you don’t have people already trained and prepared to implement it.
- Update Policy and Procedures to Keep Pace with Changing Technology – As new technology such as mobile banking and remote deposit become more widely utilized their policies and security measures must not be neglected.
While I am sure everyone agrees that avoiding data breaches is the best policy, when Target or Home Depot has a breach that compromises thousands of your customers’ debit or credit cards, there has to be a proactive response from the bank. If a compromised card is used to drain a customer’s bank account, the bank will bear the brunt of the customer’s anger and frustration at the situation. This again comes back to customer trust, without it any business model will suffer. Target, which has one of the strongest brands in retail, saw earnings drop 46% after the massive data breach it suffered in 2013.
One of the reasons that 3rd party data breaches have become such an issue is that the only segments of the US economy that have regulation in place around information security are Financial Services and Health Care Services. Retailers, restaurants, hotels, or any of the other participants in the vast payment system have no legal requirements, regulation standards, or financial responsibility should a data breach occur. This means that the banking system must bear the cost of any fraud losses, not to mention reissuing millions of debit and credit cards, because of a Home Depot or Target security failure.
Until there is some movement in regulation that would hold the companies responsible for the cost associated with their lax security measures, this cost can only be expected to increase. While I am not usually a proponent of more regulations (see my article on the Durbin Amendment), I think in this case it comes down to common sense, if you broke it, you pay to fix it.
Until the day we can hold the company responsible for the breach accountable, it will remain the job of the financial industry to clean up other people’s messes. Whether those messes are compromised payment cards or fraudulent loans, customers look to their bank to help them resolve these issues. When that happens we have the chance to either lose their trust, or restore it, depending on how the situation is handled. We as bankers must remember that once that trust is lost, it may never return.
