February 25, 2015

Contact: Matt Anderson, 212-709-1690, Matthew.Anderson@dfs.ny.gov

SUPERINTENDENT LAWSKYS REMARKS ON FINANCIAL REGULATION IN

NEW YORK CITY AT COLUMBIA LAW SCHOOL
Benjamin M. Lawsky, Superintendent of Financial Services for the State of New York, is
delivering remarks today on financial regulation at Columbia Law School in New York City.
Superintendent Lawskys remarks, entitled Financial Federalism: The Catalytic Role of State
Regulators in a Post-Financial Crisis World, are below as prepared for delivery. Topics include:

Wall Street Accountability after the Financial Crisis

Preventing Money Laundering, Including Improving Transaction Monitoring and Filtering

Systems; and

Cyber Security in the Financial Sector

***

Superintendent Benjamin M. Lawskys Remarks at Columbia Law School

Financial Federalism: The Catalytic Role of State Regulators in a Post-Financial Crisis World
New York, NY
February 25, 2015
As Prepared for Delivery
Thank you Dean Chapnick for that kind introduction.
The topic of this speech today is Financial Federalism and the catalytic role states can play in
Wall Street regulation.
So, what exactly do I mean by the term Financial Federalism?
The best way to describe it is probably by describing why we think that Financial Federalism
can at times play a helpful and necessary role in regulating Wall Street.
***
As many of you know, financial regulation is primarily handled at the national or even
international level.
In most circumstances, that is a good thing. And the right approach.
Where possible, we should strive for consistency and harmony in our application of the rules of
the road for financial companies.
Doing so provides greater certainty for businesses as they sell their services, explore new
markets, and create new jobs.

That said, regulatory harmony is certainly not the only or most important principle at stake
for financial regulators.
In fact, pleas for consistency or harmony are often subtle instruments that some on Wall
Street use to try and weaken key financial reforms.
To try and play one regulator off another.
To try to get regulators in the interest of consensus to settle for watered-down rules.
They poke and they prod until they succeed in producing Swiss cheese regulations riddled with
loopholes.
Moreover and I think this is something that nearly everyone has acknowledged there have
been times when regulation of Wall Street has not proven effective: During certain periods,
market practices that endangered consumers and threatened the stability of our entire
economy went virtually unchecked.
Now, to be clear, we have a great deal of respect for our counterparts.
At the federal level, they very often have expertise and resources that state regulators simply
cannot match.
And the people who work at the federal regulatory agencies are exceptionally talented.
But there have been instances and, again, I think this is something most people will admit
when certain aspects of financial regulation went off track.
We saw this problem perhaps most acutely in the lead up to the recent financial crisis.
A false sense of security bred by more than 60 years of relative financial stability and economic
prosperity made regulators slow to respond to emerging risks and new consumer abuses.
It also helped propel a gradual (and then accelerating) move to dismantle key regulatory
protections.
***
Now, when all that happens when our system of financial regulation becomes unmoored
from many of the important principles that helped guide us since the aftermath of the Great
Depression a course correction is necessary.
And that is one example of when financial federalism can play an important role.
Most of you here today Im sure are familiar with Louis Brandeis well-known idea that states
can act as laboratories of democracy.
Indeed, state governments can often serve as incubators for new approaches to vexing policy
problems.
States can experiment.

Try new things.

And if their ideas prove effective and rise to the top of the crowded marketplace of ideas
those policy proposals may be adopted beyond their borders.
In many areas, whether it is the progressive reforms of the early 20th century.
Or, more recently, the health care reforms imported from Mitt Romneys Massachusetts to
President Obamas Washington, DC.
We have seen this phenomenon time and time again.
However, the laboratories of democracy concept is not typically applied in the context of
financial regulation.
To be fair, there are some reasonable explanations for that.
In an increasingly mobile and global financial landscape where money moves around the
world in a matter of milliseconds there are risks associated with fragmentation in financial
regulation.
Market actors can potentially try and move their operations to dark, unregulated corners of the
globe a concept known as regulatory arbitrage.
But, again, regulatory harmony is not the only principle at stake.
Especially if regulatory harmony is simply a means of defining regulatory deviancy down to the
lowest common denominator.
Ineffective regulation can sometimes be worse than no regulation at all since it breeds a false
sense of security. And, as we saw during the financial crisis, it is everyday consumers and
workers who usually end up paying the biggest price.
***
State financial regulators, then, can and should play a similar role to the state-level reformers of
the early 20th century.
We should strive, of course, for a collaborative and cooperative relationship with our federal
partners.
That is certainly our goal at DFS.
But states also should not be afraid to speak up and act if we spot new risks emerging in the
market.
If we believe that certain regulatory protections are not sufficiently robust to root out reckless
behavior that threatens the health of our economy.
If we think that current approaches to enforcement and prosecution are not effectively
deterring wrongdoing on Wall Street.

It should be noted that federal regulators have to deal with an extremely broad expanse of
issues. Put simply, no matter how well intentioned, they have a lot on their plate. So there is a
risk that certain issues fall through the cracks.
Financial federalism can help address that issue.
Of course, state regulators by no means have a monopoly on the truth.
And there is a risk that they will become captured by and beholden to the industries they
regulate.
Or create fragmented rules across jurisdictions.
Indeed, it is important that states proceed with an appropriate sense of humility.
But if we get things right, if our efforts prove effective, we can perhaps serve as positive
examples and help spur a race to the top.
***
Of course, some may argue that financial federalism is no longer necessary more than six years
after the financial crisis.
They may say that the destruction wrought by the crisis served as shock therapy for federal
regulators.
And that we now inhabit an era of hyper-regulation and hyper-enforcement on Wall Street.
In other words, after a period of light-touch regulation in the run-up to the crisis, they argue
that the pendulum has now swung too far the other way.
There is something to the idea that we live in an era of heightened regulatory scrutiny
certainly relative to the early part of the last decade.
That said, we still believe that financial federalism can play an important role in todays
environment.
Notwithstanding Dodd-Frank, there is still a very robust and unresolved debate occurring right
now about what our post-crisis regulatory architecture is going to look like. The new rules are
still being written.
We are also still debating the most effective ways to hold those who engage in wrongdoing to
account and deter future misconduct.
Indeed, I dont think anyone at the federal or state level would argue that we have
completely figured out how to prevent a repeat of the 2008 crisis.
Or that we already have all the right rules, regulations, and oversight structures in place.
In truth, that is an ongoing project that will never be complete.

And simply having the right rules on the books is not enough if we are unwilling to enforce
them effectively and aggressively.
As such, the need for financial federalism has by no means disappeared.
***
So, I have described, in broad terms, what we mean by Financial Federalism.
I would now like to turn to some concrete examples of that principle in action.

First, I would like to discuss Wall Street accountability in the wake of the financial crisis.

Second, helping prevent money laundering in the financial sector.

And third, strengthening cyber security in the financial markets.

Wall Street Accountability in the Wake of the Financial Crisis

Let me start with Wall Street accountability.
In the wake of the financial crisis, many Americans have been deeply disappointed by efforts to
hold individual, senior executives on Wall Street accountable for misconduct.
That is not simply the opinion of far-left commentators. It is a decidedly mainstream view.
For example, Senator Chuck Grassley Republican Chairman of the Senate Judiciary Committee
has repeatedly and forcefully decried the lack of criminal prosecutions against individual bank
executives on Wall Street.
Senator Richard Shelby Republican Chairman of the Senate Banking Committee recently
expressed concerns that Wall Street executives were trying to buy their way out of culpability
by instead having their corporations simply pay big fines.
Former Treasury Secretary Timothy F. Geithner has also, for one, written that there was an
appalling amount of mortgage fraud during the credit boom. And that the American people
deserved a more forceful enforcement response than the government delivered.
Another former Treasury Secretary, Larry Summers, signed onto an important report the Center
for American Progress released last month that noted:
Current procedures for dealing with misconduct by financial-sector participants are manifestly
inadequate as evidenced on the one hand by the pervasiveness of malfeasance in areas ranging
from money-laundering controls, to market manipulation, to mortgage marketing, and
foreclosure implementation and, on the other, by the almost total absence of successful
prosecutions of individuals.
Indeed, we almost always see bank settlements where a corporation writes a big check to the
government without any individual Wall Street executives held to account.

It should come as little surprise then that we continue to see fraud, after fraud, after fraud on
Wall Street since the individuals who engaged in the wrongdoing rarely, if ever, face any real
consequences.
Now, real deterrence, in our opinion, means a focus not just on corporate accountability, but
on individual accountability.
After all, if you think about it for a second, what is a corporation? It is just a group of people.
The corporation itself is just a legal fiction. It hasnt acted.
Corporations are made up of people. If there is wrongdoing at a corporation, that wrongdoing
was committed by people.
Of course, penalties imposed at the corporate level are often an important and necessary tool
in our enforcement tool belt particularly as it relates to organization-wide failures of oversight
or compliance.
But more and more often it feels like we are discussing a corporations wrongdoing without
detailing who exactly did what wrong.
And, in my opinion, if in any particular instance we cannot find someone, some person, to hold
accountable, that just means we have stopped looking.
Moreover, even if there are certain circumstances where the misconduct does not rise to the
level of criminal fraud, civil financial regulators can also play a role in imposing individual
accountability.
While NYDFS does not have authority to bring criminal prosecutions, it has taken a number of
actions to expose and penalize misconduct by individual senior executives including all the
way up to the C-Suite, when appropriate.
For example, NYDFS required the Chief Operating Officer of Frances largest bank, BNP Paribas,
and the Chairman of one of the United States largest mortgage companies, Ocwen Financial, to
step down as part of enforcement actions brought against those companies.
The Department has also banned multiple senior executives from participating in the
operations of NYDFS-regulated institutions for engaging in misconduct.
I by no means claim that our agency has squared the circle on enforcement. I doubt we get it
right in every case.
But we have sought increasingly to move toward individual accountability in the resolution of
these settlements.
And it is our hope that it will help spur others to do the same.
Preventing Money Laundering (Transaction Monitoring and Filtering Systems)

So, we need more individual accountability after misconduct occurs to help produce real
deterrence.
But there is also more we can do to prevent some of the most serious misconduct we have
seen, which brings me to my second topic: The somewhat obscure but vitally important issue of
transaction monitoring and filtering systems.
That sounds like a dry issue, admittedly. But improving those systems is critical to stopping
dangerous criminal activity, including terrorism.
And it is our hope that our actions in this area will help encourage other regulators to consider
similar measures.
Let me explain: Every day, hundreds of millions of transactions through the bank payments
system move hundreds of billions of funds around the globe.
Naturally, bank employees cannot manually check every one of those transactions for evidence
of criminal or illicit activity. The volume is just too high.
As a result, banks rely heavily on automatic transaction monitoring and filtering systems to help
flag suspicious payments for further review by compliance personnel.
Transaction monitoring works by running transactions through various detection scenarios that
are designed to create alerts that show patterns of money laundering or red flags, such as highvolume transaction activities.
But and this is a truly frightening question to ask what if those monitoring and filtering
systems are flawed or ineffective?
That would create a gaping loophole in our financial system that terrorists, drug dealers, and
other violent criminals could exploit.
Problems with transaction monitoring and filtering systems can be the result of one of two
situations:
First: Through inadequate or defective design, or programming of the monitoring and filtering
systems, faulty data input, or a failure to regularly update these detection scenarios, which may
be attributed to lack of sophistication, knowledge, expertise, or attention by the management
and/or employees.
Or two, perhaps more disturbingly, willful blindness or intentional malfeasance by bank
management, or employees who, for example, turn down the sensitivity of the filters so the
systems do not generate enough alerts and therefore suspicious transactions go undetected.
We have already seen an example of faulty filters at one large bank we regulate when an
independent monitor we installed found that the firm failed to flag millions of suspicious
transactions. As a result, last year, we brought a significant enforcement action against that
bank for those failures.

We basically ran the companys transactions through our own filtering system and compared
the results. This was a new approach. In the past, regulators have largely relied on selfreporting by firms that discover one way or the other that banned transactions occurred for
some reason. What regulators have not done is actively tested the effectiveness of the filtering
systems banks are using. That needs to change.
A whack-a-mole approach simply bringing enforcement actions when we find problems is
not, by itself, enough. Particularly because we believe there are likely widespread problems
with transaction monitoring and filtering systems throughout the industry.
As such, we need a more holistic solution. Something needs to be done.
And the stakes are incredibly high.
Money is the oxygen feeding the fire that is terrorism. Without moving massive amounts of
money around the globe, international terrorism cannot thrive.
Accordingly, we are considering a number of measures to address this issue.
First, we are considering random audits of our regulated firms transaction monitoring and
filtering systems, employing the same methodology our independent monitor used to spot
deficiencies.
Second, since we cannot simultaneously audit every institution, we are also considering making
senior executives personally attest to the adequacy and robustness of those systems.
This idea is modeled on the Sarbanes-Oxley approach to accounting fraud.
We expect to move quickly on these ideas and to the extent they are effective we hope that
other regulators will take similar steps.
Cyber Security in the Financial Sector
The final topic I would like to discuss is cyber security in the financial markets.
At DFS, we believe that cyber security is likely the most important issue we will face in 2015
and perhaps for many years to come after that.
A question we often get as financial regulators is: What keeps you up at night?
The answer is a lot of things. But right at the top of the list is the cyber security at the
financial institutions we regulate.
I am deeply worried that we are soon going to see a major cyber attack aimed at the financial
system that is going to make all of us to shudder. Cyber hacking could represent a systemic risk
to our financial markets by creating a run or panic that spills over into the broader economy.
Indeed, we are concerned that within the next decade (or perhaps sooner) we will experience
an Armageddon-type cyber event that causes a significant disruption in the financial system for
a period of time what some have termed a cyber 9/11.

And we worry that, when that major cyber event happens, we will all look back and say, How
did we not do more to prevent it?
Of course, the question, then, is: What should we do to help prevent that nightmare scenario?
We do not profess to have all the answers at DFS. But we are spending a lot of time working on
concrete actions to help strengthen cyber security at our regulated institutions.
In particular, we are focused on ways to incentivize market participants to do more to protect
themselves from cyber attacks.
This issue is also clearly at the top of the agenda for federal regulators. Sarah Bloom Raskin
the Deputy Treasury Secretary in particular has been a leader on these issues.
But I believe this area is one example where even though federal regulators are very focused
on the problem there is still room for financial federalism at the state level in experimenting
with various solutions.
Given the magnitude of the problem, we need all the ideas and proposals we can get.
With that in mind, I would like to briefly outline several DFS initiatives in this area.
First, we are revamping our regular examinations of banks and insurance companies to
incorporate new, targeted assessments of those institutions cyber security preparedness.
The idea is simple: If we grade banks and insurers directly on their defenses against hackers as
part of our examinations, it will incentivize those companies to prioritize and shore up their
cyber security protections.
Indeed, institutions care deeply about their examination grades since those scores can impact
their ability to pay dividends, or enter new business lines, or acquire other companies.
Second, we are considering steps to address the cyber security of third-party vendors, which is
a significant vulnerability.
Banks and insurers rely on third-party vendors for a broad-range of services whether it is a
law firm that provides them with legal advice or even a company that is contracted to run their
HVAC system.
Those third-party vendors often have access to a financial institutions information technology
systems which can provide a backdoor entrance for hackers.
In many ways, a companys cyber security is only as strong as the cyber security of its thirdparty vendors.
As such, we are considering mandating that our financial institutions receive robust
representations and warranties from third-party vendors that those vendors have critical cyber
security protections in place.

In other words, those third-party vendors will have to strengthen their cyber security or risk
losing out on business from those financial institutions.
That is tough medicine, but we believe it is likely warranted given the risks that cyber hacking
presents to the stability of our financial markets and economy.
Third, I would like to discuss something called multi-factor authentication.
Our Internet architecture has grown up over the years with a username and password system
for verifying our identities.
That has proven to be a very vulnerable system.
The password system should have been dead and buried many years ago. And it is time that we
bury it now.
All firms should be moving towards and many of them already are a multi-factor
authentication system.
In a multi-factor authentication system, you still have a username and a password, but there is
also a second layer of security.
For example, when you attempt to log in, you could receive an immediate, randomly generated
additional password that is texted to your phone.
As a result, if someone steals or guesses your password, they would not be able to get into the
system unless they also have your cell phone.
That simple, extra step can actually prevent a significant amount of hacking. And it is something
all firms should do.
In fact, we are currently considering regulations that would mandate the use of multi-factor
authentication for our financial institutions. We would be the first financial regulator to take
this step.
We still have some work to do when it comes to crafting our new cyber security examinations,
as well as any potential regulations related to multi-factor authentication and third-party
vendors.
In particular, we need to be careful to make sure that they do not place an undue burden on
smaller institutions, such as community banks.
But if we get the balance right, perhaps these steps can serve as a positive model for other
regulators as we all confront this critical issue.
We will never eliminate the risk of cyber hacking entirely. But we must do everything we can so
that we do not look back years from now after a devastating attack and ask ourselves: Why
didnt we see this coming? And why didnt we do more?
Conclusion

To conclude, I have just discussed three areas (1) Wall Street accountability; (2) moneylaundering prevention; and (3) cyber security where I believe financial federalism can play a
constructive role.
It is worth stressing again, however, that we do not profess to have a monopoly on the truth in
these or other areas.
As a state financial regulator, it is important that we proceed with an open mind, consider
feedback, and course correct when necessary.
And just as we hope that federal regulators will consider our ideas we will always humbly
consider federal regulators points of view when formulating our policy proposals.
Financial regulation is an incredibly difficult and dynamic endeavor.
Our resources are not unlimited. And regulators are all too often outmatched and outgunned
by the firms we oversee.
We will always run slightly behind them it is just a matter of how far.
As such, we need all hands on deck at all levels of government to help secure the stability of
our financial markets and our economy.
Thank you and I look forward to answering your questions.