The Office of the Comptroller of the Currency comptrollerThomas J. Curry (pictured) said financial institutions need betterpreparation for new payment system cyber-risks at the Emerging Payments Forum,hosted by BITS, the technology policy division of the FinancialServices Roundtable.

Curry said financial institutions need to be better prepared toaddress the cyber-risks associated with rolling out new paymentssystems.

“The same technologies many of you in this room have employed toprovide new and efficient delivery channels for your customers arealso being used aggressively by hackers and criminal elements,which brings me to the all-important question of cybersecurity,”Curry told executives at the forum. “Cybercriminals will also probeemerging payments systems for vulnerabilities that they can exploitto engage in money laundering, which has broad national securityimplications.”

Curry also emphasized, “I believe banks have an advantage overmany of their non-bank competitors in the cybersecurity andanti-money laundering arenas in part because of the regulatoryregime that they operate in and the industry's collective interestin protecting the security of the payments system.”

In addition to ensuring that banks adhere to various regulatorystandards and policy guidance, Curry said regulators provide anadditional set of highly trained eyes during the process ofdetermining what risks financial institutions face and how wellthey manage those risks. He also said regulators provide technicalexpertise that is particularly important to community banks.

Banking institutions must be well-informed about the risks tiedto emerging retail and wholesale payments methods, such as mobilepayments and digital currencies. He called for more regulatoryoversight of non-bank payments players, such as ApplePay and Google Wallet, with which banking institutionshave already built payments-related relationships.

“Regulation adds significant value in the areas that we'rediscussing today,” he said. “Efforts are well under way to bringe-commerce and emerging payments systems deployed by non-bankplayers under greater regulatory scrutiny.”

Curry also said banks and credit unions must take steps toensure cybersecurity throughout the payments chain, including atmerchants. Banks represent “the industry's collective interest inprotecting the security of the payments system,” he added.

By employing authority granted by the Dodd-Frank Wall StreetReform and Consumer Protection Act, banking regulators can do moreto oversee e-commerce and emerging payments players to ensure amore level playing field and protections for customers ofnon-banks, Curry said.

The FFIEC is recommending use of the self-assessment tool, oneof six key cybersecurity recommendations it announced in March thatit planned to include in updates and supplements to the InformationTechnology Examination Handbook.

“Banks have been the source of so many of the innovativeproducts and technologies of recent years,” he added. “Banks of allsizes are playing important roles as pioneers and partners in thedevelopment and adaptation of emerging payments technologies. Banksare engaged in organizations such as BITS and the Bank InnovatorsCouncil, through which they share brainpower and financialresources. Some banks are setting up innovation incubators, wherethey have the freedom to pursue, implement and field-test newtechnologies.”

Coincidental to the remarks was the latest breach report fromthe San Diego-based Identity Theft Resource Center that shows asignificant jump of nearly 58% in the number of breaches in thebanking/credit/financial sector over the same period last year.Next comes a 42.1% hike in the Educational sector and a 23.1%increase in the business sector. In contrast are the dramaticdecreases in the number of breaches in the government/military andhealthcare/medical sectors, down 45.2% and 27.1%, respectively.

Banking represents only 9.1% of the total of 103,340,565breached records recorded by the ITRC. That still accounts for403,531 records.