Remarks by

William J. McDonough
President
Federal Reserve Bank of New York

Conference on Electronic Security in the Payments System
March 17, 1997


I would like to begin by welcoming everyone here and thanking you for coming to this conference, sponsored by the Payments Risk Committee. For those traveling from out of town, I would also like to welcome you to one of the great places to be on St. Patrick's Day -- New York City. Although our "festivities" won't match those in the streets and bars today, this promises to be an exciting and timely conference.

The Payments Risk Committee, which comprises senior executives from several banks that are very active in the payments business, has been meeting at this Bank and considering ways to reduce risk in the payments system for several years. Their past work includes a helpful examination of Federal Reserve daylight overdraft pricing and an analysis of cross-border risks in securities settlement.

Electronic security is a particularly good issue for the Payments Risk Committee to tackle, particularly in light of some of the trends in banking and the payments business that I will discuss briefly. Our gathering today also provides me an opportunity to describe what the Federal Reserve is doing to try to improve electronic security both in the payments services we provide banks and through our supervisory role and to place our efforts in the context of national efforts to protect critical financial and economic infrastructures.

As President of the New York Fed and the Chairman of the G-10 Committee on Payment and Settlement Systems, I naturally take a great interest, like the rest of you, in ensuring the soundness and vitality of the payments system. At the international level, we are most concerned about systemic risk, and we have tended to focus much of our efforts on the related credit and liquidity risks. Operational risks, including electronic security, are also vitally important and they clearly deserve more of our attention. If a major payments system or a major clearing bank went down from operational failure -- either malicious or accidental -- it would create significant systemic problems.

While we have long recognized the importance of electronic security in reducing operational risk, changes in the financial sector specifically and the economy more broadly highlight the increased need for effective electronic security:

1) The combination of growing volume and complexity of financial market transactions, technological advances and the never-ending drive toward greater efficiencies have spawned increased reliance on automated systems for processing. In particular, we have seen the development of sophisticated straight-through-processing systems at many institutions. As financial institutions now rely so much more heavily on electronics to store and transmit essential information, their vulnerability to electronic security threats inevitably increases.

2) The financial sector is undergoing an electronic transformation with remote, electronic delivery systems that allow customers to access accounts and effect payments through personal computers either with a direct connection or, as is becoming increasingly common, through the Internet. These systems will allow firms to provide services at a lower cost and will increase access for their customers. But, just as opening a bank vault each morning creates risk, opening the electronic vault exposes firms to a threat that must be managed carefully.

3) With the growth of the Internet and electronic commerce, there has been much greater public attention paid to electronic security protections and, in particular, encryption technology. From hacker discussion groups on the Internet to textbooks that detail encryption techniques for the layperson, it is surprisingly easy to develop a sophisticated understanding of major electronic security protections. This increases the imperative that firms incorporate the most advanced protection methods and remain at least one step ahead of potential perpetrators.

4) Computer software has become progressively more complex as users demand more functions and increases in processing power allow ever greater amounts of computer code to be added without sacrificing operating speed. The Year 2000 problem highlights how seemingly innocuous computer programming practices can become a hidden threat. But the problem created by complex software extends beyond the Year 2000. The recently publicized security flaws in commercial versions of Internet browsers show that even the best software designers do not always provide the level of security that they claim.

5) The value of large-value electronic payments has grown much more rapidly than the rest of the economy over the past two decades, increasing the consequences of any major operational failure. The nation's largest funds payment system transferred value equal to the U.S. GDP every six days during 1996 -- that's almost six times as rapid as twenty years ago.

6) The nature of threats to our society is changing. Terrorists seeking to damage a nation's economy could choose to attack part of its payments system. And, when a popular novelist writes about the potential for an attack on a vital securities settlement system, it reinforces the importance of investing in off-site backups and redundancies for key systems.

These are just a few of the trends that highlight the importance of electronic security. Last year, the CPSS led an extensive research effort on one aspect of these trends, publishing a report on the security of electronic money that was put together under the direction of Israel Sendrovic from this Bank. What we found is applicable to all areas of electronic security -- that measures exist which enable the risks to be controlled, but that no single security measure or set of measures can provide a guarantee of complete protection. Indeed, it is the combination of security measures within an overall approach to risk management together with the rigor with which the measures are implemented and administered that serves to reduce risk most effectively.

Bringing the issue closer to home, the Federal Reserve views maintaining the security of payments services we provide as one of our most fundamental missions. Fedwire has three levels of contingency. Each of these levels of contingency is supported by backup arrangements for telecommunications and electrical power. We believe that Fedwire is such an essential part of our financial markets that even a relatively brief down time is not acceptable. In addition, we are working on improving our already high encryption standards to provide an even greater level of electronic security.

We have also formed our own information security team at the New York Fed to evaluate and issue guidance on information security in the financial services industry. This team has recently started its work and is in the process of analyzing how information security is being applied at the financial institutions we supervise. Our goal is to provide guidance to the financial sector through supervisory policy, examiner training and conferences involving bank and financial services professionals.

We view our efforts to improve electronic security in the Second District as complementary to broader national efforts. In July 1996, President Clinton formed the President's Commission on Critical Infrastructure Protection, which has identified banking and finance as one of seven infrastructure elements that are critical to the nation. The Commission intends to identify major physical and cyber threats to the infrastructure and recommend investment strategies to mitigate the effect of these threats. In addition, the National Security Telecommunications Advisory Committee's Information Assurance Task Force is also in the process of assessing the security of the nation's financial services infrastructure. We look forward to incorporating their findings into the work we are completing.

If one point emerges from the work we have completed so far, it is the need for senior management to treat electronic security as a dynamic, evolving challenge. Systems and procedures that provide comfort today will be insufficient tomorrow as technology changes and as threats to your systems change. Along the lines of the sophisticated approaches designed to measure and manage market-based risks, firms will have to develop dynamic methods of evaluating the adequacy of electronic security.

I am also convinced that it is a mistake for senior management to view electronic security as a black box. It is critical for all key decision makers to understand the capabilities and the limitations of the technology being employed.

We are lucky to have presenters today who can give us a great deal of practical guidance from their own or their firms' experiences. I would like to thank Dick Matteis, Chairman of the Payments Risk Committee, and his colleagues on the Committee for sponsoring this conference. I will now turn the podium over to Dick, who will lead us through the afternoon events.
