In Wake of Revelations about Corruption and Coercion, OCC Wails about Bank Cybersecurity

Over 3 months ago, the Guardian revealed that the President reserved the right to declare “inherent right of self defense” to access private networks deemed part of our critical infrastructure in the name of cybersecurity.

2 weeks ago, the Guardian, ProPublica, and NYT reported that, to make it easier to spy on others, the NSA had “deliberately weakened the international encryption standards adopted by developers.”

Also 2 weeks ago, FP reported that “many corporate participants” in an NSA initiative to protect US critical infrastructure “say Alexander’s primary motive” in that initiative “has not been to share what the NSA knows about hackers. It’s to get intelligence from the companies.”

And just this week, Spiegel provided details of how NSA conducts Man-in-the-Middle attacks — hacks — on financial giants like VISA and SWIFT.

Yet none of those revelations prevented Comptroller of the Currency Thomas Curry to give a fairly breathtaking speech yesterday about financial cybersecurity.

In it, a member of the Executive Branch that has made everyone less security by corrupting encryption said,

The growing sophistication and frequency of cyberattacks is a cause for concern, not only because of the potential for disruption, but also because of the potential for destruction of the systems and information that support our banks. These risks, if unchecked, could threaten the reputation of our financial institutions as well as public confidence in the system.

A member of a regime that is routinely hacking financial entities said,

The global nature of the Internet means they can conduct their activity from almost anywhere, including in countries with regimes that, at worst, sponsor attacks and, at a minimum, act as criminal havens by turning a blind eye toward criminal behavior.

And a member of the government that has hacked key third party providers like SWIFT and cooperated with third party telecoms to just steal data said,

Banks not only operate their own networks, they also rely on third parties to support their systems and business activities. Some of these third parties have connections to other institutions and servicers. Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system.

I recognize the cybersecurity threat to banks is real. I’d like to be protected against criminals trying to steal my money online and I endorse OCC including IT security among things bank inspectors review. I grant that Curry may well be operating in good faith when he says all these things. But when he talks about partnerships like this, he simply loses credibility.

Clearly, much of the responsibility for assessing cyber threats is housed in other agencies, from the Department of Homeland Security to the FBI to the National Security Agency. They are on the front lines, and they are the ones that are doing the most within government to identify, evaluate, and respond to threats in this area. However, we – the OCC, the FFIEC, and the other regulatory agencies individually – are working closely with them to strengthen the coordination and overall effectiveness of government’s approach to cybersecurity of critical infrastructure.


But this is not a problem that can be addressed by one agency alone or by any one institution acting on its own. It is a threat that we can deal with only if we work together in a collegial and collaborative way for the good of our country.

The banks’ regulators may believe he is in a position to lecture about collegiality in the face of threats. But since the government is one of the biggest of those threats, it doesn’t strike me as all that convincing.

OCC Circles Back to JP Morgan’s Money Laundering

When I first read that the government was going to investigate JP Morgan Chase ∂for money laundering, I thought this was another case where the government continued to give wrist slaps–in the form of softball fines–to banks for behavior that never really changed. And to some degree that will be the case. After all, little more than a year ago Treasury’s Office of Foreign Assets Control accused Jamie Dimon’s company of a whole slew of things, including sending Iran a ton (literally) of gold bullion. And in spite of the fact OFAC said JPMC substantially cooperated with their investigation so they could give it a softball fine, the settlement actually made it clear they had done anything but. (Though the softball fine may have also had something to do with what I suspect was cooperation on setting up the Scary Iran Plot.)

So here we are again, investigating JPMC for money laundering. Again.

But I wonder whether this doesn’t reflect an effort on the part of the Office of Comptroller and Currency, which the NYT says is leading the probe, to improve on its past willful neglect in this area.

Regulators, led by the Office of the Comptroller of the Currency, are close to taking action against JPMorgan Chase for insufficient safeguards, the officials said. The agency is also scrutinizing several other Wall Street giants, including Bank of America.

The comptroller’s office could issue a cease-and-desist order to JPMorgan in coming months, an action that would force the bank to plug any gaps in oversight, according to several people knowledgeable about the matter. But the agency, which oversees the nation’s biggest banks, has not yet completed its case. JPMorgan is in the spotlight partly because federal authorities accused the bank last year of transferring money in violation of United States sanctions against Cuba and Iran.

Since OFAC let JPMC off with a wrist slap last year, the OCC has gotten a new confirmed head, Thomas Curry, from FDIC, and gotten rid of a corrupt Chief Counsel, Julie Williams. OCC also got hammered in Carl Levin’s report on HSBC’s money laundering.

To carry out [its oversight] mission, in the words of the OCC, it conducts “regular examinations to ensure that institutions under our supervision operate safely and soundly and in compliance with laws and regulations,” including AML laws. However, the HSBC case history, like the Riggs Bank case history examined by this Subcommittee eight years ago, provides evidence that the current OCC examination system has tolerated severe AML deficiencies for years and given banks great leeway to address targeted AML problems without ensuring the effectiveness of their AML program as a whole. As a result, the current OCC examination process has allowed AML issues to accumulate into a massive problem before an OCC enforcement action is taken.

Read more