By Toni Lapp
Which company should be held more liable? An employee of Business A scammed customers over the course of several years, and the company’s controls failed to detect the fraud until $22 million had been stolen. Business B deceived customers about information security practices, but never experienced a breach or incident of any kind.
If you thought Business A should be more liable, think again. The Consumer Financial Protection Bureau in March fined online payment platform Dwolla (Business B) $100,000.
“Dwolla claimed its data security practices exceeded industry standards,” said the CFPB in a news release. “They claimed also that they encrypted all sensitive personal information and that its mobile applications were safe and secure… Dwolla’s data security practices in fact fell far short of its claims.”
On the other hand, JPMorgan Chase has so far not been held liable for the actions of its employee, who pleaded guilty to embezzlement and securities fraud and was sentenced in March. These two cases speak volumes about risk management, said Steve Minsky, the developer of the Risk Maturity Model, a guide on enterprise risk management from the Risk and Insurance Management Society. He sees the Dwolla decision as a watershed moment in risk management.
“Giving a false picture of risk-management capabilities and representing something that’s not true to their customers and shareholders is negligence,” said Minsky. “Whether they (Dwolla) are doing it through fraud or accidentally, it’s the same outcome.”
In the first scenario, JPMorgan had controls in place, Minsky said. It was a rogue employee whose actions eluded industry best practices.
“Coming back to risk management,” Minsky noted, “fraud has been infrequently discovered through examining logs and audit trails. It usually comes from a tip.”
Given the rapid rate of innovation, old protections are often ineffective against new risks. For example, Minsky points to the use of red dye on currency as an outdated safeguard in an age when most money changes hands digitally. Minsky, who is also the CEO of LogicManager, sees common gaps in business risk-management approaches.
Too often, larger banks with numerous specialists in charge of specific risks collect the same information from vendors, rather than share information across the organization. He scoffs at the notion of gathering senior managers in an organization with five levels of management to discuss risks. That will only uncover the “known knowns,” rather than the “unknown knowns,” said Minsky.
The key, said Minsky, is empowering mid-level and front-line employees.
“Is risk management in people’s performance reviews? In their job descriptions? Are there systems for them to use, are they invited to the table? Or are they left out?”
Toni Lapp is senior editor of BankNews.