Business Challenges Facing Financial Institutions

Media reports about financial institutions experiencing a data breach are not unusual:

• In 2019, Capital One reported a data breach involving sensitive information from over 100 million people. The hacker was a former employee at a cloud computing company used by Capital One.
• Equifax, a national credit reporting agency, reported a data breach in 2017. Hackers stole Social Security numbers (SSNs) and other personal information of 143 million Americans.
• In 2013, U.S. authorities arrested seven people who were part of a hacking network that targeted financial institutions around the world. The thieves used the data that they stole to withdraw over $45 million in cash from ATMs around the world.
• Heartland Payment Systems reported that hackers accessed its computer systems in late 2008. This company processed 100 million payroll and credit card payments per month for more than 250,000 businesses. The hackers might have had access to the system for a couple of weeks. The company reported over $170 million in losses from the breach.²
• A Wyoming bank employee accidentally sent an electronic file to an incorrect email address in 2009. The file contained the personal information of 1,300 bank customers.

Financial institutions collect and use sensitive consumer financial information and face many challenges in protecting this data. These challenges come from external threats such as hackers, as well as from insiders, and include malicious and nonmalicious actions. Scams that target financial institution customers include:

• Phishing scams designed to steal banking account credentials
• Identity theft schemes that borrow money or pass counterfeit checks in the victim’s name
• Mortgage foreclosure scams designed to defraud customers of money
• Investment scams with high-pressure sales tactics
• Tax scams from attackers demanding money for overdue taxes

Consumers demand that financial institutions protect their data and their money. They also want financial institutions to protect them from financial harm if this data is disclosed or stolen.

Consumers are not the only victims of identity theft. Financial institutions become identity theft victims when thieves use a consumer’s financial information to do business with the institution. Identity thieves can open bank accounts in the victim’s name and write bad checks, create counterfeit checks to use on a victim’s account, or take out loans in the victim’s name. Many bank rules and regulations force financial institutions to bear the cost of many of these actions. A recent study estimated that the global banking industry had over $18 million in cybercrime-related costs in 2018.³

The financial industry is highly regulated. These institutions must follow regulations designed to protect the security and privacy of data that they collect and use, which place a compliance burden on financial institutions.