PRESCRIPTIVE REGULATION WON’T STOP THE CYBER CRIMINALS

At the FCA’s Fighting Financial Crime conference in London on 10^th November, Chief Executive Andrew Bailey highlighted the role of regulation in the battle against financial crime. Ray Pompon, Head of Information Security, North America and Asia, at Linedata, offers his thoughts:

“The proliferation of digital technology has given criminals an array of tools which can be used to exploit innocent parties. The battle against cyber-crime requires tenacity and proactivity, and the challenge for regulators is to encourage businesses to adopt effective defences in protecting ourselves and customers.

“Andrew Bailey highlighted the great debate about the role of the regulator: whether they should mandate companies to follow prescriptive rules, or whether businesses should instead be judged purely on the outcomes of their security efforts. In a vacuum, both have their advantages. Prescriptive rules are attractive because a regulator can clearly assess whether a business is compliant on a line-by-line basis. The effectiveness of this approach is reliant upon the regulator choosing the right rules in the first place.

“An outcomes-based approach is vastly more complex, and requires a large degree of interpretation and analysis. However, due to the fact that the implementation will be more flexible, it should reflect the idiosyncrasies of each business more accurately, including its particular systems, customers and processes. This, in principle, should allow companies to build the most effective approach to protecting themselves from financial crime rather than simply adhering to a set of pro-forma rules.

“The final consideration is the customer: in reality, all companies are judged by their customers. The fact that a business is totally compliant with a set of prescriptive rules holds little sway with a group of customers who have been affected by financial crime, and organisations understand that rebuilding trust is difficult, costly and time-consuming. For that reason, forward looking businesses will be judging themselves on outcomes-based criteria irrespective of the regulators input. While minimum standards are to be encouraged, and the rules-based regulation is a necessity, it is a focus on outcomes which will allow businesses to build the greatest protection and resilience.”

At the FCA’s Fighting Financial Crime conference in London on 10^th November, Chief Executive Andrew Bailey highlighted the role of regulation in the battle against financial crime. Ray Pompon, Head of Information Security, North America and Asia, at Linedata, offers his thoughts:

“The proliferation of digital technology has given criminals an array of tools which can be used to exploit innocent parties. The battle against cyber-crime requires tenacity and proactivity, and the challenge for regulators is to encourage businesses to adopt effective defences in protecting ourselves and customers.

“Andrew Bailey highlighted the great debate about the role of the regulator: whether they should mandate companies to follow prescriptive rules, or whether businesses should instead be judged purely on the outcomes of their security efforts. In a vacuum, both have their advantages. Prescriptive rules are attractive because a regulator can clearly assess whether a business is compliant on a line-by-line basis. The effectiveness of this approach is reliant upon the regulator choosing the right rules in the first place.

“An outcomes-based approach is vastly more complex, and requires a large degree of interpretation and analysis. However, due to the fact that the implementation will be more flexible, it should reflect the idiosyncrasies of each business more accurately, including its particular systems, customers and processes. This, in principle, should allow companies to build the most effective approach to protecting themselves from financial crime rather than simply adhering to a set of pro-forma rules.

“The final consideration is the customer: in reality, all companies are judged by their customers. The fact that a business is totally compliant with a set of prescriptive rules holds little sway with a group of customers who have been affected by financial crime, and organisations understand that rebuilding trust is difficult, costly and time-consuming. For that reason, forward looking businesses will be judging themselves on outcomes-based criteria irrespective of the regulators input. While minimum standards are to be encouraged, and the rules-based regulation is a necessity, it is a focus on outcomes which will allow businesses to build the greatest protection and resilience.”