In a pair of priority open recommendations, the Government Accountability Office said the Federal Reserve and the Securities and Exchange Commission have succeeded in establishing coordination mechanisms with other federal regulators and financial working groups to identify the risks posed by blockchain-related products and services. But neither the Fed nor the SEC has “regularly” convened those bodies since the GAO delivered its recommendation in August 2023.

Lacking a cadence in convening these groups, the GAO said, means both agencies are unable “specifically to identify the full range of risks and regulatory challenges of existing and emerging blockchain products and services and provide a timely response to any unaddressed risks.”

The Fed, which neither agreed nor disagreed with the GAO’s recommendation, said it “routinely engages with the other federal financial regulators on emerging risks posed by blockchain-related products and services.” The banking regulator noted that it participates in information-sharing on identifying blockchain risks with other regulators in the Digital Asset Working Group, but the GAO is pushing for “planning processes for identifying and addressing such risks” within that group. 

“Fully implementing this priority recommendation would help the Federal Reserve and other financial regulators collectively identify risks posed by blockchain-related products and services and develop and implement a regulatory response in a timely manner,” the GAO stated.

The SEC, meanwhile, told the GAO that it works to identify crypto-related risks in the agency’s work with the Financial Stability Oversight Council, the President’s Working Group on Financial Markets and some international bodies. FSOC “established a coordination mechanism” through the Digital Asset Working Group, the SEC reported to the GAO, adding that the working group “meets regularly and has discussed a variety of topics, including regulatory developments, rulemakings, risks, data collection, and market developments.”

The GAO called the Digital Asset Working Group “a positive step,” but prodded the SEC to embrace planning documents.

“Such planning documents could include (1) objectives and meeting frequency; (2) processes for identifying the full range of risks and regulatory challenges concerning blockchain-related products and services (not only those related to financial stability); and (3) processes for responding to these risks and challenges within agreed-upon timeframes,” the GAO said.

Beyond blockchain, the GAO re-upped a second priority recommendation to the Federal Reserve, which was originally delivered in 2019. The watchdog wanted the Fed, along with other banking regulators and the Consumer Financial Protection Bureau, to finalize “written communication that gives banks specific direction on the appropriate use of alternative data in the underwriting process when partnering with fintech lenders.”

The Fed teamed with the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency a year ago in issuing interagency guidance on third-party risk management, but the GAO said that the guidance falls short on specificity.

The guidance “does not include specific direction to banks that engage with fintech lenders on the appropriate use of alternative data in the underwriting process,” the GAO wrote. “Rather, the guidance broadly applies to all topics and third-party relationships. Accordingly, it does not address specific topics, such as the use of alternative data, or specific types of third-party relationships, such as relationships with fintech companies.”

The post Fed, SEC need more consistent blockchain coordination, GAO says appeared first on FedScoop.

The product, watsonx.governance, is aimed at providing organizations with “nutrition label”-like detail about where and how any AI model gets the information for its outputs, so they can meet anticipated transparency and safety regulations, the company said. 

Rob Thomas, IBM’s chief commercial officer and senior vice president of IBM Software, told reporters Monday evening that while AI presents opportunities, it also poses a problem. 

“The problem is that if AI is a black box, and people are just inserting questions and answers come out, that’s a significant issue,” Thomas said. “Because nobody really believes that we can just trust what we’re told blindly.”

The announcement comes as interest in generative AI has soared with tools like ChatGPT, and governments race to create their own frameworks for how the nascent technology should be regulated. Last month, President Joe Biden announced his much-anticipated executive order on AI safety and security.

As interest in AI has grown for both the public and private sectors, so too have concerns about how the models produce their answers. The Government Accountability Office, for example, which is in the process of developing its own large language model, recently noted that it wants to avoid an “auto magical” interface that doesn’t explain its reasoning.

Thomas on Monday said he envisions both business and government use of the tool.

“I see application at every level of government,” he said. “Federal, obviously, state, local, anywhere that an organization is going to be using AI to drive some level of productivity, or … some level of better service to citizens. You really have to have the capability to explain what is going on, and why it’s happening when it is.”

Thomas said IBM has been in conversation with government entities primarily in the U.S., including state and local governments across the country, but he noted that this will be new territory for the government. 

Where companies have over 15 years of experience in meeting reporting requirements for their systems after the financial crisis, “it’s a bit newer in government,” he said. “So I think it will take some time. It will be a bit of a learning curve, but I expect it will happen pretty quickly.”

Chris Padilla, vice president of IBM government regulatory affairs, also noted the company’s recent conversations with government entities at the Monday event.

Padilla said IBM briefed financial officials Monday, including those from the Federal Reserve, the Federal Deposit Insurance Corp., and the Treasury Department. The company will also brief officials in Europe, including the European Parliament, on Tuesday. 

Watsonx.governance will be generally available for businesses to use in early December and can be used with AI models from IBM or other providers, including open source, according to a Tuesday release.

DefenseScoop reporter Brandi Vincent contributed to this article.

The post IBM envisions government, private sector uses for new AI ‘nutrition label’ tool appeared first on FedScoop.

An investigation by minority staff on the committee alleges that the equipment was compromised while the Fed employee was detained four times by Chinese government staff during a trip to Shanghai in 2019.

Officials working for China also used threats against the individual’s family in an attempt to coerce him to provide economic information and assistance, according to the report. Information copied from the detained Fed employee’s WeChat account included contact details for other federal government employees.

The report stated that China has targeted the U.S. Federal Reserve System since at least 2013, with the intention of undermining American economic and monetary policy. A 2019 bipartisan report previously detailed how China uses talent recruitment programs, including the Thousand Talents Plan, to target science and technology sectors.

The espionage allegations emerge amid heightened tensions between the U.S. and China, and after the Chinese government earlier this week warned of “serious consequences” if a trip to Taiwan by House Speaker Nancy Pelosi, D-Calif., goes ahead as planned.

The report also comes as widespread concerns over the ability of the Chinese government to compromise U.S. government IT systems. These include the prospect that China may be leveraging American-designed semiconductors to enhance its artificial intelligence capabilities, which may have sweeping civilian and military applications.

In the realm of quantum technology, where China and other nation states have made significant recent advances, cybersecurity leaders have warned that the technology may be used to break the public-key cryptography that secures most federal systems.

Sen. Rob Portman, R-Ohio, who led the report, said: “This investigation makes clear that China’s malign efforts at influence and information theft are not limited to science and technology fields — American economic and monetary policy is also being targeted by the Chinese government.”

“I am concerned by the threat to the Fed and hope our investigation, which is based on the Fed’s own documents and corresponds with assessments and recommendations made by the FBI, wakes the Fed up to the broad threat from China to our monetary policy,” Portman added. “The risk is clear, I urge the Fed to do more, working with the FBI, to counter this threat from one of our foremost foreign adversaries.”

China’s embassy in Washington D.C. did not respond to a request for comment.

The post China allegedly tapped computers and phones of Fed employee, Sen. Portman says in report appeared first on FedScoop.

Isolation highlights the problems of organizations lacking digital onboarding strategies, especially digital authentication, when a person can’t prove their identity face-to-face, said Kaitlin Asrow, fintech policy advisor at the Federal Reserve Bank of San Francisco.

Not until a person is authenticated can financial institutions obtain their consent to open an account or transfer data on their behalf.

“We need to actually develop these networks, come to a consensus on the different pieces of information that we want to use to build identities,” Asrow said during a KNOW Identity digital forum Tuesday.

Existing means of identification like driver’s licenses weren’t thought up with the digital transfer of information in mind and must be repurposed to streamline loans and disbursements — particularly important during a pandemic, Asrow added.

Letting third-party applications access and control accounts, known as open banking, would allow budgeting or tax preparation apps to verify their owners. That verification data could then be shared with interoperable networks, said Don Cardinal, managing director of the Financial Data Exchange.

“We’ve laid a lot of the pipes that I think will do that,” Cardinal said. “We just need to get everyone else wired up to the grid, if you will.”

In some cases, financial institutions can verify data useful to government, and other times government is the authoritative source — a bidirectional relationship, said Joni Brennan, president of the Digital ID & Authentication Council of Canada.

DIACC is working with federal and provincial governments, banks, telcos, and tech companies to develop a Canadian trust framework for digital identity infrastructure. The open banking model would allow banks to request and verify information to identify customers.

“We’ll have data that will be verifiable from banks; we ultimately will have data verifiable from governments,” Brennan said. “Who can get there first? I think that’s a big question, and I do think financial institutions are positioned today to move more readily.”

But governance is still critical to determine what data those institutions can verify, Brennan added.

The U.S. needs to develop a network of verifiers, including biometrics and Internet Protocol addresses, that consumers are aware of, Asrow said.

Those verifiers must also be universal, however.

“Biometrics might be a great tool but are usually only available if you’re working on more advanced phones,” Asrow said. “These systems need to be ubiquitous. They need to be available to all of our citizens.”

The post Government needs digital identity infrastructure now more than ever appeared first on FedScoop.

The Financial Transparency Act would see eight regulators adopt data collection and dispersion standards for the information they collect, including a move to electronic forms.

Data would be made electronically searchable and downloadable in bulk without license restrictions.

A common data structure would streamline agencies’ ability to garner insights from their information, said Hudson Hollister — founder of HData and before that the Data Coalition — at the Data Driven Government event on Wednesday.

“The reason why that is huge is that this means we turbocharge the power of the analytics that regulators can deploy in order to protect their constituencies, in order to enforce their rules, in order to do their jobs,” Hollister said.

The problem of entity identification — identifying relationships between data — when datasets are dirty would no longer be a problem in financial regulation if the bill passes, he added.

Improving data accuracy will also enable the development of regulatory technology, or RegTech, and artificial intelligence applications, said Craig Clay, a president at risk and compliance solutions company DFIN, in a statement.

All eight financial regulators within the Financial Stability Oversight Council would be affected: the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Housing Finance Agency, National Credit Union Administration, Office of the Comptroller of the Currency, Securities and Exchange Commission, and the Treasury Department.

“The benefits of applying data standards to financial regulatory information as proposed by this legislation are clear: reduced compliance costs for businesses, better information for investors, and a more efficient regulatory oversight system that can effectively identify and address bad actors,” said Nick Hart, CEO of the Data Coalition, in a statement.

Rep. Carolyn Maloney, D-N.Y., who chairs the subcommittee on investor protection, and Rep. Patrick McHenry, R-N.C., ranking member of the main committee, reintroduced the legislation.

Maloney said the bill would “bring financial reporting into the 21st century,” in the announcement.

“Technology plays a key role in how Americans pay bills, save for a home, or even start a new business — it just makes sense for financial regulators to use that same technology to make public data more easily accessible,” McHenry said in a statement.

The post This bill could ‘turbocharge’ financial regulators’ analytics appeared first on FedScoop.

As a result, CFPB hasn’t issued a Federal Risk and Authorization Management Program provisional authority to operate (P-ATO) for a cloud system supporting its Consumer Response Call Center.

The system itself wasn’t identified in the Federal Reserve Office of Inspector General evaluation of CFPB released July 1, but the agency uses five FedRAMP cloud systems: Amazon Web Services, Amazon’s Content Delivery Services, General Dynamics Information Technology’s Customer eXperience Platform, Salesforce Government Cloud, and CylancePROTECT.

“This oversight presents a heightened security risk, as this cloud system supports processes for consumers who file complaints on financial products and services,” reads the report.

The FedRAMP Joint Authorization Board issues P-ATOs allowing agencies to reuse previously evaluated cloud systems, which CFPB did in this case. But the agency must still issue its own P-ATO to accept the risk of using the system.

CFPB responded to the OIG report that a security assessment and authorization of the cloud system in question will be performed within 90 days.

FedRAMP was established in 2011 to authorize and continuously monitor cloud systems across agencies, but the OIG found that monitoring for security weakness isn’t always performed after deployment. That’s because CFPB lacked an accurate inventory of its cloud systems. However, the agency has since taken steps to automate the inventory process.

The third and final OIG recommendation is that CFPB verify sensitive bureau data is made unrecoverable when cloud providers perform electronic media sanitization — rather than taking them at their word.

CFPB plans to completely migrate to cloud infrastructure by 2022 to reduce costs, improve quality of service and ensure access to the best tech.

A second Federal Reserve OIG report is forthcoming detailing the effectiveness of bureau security for certain FedRAMP cloud systems.

The post Report: CFPB should assess risks to cloud systems before their deployment appeared first on FedScoop.

As part of its annual audit of the Schedules of Federal Debt — essentially the Treasury’s register of what the government owes to its creditors — the GAO also looks at the associated IT, which includes technology at the Treasury’s Bureau of the Fiscal Service (BFS) and also the Federal Reserve Banks. The GAO found new weaknesses in both.

At the BFS, the congressional watchdog agency reported that it “continued to identify deficiencies in Fiscal Service’s information system controls that, along with unresolved control deficiencies from prior audits, collectively represent a significant deficiency in internal control over financial reporting.” There were eight newly identified problems: Two were related to “access controls” and six were related to “configuration management,” the GAO said.

“Until these new and continuing control deficiencies, which collectively represent a significant deficiency, are fully addressed, there will be an increased risk of unauthorized access to, modification of, or disclosure of sensitive data and programs and disruption of critical operations,” the GAO said. “Therefore, these deficiencies warrant the attention and action of management.”

At the Federal Reserve Banks, the GAO reported that it identified “one new information system general control deficiency” related to a system maintained and operated by them. The problems in the banks’ system “did not contribute individually or collectively to the significant deficiency we identified” in the Fiscal Service’s system, the GAO said.

The reports, released Tuesday, don’t specify the exact nature of any of the new or previously identified problems. The GAO said it provided details to the Treasury and Federal Reserve Banks in reports that were for official use only. Information about the Schedules of Federal Debt is publicly available from the Bureau of the Fiscal Service, but given the importance of that data to the government and the U.S financial system, the GAO chose to restrict access to the descriptions of its IT concerns.

The Fiscal Service said that it “continues to work to address the 16 prior year recommendations that remained open as of September 30, 2018, and has established plans to address the nine new recommendations made in this year’s report,” the GAO said.

The Board of Governors of the Federal Reserve System, meanwhile, “stated that the agency takes control deficiencies seriously and that FRB management is currently in the process of addressing the new and continuing information system general control deficiencies,” the GAO said.

The post System that tracks federal debt needs security fixes, GAO says appeared first on FedScoop.

The Society for Worldwide Interbank Financial Telecommunication, or SWIFT, a global messaging service relied on by banks for international money transfers, has hired two large cybersecurity vendors and launched threat intelligence sharing and forensic analysis services for its customers, it announced Monday.

“Customer intelligence, including intelligence related to attacks that have ultimately failed, is crucial,” said Chief Technology Officer Craig Young, in a release announcing SWIFT had hired BAE Systems and Fox-IT.

Delft, Netherlands-based Fox-IT says it is Europe’s largest specialized cybersecurity company. BAE systems is a U.K.-based global defense contractor with a large cyber operation.

SWIFT said the contractors will complement its in-house cyber expertise and work closely with its newly formed Customer Security Intelligence unit “to support SWIFT’s customer information sharing initiative and to help strengthen cybersecurity across the global SWIFT community.”

According to the release, the new unit will conduct “forensic investigations on customer premises” where there has been an attack on the SWIFT system, the release said. These investigations “will complement the internal investigations being carried out by affected customers. SWIFT is also feeding related intelligence — in anonymized form — back to the wider SWIFT community in order to help prevent future frauds in customer environments.”

“Information we have already received from impacted banks has allowed us to identify new malware and to publish related [indicators of compromise] which are helping to protect” other customers, said Young, adding that timely information was vital to make sharing more useful.

“We therefore continue to remind customers that they are obliged to inform SWIFT of such incidents as soon as possible, and to proactively share all relevant information with us so we can assist all SWIFT users.”

In February, cyber thieves hacked into the Bangladesh central bank’s connection to the SWIFT network, which is where banks exchange messages authorizing international payments.

The hackers sent a series of payment instructions to the Federal Reserve Bank of New York, transferring $951 million from Bank Bangladesh’s account to financial institutions in the Philippines. Most of the transactions were blocked but $81 million went through and has never been recovered.

The post Global financial messaging system SWIFT hires cybersecurity firms appeared first on FedScoop.

(Federalpaymentsimprovement.org)

The Federal Reserve released a plan Monday for improving the speed and security of the more than $174 trillion in noncash payments made every year via credit cards, checks, third-party payment processors, virtual currencies and online transactions.

The proposal cites the increasing demand for real-time processing via high-speed networks and mobile devices, along with the growing number of threats to the security of sensitive data and their potential to erode public confidence in the electronic payment infrastructure, as the impetus behind the need for a strategy involving banks, financial companies and businesses of all sizes.

“This plan reflects the contributions and commitment of thousands of payment system participants who shared their expertise and perspectives during the past 18 months,” Esther George, president of the Federal Reserve Bank of Kansas City and a member of the Federal Reserve’s Financial Services Policy Committee, said in a statement. “Consequently, we believe the strategies and tactics in the plan have broad support and strong prospects for success.” George will serve as executive sponsor for the payment system improvement initiative, a joint effort of the Federal Reserve Banks and Board of Governors.

The strategy outlines five improvement goals for the payment system: speed, security, efficiency, timely international payments and greater collaboration throughout industry on making improvements to the system.

“A safer, more efficient and faster payment system contributes to public confidence and economic growth,” said Federal Reserve Board Gov. Jerome H. Powell in a statement. Powell will co-chair the initiative’s oversight committee.

“We know that markets move to real-time, and banking customers are no different,” said Ben Milne, chief executive officer of Dwolla Inc., a Des Moines-based mobile payment processor. “In a world measured by milliseconds, the value of a payment infrastructure that reduces bank transfer speeds from two to four days to under a second is incalculable. The Federal Reserve has laid out a clear vision of its expectations for an improved system so the question will be how strong and reactive can this approach be in such a quickly evolving environment.”

In 2012, the U.S. payment system processed approximately $122.4 billion in noncash payments worth more than $174 trillion. But the payment system infrastructure has not kept pace with the rapid introduction of new technologies, increase in user demand and the growing sophistication of cyber threats, the strategy states.

“The Federal Reserve believes that the U.S. payment system is at a critical juncture in its evolution,” the strategy document says. “High-speed data networks are becoming ubiquitous, computing devices are becoming more sophisticated and mobile, and information is increasingly processed in real time. These capabilities are changing the nature of commerce and end-user expectations for payment services. Meanwhile, payment security and the protection of sensitive data, which are foundational to public confidence in any payment system, are challenged by dynamic, persistent and rapidly escalating threats.”

The Fed said it plans to establish multiple task forces this year and is encouraging organizations to get involved through a new website, fedpaymentsimprovement.org. The Fed has scheduled a live webcast on the strategy for Jan. 29.

Read the full proposal, Strategies for Improving the U.S. Payment System, here.

The post Fed releases plan for improving payment system speed and security appeared first on FedScoop.

That remains a monumental task, but one where those efforts are building momentum, thanks in part to the emerging presence of chief data executives within federal agencies.

While data managers aren’t new, their role and authority have gained greater importance within the federal government following the release of the Obama administration’s
Open Data Policy in May 2013. Since then, the departments of Transportation and Agriculture, among others, have followed the lead of the Federal Communications Commission, the Federal Reserve Board and other agencies in appointing chief data executives to focus greater attention on data management.

Department of Homeland Security information sharing executive Donna Roy. (Credit: AFCEA Bethesda)

Donna Roy, executive director for the Department of Homeland Security’s Information Sharing Environment Office, has spent the past eight years working on cross-agency programs aimed at making data easier to share and more useful. Speaking at a forum hosted by
AFCEA Bethesda, Roy held up DHS’s Data Framework program as an example of what it and others are doing to make data more readily available and useful.

The data challenge that emerged from the Boston Marathon bombing, she said, is the extensive number of DHS systems — more than 40 — holding “somewhere over 900 data sets” that analysts must log on to. It’s a cumbersome process and easy to miss important information, she said.

The reason for that stems from the fact that “we have never separated our systems from our data,” she said.

“We’re starting to do that at the department … moving these highly valuable data sets” into what Roy referred to as a “data lake” — where department data information exists independently of the systems that the data was created on or might later be ingested into.

“And the way we do that … is to get really specific about how we use the data, how we promise the public we’re going to use the data — and ensure we go about … putting it into the data lake,” she said.

Roy used the analogy of how music files now can be played on a variety of technical platforms and devices, carrying with them supplemental information, such as images or a history of the artists, or coding that can contextually restrict how the file can be used.

Making DHS’s vast amount of data independent but also accessible only to those with the appropriate viewing privileges remains a massive challenge for the DHS officials.

The department, however, is making progress in recent months, Roy said, thanks to the DHS’s Data Framework, an information technology program that supports advanced data architecture and governance processes.

The
DHS Data Framework defines four elements for controlling data:

1) User attributes — which identify characteristics about the user requesting access, such as organization, clearance and training.

2) Data tags — which label the type of data involved, where the data originated and when it was ingested.

3) Context information — which combines what type of search and analysis can be conducted (or the function of the information), with the purpose for which data can be used.

4) Dynamic access control policies — which evaluate user attributes, data tags, and context and rules for granting or denying access to DHS data in the repository, based on legal authorities and related policies.

The data cleansing challenge

But finding and accessing the right data is only 20 percent of the data problem, she said. The other 80 percent of the problem “is all around making data usable, sanitizing the data as much as possible as it goes into the lake.”

“If you look at what most data scientists are doing, they’re doing mostly data janitor work,” she said.

Bobby Jones, acting chief data officer at the Department of Agriculture concurred, said that putting the policies and systems in place to clean up data – and generate clean data in the first place – is one of his top priorities.

“Data cleansing takes on a couple of connotations,” Jones said. The first involves cleaning the metadata – eliminating duplication, misspellings, broken URLs and other faulty tags. Jones, who also serves as deputy chief information officer for policy and planning at USDA, said his office is also developing automated scripts to speed up the metatag clean up process in the future, adding that the metatagging in 36 percent of the department’s datasets have been addressed since August.

The second focus, he said, is on the data itself. “The first thing we want to do is improve the machine-readable part of the data” by trying to convert more of the department’s documents into XML file formats and “increase our APIs so we have direct links to the information itself,” he said.

Knowing whether the department’s agencies are actually taking all the necessary steps to cleanse their data remains a central challenge, Jones acknowledged. To tackle that issue, department officials have assigned data stewards to each of USDA’s agencies and offices, to develop strategies and action plans to improve data management.

The Department of Transportation is also looking at ways to increase the underlying value of the data the department generates and collects.

Improving the value of data involves working with a range of entities outside of the department, said Daniel Morgan, who was recruited four months ago to become the Department of Transportation’s first chief data officer. That includes working with a host of state and local agencies, as well as “info-mediaries, who are trying to add value to our information,” he said.

Integrating and analyzing data is an essential part of DOT’s efforts to improve national highway safety. He explained how the department, for instance, pulls together data on the use of medications by truck drivers, combined with detailed accident reports and related road condition reports to look for ways to reduce motor vehicle fatalities.

But as chief data officer, Morgan also has a larger and longer-term role. Morgan has been charged with guiding DOT’s “intelligent transportation” strategies as vast amounts of real-time data from vehicles and traffic sensors begin to knit together in new and powerful ways.

“What you see is the convergence of electrical and civil engineering [disciplines] as well as transportation and adding an IT component, which is a big cultural change for the transportation” industry, he said.

It’s also a hint of the growing urgency federal officials face in getting on top of their data management policies.

The post Agencies lay groundwork to make data more valuable appeared first on FedScoop.