Financial institutions are subject to legal, operational, and accounting mandates requiring that they perform as intended. Increasingly, those mandates are met through competent management of cryptographic keys and resources. Competent key management, in turn, requires agile solutions that enforce policy, stay ahead of new attacks, and eliminate governance headaches.
The Sarbanes Oxley Act
The law expects a financial institution to report its financial condition accurately. Financial reports are critical to the institution’s function in the market. But to report accurately, the institution must implement strong accounting processes and controls.
How does the law make sure those controls are in place? In the US, the Sarbanes-Oxley Act requires executives of publicly traded institutions to periodically certify that they have overseen responsible internal controls for reporting financial condition.
Under this requirement, executives are personally liable if they sign a certificate knowing it is wrong. To give an example, suppose a bank executive signs a certificate on internal controls, while knowing that the controls for protecting cryptographic keys are weak. The executive could be personally liable for the false certification.
What is the Cost of Weak Controls Over Financial Reports?
Weak controls over a cryptographic key can be catastrophic. In 2020, the master PIN key for bank payment cards at South Africa’s Postbank fell into the hands of dishonest employees. The bank suffered $3.2 million in fraudulent transactions and incurred an estimated $58 million in expenses replacing 12 million customer cards. These losses ultimately cost the bank’s investors (stakeholders).
The disaster at Postbank can be understood this way: Before the theft, the bank had reported its financial condition to stakeholders like insurers, creditors, and shareholders. Stakeholders acted on this report by, for instance, selling insurance to the bank, purchasing the bank’s stock and bonds, or extending credit to the bank. But the financial report was inaccurate because it was based on the assumption that effective controls prevented abuse of the master PIN key. That assumption was wrong. Therefore, the financial condition of the bank before the theft was much worse than reported. Stakeholders were unable to act on accurate information. Stakeholders suffered by, for example, having to pay unexpected insurance claims or seeing the value of their stock and bonds drop. Stakeholders suffered because executives failed to diligently implement and review controls for reporting the status of assets like the PIN key.
The Role of Cryptography in Financial Institutions’ Internal Controls
Without internal controls, a financial institution is worthless. That is why, in the United States, the law (15 U.S.C. Section 78m(b)(2)(B)) requires publicly traded institutions to maintain reasonable controls for
- accurate financial accounting,
- the protection of assets, and
- the prevention of unauthorized transactions.
Today, the goals of internal enterprise controls are often achieved with cryptography. For financial institutions, cryptography supports:
- confidentiality (secrecy), so that adversaries cannot spy on operations or transactions
- authentication of people, machines, and transactions, so that an institution and its trading partners are assured who is acting and what the content of the action is
- integrity of records and documentation, so that third parties like courts or auditors can confirm the status of assets, liabilities, or internal processes
- segregation of duties among staff, so that multiple staff members serve as checks and balances against each other to prevent abuse and mistakes
- chronology, so that the time of events and transactions can be established
How Do Institutions Comply with Internal Controls Requirements?
To assure compliance with requirements for internal controls, financial institutions must by law satisfy outside parties such as auditors and regulators. The third parties must be able to test assets and processes and review documentation on them. Such testing and documentation increasingly depend on effective and verifiable use of cryptographic resources, including platforms for managing keys and certificates.
What Is the Cost of Failure to Comply with Internal Control Requirements?
Failure to comply with internal control requirements can lead to legal liability for an institution, as well as for its executives and members of its board of directors.
Last year, the now former CEO of one of the largest US banks, John Stumpf, was forced to pay a $17.5 million fine for encouraging unauthorized transactions. A decade earlier, he had nurtured a culture in the bank that motivated employees to foist unwanted accounts on retail customers, inconsistent with the bank’s policies. The unwanted accounts, such as credit card accounts, caused the bank to charge customers unexpected fees. In effect, by fostering a dishonest culture, Stumpf undermined the bank’s controls against unauthorized transactions.
Stumpf paid the fine to the Comptroller of the Currency, a US bank regulator.
Payment Vehicles and the Growing Complexity of Key Management
In keeping with mandates for internal control, financial institutions have come to rely on many different cryptographic resources, for a myriad of purposes. These diverse resources, ever-growing in number, require responsible key governance. Key governance must be fully understood by leadership and constantly reevaluated and improved.
Examples of common cryptographic resources are the components of the encryption ecosystem that underpins the automated clearing house (ACH) payment system in the US. The ecosystem supports diverse players, including banks, service providers, and payment originators. The players must use cryptography in compliance with the rules of NACHA, the Electronic Payments Association. Consistent with the rules, the different players deploy a variety of technologies for management of keys and other cryptographic resources.
The ACH rules change regularly, in good part to forestall attacks and potential disputes. Payment disputes are a genuine risk. Disputes have arisen on several occasions among Russian banks over whether the owners of private keys used them to initiate payments.
ACH is just one of many payment and trading methods that require institutions around the world to manage and protect cryptographic keys. The methods for payment and trading among institutions are expanding and diversifying.
In January of this year, the Office of the Comptroller of the Currency announced that US banks may now use stablecoin cryptocurrencies for bank payments.
Increasingly, cryptocurrencies and other blockchain applications are flourishing in mainstream finance. For instance, Bitcoin is the core asset owned by Grayscale Bitcoin Trust, a publicly-traded investment product registered with the US Securities and Exchange Commission.
For institutions, cryptocurrencies and other blockchain resources introduce a new realm of cryptographic key management: more keys, together with new issues for controlling the keys, developing policies on control, and documenting and monitoring use and control of the keys.
Cryptographic Governance Must Keep Up with a Changing Financial Landscape
Expectations for cryptography in financial services are rising. Technologies are changing, and threats are intensifying.
For an institution, cryptographic governance solutions must ensure keys and resources are not lost, stolen, or misused. Solutions must divide power and responsibility so that an institution’s custodians, employees and authorities (such as an audit committee) apply checks and balances against each other and cannot collude to commit fraud. Further, solutions must enable the institution’s leadership, as well as third parties like auditors and regulators, to readily confirm that intended controls are in place and management’s policies are enforced.
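The following is an added illustration, written for this page and not code from the article or any vendor, of one standard way to "divide power and responsibility" over a key: split knowledge, where a master key (such as the PIN key in the Postbank case above) is never held whole by one person but is stored as XOR components, each in the custody of a different person, so that reconstruction requires every custodian at a key ceremony. The key check value here is a truncated SHA-256 of the key; that is an assumption made to keep the example dependency-free, standing in for the AES-based key check value that payment HSMs compute. The custodian count and 16-byte key are constructed sample inputs.

```python
"""Split knowledge (dual/multi control) for a symmetric master key.

Added example for this page. A key is split into n XOR components held by
n custodians. Components 0..n-2 are uniformly random; the last is chosen so
that the XOR of all n equals the key. Any n-1 components are therefore
independent of the key: a single custodian, or any colluding minority,
learns nothing, and every candidate key is equally consistent with what
they hold.
"""
import hashlib
import secrets
from typing import Sequence


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must all have the key's length")
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> str:
    """Illustrative key check value: first 3 bytes of SHA-256(key), hex.

    Assumption for this example; payment HSMs use an AES-based KCV instead.
    The KCV reveals nothing useful about the key and can be recorded in the
    key-ceremony log so a reconstruction can be verified later.
    """
    return hashlib.sha256(key).digest()[:3].hex()


def split_key(key: bytes, n: int) -> list[bytes]:
    """Split key into n components; all n are needed to reconstruct it."""
    if n < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_components(components: Sequence[bytes]) -> bytes:
    """XOR all components together (the key ceremony's reconstruction step)."""
    if not components:
        raise ValueError("no components supplied")
    out = bytes(len(components[0]))
    for c in components:
        out = xor_bytes(out, c)
    return out


def reconstruct_and_verify(components: Sequence[bytes], expected_kcv: str) -> bytes:
    """Reconstruct the key and refuse it unless its KCV matches the logged one.

    A missing or tampered component yields a different key and a different
    KCV, so the ceremony fails closed rather than loading a wrong key.
    """
    key = combine_components(components)
    if check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch: wrong or missing component")
    return key


def completing_component(partial: Sequence[bytes], candidate_key: bytes) -> bytes:
    """Return the one missing component that would make `partial` reconstruct
    `candidate_key`. Such a component exists for EVERY candidate, which is why
    n-1 custodians cannot narrow down the real key at all."""
    return xor_bytes(combine_components(partial), candidate_key)


if __name__ == "__main__":
    master_key = bytes(range(16))          # constructed sample AES-128 key
    kcv = check_value(master_key)          # recorded in the ceremony log
    parts = split_key(master_key, 3)       # three custodians
    print("KCV:", kcv)
    for i, p in enumerate(parts):
        print(f"custodian {i} holds {p.hex()}")
    print("reconstructed OK:", reconstruct_and_verify(parts, kcv) == master_key)
    try:
        reconstruct_and_verify(parts[:2], kcv)   # one custodian absent
    except ValueError as e:
        print("with only two custodians:", e)
```

Use the `completing_component` function to show a skeptical custodian or auditor that any two of the three components are consistent with any 16-byte key whatsoever; the split gives them no advantage over guessing. Note that this is the control a dishonest insider at Postbank would have had to defeat by recruiting every other custodian, which is the point of segregating duties over the key.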
The Law Expects Institutions to Stay Up to Date
Financial institutions are under constant pressure. They face legal risks and compliance struggles in the context of rapidly changing technology. Their management of cryptographic keys and resources must be robust and flexible enough to keep pace.