Pros and Cons of New York’s Regulation of Financial Institutions and Chatbots

Chatbots, powered by artificial intelligence (AI), have become increasingly prevalent in the banking industry. The implementation of chatbots in banking increases customer satisfaction and loyalty by offering instant, round-the-clock support that can handle a large volume of customer queries and address them promptly. Around 37% of the U.S. population engaged with a bank’s chatbot in 2022, and this number is expected to increase in the future. Goldman Sachs launched AI technology called ChatGS AI to enhance its customer support procedures and boost efficiency within its customer service systems. This move is part of a trend in which many institutions are turning to chatbots as a more cost-effective solution than human customer service.

Background  

The evolving technological sophistication of chatbots in banking raises questions about cybersecurity policies, such as the New York Department of Financial Services Cybersecurity Regulation (Regulation 500). The NYDFS Cybersecurity Regulation establishes cybersecurity requirements for all Covered Entities (financial institutions and financial services companies). It requires Covered Entities to develop and implement an effective cybersecurity program, assess their cybersecurity risk, and develop a plan to proactively address risks.

What are the Key Components of the NYDFS Cybersecurity Regulation (23 NYCRR 500)?

The main goal of the regulation is to ensure comprehensive cybersecurity measures in financial institutions. This includes information security, access controls, business continuity planning, systems and network security, risk assessments, cybersecurity policies and procedures, third-party security, data retention policies, data security controls, detection of cybersecurity events, restoration of operations after an event, and third-party risk assessments. The regulation emphasizes the importance of aligning with industry best practices and ISO 27001 standards, while also requiring the use of qualified cybersecurity personnel, ongoing training and education, notification of cybersecurity events, and the implementation of multi-factor authentication.

Benefit of Third Party Regulations under 23 NYCRR 500

Many financial institutions use third-party vendors to store customer data and provide AI technology, creating another gateway for attackers to infiltrate customers’ networks through backdoors. This means third-party risk protections are crucial. By enforcing minimum regulations on vendors, financial institutions aim to enhance the security and integrity of sensitive data. High-profile incidents like the Target 2013 hack and the SolarWinds breach demonstrate the impact of such vulnerabilities.

Moreover, third-party risk protections promote transparency and accountability in the vendor relationship. By clearly defining minimum security requirements and establishing a vendor risk assessment framework, financial institutions set expectations and hold vendors accountable for meeting those requirements. This fosters a culture of shared responsibility and ensures that vendors prioritize cybersecurity measures and continuously enhance their security posture.

Furthermore, third-party risk protections support incident response preparedness. In the event of a cybersecurity incident, financial institutions need to restore normal operations promptly. By including third-party obligations in their incident response plans, organizations can outline the roles and responsibilities of vendors in responding to and recovering from cyber threats. This coordinated approach enhances incident response effectiveness and minimizes potential disruptions caused by third-party vulnerabilities.

Challenges of Third Party Regulations under 23 NYCRR 500

Third-party regulations can present certain burdens and challenges. Financial institutions face an increased compliance burden as they are responsible for ensuring their third-party vendors adhere to the stringent cybersecurity requirements. Financial institutions must allocate additional resources, time, and effort to effectively monitor and assess vendor compliance, requiring ongoing assessments and validations of their security practices and controls. Additionally, the regulations may impose limitations on vendor selection, potentially reducing the pool of available vendors and limiting competition and innovation in the market.

Utilizing third-party vendors in the development of chatbot technology has resulted in enhanced customer service and cost savings for financial institutions. By automating basic inquiries and transactions, chatbots handle routine tasks and increase operational efficiency. Reports show that, compared to human agent customer service models, chatbots deliver $8 billion per annum in cost savings, approximately $0.70 saved per customer interaction. Wells Fargo has utilized third-party vendors in the launch of Fargo, a new chatbot virtual assistant that uses Alphabet’s Google Cloud platform to process customers’ input and provide tailored responses. Additionally, U.S. Bank has introduced its Smart Assistant, exemplifying a new, growing reliance on chatbots in banking. However, this reliance on third-party vendors also introduces complexities and costs related to implementing and managing third-party risk programs. These complexities involve hiring specialized personnel, investing in cybersecurity tools and technologies, and conducting regular assessments. These expenses can add up and impact the overall operational costs of financial institutions.

Recent Advancements

Several advancements in chatbots in banking can help financial institutions comply with the regulations set by the New York Department of Financial Services (NYDFS). Here are some notable advancements:

  • Enhanced Security Measures: Implementing robust data encryption protocols, secure data storage, and adhering to industry-standard cybersecurity practices ensures compliance with NYDFS regulations and safeguards customer data.
  • Natural Language Processing (NLP) and Machine Learning (ML) Improvements: Continual training of chatbot algorithms on real customer interactions and incorporating feedback loops enhances their understanding of customer queries, improving response accuracy and aligning with the NYDFS’s focus on reliable customer information.
  • Contextual Understanding and Personalization: Leveraging customer data and contextual information enables chatbots to provide personalized recommendations and tailored banking services, enhancing the customer experience and meeting the NYDFS’s emphasis on meeting customer needs.
  • Continuous Monitoring and Compliance Auditing: Regularly reviewing chatbot conversations and conducting compliance audits helps identify and rectify any compliance issues proactively, ensuring compliance with NYDFS regulations and accurate information provision.
  • Regular Updates and Compliance Training: Staying updated with NYDFS regulations, incorporating regulatory changes into chatbot processes, conducting compliance training, and maintaining up-to-date documentation demonstrates commitment to compliance and customer data protection.
