Doesn’t it seem like more than a year that we’ve been reading about the Wells Fargo scandal? I’m sure for anyone working at Wells, the ordeal feels like it’s already dragged on far longer than a year.
This anniversary came to mind when I attended Finovate’s Fall conference in New York City in mid-September. I vividly recall sitting in nearly the same seat at an earlier show when a news alert hit my phone with breaking news of Wells’ unauthorised account openings. The reactions of those seated near me ranged from jaw-dropped amazement to “What’s the big deal?” shrugs. Given the turmoil at Wells over the past year, I think we can agree which response was closer to the mark.
I had to check my calendar archive to convince myself this had occurred in September 2016 and not earlier. The timing was relevant because, as luck would have it, Equifax’s data breach became public knowledge just three days before the latest Finovate event. And though its roster was set well before such info was available, you can bet that every data-security-oriented solution on the agenda worked a reference to the mishap into their pitches.
Beyond the surface similarities (a sense of consumers’ personal information, financial privacy and trust being compromised), the two situations share little in common. Wells’ was an “inside job”, while Equifax’s defences were penetrated by nefarious outsiders. Wells’ incentive plans were crafted to boost revenue and unwittingly created an opening to pad bonus payouts. Nothing in Equifax’s misfortune seems to have been driven by a desire for personal enrichment, unless it’s determined the firm had underspent on cybersecurity. Deficiencies in corporate governance could be flagged as a root cause for both, but ironically it’s the Equifax situation that’s likely to have greater and farther reaching financial impact on the general population, extending well beyond Equifax’s “customers” – a group that’s not easy to define.
The trajectory of public fallout, however, looks all too familiar. There are plenty of calls for Congressional hearings and heightened regulation, and the intense scrutiny, combined with incessant demand for split-second responses, creates inevitable slip-ups, fuelling a continuing drip of awkward headlines. Witness Equifax itself retweeting a link to a phoney website purporting to help affected consumers.
There are enough legitimate questions to be answered that it’s a shame to watch the conversation pivot to off-base ones. I was pleasantly surprised to find little being made at first of the month-plus lag between Equifax learning of its breach and disclosing it publicly. Like clockwork, however, after a couple of weeks this too became part of the prevailing narrative. Consensus among security experts is that it’s very dangerous to announce a breach until you’re confident the perpetrators have been expunged from the system. If the bad guys know they’ve been found out while they still have access, the risk of even more catastrophic actions increases dramatically. So beating up the company on this point seems like piling on.
Mark your calendars: when Finovate again convenes in New York City in mid-September 2018, the odds are good that Equifax will still be dealing with the aftermath of the latest – and possibly most chilling – data breach. I hope they’re prepared for this kind of long game. And maybe, just maybe, Wells will be out of the headlines by then.
Meanwhile, credit unions can best serve their communities by equipping front-line staff with enough ongoing information to help members cut through the clutter. After all, in crises like these, Americans turn to their “trusted agent” for advice and security, making it a perfect opportunity for credit unions to reinforce those all-important relationships.
– This article is reproduced with kind permission. Some minor changes have been made to reflect BankNXT style considerations. Read more here. Image by Omelchenko, Shutterstock.com