The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
Protecting the financial infrastructure Before the Committee on Financial Services, U.S. House of Representatives September 8, 2004 Introduction Thank you Chairman Oxley and Ranking Member Frank, for inviting me to discuss a matter of significant importance to our country: protecting our financial infrastructure. As we approach September 11, I would like to take a moment to honor the memory of those who lost their lives and to honor those who supported one another on September 11, 2001. Although the financial sector has years of experience dealing with operational disruptions caused by weather, power, and other critical infrastructure outages, the September 11 attacks had a profound effect on how the industry thinks about physical and cyber security as well as business-continuity planning. After the crisis subsided, sector participants, including the Federal Reserve, reflected on lessons learned and how they should be incorporated into daily business processes and business-resumption planning. My remarks today will highlight the actions the Federal Reserve took on September 11 and immediately following to maintain confidence in and restore the operation of our financial system. I will also focus on numerous steps that we and the other financial regulators have taken since September 11 to improve the resilience of--and to protect--the financial infrastructure. Response to September 11 On Tuesday, September 11, terrorists destroyed a portion of the critical infrastructure that supports the U.S. financial markets, disrupted communications networks, and forced numerous market participants to move to contingency sites. These challenges, along with the tragic loss of employees of a few major financial firms, complicated trading, clearing, and settlement of a number of financial instruments. Operational disruptions caused uncertainties about payment flows, making it difficult for the reserve market to channel funds to where they were needed most. Depository institutions that held more reserve balances than they preferred had difficulty placing and delivering the excess in the market; on the other hand, depository institutions awaiting funds had to scramble to cover overdraft positions. As a result, market participants experienced significant liquidity dislocations, and the demand for reserves grew rapidly. The Federal Reserve accommodated the demand for reserves through a variety of means, the relative importance of which shifted through the week. On Tuesday morning, shortly after the attacks, the Federal Reserve issued a press release stating that "the discount window is available to meet liquidity needs," thus reassuring financial markets that the Federal Reserve System was functioning normally. Borrowing by depository institutions surged to a record $45.5 billion by Wednesday. Federal Reserve discount loans to banks to meet liquidity needs dropped off sharply on Thursday and returned to lower levels by Friday. Separately, overnight overdrafts on Tuesday and Wednesday rose to several billion dollars, as a handful of depository and other institutions with accounts at the Federal Reserve were forced into overdraft positions on their reserve accounts. Overdrafts returned to negligible levels by the end of the week. Like their U.S. counterparts, foreign financial institutions operating in the United States faced elevated dollar liquidity needs. In some cases, however, these institutions encountered difficulties positioning the collateral at their U.S. branches to secure Federal Reserve discount window credit. To be in a position to help meet the enhanced need for funds, three foreign central banks established new or expanded arrangements with the Federal Reserve to receive U.S. dollars in exchange for their respective currencies. These swap lines, which lasted for thirty days, consisted of $50 billion for the European Central Bank, $30 billion for the Bank of England, and an increase of $8 billion (from $2 billion to $10 billion) for the Bank of Canada. The European Central Bank drew on its line that week to channel funds to institutions with a need for dollars. During that week, the disruption in air traffic caused the Federal Reserve to extend record levels of credit to depository institutions in the form of check float. Float increased dramatically because the Federal Reserve continued to credit the accounts of banks for the checks they deposited, even though the grounding of airplanes meant that checks normally shipped by air could not be presented to the checkwriters' banks on the usual schedule. Float declined to normal levels the following week once air traffic was permitted to recommence. Finally, over the course of the week, as the market for reserves began to function more normally, the Federal Reserve resumed the use of open market operations to provide the bulk of reserves. The open market desk accommodated all propositions for funding through repurchase agreements down to the target federal funds rate, operating exclusively through overnight transactions for several days. The injection of reserves through open market operations peaked at $81 billion on Friday. The combined infusion of liquidity from the various sources caused the level of reserve balances at Federal Reserve Banks to rise to more than $100 billion on Wednesday, September 12--about ten times the normal level. In addition to accommodating the heightened demand for reserves, the Federal Reserve took several steps to facilitate market functioning in the wake of the September 11 attacks. For example, the hours of the funds and securities transfer systems for U.S. government and agency securities operated by the Federal Reserve were significantly extended during the week after the attacks. From September 11 through the 21st, the Federal Reserve reduced or eliminated the penalty charged on overnight overdrafts, largely because those overdrafts were almost entirely the result of extraordinary developments beyond the control of the account holders. For four weeks after the attacks, the Federal Reserve Bank of New York liberalized the terms under which it would lend securities from the System portfolio, and the amount of securities lent rose to record levels in the second half of September. The Federal Reserve working with the National Communications System (NCS) also assisted market participants in restoring their telecommunications services. The markets and financial market authorities worked hard to restore operations, and market activity resumed relatively quickly after the attacks. By the week following September 11, the financial system had largely begun to function normally, although activities to address the aftermath of the attacks continued for some time. Steps Taken Since September 11 to Protect the Financial Infrastructure Within weeks of September 11, we initiated a self-assessment of our contingency arrangements across the Federal Reserve and embarked on forty initiatives, which we classified under five broad headings: Ensure continuity of Federal Reserve operations. Ensure market liquidity during a crisis. Ensure effective communications and coordination during a crisis. Improve resilience of the private-sector financial system infrastructure. Improve resilience of the telecommunications infrastructure supporting critical financial services. Some of the key steps the Federal Reserve has taken to improve our infrastructure and the delivery of critical central-bank and financial services include the following: We have developed plans to ensure that critical central-bank activities, supervisory functions, and financial services operations have sufficient redundancy in facilities and staff. We have enhanced and tested business-continuity arrangements for critical functions and business lines. Our facilities for providing critical financial services are backed up at fully operational, geographically diverse sites to ensure a speedy recovery even if the critical infrastructure is disrupted across multistate areas. We have enhanced our resiliency for discount window lending and cash services provided by the Reserve Banks. We have improved our tools and authority to provide liquidity in a crisis. In 2003, the Board established the primary credit program, as well as special arrangements for rapidly reducing the primary credit rate to the federal funds rate in an emergency. We also have improved the ability of the Board to approve the extension of emergency discount window credit. The federal financial agencies took immediate steps to work together to identify new vulnerabilities exposed by September 11. These efforts were coordinated under the umbrella of the President's Working Group on Financial Markets, the Financial and Banking Infrastructure Information Committee (FBIIC), and, for depository institutions more specifically, the Federal Financial Institutions Examination Council (FFIEC). The agencies have implemented a duty officer program and developed communications protocols for dealing with their staffs, regulated financial institutions, and the public. We have also developed and tested facilities for secure communication among ourselves and with other agencies. The agencies that participate in FBIIC, including the Federal Reserve, and that have direct supervisory and regulatory responsibilities for the financial sector have assessed potential system vulnerabilities. We have shared that information with the Department of Homeland Security (DHS). Indeed, I would like to commend the DHS for their work to share information and coordinate with the financial sector including the FBIIC during the recent elevation of the threat level to orange for financial services firms in New York City, northern New Jersey, and Washington, D.C. The timely communications and sharing of information enabled financial-sector participants and law enforcement authorities to take steps to mitigate risks so that customers of financial services firms were able to conduct business in the usual fashion. Financial-sector participants, including the financial regulators, strengthened business-resumption plans with an overall goal of ensuring the smooth operation of the financial system. Previously, terrorist attacks were treated as low-probability/high-impact events affecting a single institution. As a result of September 11, industry participants are now planning for events that affect wide areas, last longer, and involve loss of life or widespread destruction of property and information assets. The process of strengthening the resilience of the financial system and, in particular, organizations that could have a systemic effect if they were disabled, is being accomplished through the existing regulatory framework. More than a year ago, in April 2003, the Federal Reserve, the Office of the Comptroller of the Currency (OCC), and the Securities and Exchange Commission (SEC) issued an Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System. The paper formalizes a set of sound practices viewed as necessary by the agencies and the financial industry to ensure the rapid recovery of the U.S. financial system following a wide-scale disruption that may include loss or inaccessibility of staff. In particular, the paper articulates sound practices for resumption and recovery of critical clearing and settlement activities by core clearing and settlement organizations and financial institutions that play significant roles in critical markets by virtue of their market share (greater than five percent in one or more critical financial markets). The sound practices include establishing geographically dispersed backup facilities for clearing and settlement so that these organizations can meet recovery objectives within the business day if a wide-scale disruption takes place. Using their respective supervisory and regulatory processes, the agencies are conducting focused, ongoing dialogues with the organizations that are subject to the sound practices paper. Financial organizations are investing millions of dollars to implement the sound practices. Clearing and settlement organizations, which are the financial utilities for the U.S. financial system, have made substantial progress in improving their resilience and achieving out-of-region geographic dispersion between primary and backup operations facilities and data centers. Several have met or will meet the sound practices by year-end, with the remainder scheduled to complete implementation in the second half of 2005. Banks and broker-dealers that play significant roles in the critical markets defined in the paper indicate they will meet the paper's 2006 implementation date. The sound practices are also relevant to other financial-sector participants. Many of the concepts in the paper amplify long-standing and well-recognized principles relating to safeguarding information and the ability to recover and resume essential financial services. Over the past few years, the FFIEC has revised and expanded guidance for banking organizations pertaining to operational risk. In December 2002, we issued revised guidance on information security. In April 2003, the FFIEC issued expanded guidance on businesscontinuity planning. The guidance addresses both the operational- and business-risk issues that depository institutions must incorporate into their business-continuity plans. The guidance specifically refers to the need to plan and test for recovery of critical business lines and functions--such as retail banking services--in the face of wide-scale disruption, as well as scenarios in which physical or information assets and personnel are lost. Recently, the FFIEC issued guidance on managing additional risks arising from information technology operations, network management, and wholesale and retail payments systems. Our examiners are assessing banks against these guidelines. Other financial market authorities are taking similar steps for the organizations that they regulate. Challenge of Protection While the agencies and financial-sector participants are working to improve their operational resilience, some vulnerabilities continue to pose challenges. The strategy underlying the sound practices is to increase the likelihood that systemically critical institutions will be able to recover rapidly from a wide-scale disruption. However, the sound practices address only recovery, not the prevention of an attack. The agencies are addressing this concern by working to improve coordination and emergency planning efforts between federal, state, and local homeland security authorities; the various federal, state, and local protection agencies; and the systemically critical institutions. Efforts have focused on the locations where the systemically critical institutions have their primary operations--including New York City. The agencies also plan to work with local protection agencies in cities where critical institutions are locating backup sites. As part of these efforts, the Department of the Treasury has arranged for site surveys of key financial-services sector assets to determine whether physical security can be hardened. Protection plans have been developed and are being implemented. Importance of Telecommunications to the Financial Services Sector The resilience of the telecommunications infrastructure is, from our perspective, one of the most important national issues involving the nation's critical infrastructure. The U.S. financial system depends on telecommunications to effect transactions and make payments. Following September 11, the Federal Reserve and the FBIIC agencies expanded and promoted the use of National Security/Emergency Preparedness (NS/EP) telecommunications programs sponsored by NCS. These programs worked well in helping to resume operations on September 11. The Federal Reserve is working with FBIIC agencies through outreach to expand NCS services to clearing and settlement organizations processing securities. Approximately 5,000 additional authorizations to ensure the priority of voice telecommunications have been issued in the financial sector. Moreover, about 4,100 critical circuits used to transmit financial data have been registered for priority restoration and provisioning of new lines; these include most circuits between the payment and settlement systems, the markets, and key market participants. The National Security/Emergency Preparedness telecommunications program operated by the NCS currently focuses on recovery and restoration. The FBIIC agencies believe that a third aspect--protection--through establishment of a national program for maintaining physically diverse circuits and switches, should be incorporated into the program. Treasury has designated the Federal Reserve as the lead agency for telecommunications for the FBIIC interdependencies study. At the Federal Reserve's request, the telecommunications sector through the National Security Telecommunications Advisory Committee (NSTAC) reviewed the resilience of the telecommunications infrastructure. In response to the NSTAC's recommendations that were submitted to the President in April 2004, the Alliance for Telecommunications Industry Solutions (ATIS) is organizing a National Diversity Assurance Initiative. ATIS has asked the Federal Reserve to participate in a pilot program to develop and test the requirements for physical circuit diversity across multiple carriers that can be used by the financial system and potentially other critical sectors. The Federal Reserve is collaborating with telecommunications services providers through NSTAC and the Federal Communications Commission Network Reliability and Interoperability Council. As an example, the Federal Reserve is currently working with the NSTAC to plan how NS/EP telecommunications services can be applied to the next generation of telecommunications networks based on internet protocols. Summary In summary, Mr. Chairman, we believe that protecting the infrastructure that supports our financial system is a matter of national importance. As a result of careful planning and considerable investment by both the private and public sectors, the financial sector is one of the most resilient parts of our economy. The supervisory framework for the financial sector oversees compliance with security and business-resumption expectations, which are relatively high because of the importance of ensuring the smooth operation of our financial system. All financial institutions have been expected to incorporate lessons learned from September 11, recent power outages, and cyber attacks. Organizations that we believe could have a systemic effect on the financial system if their functions were disrupted are being asked to meet very high standards of business resumption. The Federal Reserve will continue to treat the protection and resilience of the sector as a key responsibility. Thank you Mr. Chairman and members of the Committee. I am happy to respond to any questions. Return to top 2004 Testimony Home | News and events Accessibility | Contact Us Last update: September 8, 2004, 10:00 AM
@FedFRASER