What you'll learn:
- Navigating financial regulations in a dynamic economy and the cross-section of innovation and finance
- How regulators think about keeping the banking and financial sectors working smoothly
- What innovative areas in banking and finance regulators are looking at now -- and next
Transcription:
Chana Schoenberger (00:09):
So I would like to introduce Adrienne Harris, who is the Superintendent of the New York Department of Financial Services. Many of you know her as your regulator, others of her as probably the most active state regulator in financial services. I've had several bankers say to me that their own regulator will say to them, or their general counsel will say to them, this is what they're doing in New York now, so it's coming for us. You should be ready.
Adrienne Harris (00:38):
Friendly neighborhood regulator.
Chana Schoenberger (00:39):
Exactly. That's right here on Sesame Street. So you've been at the department for three years now. What are the highlights and challenges for you so far in this role?
Adrienne Harris (00:50):
Yeah, well first thank you for having me. It's good to be here with all of you. I think there are lots of challenges, frankly, as the financial services landscape continues to change and evolve and New York occupies such a unique space because while we are a state regulator, we are, as we like to say, the first among equals and really play an outsized role in the national and international regulatory landscape. For those that aren't familiar with DFS, we regulate about 3000 financial institutions, banks, credit unions, insurance companies, including health, life, and property and casualty we're really the first, and for a long time, the only prudential regulator of cryptocurrency in the country, state or federal. We oversee student lending, mortgage servicing, pharmacy benefit managers, so you name it. We regulate it to about the tune of $10 trillion in assets among our regulated institutions.
Chana Schoenberger (01:47):
So what we really need is another list, most powerful women and regulations
Adrienne Harris (01:50):
In regulation. There you go. Be a short list of female regulators. Sadly, very short, but so we really get to see the intersection and the overlap of all these different financial services and I think have an outsized role to your point in identifying trends, be it on the risk side or on the innovation side, and then can act very nimbly to highlight those trends or risks for federal regulators, for international regulators. Because also among our portfolio are 15 G SIBS and about 120 foreign in wholesale banks. So we really do punch above our weight, so to speak, as a state regulator.
Chana Schoenberger (02:28):
Although here in New York, we just basically do think we're better than everybody else.
Adrienne Harris (02:31):
Yes, it's true.
Chana Schoenberger (02:32):
In case you're not from here and we're wondering It's pretty much true.
Adrienne Harris (02:34):
It's true. It's true.
Chana Schoenberger (02:36):
Yeah. Okay, so that's sort of the parameters of your role. So what are the highlights in what you've done in the last three years?
Adrienne Harris (02:44):
Yeah, so I am the first non prosecutor to sit in my seat, which I am very proud of. My whole history is sort of in and out of the private sector. So I'm a J-D-M-B-A by training. Started my career at Sullivan and Cromwell, spent time at the Treasury Department and then leading the financial services portfolio in the Obama White House before starting my own company, taking it public and then coming back to public service. So for me, I really think about how do we make this a regulator that can protect consumers, protect markets, but also be good for business and prove the case that you can do both of those things and that those objectives are not mutually exclusive. So we've been very focused on kitchen table issues. So even though I am the first non prosecutor, for me, I said, how do we focus on consumer restitution, getting money back to New Yorkers?
(03:39):
And we've done now about $600 million almost in my tenure of getting money just back to New Yorkers. We continue to work on things like AI, crypto, we of course had a banking crisis last year that no way really we didn't anticipate or I didn't anticipate coming into the role. And then there's really been quite a number of operational challenges in the role. So making sure that we can be a modern regulator, that we have the personnel we need, that we have the tech and the other tools that we need to keep abreast of the marketplace and be a nimble, innovative regulator ourselves.
Chana Schoenberger (04:16):
Okay. What is a modern regulator?
Adrienne Harris (04:19):
A modern regulator in my mind is one, as I noted, who for me, I have a real allergy to ideology and financial regulation. So I really do think of New York as the best place to prove that you can protect consumers and markets and create a healthy, thriving, growing marketplace here in the financial capital. For us, it meant we really needed the tools to do that. So we've grown the team considerably. I was able to get the department fully funded for the first time in its history during my first state budget cycle.
Chana Schoenberger (04:53):
That's where the congestion pricing money went.
Adrienne Harris (04:56):
No, no, no.
Chana Schoenberger (04:59):
Long before that.
Adrienne Harris (05:00):
It was long before that. So we've hired about 500 new staff from industry, from other regulators, from international regulators. We got $60 million added to our appropriation so that we could do a technology makeover. And we really try to use all of our tools, so not just enforcement, enforcement really is meant to be the last resort, but how do we think about adding more examiners, doing more rules, but then also using guidance FAQ, educational opportunities to really engage not only with our regulated entities, but state legislators, federal legislators, academics. So we really spend a lot of time engaging with all of our stakeholders, surfacing all the data that we need so that we can make the best possible decision for our regulated entities and for the consumers we're charged with protecting.
Chana Schoenberger (05:51):
Okay. So you did a cool thing last week with cybersecurity, which we wrote about, and I know you all read American Banker, so I'm sure you read this story already, but tell us what this was about.
Adrienne Harris (06:00):
Yeah, so we've done a lot of work around cyber. It is obviously one of those risks that throughout the financial sector really keeps everybody up at night. So earlier this year, I guess late last year, we amended what's known as part 500, which is our cybersecurity regulation here in New York. It really was the nation's first financial regulation for cybersecurity. So it became the model for lots of the federal regulators, for lots of international regulators, for the NAIC and the CSBS. And that was in 2017. And then last year we decided we needed to amend it to update it because that world, those risks have really developed quite a lot. So we put a lot of work into amending part 500, and then last week we added guidance to the amended regulation that we did to account for the risks and the potential opportunities of AI and cybersecurity.
(06:53):
So the guidance really was meant to highlight best practices for our regulated entities to say, here are the new risks and threats you should be thinking about in the cybersecurity space. But because of ai, so think more sophisticated social engineering attacks, for instance, as opposed to those phishing schemes that we could all tell we're phishing because your name would be misspelled and there'd be all kinds of typos. Now, those sort of social engineering schemes are much more sophisticated because of AI. So how you think about your risk management frameworks in the face of these heightened risks or more sophisticated risks. But similarly, how might our regulated entities use AI as part of their defenses to identify some of these threat vectors, identify some of these risks to make sure you're finding malware in your system more quickly before it can really do damage to your systems. How do you think about AI in terms of data recovery and other tools that we demand our regulated entities have? And so the guidance we put out again, is just another tool. It wasn't meant to add new requirements to the regulation, but rather to put more meat on the bones and behave nimbly so that what we do as a regulator is keeping pace with risks as they develop in the marketplace.
Chana Schoenberger (08:15):
So just building on what you were seeing now and then our last session of course was about AI and how people are actually using it within banks. How do you think about regulating ai?
Adrienne Harris (08:25):
I think it's such a big thing and it's such a buzzword, and so everybody says AI and machine learning, and half the time they don't really know what they're talking about or what they're talking about isn't real AI, right? They're talking about databases or talking about maybe very basic and outdated machine learning. So for us, it's really about thinking not just about the big picture. What is ai? What are the risks? But really how do those risks and opportunities manifest in particular situations? So before the AI and cybersecurity guidance that we put out last week, a few months ago, we put out guidance on AI and insurance underwriting and pricing. Now, we were not the first state, for instance, to do something around AI and insurance, but what we saw in the marketplace was again, this sort of big picture, oh, AI and insurance, that's too big a bite to take as a regulator.
(09:17):
So we really limited our guidance to underwriting and pricing. We put aside claims, we put aside customer service and all these other use cases and said, how do we want our regulated entities to think about it in this particular discreet context? How do we want them to apply anti-discrimination frameworks? How do we think about statistical modeling and testing? And we laid out with some level of prescriptiveness the type of testing that we expected our institutions to engage in. And then we of course talk a lot about governance. So because something like AI is moving and developing so fast, it's less about how you approach a particular technology or a particular vendor, but more about how you put in place the right sort of governance and risk management framework that's going to be adaptable and nimble and evolve along with the technology. So we really spend a lot of time focused on that governance piece, making sure that our regulated entities have the right expertise in-house that they're thinking about third party vendor management, for instance.
(10:21):
So everybody in banking and financial services is very familiar with third party vendor management risk framework principles the same apply to ai. It is not going to be sufficient from our point of view as a regulator to say, well, the algorithm was discriminatory and this would go for banking as well, but it was our vendor who wrote the algorithm, we don't know how it works, so it's not our fault. These frameworks around third party vendor management are pretty well trodden paths. And so they apply here even with a new technology. And the guidance we did on AI and insurance underwriting and pricing was meant to pull some of that forward, add that transparency and make our regulated entities aware of our expectations proactively.
Chana Schoenberger (11:05):
It's such a big problem too because so much of machine learning is based on databases and using what we have from the past, and a lot of the data we have from the past is biased.
Adrienne Harris (11:15):
Well, and you think about insurance in particular. I know this is the powerful women in banking, but insurance by its nature, the business model is discrimination in the truest sense of the word. And so we had to really think about what is proper discrimination for purposes of underwriting insurance risk versus what is discrimination in the malevolent sense of the word that is not based on the risk that an insurer is underwriting? And how do you distinguish those two and how do you help insurance companies? And at some point, we will probably do something in banking as well. So as you said, forecasting, how do you think about the algorithm and the tools and the ways that delineate the discrimination that is underwriting and the discrimination that is really benevolent and the kind of thing we look to guard against. But I think one thing I'll say is we put everything out for notice and comment, even where the law doesn't require us to, because I think it's important to have this engagement with all of our stakeholders.
(12:16):
One thing that came from that guidance was people said, well, how can we do this testing? We can't possibly do this testing. It's going to be so hard, it's going to be so onerous. And I think one thing that we benefit from my experience in the private sector from having a diverse team at DFS that has regulatory experience, private sector experience is we're able to say, no, we know how this can work in a private sector context. The company that I helped start in Silicon Valley was an AI company and insurance. So when the insurance companies were coming and saying, this is impossible, I could with a lot of credibility say, no, it's not because I've done it and here's how I suggest you do it as well. And so I think having that diverse team, having the technology in the regulator and then engaging with our stakeholders really helps us make better regulation.
Chana Schoenberger (13:04):
Okay. So you talked about how the modernization of the agency is going. So Signature Bank failed in 2023. So it seems like that was yesterday, but it was actually a year and a half ago.
Adrienne Harris (13:14):
Yes.
Chana Schoenberger (13:15):
What's changed in the industry and in the way you think about regulations since then?
Adrienne Harris (13:19):
Yeah. So there were a number of things I think we had on our transformation plan before the collapse of signature, but of course that you never waste a crisis that caused us to really accelerate a lot of our planning. So there's a couple of things we're now doing differently. I have reorganized our banking division back to the way it was in the banking department before there was a DFS into bank and non-bank supervision. So we've separated those two things out, even though there's obviously some overlap there. We have new escalation protocols. What we found with Signature, or if you look at Silicon Valley Bank or probably even First Republic, is that when you look at the camel's ratings for those institutions, they were getting in particular around liquidity risk management. They were getting threes right on their exams for many, many years. So I said to the team, why are we letting C students continue to be C students, right?
(14:17):
If we have an institution that's continuing to get Cs for all intents and purposes on one metric of the Camel score cycle after cycle after cycle, we need to escalate that to leadership so that we can do an MOU bring in enforcement action, whatever the appropriate step is going to be. So now we have a new escalation protocol in place that really empowers the line staff to raise up to management those institutions that have persistent problems. We also looked and said, what does the training look like for our examiners? I've brought in about 150 new examiners to DFS in my time. They're the first new examiners that have come in since 2018. And so we really looked back and said, what does examiner training look like by the time you're at the end of your first year as an examiner, what are the skills you should have?
(15:04):
What are the experiences you should have had on the job and your second year and your third year? And let's create a syllabus and make sure that training is available to our examiners. So we've now done that. And then the other thing we put in place was what we call operational stress testing. I think one of the things that happened, and we wrote about this in our report of Signature Bank, is that the bank was unable to produce timely accurate data during the 72 hours of the weekend where it failed. So we were going to the bank and saying, how much collateral do you have that you can pledge to the Fed? How much collateral do you have that can go to flub and what kind of liquidity can you get? And again, we wrote about all of this in our report. They were telling us we've got $6.5 billion of collateral that we can pledge to the Fed.
(15:52):
And when we were pressure testing that in less than 12 hours, that number had been revised down to $500 million of collateral, and that's before the fed discount. That's a big swing to have in 12 hours when they're like, we have $6.5 billion, we can pledge. No, we have half a billion dollars we can pledge. So that prompted us to say to the rest of our regulated institutions, you have to be able to produce accurate data quickly and in a crisis, and it's not enough. Just have a plan that lives on the shelf of here's the playbook for a crisis. You've got to do the tabletop exercise. So we started piloting with a number of our institutions what a tabletop exercise would look like,
Chana Schoenberger (16:32):
Like war games for bank failures?
Adrienne Harris (16:33):
Like war games for bank failures. It's something we did when I was at the Treasury Department around cybersecurity. We had what we called the Hamilton exercises where we would bring a number of institutions in with all the regulators and have sort of a scenario play out with a third party facilitator to figure out how everybody would react. And so now we're doing something similar with our regulated banking institutions, again, as a pilot to say, let's put ourselves in a failure scenario. Maybe it's a deposit run or liquidity crisis, maybe it's something else, but can you produce timely, accurate data quickly so that we're all working from the same set of facts and don't have an instance where we think we've got six plus billion in collateral and really it's less than a half a billion and we're figuring that out real time.
Chana Schoenberger (17:24):
Yeah, I can see how that would be a problem.
Adrienne Harris (17:26):
Yeah, yeah, it makes the crisis that much more challenging for sure.
Chana Schoenberger (17:31):
How do you convey, I mean, what was that like? Were you texting them? Did you have someone on an open phone line? A zoom?
Adrienne Harris (17:39):
Yeah, it is a lot of communication. So I think when we went back to write the report and sort of do the retrospective analysis for ourselves, I mean, when you look at the phone calls, the text messages, the emails, the zooms, I mean, it is thousands of communications happening in a very short timeframe between bank leadership, me and my team, federal regulators, and at the time, I'm sure many in this room, remember it wasn't just sort of the three banks that we all think about now. It all sort of kicked off with Silver Gate and their self liquidation the week before then it was SVB and Signature. And we all thought First Republic was going to go that same weekend, but they got their lifeline and managed to make it a couple months.
Chana Schoenberger (18:29):
Two more months in the the two months,
Adrienne Harris (18:31):
But there were at least 20 other banks across the country that we could sort of see, at least from a regulatory perspective, here's how the dominoes are going to fall if the systemic risk exception had not been invoked. So we're on the phone with other state regulators, with the Fed Board, the New York Fed, the FDIC, who becomes the receiver, and you're talking to other bank CEOs who wants to buy a bank and they're like nobody. So it's a lot of fast communication, but I think the key to it is having that communication, whether it's with legislators, regulators, bank CEOs and general counsels, and you sort of put whatever squabbles you might have, whether it be partisan or territorial, all that's got to be put to the side so that you can get to the right answer and preserve the stability of the banking system.
Chana Schoenberger (19:33):
Wow. I'm trying to imagine the movie that they're going to make of this, right? Be like too big to fail, but state version.
Adrienne Harris (19:39):
Yeah, exactly. Maybe
Chana Schoenberger (19:40):
Who would play you in that movie?
Adrienne Harris (19:42):
Who would play me? I have to think about that one. I dunno.
Chana Schoenberger (19:46):
But seriously, folks, when you think about, because you were just talking about Silver Gate, when you think about crypto and digital assets, how does that fit into the broader financial services landscape here on Wall Street?
Adrienne Harris (19:57):
Yeah. Well, as I noted, we've been regulating the space for about 10 years and until very recently have been the only prudential regulator in the country, state, or federal with crypto specific authorities. So we have what we call a bit license. And then of course we have our limited purpose trust charter, both of which are vehicles that crypto companies or Tradify companies can use to engage in what we call virtual currency business activity. So we've gotten very good at regulating the space. I built the team from what was maybe three people when I came into now a team of 60 people that are solely dedicated to the licensing and examination of cryptocurrency companies and activities in the state of New York. You have to have a license from us to engage in that activity in New York state. And then we have a whole set of requirements, just like for our banks and insurance companies, so the same cybersecurity regulations that apply to banks apply to the crypto companies that we regulate, the same B-S-A-M-L requirements that the banks have apply to our crypto companies.
(20:59):
And then we have very, very strict reserving and capitalization requirements for our cryptocurrency companies as well. So for us, the formula is we take any crypto in cold storage plus crypto in hot storage, plus six months operating costs times 1.1, and that's the capital that they're all required to maintain at any time. And then we reserve the sole discretion. We are the government to require them to lift that capital in times of stress. It's worked very well because when we think about the crypto winter, FTX, Voyager Celsius, none of them were permitted to operate in New York because we hadn't given them a license. So when you look at the harm to consumers from those companies in New York, it's very, very minimal as compared to every other state in the country. And so New York has really become the model for the federal legislation that's been working its way through Congress for ICA in the EU for what they're doing out of the FCA in the UK.
(22:05):
Everybody really points to New York. And originally people thought, well, this regulation is so onerous it's going to kill innovation. But when you look at the data, we like data so much. What you see is the plurality, so not the majority, but the plurality of investment in crypto companies is in New York regulated companies because there's transparency, there's predictability, and then that regulation becomes sort of the good housekeeping seal. And so we have foreign regulators that come to us all the time and they say, we know if a company's been licensed in New York, it passes your standards, it'll pass our standards. And then you have Chairman McHenry on house financial services, for example, when he's putting forward his stable coin legislation and his market regulation, he's saying, this is modeled after New York. So we've had tremendous success in this space. We've also brought some of the first enforcement actions against crypto companies.
(23:00):
So we brought a hundred million dollars case against Coinbase that was mostly about cybersecurity and BSA violations. And then just I guess earlier this year, we're able to get $2.1 billion back to consumers from an enforcement action we brought against Gemini Earn. And that was consumers nationwide. So I actually got a very nice email from a gentleman in Ohio who said, thanks for getting my money back. I'm going to come to New York and spend it there. So I immediately forwarded it to my boss, the governor, and I was like, DFS does tourism. See, we are a multifaceted agency here.
Chana Schoenberger (23:41):
So we held our small business thinking conference last week in Vegas, and I sat down to breakfast with some bankers from the south, not from New York. And one of the gentlemen was telling me that he of course runs a bank, but on the side and not in his own bank. He invests in crypto. And he was telling me what a great idea this was. And I guess I was kind of surprised to hear a banker say that.
Adrienne Harris (24:02):
Well, we have, again, in an effort to utilize all the tools at our disposal, we have issued guidance for our banking institutions that want to engage in virtual currency business activity because of course, that's a bit of a different proposition than a crypto native company. So when you have a traditional bank that wants to custody crypto, that wants to engage in payments of crypto, that also requires our regulated banking institutions to come to us. We run all the traps and get pre-approval before they're allowed to do that. And that's meant to prevent or at least mitigate any bad effects from crypto on the banking sector. And this is something that also came up in the course of signature where there was this sort of misnomer that signature failed because of crypto because they were known as sort of a crypto friendly bank. But in fact, when you look at the percentage of their deposit base that was crypto companies, it was about 20%. And when you look at the deposits that fled during that weekend, it was about 24% of the deposits that fled that were crypto companies, but the rest were wholesale food vendors and small law firms. And it's in part because we have this rigorous guidance for banks that really limits, or at least requires them to apply strict risk management frameworks if they are engaged in virtual currency business activity here in New York.
Chana Schoenberger (25:27):
Before we run out of time here, this is a leadership conference. So I would love, aside from your actual work, I would love to hear a bit, you sort of alluded to your own career arc. What would you tell bankers about public service as a career?
Adrienne Harris (25:42):
Yeah, I love public service. I mean, except for twice a month when I'm like, why am I in public service when I look at my paycheck other than twice a month? And what I have found is the hardest problems are the ones that emerge in public service when you are trying to accommodate the interests of a number of stakeholders. It is just far more complex, frankly, than anything I've encountered the private sector, but it's so rewarding for us to be able to sit here today and say, in three years we've gotten almost 600 million back to New Yorkers. Some of that is mine. I had an insurance company that didn't pay one of my claims, and I was like, oh, I know the rules here. He owe me money. I'll take that check, please. I need it. Because twice a month.
Chana Schoenberger (26:37):
They definitely mess with the wrong girl.
Adrienne Harris (26:39):
Exactly. But there's just nothing more rewarding in my mind than solving those really hard problems that then have this broad implication for your city, for your state, for your country. And then to get an email from a gentleman in Ohio or from any of the consumers we help is just so terribly rewarding. And I do think my time in the private sector has made me a better and more effective regulator, but I think similarly, my time in public service made me a more effective businesswoman because I can translate. And for me, that's just been such a rewarding sort of arc in my career. So I would encourage everybody when you have the savings to spend some time in public service, because I really do think it's one of the most rewarding things you can do with your career and the skill sets that you develop in the private sector are so needed in public service and vice versa. So I really encourage people to spend a few years in the public sector.
Chana Schoenberger (27:40):
Once you've made your money.
Adrienne Harris (27:42):
Once you've made your money, or early before you really think you need money when you're like 20 and Ramen is fine every night, you can do it then and then go make your money later.
Chana Schoenberger (27:52):
Ramen is great. We have great ramen, New York.
Adrienne Harris (27:53):
You get high end Ramen now. When I was in my twenties, it was not high-end drama. Right.
Chana Schoenberger (27:58):
The dried stuff that you make on your hot plate. Okay, so what trends are you seeing on Wall Street today that make you your fingers itch and you're reaching for your regulatory plan?
Adrienne Harris (28:08):
I mean, the AI things that we've talked about, and I think we're so at the early stages, as I alluded to, right? We're all using this word or these words, but I think still there's so much left to go there. I've been thinking a lot lately about adjunctive ai. So not just AI that provides us with information, but AI that can then execute on decisions and act as an agent. So imagine you've got AI and you've got your customer service chat bot where it's like, you should call this number or you should do this, but then the AI that can actually go and do that thing and get the refund for you without you having to do anything. So we've been spending a lot of time thinking about that, and I think there's a real amazing set of opportunities there. But there will also be risks.
(29:00):
If we're a regulator, we think about risks. So we spend a lot of time thinking about that. There's really no end to the cybersecurity stuff and those risks there, that's just, as you all know, sort of an arms race, right? Between the threat actors and those of us that have to defend our systems. So we continue to think about that. The crypto space is evolving quite a bit too as we see more and more trad fi getting involved in the crypto space. So it's sort of less like the two dudes from Silicon Valley who have a new crypto company not to prejudge or paint with too broad a brush, but it's sort of less that now and more the traditional financial services companies looking to get involved in this space. So I'm really interested to see where that all is going to go as we think about tokenized assets as we think about payments. Yeah, there's lots of really interesting stuff happening.
Chana Schoenberger (29:55):
Cool. Okay, last question. What is the coolest thing you've seen in the industry recently?
Adrienne Harris (30:03):
There's so many cool things. Some of the AI stuff I think is just amazing. We're actually playing with a little bit of it ourselves. One of the projects we have with the state University of New York with the Stony System is we're taking our mortgage data, our insurance data, and then SUNY has this incredible treasure trove of weather data. So it's like weather from every corner of the state, every five minutes going back 40 years. It's like now I feel like I'm a meteorologist because we've been digging into this data, but we've been using AI to overlay mortgage data, insurance data, and this weather data to think about climate risk to banks, climate risk to insurance companies, climate redlining, and what that's going to look like. Are we going to see lenders stop lending to LMI communities that have a disproportionate exposure to climate change? How do we get ahead of that? And it's just so much data that you need AI tools and supercomputers to help wrap your arms around that. So I'm really excited about that. So I think there's lots to come in the AI space for sure.
Chana Schoenberger (31:10):
Extremely cool. Alright, well thank you very much superintendent, and thanks for being up here with me.
Adrienne Harris (31:15):
No, thanks for having me. Good to see you all.