* Data security huge concern in landmark ECB bank tests
* Hackers could make billions from obtaining test results early
* ECB may soon upgrade project from ‘confidential’ to ‘secret’
* Centralised data stored in Frankfurt, all work done on ECB computers
* Every consultant must get individual ECB security clearance
* Financial penalties for consultants who breach confidentiality
By Laura Noonan and Eva Taylor
LONDON/FRANKFURT, June 1 (Reuters) - It would be an insider trader’s dream to know ahead of time which of Europe’s banks will fail or need more capital, and all that data will be stored somewhere in cyberspace as the European Central Bank assesses the euro zone’s top banks.
The chances of a leak are multiplied by the thousands of consultants who will work on data for the ECB’s Comprehensive Assessment of the currency bloc’s 128 most important banks, which include household names like Deutsche Bank and Santander along with national champions Bank of Cyprus and Bank of Valletta.
“It (data security) is of enormous concern,” said Dan Keeble, a London-based partner at Deloitte, which is working on part of the ECB’s assessment, an Asset Quality Review (AQR) for the euro zone’s 13 largest banks and some smaller ones.
“Aside from the fact that much of the information required to conduct the AQR is commercially sensitive to individual banks, details of the conclusions regarding the AQR have the potential to be market influencing, and could damage financial stability.”
That is why the consultants working on the centralised data - U.S. firm Oliver Wyman - cannot cut and paste, take screenshots or print out the data they are working on. And they will only have access to their part of the project, and only for as long as it takes to complete their task.
Thousands of other consultants working on individual banks face similar restrictions. Anyone caught leaking the information risks a hefty jail sentence, and the ECB said all access to the data is monitored, so users can be traced.
The ECB, long used to holding sensitive data about its market operations and keeping secret its plans for interest rate changes, told Reuters data security was the “highest priority” in the review it is undertaking before it becomes the euro zone’s financial supervisor in November.
All data communicated to, from and within the ECB is stored on ‘Darwin’, the ECB’s document and records management system. Anyone who wants access must file a request through a designated security manager at a national financial supervisor, and the central project management office must approve.
“All Comprehensive Assessment data is classified as ECB-Confidential, and access is limited to those who require it for project purposes,” the ECB told Reuters in a statement, adding that the project “may be uprated soon to ECB-Secret”.
Data about individual banks is stored on isolated servers within Darwin, and elevating it to Secret means access to the database, which is encrypted, is controlled by more senior people.
As well as staff at the ECB’s newly created supervisory arm, much of the heavy lifting in the review is being done by private consultancy Oliver Wyman, which is acting as project manager.
“Oliver Wyman maintains strict processes to manage the confidentiality of proprietary client information as standard policy,” the ECB said. “Each person working on the Comprehensive Assessment has signed additional confidentiality documents.”
Oliver Wyman, whose staff work out of the ECB’s Frankfurt premises, use ECB computers and must get security clearance from the ECB, declined to comment.
The data worked on by the ECB and Oliver Wyman in Frankfurt is the final link in a project that spans the euro zone and beyond into countries where the banks have operations.
Almost all of the national supervisors producing information for the ECB have hired auditors to help them with the job, while many of the banks have also hired third parties.
They face a similarly strict list of requirements. Documents are typically reviewed on bank PCs, and any transfer of information to auditors’ computers is severely restricted, people familiar with the process told Reuters.
Auditors that do store information in their own environments must prove that access controls are good enough to protect the information, the people added.
A source familiar with the process said data on individual banks is sent to national supervisors using encrypted emails through a specially secured channel. Both sides need keys to encrypt and decrypt the data. Auditors send their work in the same way.
Deloitte’s Keeble said there were also financial penalties built into the audit contracts to deal with data security breaches.
But even the most advanced technology protocols are only as strong as the weakest link in the chain.
“There’s a massive concern about somebody leaving a laptop in a pub,” as one source familiar with the tests put it. (Editing by Will Waterman)