"The banking industry has existing standards in place that do not exist in the retail space," said Thomas Curry, comptroller of the currency. "It may be necessary to impose legal or other requirements on retailers in that situation."
To prevent cybersecurity attacks, the U.S. Treasury Department is working to ease information sharing between regulators and the private sector, said Mary Miller, undersecretary of the Treasury for domestic finance.
But this is only a short-term step.
“We think it would be very valuable to have comprehensive legislation on cybersecurity,” Miller told the Senate Banking, Housing and Urban Affairs Committee.
Other witnesses called for legislation that would create standards for notifying consumers in case of a breach.
“It's easy to see the banks and retailers pointing to each other,” Sen. Robert Menendez, D-N.J., said. “The problem with this is the consumer is standing in the middle, not being protected.”
The high cost of ensuring data security is a roadblock for financial institutions and regulatory bodies trying to address the growing threat of cyber attacks, said Mary Jo White, chairwoman of the Securities and Exchange Commission.
“We do have significant budget challenges which impact our very important IT initiatives,” White said. “There is nothing we value more importantly than data security.”
Cybersecurity concerns come after data breaches at Target and Neiman Marcus that affected more than 110 million customers and put as many as one-third of Americans at risk for identity theft.
The witnesses also asserted their commitment to continue implementing the Volcker Rule, part of the Dodd-Frank Act. It bans proprietary trading -- restricting banks from making speculative investments that are not in the interest of their customers.
“We expect large banks to meet the highest standards,” said Curry.
Three bank regulatory agencies -- FDIC, SEC and the Federal Reserve -- want a higher minimum proprietary ratio. That’s a percentage that indicates how dependent a company is on debt. A higher value indicates less reliance on creditors and should signal solid financial health.
But regulators have yet to find an effective minimum ratio, said Daniel Tarullo, member of the Board of Governors of the Federal Reserve System.
But Sen. Elizabeth Warren, D-Mass., questioned the efficacy of current regulations in deterring banks from risky behavior.
"If financial institutions can settle their claims out of court and get a raise [for executives] for settling them, where's the deterrent?" Warren said.
She referred to JP Morgan Chase, which spent more than $13 billion in a settlement last year while its CEO, Jamie Dimon, still saw a 75 percent raise in his salary -- now $20 million -- at the end of the year.
"This raises questions on whether our enforcement strategy is working or whether we're making it more likely for banks to break the law," Warren said.
"We are still focused on the largest institutions that have a reliance on short-term wholesale funding," Tarullo said.
"It's not size alone, it's complexity that should be playing a role here," said Sen. Chuck Schumer, D-N.Y.