Security and Unintended Consequences

Posted by Charles Kahn on Aug 14, 2009


The law of unintended consequences is a mainstay of economic thinking. Someone with power establishes a rule or regulation of some sort and assumes that people will simply follow it. But people don’t just do what they’re told. Instead, they have desires, objectives, goals. And when the rules change, people respond according to their goals. And sometimes the rule maker doesn’t like the result.

The university makes you change your internet password once a year, and of course its rules about what constitutes an acceptable password are different from those of the bank, the shopping site, and the newspaper site. For these sites, this inconvenience is good: they don’t want me using the same password for fear of cross contamination, as when someone snooping at the newspaper gets into my bank account.

But it can be counterproductive: one place where I worked demanded we change passwords once a month, with the result that what the rulemakers thought was a seven character password was effectively a four character password, with everyone using variants of xxxxjan, xxxxfeb, xxxxmar… Bottom line: lots of inconvenience for users; unintended consequence: less protection, not more.

Of course, in the case of Homeland Security, everybody has his or her favorite version of this story: body searches of grandmothers and the like. And of course, some of that criticism is unfair: if a search pattern is established, terrorists will recruit to foil it. And also of course, sometimes the goal of the rulemakers is simply to be seen to be doing something: effectiveness is beside the point.

Probably the greatest example of ineffectiveness of security rules arises in the case of anti-money laundering regulation as applied to drug enforcement. The regulatory burden the rules place on banks is stupendous: the costs and difficulties of opening new accounts have multiplied out of all recognition; the burden of serving foreign customers has become so prohibitive that many American banks avoid the business. And the effect on the market for illegal drugs has been nil. While the compliance costs for the regulation are onerous for the law-abiding, the costs for evaders are negligible.

In this arena, a classic example of unintended consequences arises: the anti-money laundering regulations require banks to report “suspicious account activity” to the authorities. But what constitutes suspicious activity is undefined; it is, to be fair, inherently undefinable. There are penalties on the banks for non-reporting. Result: banks report everything, the system is overwhelmed, and less useful information gets through than would have happened without the rule.

The anti-money laundering programs can point to some notable successes in other fields, in particular in confronting political corruption. This probably says something about the relative profit opportunities of corrupt politicians and drug bosses.

The good news is that the average individual in the U.S. (and in particular the typical newspaper reporter) understands the law of unintended consequences at gut level. The bad news is that when columnists attempt to predict the public responses to new legislation, the analysis is subject to pop psychologizing and all sorts of wishful thinking. I admit that my preferred form of armchair theorizing—economic modeling—is not without its faults. But I would put it up as a superior explanation, particularly for large numbers and for periods of time longer than a particular newspaper article can be remembered.