The financial messaging cooperative will be making compliance with core cyber-security requirements and an associated assurance framework mandatory.
Financial messaging and systems cooperative SWIFT underscored its commitment to cyber-security protections at its SIBOS conference in Geneva last week with a set of core security standards and an associated assurance framework that the cooperative is making mandatory for all customers.
Throughout this year, SWIFT officials have been grappling with a series of cyber-attacks among its members and customers.
While the Belgium-based non-profit cooperative has only been indirectly involved in several attacks, which targeted customers' local SWIFT environments rather than SWIFT's own network, an incident this past February is seen as a watershed moment. In that case, attackers compromised the Bangladesh central bank's SWIFT environment and used its credentials to send fraudulent payment instructions to the Federal Reserve Bank of New York, where the bank holds an account; after multiple attempts, several of those instructions were executed and a hefty sum was transferred out, according to official confirmations and media reports. The attackers did encounter some barriers, and a number of the instructions were blocked, but roughly $100 million was ultimately moved out of the Bangladesh central bank's account. Some of that amount has been traced and recovered, but $81 million remains missing, according to official confirmations and media reports.
Given that backdrop, SWIFT at SIBOS wanted to make clear that it is taking cyber-security further by requiring customers to attest annually to their compliance with the controls in the new assurance framework.
The push will be for the “long-haul, and will require industry-wide effort and investment, as well as active engagement with regulators,” says Yawar Shah, chairman of SWIFT. “The growing cyber threat requires a concerted, community-wide response. This is also why the SWIFT board unanimously approved the framework and remains fully engaged in overseeing and driving the further development of SWIFT’s Customer Security Programme.”
The program, which launched in June 2016, sets an operational and security baseline for customers who need to protect the processing and handling of their SWIFT transactions, SWIFT officials say. The cooperative will be enhancing SWIFT’s “own products and services to provide customers with additional protection and detection mechanisms, and in turn help customers to meet these baselines,” officials add.
The core security standards are based on “three overarching objectives which address major areas of attention for customers’ SWIFT-related environments,” according to SWIFT officials. “Under SWIFT’s new assurance framework, customers will be required to provide self-attestation against 16 mandatory controls on an annual basis.”
SWIFT will launch the self-attestation in the second quarter of 2017 “when the standards will be made applicable to all customers connected to SWIFT, including those connected through service bureaus,” officials say.
Enforcement by the cooperative will begin Jan. 1, 2018, when customers’ compliance status “will be made available to their counterparts, ensuring transparency and allowing firms to assess risk of counterparts with whom they are doing business,” SWIFT officials say.
“From January 2018, SWIFT will report the status of any non-compliant customers to their regulators, and randomly select customers who will be required to provide additional assurance either from their internal or their external auditors,” officials say.
“This quality assurance process will not preclude customers from independently requesting additional assurance from their counterparts. In addition, customers will also be able to choose to disclose their compliance with a further 11 advisory controls that will supplement the 16 mandatory controls,” according to SWIFT.
SWIFT will make the detailed objectives and controls available to customers at the end of October 2016.
“During a two-month validation period, SWIFT will engage with nominated security contacts at SWIFT National Member Groups to collect community feedback before the final standards are published at the end of March 2017,” officials say.
“While customers remain responsible for protecting their own environments, SWIFT is fully committed to helping strengthen customers’ security and helping them improve their security measures and our aim in setting out this framework is to support customers by helping to drive awareness and improvements in the industry’s overall security,” says SWIFT CEO Gottfried Leibbrandt, in a prepared statement.
In a related move in time for SIBOS, SWIFT officials introduced Daily Validation Reports, a tool designed to supplement customers’ existing fraud controls, officials say.
Using SWIFT’s records of customers’ messages, the Daily Validation Reports “will give customers an accurate summary of their message flows, affording them an independent means of verifying their messaging activity and detecting any unusual patterns,” officials say. The service is intended to enhance the ability of clients to identify possible fraud attempts and thus improve “the likelihood they can cancel any fraudulent transfers.”
SWIFT will provide the reports via a separate channel to customers’ payments and compliance teams, enabling departments at customer firms to access “independently sourced information through an independent channel, even if their own systems or operational staff have been compromised and their locally stored records have been obfuscated,” officials say.
The Daily Validation Reports will include both Activity Reports that aggregate daily activity across currencies, countries and counterparties — giving clients a snapshot view of each day’s messaging activity against which to detect unusual patterns; and Risk Reports that will provide customers with “a focused review of large or unusual payment flows and new combinations of payment parties – allowing unusual senders, destinations and patterns to be more quickly and easily identified,” officials say.
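The value of the reports described above lies in the record being held outside the customer's environment, so that what the customer's own log says can be checked against what was actually sent. The following is an added example, not SWIFT's Daily Validation Reports code, that models the mechanism in Python: it builds an Activity Report (totals per currency, destination country and counterparty) and a Risk Report (large payments, first-time counterparties and destination countries versus a historical baseline) from an independent record, and reconciles that record against the customer's local log so that entries an intruder deleted or altered locally stand out. The BICs, transaction references, amounts, baseline and threshold are constructed sample data.

```python
"""Daily validation of payment messaging against an independent record.

Added example, not SWIFT's Daily Validation Reports code. It models the
mechanism described in the article: an independent record of the messages a
customer sent (held by the network operator, not the customer) is used to
build an Activity Report and a Risk Report, and is reconciled against the
customer's locally stored log. All BICs, references, amounts, the baseline
and the threshold are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Message:
    ref: str          # transaction reference
    sender: str       # sender BIC
    receiver: str     # receiver BIC
    currency: str     # ISO 4217 code
    amount: Decimal


def country_of(bic: str) -> str:
    """Characters 5-6 of a BIC are the ISO 3166 country code."""
    return bic[4:6]


def activity_report(msgs: Iterable[Message]) -> Dict:
    """Snapshot of the day's activity: totals by currency, country and counterparty."""
    by_ccy: Dict[str, Decimal] = defaultdict(Decimal)
    by_country: Dict[str, Decimal] = defaultdict(Decimal)
    by_cpty: Dict[str, Decimal] = defaultdict(Decimal)
    count = 0
    for m in msgs:
        count += 1
        by_ccy[m.currency] += m.amount
        by_country[country_of(m.receiver)] += m.amount
        by_cpty[m.receiver] += m.amount
    return {"count": count, "by_currency": dict(by_ccy),
            "by_country": dict(by_country), "by_counterparty": dict(by_cpty)}


def risk_report(msgs: Iterable[Message], baseline: Set[Tuple[str, str]],
                large_threshold: Decimal) -> List[Tuple[str, str]]:
    """Flag large payments and sender/receiver or destination-country
    combinations never seen in the historical baseline."""
    known_countries = {country_of(r) for _, r in baseline}
    findings: List[Tuple[str, str]] = []
    for m in msgs:
        if m.amount >= large_threshold:
            findings.append((m.ref, "large_payment"))
        if (m.sender, m.receiver) not in baseline:
            findings.append((m.ref, "new_counterparty"))
        if country_of(m.receiver) not in known_countries:
            findings.append((m.ref, "new_destination_country"))
    return findings


def reconcile(independent: Iterable[Message], local: Iterable[Message]) -> Dict[str, List[str]]:
    """Compare the independent record with the customer's local log.
    Messages present independently but missing or altered locally are the
    signature of an intruder covering tracks on the customer's own systems."""
    ind = {m.ref: m for m in independent}
    loc = {m.ref: m for m in local}
    return {
        "missing_locally": sorted(set(ind) - set(loc)),
        "altered_locally": sorted(r for r in set(ind) & set(loc) if ind[r] != loc[r]),
        "only_local": sorted(set(loc) - set(ind)),
    }


# Constructed sample data: one day of outbound traffic as recorded independently...
INDEPENDENT = [
    Message("TX001", "EXAMBDDH", "EXAMUS33", "USD", Decimal("250000")),
    Message("TX002", "EXAMBDDH", "EXAMUS33", "USD", Decimal("1200000")),
    Message("TX003", "EXAMBDDH", "EXAMPHMM", "USD", Decimal("30000000")),
    Message("TX004", "EXAMBDDH", "EXAMLKLX", "USD", Decimal("20000000")),
]
# ...and the same day as the customer's local log shows it, where TX002 has
# been altered and TX003/TX004 have been deleted.
LOCAL = [
    Message("TX001", "EXAMBDDH", "EXAMUS33", "USD", Decimal("250000")),
    Message("TX002", "EXAMBDDH", "EXAMUS33", "USD", Decimal("12000")),
]
# Assumed historical sender/receiver pairs and "large payment" threshold.
BASELINE = {("EXAMBDDH", "EXAMUS33")}
LARGE = Decimal("10000000")

if __name__ == "__main__":
    print(activity_report(INDEPENDENT))
    print(risk_report(INDEPENDENT, BASELINE, LARGE))
    print(reconcile(INDEPENDENT, LOCAL))
```

Run stand-alone, the reconciliation lists TX003 and TX004 as missing from the local log and TX002 as altered, while the risk report flags both deleted transfers as large, to a new counterparty and to a new destination country; the design point is that none of these checks rely on data the compromised environment controls.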
The Daily Validation Reports offering is one of several initiatives of the Transaction Pattern Detection stream within SWIFT’s Customer Security Program, officials say.
SWIFT intends to launch the Daily Validation Reports in December 2016 as part of SWIFT’s Compliance services, a set of utilities designed to assist institutions in managing their financial crime compliance risks, officials say. “Other SWIFT tools and services that can help to reduce transaction and financial crime compliance risks include RMA Plus, Sanctions Screening, Sanctions Testing, The KYC Registry, Compliance Analytics and the Payments Data Quality Service,” officials add.
“In August SWIFT launched a campaign focused on its Relationship Management Application (RMA) to raise awareness of the tool’s usage as a first line of defense against unwanted or unexpected message flows,” SWIFT officials say. “RMA is a filter that enables users to manage their correspondent relationships and is a first line of defense against unwanted or unexpected message flows. It allows users to select and limit the correspondents from whom they wish to receive messages, as well as to restrict the type of messages that they receive.”
RMA could mitigate the risk of receiving unwanted or fraudulent payments, and is intended to help ensure that message traffic is exchanged with trusted parties only, officials say.
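The filter described above is, in effect, a default-deny allowlist of correspondents, optionally narrowed to the message types each correspondent is permitted to send. The following is an added example, not SWIFT's Relationship Management Application, that models that policy in Python: a receiving institution accepts an inbound message only if it holds a live authorisation for the sending correspondent and the message type is covered by it, and rejects everything else with a reason. The per-message-type granularity is assumed from the article's mention of RMA Plus; the BICs, message types, dates and authorisations are constructed sample data.

```python
"""RMA-style filtering of inbound messages.

Added example, not SWIFT's Relationship Management Application. It models the
policy described in the article: a receiving institution accepts a message only
from a correspondent it has explicitly authorised, and only of the message
types that authorisation covers. Per-type granularity is assumed (the article
only names RMA Plus). BICs, message types, dates and authorisations are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Authorisation:
    correspondent: str               # BIC permitted to send to us
    message_types: FrozenSet[str]    # MT types covered, e.g. {"103", "202"}; {"*"} = any
    valid_from: date
    valid_to: Optional[date] = None  # None = open-ended
    revoked: bool = False            # an explicitly withdrawn authorisation


@dataclass(frozen=True)
class Inbound:
    ref: str
    sender: str
    receiver: str
    mt_type: str
    received: date


class RmaFilter:
    """Default-deny filter: every inbound message must match a live authorisation."""

    def __init__(self, own_bic: str, authorisations: Iterable[Authorisation]):
        self.own_bic = own_bic
        self.auths: Dict[str, Authorisation] = {a.correspondent: a for a in authorisations}

    def evaluate(self, msg: Inbound) -> Tuple[bool, str]:
        if msg.receiver != self.own_bic:
            return False, "not_addressed_to_us"
        auth = self.auths.get(msg.sender)
        if auth is None:
            return False, "no_authorisation"              # correspondent never authorised
        if auth.revoked:
            return False, "authorisation_revoked"
        if msg.received < auth.valid_from or (auth.valid_to is not None and msg.received > auth.valid_to):
            return False, "authorisation_not_in_effect"
        if "*" not in auth.message_types and msg.mt_type not in auth.message_types:
            return False, "message_type_not_authorised"   # e.g. a payment from a trade-finance-only partner
        return True, "accepted"

    def filter_inbound(self, msgs: Iterable[Inbound]) -> List[Tuple[str, bool, str]]:
        """Decision per message: (reference, accepted?, reason)."""
        return [(m.ref, *self.evaluate(m)) for m in msgs]


# Constructed sample data.
OWN_BIC = "EXAMGB2L"
AUTHORISATIONS = [
    Authorisation("EXAMUS33", frozenset({"*"}), date(2015, 1, 1)),              # full relationship
    Authorisation("EXAMDEFF", frozenset({"700", "799"}), date(2016, 3, 1)),     # documentary credits only
    Authorisation("EXAMSGSG", frozenset({"*"}), date(2014, 6, 1), revoked=True),  # relationship withdrawn
]
TODAY = date(2016, 10, 3)
INBOUND = [
    Inbound("IN1", "EXAMUS33", OWN_BIC, "103", TODAY),   # authorised correspondent, any type
    Inbound("IN2", "EXAMDEFF", OWN_BIC, "700", TODAY),   # trade-finance partner, permitted type
    Inbound("IN3", "EXAMDEFF", OWN_BIC, "103", TODAY),   # same partner, payment type not authorised
    Inbound("IN4", "EXAMSGSG", OWN_BIC, "103", TODAY),   # revoked relationship
    Inbound("IN5", "EXAMJPJT", OWN_BIC, "202", TODAY),   # unknown correspondent
]

if __name__ == "__main__":
    for ref, ok, reason in RmaFilter(OWN_BIC, AUTHORISATIONS).filter_inbound(INBOUND):
        print(ref, "ACCEPT" if ok else "REJECT", reason)
```

The order of the checks matters for the rejection reason an operator sees, not for the outcome: a message from an unknown or revoked correspondent is dropped before its type is even examined, which is what makes such a filter a first line of defense rather than a fraud-detection control.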
Looking ahead, SWIFT, in collaboration with its cooperative members, will be investigating methods “to enhance market practice in the use of message standards for fraud prevention and investigation, and exploring additional fraud controls,” officials say.