Could PCI DSS provide a guide for safeguarding payments over Swift?

Philippe Lepoutre, deputy head of global transaction and payment services and Thierry Olivier, chief information security officer at SocGen assess Swift's Customer Security Programme (CSP) and how it might evolve in the future to provide a better safety net for interbank payment flows.

A chain is only as strong as its weakest link, which makes Swift's Customer Security Programme (CSP) a necessary step in addressing cyber-crime. As a global network, Swift allows exchanges between different types of banks – from the very largest multinational institutions through to very small banks. The perception is that perhaps some of the smaller banks have not taken cyber security as seriously as they should, which has created weak points in the Swift network.

The recent fraud attacks, in which criminals compromised member institutions and used their Swift connectivity to send fraudulent instructions over the network, were a wake-up call for many Swift members. That is why the CSP is very timely and the whole Swift community should engage with the Programme. CSP will create transparency between members on the Swift network and will be a strong incentive for all banks to show they are not lagging behind when it comes to cyber security.

Initially the CSP assessments are based on self-evaluation, but that may evolve over time to assessments conducted by a third party. The card industry's Payment Card Industry Data Security Standard (PCI DSS) is a good indicator of how the CSP has been set up and how it may develop: PCI DSS combines self-assessment questionnaires for smaller merchants with on-site assessment by an independent Qualified Security Assessor for the largest, and the CSP could follow the same trajectory. Most of the card industry players have engaged with PCI DSS, which provides a strong and demanding standard for card security. It is becoming very necessary for the Swift community to engage in a similar type of project.

In the light of recent regulatory moves, there is growing awareness of the need to actively manage Know Your Customer (KYC) risk, particularly between banks. Swift is playing a role with its KYC Registry. Smaller banks, which may be more exposed to cyber risk, are in any case already treated as higher-risk counterparties by larger banks because of their size.

Financial institutions are making a range of efforts to streamline their approach to counterparty risk and KYC to ensure they have exchanges only with approved counterparties. Among these efforts is implementation of Swift's Relationship Management Application+ (RMA+), a filter that enables financial institutions to define which FIN message type(s) they want to receive from, and send to, each of their counterparties (for example, allowing MT 202 bank-to-bank transfers with a given counterparty while refusing MT 101 requests for transfer). Such tactical approaches help banks to ensure that they do not leave open any messaging links that are not backed by full KYC compliance.
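The filtering model described above, as an added illustration written for this page (it is not Swift's or Société Générale's code): a per-counterparty allow-list of FIN message types in each direction, applied to the message headers. It parses only the basic header (block 1) and the input-form application header (block 2), keys counterparties by BIC8, and all BICs, references and messages are constructed sample data.

```python
"""RMA+-style message-type filtering: an added example, not Swift's or SocGen's code.

Assumptions: only input-form FIN headers ({2:I...}) are parsed, counterparties are
keyed by BIC8, and all BICs and references below are constructed sample data.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Block 1 (basic header): F01 + 12-char logical terminal address + 4-digit session + 6-digit sequence.
_BLOCK1 = re.compile(r"\{1:F01([A-Z0-9]{12})\d{4}\d{6}\}")
# Block 2 (application header, input form): I + 3-digit MT + 12-char receiver address + priority.
_BLOCK2_IN = re.compile(r"\{2:I(\d{3})([A-Z0-9]{12})([SNU])")


@dataclass(frozen=True)
class FinHeader:
    sender_bic8: str
    receiver_bic8: str
    mt: str  # message type, e.g. "103"


def parse_fin_header(msg: str) -> FinHeader:
    """Extract sender, receiver and MT from blocks 1 and 2; the text block is not needed."""
    m1, m2 = _BLOCK1.search(msg), _BLOCK2_IN.search(msg)
    if not (m1 and m2):
        raise ValueError("expected an input-form FIN message with blocks 1 and 2")
    # A 12-char LT address is BIC8 + terminal code + branch code; keep the BIC8.
    return FinHeader(sender_bic8=m1.group(1)[:8], receiver_bic8=m2.group(2)[:8], mt=m2.group(1))


@dataclass
class RmaPolicy:
    """Per-counterparty allow-list of MTs we may send to, and accept from, that counterparty."""
    ours: str
    rules: dict[str, dict[str, set[str]]] = field(default_factory=dict)

    def authorise(self, counterparty: str, send=(), receive=()) -> None:
        self.rules[counterparty] = {"send": set(send), "receive": set(receive)}

    def check(self, hdr: FinHeader) -> tuple[bool, str]:
        if hdr.sender_bic8 == self.ours:
            direction, cp = "send", hdr.receiver_bic8
        elif hdr.receiver_bic8 == self.ours:
            direction, cp = "receive", hdr.sender_bic8
        else:
            return False, "message does not involve this institution"
        entry = self.rules.get(cp)
        if entry is None:  # plain RMA: no relationship at all, so nothing passes
            return False, f"no RMA authorisation with {cp}"
        if hdr.mt not in entry[direction]:  # RMA+: relationship exists, but not for this MT
            return False, f"MT{hdr.mt} not permitted to {direction} with {cp}"
        return True, "ok"


def build_policy() -> RmaPolicy:
    """Constructed policy for the fictional institution AAAAFRPP."""
    pol = RmaPolicy(ours="AAAAFRPP")
    pol.authorise("BBBBDEFF", send={"103", "202"}, receive={"103", "202", "950"})
    pol.authorise("CCCCGB2L", send={"202"}, receive={"202"})
    return pol


# Constructed sample messages (text block abbreviated; only the headers matter here).
MSG_MT103_OUT = "{1:F01AAAAFRPPAXXX0000000001}{2:I103BBBBDEFFXXXXN}{4:\n:20:REF0001\n:32A:171010EUR90000,\n-}"
MSG_MT101_OUT = "{1:F01AAAAFRPPAXXX0000000002}{2:I101BBBBDEFFXXXXN}{4:\n:20:REF0002\n-}"
MSG_MT202_UNKNOWN = "{1:F01AAAAFRPPAXXX0000000003}{2:I202DDDDUS33XXXXN}{4:\n:20:REF0003\n-}"
MSG_MT950_IN = "{1:F01BBBBDEFFAXXX0000000009}{2:I950AAAAFRPPXXXXN}{4:\n:20:STMT01\n-}"


if __name__ == "__main__":
    policy = build_policy()
    for msg in (MSG_MT103_OUT, MSG_MT101_OUT, MSG_MT202_UNKNOWN, MSG_MT950_IN):
        hdr = parse_fin_header(msg)
        print(hdr, policy.check(hdr))
```

The two refusal paths are the point: the MT 202 to DDDDUS33 fails because no relationship exists at all (plain RMA), while the MT 101 to BBBBDEFF fails even though a relationship exists, because that message type was never authorised for that counterparty (RMA+). In production the check would sit in the messaging interface rather than in application code, and inbound messages arrive in output form, which this parser does not handle.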

In the retail payments world, fraudulent payment attempts are common. In the Swift world, which is characterised by very high value, but comparatively low volume payments, they are much rarer; Société Générale has not experienced a fraudulent transaction via Swift. This does not mean it won't happen, but the attempts to date have been unsophisticated. The February 2016 attack on Bangladesh Bank showed that criminals are targeting Swift users and therefore defences have to be strengthened.

Knowing how to fight a fraud or cyber-attack that has not yet happened is challenging. Banks must bring together specialists in payments, Swift, data science and technology to work together and detect the possible ways a fraud might be attempted through Swift. A deep understanding of the flow that comes through the Swift pipes every day will help in pinpointing suspicious transactions. In retail payments, the large volumes mean that machine learning systems can self-learn more easily based on the track-record of frauds; this is not the case with Swift payments yet.

Ideally, internal defences at banks should be combined with defences inside Swift itself. Within a global network like Swift it is often easier to detect fraudulent transactions than it is within a single bank. Such an approach could involve Swift managing a set of generic rules, which are based on Swift members’ experience. This combination of security at individual financial institutions and at Swift would provide the most secure approach. This will take time to build, but is in the direction the industry should head.
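The two preceding paragraphs describe detection built from a deep understanding of a member's own daily flows, with a generic rule set layered on top, rather than from the volume-hungry machine learning used in retail payments. The following is an added example written for this page, not SocGen's or Swift's tooling: it profiles each counterparty/currency corridor from constructed history and scores new instructions against a handful of generic rules (unknown corridor, amount far above the corridor's historical maximum, first payment to a beneficiary, instruction outside business hours, a burst of instructions to one counterparty). The rule weights, thresholds and all payment data are assumptions made for the illustration; timestamps are taken as the sending institution's local time with no timezone handling.

```python
"""Rule-based screening of outgoing payment instructions: added example, not SocGen's or Swift's code.

All payments, weights and thresholds below are constructed for illustration.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Payment:
    ref: str
    ts: datetime        # assumption: sender's local time, no timezone handling
    counterparty: str   # receiving bank, BIC8
    beneficiary: str    # beneficiary account (field 59), simplified to a label
    currency: str
    amount: float


class Baseline:
    """Per-corridor (counterparty, currency) profile built from the member's own history."""

    def __init__(self, history: list[Payment]):
        self.max_amount: dict[tuple[str, str], float] = defaultdict(float)
        self.beneficiaries: dict[tuple[str, str], set[str]] = defaultdict(set)
        for p in history:
            key = (p.counterparty, p.currency)
            self.max_amount[key] = max(self.max_amount[key], p.amount)
            self.beneficiaries[key].add(p.beneficiary)

    def known(self, p: Payment) -> bool:
        return (p.counterparty, p.currency) in self.max_amount


# Each rule returns (weight, reason) when it fires, else None. `recent` holds the timestamps
# of instructions already seen for the same counterparty in this screening run.
def rule_unknown_corridor(p, b, recent):
    if not b.known(p):
        return 2, f"no history for corridor {p.counterparty}/{p.currency}"

def rule_amount_spike(p, b, recent, factor=3.0):
    if b.known(p) and p.amount > factor * b.max_amount[(p.counterparty, p.currency)]:
        return 2, f"amount {p.amount:,.0f} exceeds {factor:g}x the corridor's historical maximum"

def rule_new_beneficiary(p, b, recent):
    if b.known(p) and p.beneficiary not in b.beneficiaries[(p.counterparty, p.currency)]:
        return 1, f"first payment to beneficiary {p.beneficiary}"

def rule_off_hours(p, b, recent):
    if p.ts.weekday() >= 5 or not (7 <= p.ts.hour < 19):
        return 1, "instruction outside business hours"

def rule_burst(p, b, recent, window=timedelta(minutes=10), n=3):
    hits = [t for t in recent if p.ts - window <= t <= p.ts]
    if len(hits) >= n:
        return 1, f"{len(hits)} instructions to {p.counterparty} within {window}"

RULES = [rule_unknown_corridor, rule_amount_spike, rule_new_beneficiary, rule_off_hours, rule_burst]


def score(p: Payment, b: Baseline, recent: list[datetime]) -> tuple[int, list[str]]:
    total, reasons = 0, []
    for rule in RULES:
        hit = rule(p, b, recent)
        if hit:
            total += hit[0]
            reasons.append(hit[1])
    return total, reasons


def screen(history: list[Payment], candidates: list[Payment], threshold: int = 3):
    """Return (ref, score, reasons, flagged) for each candidate, processed in time order."""
    b = Baseline(history)
    recent: dict[str, list[datetime]] = defaultdict(list)
    results = []
    for p in sorted(candidates, key=lambda x: x.ts):
        recent[p.counterparty].append(p.ts)
        s, reasons = score(p, b, recent[p.counterparty])
        results.append((p.ref, s, reasons, s >= threshold))
    return results


# Constructed sample data: a month of ordinary traffic, then a quiet weekday plus a weekend-night burst.
HISTORY = [
    Payment("H1", datetime(2017, 9, 4, 10, 0), "BBBBDEFF", "DE11", "EUR", 50_000),
    Payment("H2", datetime(2017, 9, 12, 11, 30), "BBBBDEFF", "DE22", "EUR", 120_000),
    Payment("H3", datetime(2017, 9, 25, 15, 45), "BBBBDEFF", "DE11", "EUR", 80_000),
    Payment("H4", datetime(2017, 9, 27, 9, 10), "CCCCGB2L", "GB33", "USD", 200_000),
]
CANDIDATES = [
    Payment("P1", datetime(2017, 10, 10, 10, 15), "BBBBDEFF", "DE22", "EUR", 90_000),
    Payment("P2", datetime(2017, 10, 14, 2, 30), "BBBBDEFF", "DE99", "EUR", 900_000),
    Payment("P3", datetime(2017, 10, 14, 2, 31), "BBBBDEFF", "DE98", "EUR", 850_000),
    Payment("P4", datetime(2017, 10, 14, 2, 33), "BBBBDEFF", "DE97", "EUR", 700_000),
    Payment("P5", datetime(2017, 10, 10, 14, 0), "DDDDUS33", "US44", "USD", 10_000),
]

if __name__ == "__main__":
    for ref, s, reasons, flagged in screen(HISTORY, CANDIDATES):
        print(ref, s, "FLAG" if flagged else "ok", reasons)
```

The corridor baseline is the member-specific half of the design: it is cheap to build from a few months of a bank's own MT 103/202 traffic, which is exactly the "deep understanding of the flow" the text calls for. The rule list is the generic half, the sort of thing a network operator could maintain centrally from members' collective experience; here P5 shows why weights matter, since a first payment on a new corridor is worth a look but not, on its own, a block.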

Comments: (1)

Bob Lyddon - Lyddon Consulting Services - Thames Ditton, 09 October 2017, 17:06

And in the meantime major banks have cut off RMA completely for banks with whom no ASI relationship exists on either side (so-called "Non-customer RMA") and implemented RMA+ even with those counterparties where an ASI relationship does exist. This vastly reduces the possibility for MT103 'Cover' payments and indeed much else as well, such as reacting quickly to a customer request for MT101. The rump of remaining messaging that is allowed will indeed be well safeguarded, but at what cost to members and to the value of the network in the medium term? Surely there must be a better way than to cut into one's own flesh (ins eigene Fleisch schneiden, as they say in Germany)? I notice that this issue is not on the SIBOS agenda explicitly, or even implicitly: one supposes this is because the "regulatory guidance" behind it is taken as binding, even though in fact it does not come from regulators at all, but from the Wolfsberg Group.