
Could PCI DSS provide a guide for safeguarding payments over Swift?

09 October 2017

Philippe Lepoutre, deputy head of global transaction and payment services and Thierry Olivier, chief information security officer at SocGen assess Swift's Customer Security Programme (CSP) and how it might evolve in the future to provide a better safety net for interbank payment flows.

A chain is only as strong as its weakest link, which makes Swift's Customer Security Programme (CSP) a necessary step in addressing cyber-crime. As a global network, Swift allows exchanges between different types of banks – from the very largest multinational institutions through to very small banks. The perception is that perhaps some of the smaller banks have not taken cyber security as seriously as they should, which has created weak points in the Swift network.

The fraud attacks on the Swift network were a wakeup call for many Swift members. That is why the CSP is very timely and the whole Swift community should engage with the Programme. CSP will create transparency between members on the Swift network and will be a strong incentive for all banks to show they are not lagging behind when it comes to cyber security.

Initially the CSP assessments are based on self-evaluation, but that may evolve over time to assessments conducted by a third party. The card industry's Payment Card Industry Data Security Standard (PCI DSS) is a good indicator of how CSP has been set up. Most of the card industry players have engaged with PCI DSS, which provides a strong and demanding standard for card security. It is becoming very necessary for the Swift community to engage in a similar type of project.

In the light of recent regulatory moves, there is growing awareness of the need to actively manage Know Your Customer (KYC) risk, particularly between banks. Swift is playing a role with its KYC Registry. Smaller banks, which might be more exposed to cyber risks, would already be assessed as a risk by larger banks because of their size.

Financial institutions are making a range of efforts to streamline their approach to counterparty risk and KYC to ensure they have exchanges only with approved counterparties. Among these efforts is implementation of Swift’s Relationship Management Application+ (RMA+), a filter that enables financial institutions to define which kind of FIN message type(s) they want to receive from, and send to, each of their counterparties. Such tactical approaches help banks to ensure that they do not leave open any links which would not be supported by full KYC compliance.
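RMA+ filtering as described above, modelled as an added illustration that is neither Swift's nor Société Générale's code: an authorisation table keyed by counterparty BIC, a parser for the FIN application header (block 2) that yields direction and message type, and a check that blocks anything not covered by an unexpired authorisation. The BICs, the authorisation table and the sample headers are constructed; the category wildcard and the expiry date are assumptions about how one might model RMA+, not Swift's rules.

```python
"""Model of an RMA+-style filter: decide from a FIN application header whether
an authorisation covers this counterparty, direction and message type."""
import re

# Constructed authorisation table keyed by counterparty BIC11. "1*" authorises
# every category-1 (customer payment) type; an empty set authorises nothing in
# that direction; a missing counterparty has no RMA with us, so all is blocked.
AUTHORISATIONS = {
    "BANKGB2LXXX": {"recv": {"103", "202"}, "send": {"103", "202"},
                    "valid_until": "2018-12-31"},  # ISO dates compare as strings
    "SMALUS33XXX": {"recv": {"1*"}, "send": set(),
                    "valid_until": "2017-06-30"},
}

# Constructed sample headers (text block omitted): one delivered to us (O), one we send (I).
SAMPLE_RECV = "{1:F01MYBKFRPPAXXX0000000000}{2:O1031200171009BANKGB2LAXXX00010001231710091201N}"
SAMPLE_SEND = "{1:F01MYBKFRPPAXXX0000000000}{2:I103SMALUS33AXXXN}"

_BLOCK2 = re.compile(r"\{2:(?P<dir>[IO])(?P<mt>\d{3})(?P<rest>[^}]*)\}")

def lt_to_bic11(lt_address):
    """A 12-char logical terminal address is BIC8 + LT code + 3-char branch."""
    return lt_address[:8] + lt_address[9:12]

def parse_app_header(fin_text):
    """Return (direction, message type, counterparty BIC11) from block 2.
    'I' (input) is a message we send: the receiver's LT address follows the MT.
    'O' (output) is a message delivered to us: the sender's LT address sits in
    the MIR, after the 4-char input time and the 6-char input date."""
    m = _BLOCK2.search(fin_text)
    if not m:
        raise ValueError("no application header (block 2) found")
    rest = m["rest"]
    if m["dir"] == "I":
        return "send", m["mt"], lt_to_bic11(rest[:12])
    return "recv", m["mt"], lt_to_bic11(rest[10:22])

def rma_permits(fin_text, today):
    """Return (allowed, reason). Allowed only when an unexpired authorisation
    lists the exact type, or its category wildcard, for this direction."""
    direction, mt, bic = parse_app_header(fin_text)
    auth = AUTHORISATIONS.get(bic)
    if auth is None:
        return False, f"no RMA authorisation with {bic}: message blocked"
    if today > auth["valid_until"]:
        return False, f"authorisation with {bic} expired on {auth['valid_until']}"
    if mt in auth[direction] or mt[0] + "*" in auth[direction]:
        return True, f"MT{mt} {direction} authorised with {bic}"
    return False, f"MT{mt} not authorised for {direction} with {bic}"
```

Run against a live flow, the reject reasons are what a payments operations team would want logged: the counterparty, the direction and the message type that fell outside the agreed RMA+ scope.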

In the retail payments world, fraudulent payment attempts are common. In the Swift world, which is characterised by very high value, but comparatively low volume payments, they are much rarer; Société Générale has not experienced a fraudulent transaction via Swift. This does not mean it won't happen, but the attempts to date have been unsophisticated. The hacking attack on Bank of Bangladesh showed that criminals are targeting Swift and therefore defences have to be strengthened.

Knowing how to fight a fraud or cyber-attack that has not yet happened is challenging. Banks must bring together specialists in payments, Swift, data science and technology to work together and detect the possible ways a fraud might be attempted through Swift. A deep understanding of the flow that comes through the Swift pipes every day will help in pinpointing suspicious transactions. In retail payments, the large volumes mean that machine learning systems can self-learn more easily based on the track-record of frauds; this is not the case with Swift payments yet.

Ideally, internal defences at banks should be combined with defences inside Swift itself. Within a global network like Swift it is often easier to detect fraudulent transactions than it is within a single bank. Such an approach could involve Swift managing a set of generic rules, which are based on Swift members’ experience. This combination of security at individual financial institutions and at Swift would provide the most secure approach. This will take time to build, but is in the direction the industry should head.

Comments: (1)

Bob Lyddon
Bob Lyddon - Lyddon Consulting Services - Thames Ditton | 09 October, 2017, 17:06

And in the meantime major banks have cut off RMA completely for banks with whom no ASI relationship exists on either side (so-called "Non-customer RMA") and implemented RMA+ even with those counterparties where an ASI relationship does exist. This vastly reduces the possibility for MT103 'Cover' payments and indeed much else as well, such as reacting quickly to a customer request for MT101. The rump of remaining messaging that is allowed will indeed be well safeguarded, but at what cost to members and to the value of the network in the medium term? Surely there must be a better way than to cut into one's own flesh (ins eigene Fleisch schneiden, as they say in Germany)? I notice that this issue is not on the SIBOS agenda explicitly, or even implicitly: one supposes this is because the "regulatory guidance" behind it is taken as binding, even though in fact it does not come from regulators at all, but from the Wolfsberg Group.
