Whether you work at a bank or at the treasury desk of a large corporate, most of us are working remotely and becoming increasingly dependent on digital processes. This dependence can increase vulnerabilities to cyber attacks.
A session all about the cyber threats the sector faces was a highlight on day 2 of Swift's Community Update - Focus on Europe virtual event, which explored how fraudsters perpetrate an attack and attempt to legitimise their ill-gotten gains, as well as how the industry is working together to fight back.
Hacking the system
Fraudsters targeting financial services are not going away. Despite the technological advancements in security in recent years, it is still the human factor - usually through an email compromise - that is the easiest way into a bank's network.
Attackers are well-resourced, constantly evolving their modus operandi and racing to make use of new technologies such as artificial intelligence and machine learning.
Some of the payment fraud trends Swift has observed include:
- Attackers targeting banks which process a low amount of cross-border payments and are based in countries with a high or very high risk rating on the Basel AML Country Corruption List, for example in regions such as Africa, South East Asia and Latin America
- The amounts sent in individual fraudulent transactions have significantly reduced, from tens of millions of US dollars, to between 250,000 and two million US dollars
- Attackers historically would have issued fraudulent payments outside of working hours, but this is now more likely to occur during working hours.
Follow the money
A series of steps, namely preparation, placement, layering and integration, is integral to getting away with a hack: it helps fraudsters cover their tracks and cash out following successful attacks. The preparation phase involves activities such as setting up front companies and recruiting money mules.
"Money mules act as an effective intermediary between the initial cyber attack and the onward transfer of the funds to the criminal and threat groups behind these attacks," said Simon Viney, cybersecurity financial services sector lead at BAE Systems. "They help to obfuscate the chain of events in the money trail."
The placement phase follows, which is where the cyber attack and the initial transfer of funds actually occur. Foreign currency exchanges, cash-intensive businesses, and front companies are used in the layering phase to launder the stolen cash. Front companies are often set up in jurisdictions known for strong banking secrecy laws, or where there's poor enforcement of money laundering regulations. Then the integration phase sees the money actually being spent.
Tackling the threat
The community-wide response to cyber threats was led by Swift and its Customer Security Programme (CSP) that launched in 2016. Brett Lancaster, head of the CSP at Swift, described it as a multi-year, multi-faceted initiative to raise the bar of overall cyber hygiene across the entire Swift customer base.
"CSP is agnostic, it doesn't matter whether you are a market infrastructure or a corporate, a securities player or an independent service provider," Lancaster said. "Whether you're dealing with securities or payments on treasuries or trade in terms of your business, it doesn't matter. All 11,000 customers on Swift have to go to the same principles."
At the heart of the CSP is a set of controls that should be used as part of day-to-day hygiene. They're based on industry standard cyber practice, such as NIST, ISO 27000 and PCI DSS, and are essentially there to help raise the bar of community cyber protection.
"Every year we try and raise the bar slightly, by adding either more controls to ones that are optional, or indeed promoting ones that are optional to be mandatory," Lancaster noted.
CSP also includes pattern detection, counterparty risk management measures, and information sharing through the Swift Information Sharing and Analysis Centre (ISAC).
Banks need to comply with Swift's customer security controls, but on top of that there is an array of information from the KYC-Security Attestation (KYC-SA) portal to be managed. As a large transaction bank with thousands of counterparties, Deutsche Bank decided to take a risk-based approach to implementation.
"We have to start by looking at high risk countries first and high risk counterparties that have given rise to concern in terms of cyber risk exposure," said Leif Simon, director, transactions surveillance solutions at Deutsche Bank. "Also, it's not just about cyber risk in itself, but we see a correlation between other risk items such as anti-money laundering, and tax evasion."
It was clear from the discussion that it is important for every institution to think about the risk framework that is appropriate to them, and that there is no one-size-fits-all approach.
"It's really important to recognise that existing relationships in the black book are customers of ours as well as counterparties, and indeed those customer counterparties provide services on behalf of our customers as well," noted Stuart Bailey, head of industry, strategy and design, payments CIO at Lloyds Bank. "As we look to assess the risk, we also have to look at the implications in terms of how do we deliver trade finance services, for example. What type of payments are we doing in which regions? What alternatives do we have and how risky are those? It's important to understand the nuance in the implications on the bank and its services and the customers."
The Swift KYC-SA has recently added a 'grant all' function. This feature, which automatically grants attestation data access requests received from existing messaging correspondents, was discussed by the panellists.
"We believe the grant all feature will certainly reduce the operational burden of these requests coming in and out, because we will be able to now get that without a lot of manual intervention," said Simon. "Another important aspect of introducing the grant all feature is that it will reduce the number of non-respondents to data requests. We still have a relatively large blind spot in our requests to our counterparties from non-respondents, so we hope that we can reduce that blind spot considerably with the grant all feature."