Over the past couple of years, the financial sector has become a prime target for cybercriminals and fraudsters across the globe. This was inevitable, given the amount of money that can potentially be stolen, and a major headache for both banks and their customers. TransUnion, a global information company, found for example that there was a 149% rise in suspected global digital fraud attempts on financial services between the final four months of 2020 and the first four months of 2021.¹

Several of these attacks targeted payment messaging via the SWIFT network. When the fraud protection specialist Eastnets surveyed 200 banks worldwide in the summer of 2019, 80% stated they had experienced at least one SWIFT-related fraud attempt since 2016. In addition, two in three survey participants felt that SWIFT cyber-crime attempts had increased over the period, with only two in five banks being “very confident” that they had detected every attempt at cyber fraud reaching its systems via the network.²

“In the past, there was the understanding that everything that is being sent on the SWIFT network is safe. This changed when we saw prominent breaches”
Leif Simon, Director Transaction Surveillance Solutions, Cash Management at Deutsche Bank

The most prominent bank attack occurred in February 2016 when hackers manipulated the internal systems of the Bangladesh central bank by deploying trusted Windows software.³ The attackers then issued 35 bogus payment requests via the SWIFT network to illegally transfer close to US$951m. Thirty were intercepted while five of these fraudulent instructions were authorised and paid which led to a withdrawal of US$81m.⁴

The Bangladesh Bank heist was a turning point for the financial industry. “In the past, there was the understanding that everything that is being sent on the SWIFT network is safe. This changed when we saw prominent breaches,” said Leif Simon, Director Transaction Surveillance Solutions, Cash Management at Deutsche Bank in a webinar hosted by Eastnets and Finextra on 17 February.

The webinar provided a deep dive into the Customer Security Programme (CSP) which SWIFT launched in 2016 to ensure that banks put in place “defences against cyberattacks that are up to date and effective” and “to protect the integrity of the wider financial network”, as the financial message provider states on its website.⁵ According to Simon, the CSP has created “a level playing field” for SWIFT’s 11,000 members that are connected to the provider’s messaging platform, products and services. “We now have a minimum standard that everyone in the network has to adhere to, which solves the problem of the weakest link,” he explained.

However, as cybercriminals ramp up their efforts and new fraud techniques evolve, SWIFT is regularly updating its Customer Control Framework (see Figure 1). The participants of the webinar reviewed what banks should know about the upcoming changes to the CSCF and how best to prepare for staying compliant in 2022. Simon was joined by fellow panellists Saeed Patel, Eastnets Group Product Development Management Director and Ivi Soomägi, SWIFT CSP Coordinator at SEB Group. Moderating the session was Gary Wright, Head of Research at Finextra.

Evaluating what is changing this year begins with a look at how the CSCF works: from 2016 onwards SWIFT has introduced mandatory and advisory security controls for all its users. While the mandatory controls must be implemented on their local SWIFT infrastructure, the advisory controls are based on recommended practice that the financial message provider endorses all users put in place.⁶ As Figure 1 shows, some advisory controls have become mandatory over time, and new controls have been added in response to new threats in the cybersecurity space.

“Financial institutions will need to identify abnormalities in the messages, which I believe is a radical change”
Saeed Patel, Group Product Development Management Director at Eastnets

In July 2021, SWIFT published its latest version of the CSCF with the deadline for compliance by financial institutions at the end of this year. “In 2022, SWIFT is introducing radical changes to its CSP,” Eastnets’ Patel said. “For the first time, it will become mandatory for banks to implement an anti-fraud solution.” Previously this was voluntary.

Technically speaking, it means that all financial institutions connected to SWIFT must comply with Control 2.9 (Transaction Business Controls) requirements by year-end. “Financial institutions will need to identify abnormalities in the messages, which I believe is a radical change,” added Patel.

These abnormalities include, for example, traffic outside of normal business hours or unusual activities with respect to beneficiaries, source, currencies or countries. As Patel pointed out, in implementing these changes to its CSCF, SWIFT aims to remove a potential gateway for hackers as “ransomware develops intelligence around your operation”. “In the case of Bangladesh, the bank was hit outside its usual business hours,” he recalled.

The big question, however, is what is defined as abnormal behaviour? As Deutsche Bank’s Simon noted: “There is no black-and-white answer to this, which makes compliance with section 2.9 so difficult.” He suggested that each bank should evaluate the payment products it offers, the clientele for each product and how clients are using them. “In the retail banking business, a payment amount of €100.000 may be abnormal; for a corporate bank it is not,” he added as an example.

Given these complexities and the volumes that transactions banks must process daily, Patel believes that “you need to have machine learning and artificial intelligence adopted extensively in your operations to detect unusual activities and patterns”. Furthermore, having real time detection is imperative: “You need to block messages before they are fully executed,” he stressed. Section 2.9 also requires FIs to implement a real-time reconciliation model, which validates that the message exists in the back-office application before being released to the SWIFT network.

While the requirements on banks are increasing, a poll question during the webinar showed that several financial service providers are still unfamiliar with the latest changes to CSCF (see Figure 2) – despite the end-2022 compliance deadline.

But what about the internal work? How can a bank ensure that each business function is aware of its requirements under the CSP? “This is not easy to track,” admitted SEB’s Soomägi. In her role, she is responsible for notifying the business within the banking group of any changes to the CSP, setting up training and educating internal colleagues. “Only when you are making the assessments can you really see how the business has implemented controls.”

From 2021, financial institutions are also required to mandate an independent assessor, which aims to provide other members of the network with greater security that its counterparties are compliant. Yet, as the second poll question showed, nearly one in five webinar participants either may not be ready for the year-end deadline or said they need help (see Figure 3).

Sources

¹ See https://bit.ly/3vJrlx1 at transunion.com
² See https://bit.ly/3hLEYDF at eastnets.com
³ See https://bit.ly/3sOBFSz at deloitte.com
⁴ See https://bit.ly/3pMyc53 at assets.kpmg
⁵ See https://bit.ly/3pKPpvE at swift.com
⁶ See https://bit.ly/3HQswx9 at swift.com