Cash Management, Technology
Keeping the SWIFT network secure
09 March 2022
As the number of cyber attacks on financial institutions increases, SWIFT needs to further safeguard its network. flow’s Desirée Buchholz reports on why the Customer Security Programme is key – and how banks should prepare for the upcoming changes in 2022
Over the past couple of years, the financial sector has become a prime target for cybercriminals and fraudsters across the globe. This was inevitable, given the amount of money that can potentially be stolen, and a major headache for both banks and their customers. TransUnion, a global information company, found for example that there was a 149% rise in suspected global digital fraud attempts on financial services between the final four months of 2020 and the first four months of 2021.[1]
Several of these attacks targeted payment messaging via the SWIFT network. When the fraud protection specialist Eastnets surveyed 200 banks worldwide in the summer of 2019, 80% stated they had experienced at least one SWIFT-related fraud attempt since 2016. In addition, two in three survey participants felt that SWIFT cyber-crime attempts had increased over the period, with only two in five banks being “very confident” that they had detected every attempt at cyber fraud reaching its systems via the network.[2]
The most prominent bank attack occurred in February 2016, when hackers manipulated the internal systems of the Bangladesh central bank by deploying trusted Windows software.[3] The attackers then issued 35 bogus payment requests via the SWIFT network to illegally transfer close to US$951m. Thirty were intercepted, while five of these fraudulent instructions were authorised and paid, which led to a withdrawal of US$81m.[4]
Protecting the integrity of the SWIFT network
The Bangladesh Bank heist was a turning point for the financial industry. “In the past, there was the understanding that everything that is being sent on the SWIFT network is safe. This changed when we saw prominent breaches,” said Leif Simon, Director Transaction Surveillance Solutions, Cash Management at Deutsche Bank in a webinar hosted by Eastnets and Finextra on 17 February.
The webinar provided a deep dive into the Customer Security Programme (CSP) which SWIFT launched in 2016 to ensure that banks put in place “defences against cyberattacks that are up to date and effective” and “to protect the integrity of the wider financial network”, as the financial message provider states on its website.[5] According to Simon, the CSP has created “a level playing field” for SWIFT’s 11,000 members that are connected to the provider’s messaging platform, products and services. “We now have a minimum standard that everyone in the network has to adhere to, which solves the problem of the weakest link,” he explained.
However, as cybercriminals ramp up their efforts and new fraud techniques evolve, SWIFT is regularly updating its Customer Security Control Framework (CSCF) (see Figure 1). The participants of the webinar reviewed what banks should know about the upcoming changes to the CSCF and how best to prepare for staying compliant in 2022. Simon was joined by fellow panellists Saeed Patel, Eastnets Group Product Development Management Director, and Ivi Soomägi, SWIFT CSP Coordinator at SEB Group. Moderating the session was Gary Wright, Head of Research at Finextra.
Figure 1: SWIFT enhancements of its Customer Security Control Framework (CSCF)
Identifying abnormal behaviour
Evaluating what is changing this year begins with a look at how the CSCF works: from 2016 onwards, SWIFT has introduced mandatory and advisory security controls for all its users. While the mandatory controls must be implemented on users’ local SWIFT infrastructure, the advisory controls are based on recommended practice that the financial message provider advises all users to put in place.[6] As Figure 1 shows, some advisory controls have become mandatory over time, and new controls have been added in response to new threats in the cybersecurity space.
In July 2021, SWIFT published its latest version of the CSCF with the deadline for compliance by financial institutions at the end of this year. “In 2022, SWIFT is introducing radical changes to its CSP,” Eastnets’ Patel said. “For the first time, it will become mandatory for banks to implement an anti-fraud solution.” Previously this was voluntary.
Technically speaking, it means that all financial institutions connected to SWIFT must comply with Control 2.9 (Transaction Business Controls) requirements by year-end. “Financial institutions will need to identify abnormalities in the messages, which I believe is a radical change,” added Patel.
These abnormalities include, for example, traffic outside of normal business hours or unusual activities with respect to beneficiaries, source, currencies or countries. As Patel pointed out, in implementing these changes to its CSCF, SWIFT aims to remove a potential gateway for hackers as “ransomware develops intelligence around your operation”. “In the case of Bangladesh, the bank was hit outside its usual business hours,” he recalled.
The big question, however, is what is defined as abnormal behaviour? As Deutsche Bank’s Simon noted: “There is no black-and-white answer to this, which makes compliance with section 2.9 so difficult.” He suggested that each bank should evaluate the payment products it offers, the clientele for each product and how clients are using them. “In the retail banking business, a payment amount of €100.000 may be abnormal; for a corporate bank it is not,” he added as an example.
Given these complexities and the volumes that transaction banks must process daily, Patel believes that “you need to have machine learning and artificial intelligence adopted extensively in your operations to detect unusual activities and patterns”. Furthermore, having real-time detection is imperative: “You need to block messages before they are fully executed,” he stressed. Section 2.9 also requires FIs to implement a real-time reconciliation model, which validates that the message exists in the back-office application before it is released to the SWIFT network.
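The checks the panellists describe can be sketched as a rule-based pre-release screen. This is an added example, not code from SWIFT, Eastnets or the banks quoted, and it uses fixed rules rather than the machine learning Patel recommends. The class names, thresholds, business hours and sample payments are all constructed assumptions; the two €100,000 samples mirror Simon's retail versus corporate example.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Payment:            # hypothetical, simplified outbound payment instruction
    ref: str
    product: str          # "retail" or "corporate"
    amount_eur: float
    beneficiary: str
    country: str
    created: datetime     # local time at the sending institution

@dataclass(frozen=True)
class Profile:            # hypothetical per-product baseline, set by each bank
    open_at: time
    close_at: time
    max_amount_eur: float
    countries: frozenset
    beneficiaries: frozenset

def screen(p, profiles, back_office):
    """Return the reasons to hold a payment; an empty list means release."""
    reasons = []
    # Reconciliation: the instruction must match a record in the back-office application.
    if back_office.get(p.ref) != (p.amount_eur, p.beneficiary):
        reasons.append("not reconciled with back office")
    prof = profiles[p.product]
    if p.created.weekday() >= 5 or not prof.open_at <= p.created.time() <= prof.close_at:
        reasons.append("outside business hours")
    if p.amount_eur > prof.max_amount_eur:
        reasons.append("amount unusual for product")
    if p.country not in prof.countries:
        reasons.append("unusual country")
    if p.beneficiary not in prof.beneficiaries:
        reasons.append("new beneficiary")
    return reasons

# Constructed sample data: profiles, back-office records and payments are invented.
PROFILES = {"retail": Profile(time(8), time(18), 50_000, frozenset({"DE"}), frozenset({"ACME GMBH"})),
            "corporate": Profile(time(8), time(18), 5_000_000, frozenset({"DE"}), frozenset({"ACME GMBH"}))}
BACK_OFFICE = {"TX1": (100_000.0, "ACME GMBH"), "TX2": (100_000.0, "ACME GMBH")}
SAMPLES = [
    Payment("TX1", "corporate", 100_000.0, "ACME GMBH", "DE", datetime(2022, 3, 9, 10, 30)),
    Payment("TX2", "retail", 100_000.0, "ACME GMBH", "DE", datetime(2022, 3, 9, 10, 30)),
    Payment("TX3", "corporate", 900_000.0, "UNKNOWN LTD", "ZZ", datetime(2022, 3, 12, 2, 15)),
]

def held():
    return {p.ref: screen(p, PROFILES, BACK_OFFICE) for p in SAMPLES}
```

Calling `held()` shows the same amount released for the corporate product and held for retail, while the weekend instruction with no back-office record is held on several grounds at once.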
How to deal with non-compliant counterparties
While the requirements on banks are increasing, a poll question during the webinar showed that several financial service providers are still unfamiliar with the latest changes to CSCF (see Figure 2) – despite the end-2022 compliance deadline.
Figure 2: Level of understanding among FIs on 2022 changes
Source: Finextra Webinar
Drawing on these results, moderator Gary Wright asked Deutsche Bank’s Simon how the Bank uses counterparty attestation data – given that in an interconnected network like SWIFT each bank depends on its counterparties to help protect the ecosystem.
“After six years of the CSP, we see very few areas of non-compliance among our counterparties – and if so, they are typically minor and relate to advisory controls,” said Simon. Using the analogy of a car, he reflected, “If the brakes are not working that is a problem; but if it’s one of the headlights you can deal with it – at least for a short time.” However, he stressed that it was never the intention to stop business with a counterparty because they were not compliant with one or two controls of the CSP. “We are, rather, trying to understand why they were not compliant and what steps they are taking to become compliant.”
Real time reconciliation is key
But what about the internal work? How can a bank ensure that each business function is aware of its requirements under the CSP? “This is not easy to track,” admitted SEB’s Soomägi. In her role, she is responsible for notifying the business within the banking group of any changes to the CSP, setting up training and educating internal colleagues. “Only when you are making the assessments can you really see how the business has implemented controls.”
From 2021, financial institutions are also required to mandate an independent assessor, which aims to provide other members of the network with greater security that their counterparties are compliant. Yet, as the second poll question showed, nearly one in five webinar participants either may not be ready for the year-end deadline or said they need help (see Figure 3).
Figure 3: Some FIs risk missing the compliance deadline
Source: Finextra Webinar
Assessing these results, Eastnets’ Patel stressed: “We believe that these mandatory changes are essential to keep the industry secure and safe, because financial criminals have armies of technologists themselves. Technology providers, regulators and financial institutions should therefore join forces to ensure that the banking sector is one step ahead – which is why CSP is so important.”