Fraud and cyber high alert: the new normal?

Cyber security is top of mind for industry executives, as high-profile security breaches continue to reverberate. SWIFT’s Customer Security Programme (CSP) has mobilised its members to take decisive action. What benefits are being gained from such collaboration? In an industry where robust safeguards at one institution can be undermined by weak security at another, is it time to include cyber exposure as an element of Know Your Customer (KYC) risk? How can banks use RMA+ to better manage correspondent relationships and related risk? What is the landscape of payment risks and how do institutions best protect themselves? With cyber risk here to stay, what skill sets should banks develop and recruit in order to protect themselves and their community?

A chain is only as strong as its weakest link, which makes SWIFT’s Customer Security Programme (CSP) a necessary step in addressing cyber-crime. As a global network, SWIFT allows exchanges between different types of banks – from the very largest multinational institutions through to very small banks. The perception is that perhaps some of the smaller banks have not taken cyber security as seriously as they should, which has created weak points in the SWIFT network. The fraud attacks on the SWIFT network were a wake-up call for many SWIFT members. That is why the CSP is very timely and the whole SWIFT community should engage with the Programme. CSP will create transparency between members on the SWIFT network and will be a strong incentive for all banks to show they are not lagging behind when it comes to cyber security.

Initially the CSP assessments are based on self-evaluation, but that may evolve over time to assessments conducted by a third party. The card industry’s Payment Card Industry Data Security Standard (PCI DSS) is a good indicator of how CSP has been set up. Most of the card industry players have engaged with PCI DSS, which provides a strong and demanding standard for card security. It is becoming very necessary for the SWIFT community to engage in a similar type of project.

In the light of recent regulatory moves, there is growing awareness of the need to actively manage Know Your Customer (KYC) risk, particularly between banks. SWIFT is playing a role with its KYC Registry. Smaller banks, which might be more exposed to cyber risks, would already be assessed as a risk by larger banks because of their size.

Financial institutions are making a range of efforts to streamline their approach to counterparty risk and KYC to ensure they have exchanges only with approved counterparties. Among these efforts is implementation of SWIFT’s RMA+, a filter that enables financial institutions to define which kind of FIN message type(s) they want to receive from, and send to, each of their counterparties. Such tactical approaches help banks to ensure that they do not leave open any links which would not be supported by full KYC compliance.

We are in the early days of applying technology to the issue and although technological capabilities are developing rapidly, we still need to combine that with human experience and understanding of SWIFT payments.

Philippe Lepoutre
Deputy Head of Global Transaction & Payment Services
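The per-counterparty message-type filter described above, modelled as an added example. This is not SWIFT's RMA+ implementation and not Societe Generale's code: it shows the property that matters, that for each counterparty BIC only the FIN message types explicitly authorised in each direction get through and everything else is rejected. All BICs, the authorisation table and the messages are constructed for illustration, and the "Nxx" category wildcard is an assumption of this model rather than a documented RMA+ feature.

```python
"""
Added example, not SWIFT's RMA+ implementation or Societe Generale's code:
a minimal model of a per-counterparty FIN message-type filter. For each
counterparty BIC the institution lists which MT types it will receive from and
send to that counterparty; anything not listed is rejected (default deny).
BICs, the table and the messages are constructed for illustration, and the
"Nxx" category wildcard is an assumption of this model.
"""
from __future__ import annotations
from dataclasses import dataclass, field

OUR_BIC = "OURBFRPPXXX"  # constructed: the institution running the filter


@dataclass(frozen=True)
class Authorisation:
    """MT types permitted with one counterparty, per direction.
    Entries are exact MT numbers ("103") or a category wildcard ("9xx")."""
    receive: frozenset[str] = field(default_factory=frozenset)
    send: frozenset[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class FinMessage:
    sender: str    # sender BIC
    receiver: str  # receiver BIC
    mt: str        # MT number as a string, e.g. "103", "202", "940"


# constructed authorisation table: counterparty BIC -> what we exchange with it
RMA_TABLE: dict[str, Authorisation] = {
    # full correspondent relationship: payments, cover payments, reporting
    "CPTYDEFFXXX": Authorisation(receive=frozenset({"103", "202", "9xx"}),
                                 send=frozenset({"103", "202", "9xx"})),
    # one-way relationship: we pay them, we only accept their statements
    "SMALUS33XXX": Authorisation(receive=frozenset({"9xx"}),
                                 send=frozenset({"103"})),
}


def _type_allowed(mt: str, allowed: frozenset[str]) -> bool:
    """True if the exact MT or its category wildcard is in the allowed set."""
    return mt in allowed or f"{mt[0]}xx" in allowed


def check(msg: FinMessage, table: dict[str, Authorisation] = RMA_TABLE) -> tuple[bool, str]:
    """Apply the filter to one message; returns (allowed, reason).
    Messages with a counterparty that has no entry, or of a type not
    authorised for that direction, are rejected."""
    if msg.receiver == OUR_BIC:
        cpty, direction = msg.sender, "receive"
    elif msg.sender == OUR_BIC:
        cpty, direction = msg.receiver, "send"
    else:
        return False, "message does not involve this institution"
    auth = table.get(cpty)
    if auth is None:
        return False, f"no authorisation with {cpty}"
    allowed = auth.receive if direction == "receive" else auth.send
    if not _type_allowed(msg.mt, allowed):
        return False, f"MT{msg.mt} not authorised to {direction} with {cpty}"
    return True, "authorised"


def filter_batch(msgs: list[FinMessage]) -> tuple[list[FinMessage], list[tuple[FinMessage, str]]]:
    """Split a batch into accepted messages and (message, reason) rejections."""
    accepted, rejected = [], []
    for m in msgs:
        ok, why = check(m)
        if ok:
            accepted.append(m)
        else:
            rejected.append((m, why))
    return accepted, rejected


if __name__ == "__main__":
    batch = [  # constructed traffic
        FinMessage("CPTYDEFFXXX", OUR_BIC, "103"),  # authorised inbound payment
        FinMessage("SMALUS33XXX", OUR_BIC, "103"),  # payment from a statements-only counterparty
        FinMessage("SMALUS33XXX", OUR_BIC, "940"),  # authorised inbound statement (9xx)
        FinMessage("UNKNGB2LXXX", OUR_BIC, "103"),  # no relationship at all
        FinMessage(OUR_BIC, "CPTYDEFFXXX", "202"),  # authorised outbound cover payment
    ]
    accepted, rejected = filter_batch(batch)
    print(f"accepted {len(accepted)}, rejected {len(rejected)}")
    for m, why in rejected:
        print(f"  REJECT {m.sender} -> {m.receiver} MT{m.mt}: {why}")
```

The point to check in any such filter is the default: a payment instruction from a counterparty with no entry, or from a counterparty authorised only for statements, must be dropped before it reaches the back-office application, even though the sender has a perfectly valid SWIFT connection. That is what closes the "open links" the text refers to; an allow-list that silently falls back to accept-all when a counterparty is missing from the table gives no protection at all.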

In the retail payments world, fraudulent payment attempts are common. In the SWIFT world, which is characterised by very high value, but comparatively low volume payments, they are much rarer; Societe Generale has not experienced a fraudulent transaction via SWIFT. This does not mean it won’t happen, but the attempts to date have been unsophisticated. The hacking attack on Bank of Bangladesh showed that criminals are targeting SWIFT and therefore defences have to be strengthened.

Knowing how to fight a fraud or cyber-attack that has not yet happened is challenging. Banks must bring together specialists in payments, SWIFT, data science and technology to work together and detect the possible ways a fraud might be attempted through SWIFT. A deep understanding of the flow that comes through the SWIFT pipes every day will help in pinpointing suspicious transactions. In retail payments, the large volumes mean that machine learning systems can self-learn more easily based on the track-record of frauds; this is not the case with SWIFT payments yet.

Ideally, internal defences at banks should be combined with defences inside SWIFT itself. Within a global network like SWIFT it is often easier to detect fraudulent transactions than it is within a single bank. Such an approach could involve SWIFT managing a set of generic rules, which are based on SWIFT members’ experience. This combination of security at individual financial institutions and at SWIFT would provide the most secure approach. This will take time to build, but is in the direction the industry should head.

Thierry Olivier
Group Chief Information Security Officer, Societe Generale
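The two paragraphs above argue for detection built from knowledge of the daily flow and from a set of explicit, experience-based rules rather than from a trained model, because SWIFT volumes are too low to learn from. As an added example (not Societe Generale's or SWIFT's own rules, and separate from the page), the block below builds a per-ordering-account profile from past instructions and scores each new instruction against it with plain, explainable rules. The record layout, rule weights, thresholds, account identifiers, BICs and every payment are constructed for illustration.

```python
"""
Added example, not Societe Generale's or SWIFT's code: a rule-based screen
for outbound payment instructions that compares each instruction with the
ordering account's own historical flow. Rules are explicit and explainable,
which is the realistic option when volumes are too low to train a model.
The record layout, rule weights, thresholds and all data are constructed
for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Payment:
    """One MT103-like outbound instruction (constructed simplification)."""
    ts: datetime     # when the instruction was submitted
    ordering: str    # ordering customer account
    bene_bank: str   # beneficiary bank BIC
    bene_acct: str   # beneficiary account
    amount: float
    currency: str


class RouteProfile:
    """What 'normal' looks like for one ordering account, from past flow."""

    def __init__(self) -> None:
        self.bene_banks: set[str] = set()
        self.bene_accts: set[str] = set()
        self.currencies: set[str] = set()
        self.max_amount = 0.0
        self.count = 0

    def observe(self, p: Payment) -> None:
        self.bene_banks.add(p.bene_bank)
        self.bene_accts.add(p.bene_acct)
        self.currencies.add(p.currency)
        self.max_amount = max(self.max_amount, p.amount)
        self.count += 1


def build_profiles(history: list[Payment]) -> dict[str, RouteProfile]:
    profiles: dict[str, RouteProfile] = {}
    for p in history:
        profiles.setdefault(p.ordering, RouteProfile()).observe(p)
    return profiles


# constructed weights and thresholds; a real deployment tunes these from incidents
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, submitting-office local time
AMOUNT_SPIKE_FACTOR = 3.0      # flag if amount > factor x largest past amount
HOLD_THRESHOLD = 4             # score at or above this is held for review


def score(p: Payment, profiles: dict[str, RouteProfile]) -> tuple[int, list[str]]:
    """Return (score, reasons). An ordering account with no history gets an
    empty profile, so every 'new' rule fires and the payment is held."""
    prof = profiles.get(p.ordering, RouteProfile())
    s, reasons = 0, []
    if p.bene_bank not in prof.bene_banks:
        s += 3; reasons.append("NEW_BENEFICIARY_BANK")
    if p.bene_acct not in prof.bene_accts:
        s += 2; reasons.append("NEW_BENEFICIARY_ACCOUNT")
    if prof.max_amount and p.amount > AMOUNT_SPIKE_FACTOR * prof.max_amount:
        s += 2; reasons.append("AMOUNT_SPIKE")
    if p.currency not in prof.currencies:
        s += 1; reasons.append("UNUSUAL_CURRENCY")
    if p.ts.weekday() >= 5 or p.ts.hour not in BUSINESS_HOURS:
        s += 2; reasons.append("OFF_HOURS")
    return s, reasons


def decide(p: Payment, profiles: dict[str, RouteProfile]) -> str:
    s, _ = score(p, profiles)
    if s >= HOLD_THRESHOLD:
        return "HOLD"      # do not release; human review before sending
    return "REVIEW" if s else "RELEASE"


# constructed history: one corporate account paying two UK accounts in USD,
# weekday mornings, between 1.0M and 4.5M
HISTORY = [
    Payment(datetime(2017, 1, 2, 9, 30), "ACC-CORP-01", "BENEGB2LXXX", "GB-001", 1_000_000, "USD"),
    Payment(datetime(2017, 1, 3, 10, 0), "ACC-CORP-01", "BENEGB2LXXX", "GB-002", 2_500_000, "USD"),
    Payment(datetime(2017, 1, 4, 9, 45), "ACC-CORP-01", "BENEGB2LXXX", "GB-001", 4_500_000, "USD"),
    Payment(datetime(2017, 1, 5, 11, 15), "ACC-CORP-01", "BENEGB2LXXX", "GB-002", 3_000_000, "USD"),
]
PROFILES = build_profiles(HISTORY)

# constructed candidates for screening
NORMAL = Payment(datetime(2017, 1, 10, 10, 0), "ACC-CORP-01", "BENEGB2LXXX", "GB-001", 2_000_000, "USD")
NEW_ACCOUNT = Payment(datetime(2017, 1, 11, 11, 0), "ACC-CORP-01", "BENEGB2LXXX", "GB-003", 3_000_000, "USD")
# Saturday 02:00, unknown beneficiary bank and account, far above any past amount
SUSPICIOUS = Payment(datetime(2017, 1, 7, 2, 0), "ACC-CORP-01", "NEWBPHMMXXX", "PH-777", 20_000_000, "USD")
UNKNOWN_ORDERING = Payment(datetime(2017, 1, 11, 11, 0), "ACC-GHOST-09", "BENEGB2LXXX", "GB-001", 500_000, "EUR")

if __name__ == "__main__":
    for p in (NORMAL, NEW_ACCOUNT, SUSPICIOUS, UNKNOWN_ORDERING):
        s, why = score(p, PROFILES)
        print(f"{decide(p, PROFILES):7} score={s} {p.ordering} -> {p.bene_bank}/{p.bene_acct} {why}")
```

Two caveats a practitioner would add. The profile is only as trustworthy as the history it is built from, so the baseline must come from reconciled, confirmed transactions rather than from whatever the messaging interface has emitted. And the screen only helps if it runs on a system that an attacker who controls the operator workstation or the messaging interface cannot also switch off, which is the same separation argument the text makes for combining defences inside the bank with defences at SWIFT.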