The SWIFT Customer Security Programme
SWIFT, which is mainly known as the network for the standardised exchange of messaging and transactions between affiliated financial institutions and companies, now offers a range of products for the processing of payment transactions to thousands of industry customers. Yet even SWIFT has reported increased attacks by hackers on the infrastructure of their users in recent years. The Central Bank of Bangladesh is the most prominent example, suffering a loss of USD 81 million (initially billion dollar losses were reported). The Turkish Akbank and the Ecuadorian Banco Del Austro were also hit by losses worth millions. There are also further incidents, which were never made public for fear of reputational damage.
SWIFT has initiated the Customer Security Programme (CSP) as a response to the significant increase in attacks on the local SWIFT infrastructure of its customers. The aim of this initiative, which was presented at the Sibos conference by the end of 2016 and published in April 2017, is to support SWIFT users in the struggle against fraud in payment transactions. On the one hand, the measures of the programme aim to better secure technically the SWIFT payment environment on the customer end and introduce a relevant audit framework; on the other hand, the information exchange within the SWIFT community is intended to be expanded.
A core component of the CSP includes the Customer Security Controls Framework presented in the graphic. Consisting of 3 overarching objectives - 'Secure your Environment', 'Know and Limit Access' and 'Detect and Respond' - and 8 security principles - the framework offers a total of 27 controls. 16 of these controls are mandatory for all SWIFT users, including financial services providers and corporates. Additionally, a further 11 controls are recommended for all users. For those users who don't have a local SWIFT infrastructure but for example use SWIFT service bureaus or get access through the system manufacturer, a slightly condensed version, with 11 mandatory and 9 optional controls, is envisaged.
These controls include IT security procedures, access guidance, measures on software integrity or training concepts. The SWIFT security controls are in line with international security standards, such as those from the National Institute of Standards and Technology (NIST), the Payment Card Industry Data Security Standard (PCI DSS) and the ISO/IEC 27002 Standard for control mechanisms for information security [Information technology -- Security techniques -- Code of practice for information security controls].
Click here to enlarge image.
SWIFT developed an attestation and compliance process to ensure compliance with the framework. As a first step, SWIFT expects all users, irrespective of whether they are directly (e.g. via Alliance Lite2) or indirectly (e.g. via a SWIFT service bureau) connected, to implement an initial self-assessment on compliance with the controls. These results are to be communicated by all users to SWIFT by the end of 2017 at the latest. The CSP will officially come into force on 1 January 2018 and all SWIFT participants are required to confirm their compliance with the requirements on an annual basis. In the case of non-confirmation or non-compliance the participants risk being reported by SWIFT to the competent supervisory authority or to their own business partners.
The confirmation can take place in three different ways: self-attestation, self-inspection via an internal audit or in the form of a third party inspection from an external auditor like KPMG. Irrespective of the choice of confirmation method, SWIFT will review compliance with the controls on a sample basis by means of internal and external audits. Furthermore, there will be the option to provide chosen business partners with own CSP data via the SWIFT network as well as to make available a dedicated process to release or request CSP Data, thus promoting the own reputation. This increases transparency within the SWIFT network and allows users to take risk-oriented decisions with regard to their choice of counterpart.
Due to the complexity of the controls in the CSP, we recommend to start implementing the new requirements already at this point. The first step is to settle important strategic issues - all aspects should be considered, including whether the implementation of optional controls is worthwhile, the choice and conception of the suitable confirmation process right through to the evaluation of the publication option within the network.
Specifically we advise, in the framework of the initial assessment, to analyse the existing security structures and any identified gaps in light of the CSP. As a next step, the existing gaps should be resolved through appropriate measures and pursuant to the requirements of the framework, before the results of the assessment are communicated to SWIFT as a last step. For the annual renewal of the confirmation, in particular in cases of self-assessment, it is essential to set up an adequate process to check compliance with the controls.
Consequently, the challenges of SWIFT CSP offer the opportunity to consider an overall solution to the issue of security in financial transactions, which goes beyond the implementation of CSP and ranges from process and organisational design all the way up to a payment transaction IT infrastructure outside of SWIFT. And this is exactly what SWIFT CSP wants to achieve: More security.
Source: KPMG Corporate Treasury News, Edition 69, July 2017
Author: Nils Bothe, Senior Manager, Finance Advisory, firstname.lastname@example.org
© 2018 KPMG AG Wirtschaftsprüfungsgesellschaft, ein Mitglied des KPMG-Netzwerks unabhängiger Mitgliedsfirmen, die KPMG International Cooperative (“KPMG International”), einer juristischen Person schweizerischen Rechts, angeschlossen sind. Alle Rechte vorbehalten.