
Page 1

accumepartners.com

Are you compliant with the new regulations mandated by the SWIFT Customer Security Program (CSP)? Newly benchmarked SWIFT standards have led many financial institutions to enhance their wire funds transfer controls. Sanjay Marwaha (MD), Global Risk & Regulatory Advisory Services Practice Leader, and Alan Cheung (Director), Risk & Regulatory Advisory Services, for Accume Partners offer key highlights from the recent SWIFT CSP Program.

Overview

Many institutions are adopting the changes in the SWIFT (Society for Worldwide Interbank Financial Telecommunication) Standards MT (Message Type) Release 2020 related to payment data management. The release removes the free-format options for field 50 (ordering customer) and field 59 (beneficiary customer) from the MT 103 and related messages, so that payer and beneficiary data is systematically captured and exchanged in a structured format.

As a first line of defense, banks and financial institutions must screen the detailed information (full name and address) of ordering customers and beneficiaries on wire funds transfers. To comply with the regulations taking effect by 2020, institutions are required to screen against regulator-published lists of sanctioned entities; the Standards MT changes also let customers clearly define which counterparties are allowed to transact. In addition, the new structured formats further strengthen defenses against the cyber threats that have been hitting banks and financial institutions for the last several years.

Pressure on SWIFT Banks and Financial Institutions

The newly benchmarked SWIFT standards have put significant pressure on banks and financial institutions to do the following:

▪ Improve methods to identify the name of the payer and the appropriateness of the payment data.
▪ Ensure that interfaces for exchanging SWIFT messages with back-office applications are working properly.
▪ Set up and define which counterparties are allowed to exchange FIN (wire transfer) messages with the institution.
▪ Align and secure the local SWIFT infrastructure against cyber threats using the CSP standards and principles.

The main goal for banks and financial institutions is to deliver robust customer payments through traditional correspondent banking in support of the SWIFT global payments innovation (gpi) initiative. Without upgrading the key processes in accordance with Standards MT by 2020, and without a SWIFT subject matter expert, the current state of payment processing is slow (over 2-3 days), expensive, and reliant on outdated system interfaces to capture the necessary information in a timely and accurate manner.

How can you defend against Cyberattacks?

A new set of standards is being implemented to address an increasing number of high-value compromises on the SWIFT network. As part of the updated CSP, new technical standards address these threats. The goal is to improve the current state of your SWIFT infrastructure so that fraud and unauthorized financial transactions are prevented. Below are the three objectives of SWIFT's Customer Security Controls Framework (CSCF) and the principles under each:

Secure Your Environment
▪ Restrict Internet Access and Protect Critical Systems from General IT Environment
▪ Reduce Attack Surface and Vulnerabilities
▪ Physically Secure the Environment

Know and Limit Access
▪ Prevent Compromise of Credentials
▪ Manage Identities and Segregate Privileges

Detect and Respond
▪ Detect Anomalous Activity to Systems or Transaction Records
▪ Plan for Incident Response and Information Sharing

Source: SWIFT CSP

SWIFT Enhancements


SWIFT Work


1. Limit privileged user access on IT applications based on job roles and responsibilities;
2. Reduce the attack surface and vulnerabilities;
3. Physically secure your environment;
4. Prevent compromise of credentials;
5. Manage identities and segregate privileges;
6. Detect anomalous activity to systems or transaction records; and
7. Plan for incident response and information sharing.

Implementation of security controls such as incident response, security awareness training, multi-factor authentication and detection of anomalous behavior is necessary for your bank to protect itself from compromise.

Where are the attacks coming from?

Cyberattacks can occur anywhere in the world at any point in time. Over the last few years, several financial institutions have been compromised and unauthorized wire funds transfers sent via SWIFT, resulting in millions stolen. These losses were the result of poor SWIFT governance and operational controls. See the examples below of global banks that were attacked:

What are likely Threat Scenarios?

Unauthorized access to SWIFT systems most often follows a chain of steps through the institution's internal network, such as the following:

• Deploying malware that compromises the network perimeter and establishes a foothold within the local network.
• Escalating privileges (e.g., via system exploits or by obtaining user credentials).
• Performing reconnaissance to identify the next target system.
• Repeating these steps to move laterally across the network toward the end goal (the SWIFT upstream systems).
• Performing reconnaissance to understand how transactions are created and authorized, and then executing the end goal (submission of fraudulent transactions).

Attackers also circumvent established SWIFT controls by penetrating one of three entry points, each of which has a corresponding control: the mail gateway (highly restrictive controls that limit attachments to only the file types necessary), endpoint devices (software that prevents arbitrary binary execution and controls script and macro execution), or user accounts (restriction of privileged access rights).

How Accume Can Help

We at Accume Partners have the expertise to meet your requirements. Below are our key SWIFT service products:

• Provide SME guidance and assist in the SWIFT implementation for your organization.
• Perform an external audit review of the pre- and/or post-SWIFT implementation phase(s).
• Perform a SWIFT risk assessment, specifically of the IT and operational inherent risk areas.
• Evaluate the existing business logic, transaction generation, data feeds from both internal and external sources, and the local SWIFT infrastructure located at headquarters and any of its subsidiaries.
• Evaluate whether security controls are in place to ensure good business practices spanning the SWIFT end-to-end transaction process.

2017 Oct: Far Eastern International Bank, Taiwan: $60M stolen via SWIFT
2017 Oct: NIC Asia Bank, Nepal: $4.4M stolen via SWIFT
2016 Feb: Bangladesh Bank, Bangladesh: $81M stolen via SWIFT
2015 Dec: Tien Phong Bank, Vietnam: $1.13M stolen via SWIFT
2015 Oct: Philippines: further attacks reported; intrusion attempt failed
2015 Jan: Banco del Austro, Ecuador: $12M stolen via SWIFT
2013: Sonali Bank, Bangladesh: $250K stolen via SWIFT

Source: Reuters


Accume Partners can provide (1) a review of end-to-end local SWIFT infrastructure transactions; (2) a comparison and benchmark against industry standards and peers; (3) a review of data integrity and data feeds; (4) cybersecurity and forensic investigations; (5) an external SWIFT audit program for pre- and post-implementation plans; and (6) penetration testing.

Accume – SWIFT Service Team

Our Accume Partners team will provide guidance and help ensure control, monitoring, enforcement of the SLA (Service Level Agreement), and maintenance of service quality. In addition, we will provide guidance on the SWIFT requirements phased in from 2018 through 2021. These include the following: all banks must be able to receive gpi messages; all payments are tracked via a UETR (Unique End-to-end Transaction Reference, a UUID carried in header block 3, field 121) on MT 103 customer credit transfers and MT 202 COV cover payments (bank-to-bank payments); all payments are to be confirmed; and the same UETR must be passed unchanged from the ordering institution to the intermediary institution to the beneficiary institution to comply with the SWIFT Standards Release.
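The structured-format requirement for fields 50 and 59 described in the Overview and the UETR requirement described above can both be checked mechanically on the FIN message text. The Python script below is an added example, not code from Accume Partners or from SWIFT; the two MT 103 messages, their BICs, accounts and references, and the one-entry sanctions list are all constructed for illustration. It assumes the standard FIN layout: the UETR travels in header block 3 as tag 121 formatted as a lowercase UUID version 4, option K of field 50 and the no-letter option of field 59 are the free-format variants, and option F carries the party name on the line prefixed "1/". The sanctions screen is a normalised exact match only; production screening adds fuzzy matching and alias lists.

```python
"""Compliance checks on MT 103 text (added example; all data below is constructed)."""
import re

# UETR: lowercase UUID version 4 carried in header block 3, tag 121.
UETR_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
FREE_FORMAT_TAGS = {"50K", "59"}  # unstructured name/address options for fields 50 and 59

# Constructed messages with fictitious BICs, accounts and references.
MT103_STRUCTURED = (
    "{1:F01AAAABEBBAXXX0000000000}{2:I103BBBBUS33XXXXN}"
    "{3:{111:001}{121:7f3e2c9a-1b4d-4e6f-8a2b-0c1d2e3f4a5b}}"
    "{4:\n:20:REF0001\n:23B:CRED\n:32A:200115EUR1000,00\n"
    ":50F:/12345678\n1/ACME CORPORATION\n2/1 MAIN STREET\n3/US/NEW YORK\n"
    ":59F:/98765432\n1/BENEFICIARY LTD\n2/10 HIGH STREET\n3/GB/LONDON\n"
    ":71A:SHA\n-}{5:{CHK:000000000000}}"
)
MT103_LEGACY = (
    "{1:F01AAAABEBBAXXX0000000000}{2:I103BBBBUS33XXXXN}{3:{108:OLDREF}}"
    "{4:\n:20:REF0002\n:23B:CRED\n:32A:200115EUR1000,00\n"
    ":50K:/12345678\nACME CORPORATION\n1 MAIN STREET\nNEW YORK\n"
    ":59:/98765432\nSANCTIONED TRADING CO.\nSOMEWHERE\n"
    ":71A:SHA\n-}{5:{CHK:000000000000}}"
)
SANCTIONS_LIST = ["Sanctioned Trading Co"]  # constructed entry, not a real listing


def split_blocks(raw: str) -> dict[str, str]:
    """Split a FIN message into its top-level {n:...} blocks, tolerating nested braces."""
    blocks, depth, start = {}, 0, None
    for i, ch in enumerate(raw):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                num, _, content = raw[start + 1:i].partition(":")
                blocks[num] = content
                start = None
    return blocks


def parse_block3(b3: str) -> dict[str, str]:
    """User header: {tag:value} pairs, e.g. 111 (service type) and 121 (UETR)."""
    return dict(re.findall(r"\{(\d{3}):([^}]*)\}", b3))


def parse_block4(b4: str) -> list[tuple[str, str]]:
    """Text block: a ':TAG:' line starts a field; untagged lines continue the previous one."""
    fields: list[list[str]] = []
    for line in b4.strip().splitlines():
        if line == "-":
            break
        m = re.match(r":(\d{2}[A-Z]?):(.*)", line)
        if m:
            fields.append([m.group(1), m.group(2)])
        elif fields:
            fields[-1][1] += "\n" + line
    return [(tag, value) for tag, value in fields]


def party_name(tag: str, value: str) -> str:
    """Option F puts the name on the '1/' line; free format puts it on the first non-account line."""
    lines = value.splitlines()
    if tag.endswith("F"):
        return next((ln[2:] for ln in lines if ln.startswith("1/")), "")
    names = [ln for ln in lines if not ln.startswith("/")]
    return names[0] if names else ""


def screen(name: str, sanctions: list[str]) -> bool:
    """Exact match after normalisation (real screening adds fuzzy matching and aliases)."""
    norm = lambda s: " ".join(re.sub(r"[^A-Z0-9 ]", " ", s.upper()).split())
    return norm(name) in {norm(s) for s in sanctions}


def check_message(raw: str, sanctions: list[str] = SANCTIONS_LIST) -> list[str]:
    """Return compliance findings for one MT 103; an empty list means clean."""
    blocks = split_blocks(raw)
    uetr = parse_block3(blocks.get("3", "")).get("121")
    fields = parse_block4(blocks.get("4", ""))
    findings = []
    if uetr is None:
        findings.append("missing UETR (block 3 tag 121)")
    elif not UETR_RE.match(uetr):
        findings.append(f"malformed UETR: {uetr}")
    for base, role in (("50", "ordering customer"), ("59", "beneficiary")):
        party = next(((t, v) for t, v in fields if t.startswith(base)), None)
        if party is None:
            findings.append(f"field {base} ({role}) missing")
            continue
        tag, value = party
        if tag in FREE_FORMAT_TAGS:
            findings.append(f"field {tag} ({role}) uses free-format name/address")
        name = party_name(tag, value)
        if screen(name, sanctions):
            findings.append(f"{role} name matches sanctions list: {name}")
    return findings


def uetr_consistent(chain: list[str]) -> bool:
    """True when every leg of an ordering -> intermediary -> beneficiary chain carries the same valid UETR."""
    uetrs = {parse_block3(split_blocks(m).get("3", "")).get("121") for m in chain}
    return len(uetrs) == 1 and all(bool(u and UETR_RE.match(u)) for u in uetrs)
```

Running check_message on MT103_STRUCTURED returns no findings, while MT103_LEGACY produces four: the missing UETR, free-format 50K and 59 fields, and a beneficiary name that hits the constructed list. uetr_consistent fails as soon as any leg lacks a UETR or an intermediary regenerates it, which is exactly the end-to-end tracking break the gpi requirement forbids.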

About the Authors

Sanjay Marwaha is the Global Risk & Regulatory Advisory Services Practice Leader for Accume Partners. He has 20+ years of professional services experience spanning internal audit, regulatory compliance, enterprise risk management, information technology, blockchain, business process enhancement, strategy, and performance improvement. Prior to Accume, Sanjay was the Chief of Staff and a leader in the PricewaterhouseCoopers Governance, Risk and Compliance Practice. In addition, he was the US Risk Advisory Financial Services Practice Leader at BDO. He works directly with boards, C-suite executives and senior management. If you have any questions, please contact Sanjay at 585-721-9399 or email him at [email protected]

Alan Cheung is a Director in Risk and Regulatory Advisory at Accume Partners, covering Capital Markets, BSA/AML Compliance, Data Analytics, and Cybersecurity. He has over 16 years of experience helping financial services firms identify and manage risk capital exposures, cyber risks and threats, and providing clients with regulatory and compliance support. If you have any questions, please contact Alan at 646-831-0506 or email him at [email protected].

About Accume Partners

Accume Partners is a trusted advisor that assists clients by delivering integrated risk, regulatory, and cybersecurity solutions to help manage uncertainty and drive business value. We focus on both emerging and established financial services, commercial and education sectors. We have over 25 years of experience, a local and national presence, and advise over 500 clients. Read the About Accume Magazine: accumepartners.info/accumemagazine.