
Swift Infrastructure


Page 1: Swift Infrastructure

Slide 1 Corp_present_20060927_v27.ppt

Gabriel Soriano
October 4th, 2006
NYSSCPA Banking Convention

SWIFT: The Financial Industry Infrastructure for Secure Messaging

Page 2: Swift Infrastructure

Agenda

1 Overview of SWIFT

2 Access to the SWIFT interface

3 Access to the SWIFT network

4 Message integrity, confidentiality controls

5 Messaging Service and Interface Control functions

Page 3: Swift Infrastructure


Introducing SWIFT

Platform

Community Standards

Page 4: Swift Infrastructure

The SWIFT community

[Figure: timeline of user categories in the SWIFT community, 1973 to 2004. Years marked: 1973, 1987, 1988, 1989, 1990, 1992, 1995, 1996, 1998, 1999, 2000, 2001, 2002, 2004.]

Categories shown on the timeline:

- banks found SWIFT
- fund administrators
- MA-CUGs
- money brokers
- trading institutions
- registrars & transfer agents
- custody providers
- trust or fiduciary services companies
- investment managers
- broker/dealers
- central depositories & clearing institutions
- exchanges
- payments MIs
- proxy voting agencies
- non-shareholding financial institutions
- treasury counterparties
- treasury ETC service providers
- travellers cheque issuers
- securities MIs
- securities market data providers
- treasury securities ETC service providers

Page 5: Swift Infrastructure


SWIFT governance

National Bank of Belgium and G-10 Central Banks

Board

Board Committees

National Member Groups

User Groups

SWIFT members

SWIFT community

Oversight

Governance

Page 6: Swift Infrastructure

Sibos – forum for industry dialogue

- Financial industry’s premier event
- Global forum to debate strategic issues
- Conference, exhibition, networking
- 6,000 executives and technology managers
- 2007: Boston, US, 1-5 October

Page 7: Swift Infrastructure

Working with SWIFT Partners

Solution Partners: Providers of business applications, middleware, and interfaces

Service Partners: Implementation and integration of connectivity and SWIFTSolutions

Business Partners: Marketing and selling SWIFT products

Network Partners: AT&T, Colt, Equant, BT Infonet

Page 8: Swift Infrastructure

SWIFT figures (July 2006)

- 2.5 billion messages per year
- 7,940 customers
- 206 countries
- Average daily traffic 11.2 million messages
- Peak day of 12.8 million messages 30 June 2006

Page 9: Swift Infrastructure

SWIFTNet FIN messages by market (July 2006)

- Payments: 895 million msgs (55%)
- Securities: 605 million msgs (37%)
- Treasury: 104 million msgs (6%)
- Trade: 27 million msgs (2%)

Page 10: Swift Infrastructure

Traffic and Pricing
Harnessing economies of scale

[Chart: Price (EUR cent/msg) and Traffic (millions of messages) by year, 1991 to 2006E]

Page 11: Swift Infrastructure

Extending reach
Embracing the business community

Corporates

Securities

Banking and Payments

Page 12: Swift Infrastructure

Banking Market Infrastructures – July 2006

High-Value Payments

Albania (AIP), Algeria (RTGS), Angola (PTR), Australia (PDS), Austria (ARTIS), Azerbaijan (AZIPS), Bahamas (BHS), Barbados (BDS), Belgium (ELLIPS), Bosnia & Herzegovina (BIH), Bulgaria (BGN-RINGS), Canada (LVTS), Chile (Netting - LBTR), CLS Bank, Croatia (HSVP)

Kuwait (RTGS), Latvia (LVL), Luxembourg (LIPS), Malta (MARIS), Mauritius (MACSS), Namibia (NISS), Netherlands (TOP), New Zealand (AVP), Norway (NICS), Oman (RTGS), Philippines (PPS), Romania (REGIS), Slovenia (SIPS), South Africa (BOP - RTGS - SAMOS)

Bahrain (RTGS), Lesotho (RTGS), Botswana (RTGS), Morocco (RTGS), Central African States (BEAC), Pakistan (RTGS), Eurosystem (TARGET2), Singapore (MEPS+), Israel (RTGS), Tunisia (RTGS)

Live

Spain (NSLBE - SLBE), Sri Lanka (LankaSettle), Sweden (RIX), Switzerland (Remote Gate), Tanzania (TISS), Thailand (BAHTNET/2), Trinidad & Tobago (SAFE-TT), Uganda (UNIS), United Kingdom (CHAPS-£ CHAPS-€ / Enquiry Link), United States (CHIPS), Venezuela (PIBC), Zambia (RTGS), Zimbabwe (ZETTS), West African States (BCEAO)

Denmark (DDK-KRONOS), Egypt (CBE), EBA Clearing (EURO1/STEP1), ECB (TARGET), Finland (BOF), France (CRI – PNS/TBF), Germany (RTGSPlus), Ghana (GISS), Greece (HERMES), Guatemala (RTGS), Hungary (VIBER), Ireland (IRIS), Italy (BIREL), Jordan (RTGS), Kenya (KEPSS)

Implementation

Fiji (RTGS), Georgia (RTGS), Lebanon (RTGS), Palestine (RTGS), Peru (RTGS), Russian Federation (RTGS)

Planning/Discussion

Page 13: Swift Infrastructure

Community and Business dimensions

Heritage
• Established in 1973 by 239 banks in 15 countries
• Developed shared messaging platform for financial transactions
• Emphasis on security, reliability and availability

Understanding
• Serving over 7,800 financial institutions across 204 countries
• Payments, Securities, Foreign Exchange, Treasury and Trade
• Reducing costs, improving automation, managing risk

Neutrality
• Industry-owned community
• Overseen by regulatory authorities
• Impartial to the data transacted across the messaging platform

Technology
• Store and forward, file transfer, interactive query & response
• Open standards
• IP VPN over fibre-optic backbone

Page 14: Swift Infrastructure

SWIFT

Business and Technical Messaging Communications across the lifecycle of a financial transaction

SWIFT does NOT provide clearing or settlement services

- SWIFT does not hold accounts or assets
- Participants are responsible for their data
- SWIFT is neutral, apolitical and user-owned

Page 15: Swift Infrastructure


Introducing SWIFT

Platform

Community Standards

Page 16: Swift Infrastructure

Message categories

0 System messages
1 Customer transfers & cheques
2 Financial institutions transfer
3 Foreign exchange, money markets & derivatives
4 Collections & cash letters
5 Securities markets
6 Precious metals & syndications
7 Documentary credits & guarantees
8 Travellers cheques
9 Cash management & customer status

Page 17: Swift Infrastructure


Message structure

Page 18: Swift Infrastructure

SWIFTStandards development
A business centric approach

Business process modelling

SWIFTNet Marketpractice Applications Integration Standards

SWIFT Partners

Page 19: Swift Infrastructure

SWIFTStandards
Payments market

[Diagram. Parties: Ordering customer, Ordering customer’s financial institution, Beneficiary customer’s financial institution, Beneficiary customer. Labels: Payment Initiation (CT + DD), MT 101; Bulk Payments (CT + DD); Single Credit Transfers; MT 1xx, 2xx; Exceptions & Investigations; Cash Management, MT 9xx. Legend: FIN-based; XML-based (under construction).]

Page 20: Swift Infrastructure


Introducing SWIFT

Platform

Community Standards

Page 21: Swift Infrastructure

Single access infrastructure

SWIFTNet interface

- One platform
- Full STP
- Highest level of security and resiliency

Standards

- Lower costs
- Reduced risk
- Improved liquidity management
- Facilitate Compliance

SWIFTNet

■ Payments
■ Foreign Exchange
■ Securities
■ Account Reporting

Messaging Services
■ FIN
■ FileAct
■ InterAct
■ Browse

Applications

Trade

Treasury

Payments

Investigation

ABC Bank

XYZ Bank

Other Bank

Any Bank

Page 22: Swift Infrastructure

SWIFT product stack

SWIFTSolutions Payments Treasury Trade Securities

Resilience

Reliability

Quality of service

Security

Directories and Information Services

Secure IP Network (SIPN)

Standards Rules

Interfaces

SWIFTSolutions

Messaging Services

Page 23: Swift Infrastructure

Identify potential risks in the following areas:

- Access to the SWIFT interface
- Access to the SWIFT network
- Integrity/confidentiality of the SWIFT messages
- Integrity of the message flow

Page 24: Swift Infrastructure

SWIFT interfaces

– Open and close connection to STN/SIPN
– Send messages to SWIFT
– Receive messages from SWIFT
– Manually enter messages
– Accept messages from a back office application
– Send messages to a back office application
– Send messages to a printer

Page 25: Swift Infrastructure

SWIFT interfaces

– SWIFTAlliance Access
– SWIFTAlliance Entry
– MERVA/ESA
– TURBO SWIFT
– STELINK
– MINT
– FASTWIRE
– BESS
– NOVA SWIFT
– ...

Page 26: Swift Infrastructure

Connecting to SWIFTNet
Many ways of implementing…

[Diagram. Layers: Business Layer, Messaging Layer, Communication Layer, SWIFTNet Services. Components: Back Office applications, Middleware, Messaging interfaces, Communication interfaces, VPN box, SWIFTNet, Your counterparty.]

Page 27: Swift Infrastructure

SWIFTAlliance interface

[Diagram. Layers: Middleware Layer, Application Layer, Messaging Layer, Communication Layer, SWIFTNet Services. Components: You, VPN box, SWIFTNet, Your counterparty.]

SWIFTAlliance Access (SAA)

SWIFTAlliance Entry (SAE)

SWIFTAlliance Gateway (SAG)

SWIFTAlliance Starter Set (SAS)

Page 28: Swift Infrastructure


Signing on to the SWIFT interface

Page 29: Swift Infrastructure

Passwords

- Initialisation password
- Master password

- Password documents available?
- Access to password documents?

Page 30: Swift Infrastructure


Users of the SWIFT interface

Anonymous names vs Personal operator names

Are all operators still using the interface?

Page 31: Swift Infrastructure

Enabling an operator

Automatically enabled when approved by both LSO and RSO

Page 32: Swift Infrastructure

Disabling an operator

Automatically after too many wrong passwords

Manually by LSO, RSO or anybody with disabling permission

Page 33: Swift Infrastructure

Security parameters

List of configuration parameters
– e.g. user period, max # of bad passwords…

only visible to LSO and RSO

Page 34: Swift Infrastructure


SWIFTAlliance: Segregation of duties

Creation Verification Authorisation

Modification

Approval

Page 35: Swift Infrastructure

Profiles

- Each operator has at least one profile
- a profile defines the applications, functions and permissions for one or more operators
- one profile can be given to several operators
- if permissions change, then the operators are disabled. LSO and RSO must re-approve these operators

Page 36: Swift Infrastructure

Profile details

A profile has 3 levels
– applications
– functions
– permissions

Page 37: Swift Infrastructure


Permission details

Prohibited nothing = no restrictions

Allowed are all MTs starting with 1, 2 and 9

SWIFT FIN system MTs not allowed

Page 38: Swift Infrastructure

What to check in a profile?

- Access control
- Message Creation and Modification
- Message Approval
- Message File
- Security Definition

Page 39: Swift Infrastructure

Identify potential risks in the following areas:

- Access to the SWIFT interface
- Access to the SWIFT network
- Integrity/confidentiality of the SWIFT messages
- Integrity of the message flow

Page 40: Swift Infrastructure

SWIFT’s Secure IP Network (SIPN)

[Diagram. Zones: Customer, Network Partner, SWIFT. Components: M-CPE, VPN boxes, SIPN Access Network (Network Partner 1, Network Partner 2), POP, Backbone Access Points, SIPN Backbone Network, OPCs.]

IPsec tunnels provide end-to-end protection through the ‘untrusted’ vendor IP networks

Page 41: Swift Infrastructure

Security equipment needed to connect to FIN

- Card readers
- Integrated Circuit Cards (ICCs)

Bank A Bank B

Page 42: Swift Infrastructure


Secure Card Reader (SCR)

Functions related to BKE and SLS services

Configuring and managing ICCs

PIN updates

SCR configuration

Page 43: Swift Infrastructure

Integrated Circuit Card (ICC)

- contains functional elements of microcomputer
- embedded chip within the card
- works only when inserted into card reader
- protected by 1 or 2 PINs
- unique reference = SWIFT Card Number (SCN)

Page 44: Swift Infrastructure

Connecting to the SWIFT network
Secure Login and Select (SLS)

FIN

APC

LTC

LOGIN

SELECT

Page 45: Swift Infrastructure

Manual Login and Select

- Insert USER ICC in the card reader
- use the CBT to send Login and Select to SWIFT

Page 46: Swift Infrastructure

Automated Login and Select

- No operator intervention
- USER ICC must be in card reader on Login and Select
- or Session Keys must have been downloaded in advance

Page 47: Swift Infrastructure


Disconnecting from the SWIFT network

FIN

APC

LTC

QUIT

LOGOUT

Page 48: Swift Infrastructure

SWIFTNet FIN Phase 2

[Diagram labels: SWIFTNet FIN interface (shown twice), HSM (shown twice), PKI, SWIFTNet, FIN]

PKI: FIN Access control
PKI: End-2-end security
RMA: Relationship mgt.

Page 49: Swift Infrastructure

Identify potential risks in the following areas:

- Access to the SWIFT interface
- Access to the SWIFT network
- Integrity/confidentiality of the SWIFT messages
- Integrity of the message flow

Page 50: Swift Infrastructure

Authentication

- applied on user-to-user messages
- assures
  – identity of sender
  – integrity of message text
- mandatory for most message types

Page 51: Swift Infrastructure

Authenticator keys: what to check?

- Keys regularly changed?
- Still correspondent relationship?
- Keys securely stored?
- Procedure for unsuccessful BKE?
- Procedure for messages that failed authentication?

Page 52: Swift Infrastructure


Local Authentication

authentication between back-office application and SWIFT interface

Page 53: Swift Infrastructure

Integrity of the message flow: session numbers

FIN

APC

LTC

Login 1265

Select 1281

Page 54: Swift Infrastructure

Sequence numbers

Input Sequence Number: 472136

Output Sequence Number: 327185

Page 55: Swift Infrastructure

Message Input Reference (MIR)

031020ABNKBEBBAXXX0142123456

Fields, in order:
- input date
- sender’s address
- input session number
- input sequence number

Page 56: Swift Infrastructure

Message Output Reference (MOR)

031020ABNKBEBBAXXX0142654321

Fields, in order:
- output date
- receiver’s address
- output session number
- output sequence number
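
The fixed-width layout of the MIR and MOR on the two slides above, as a parser plus a check for missing or repeated sequence numbers. This is an added example, not part of the original presentation. Field widths are read off the slides' samples; the function names, the rule that sequence numbers seen within one session should be contiguous, and the extra reference strings are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class MsgRef(NamedTuple):
    date: str      # 6 characters, "031020" on the slide
    address: str   # 12 characters, "ABNKBEBBAXXX" on the slide
    session: int   # 4 digits, "0142" on the slide
    sequence: int  # 6 digits, "123456" (MIR) / "654321" (MOR)


def parse_ref(ref: str) -> MsgRef:
    """Split a 28-character MIR or MOR into its four fixed-width fields."""
    if len(ref) != 28 or not ref.isascii():
        raise ValueError(f"expected 28 ASCII characters: {ref!r}")
    date, address, session, sequence = ref[:6], ref[6:18], ref[18:22], ref[22:]
    if not (date + session + sequence).isdigit():
        raise ValueError(f"date, session and sequence must be numeric: {ref!r}")
    if not (address.isalnum() and address.isupper()):
        raise ValueError(f"address must be upper-case alphanumeric: {ref!r}")
    return MsgRef(date, address, int(session), int(sequence))


def check_flow(refs):
    """Report sequence numbers missing or repeated within each session.

    Assumption of this example: numbers observed inside one
    (address, session) pair should be contiguous. Only gaps between the
    lowest and highest number seen can be detected.
    """
    seen = defaultdict(list)
    for r in map(parse_ref, refs):
        seen[(r.address, r.session)].append(r.sequence)
    report = {}
    for key, seqs in seen.items():
        present = set(seqs)
        missing = sorted(set(range(min(present), max(present) + 1)) - present)
        repeated = sorted(s for s in present if seqs.count(s) > 1)
        if missing or repeated:
            report[key] = {"missing": missing, "repeated": repeated}
    return report


# Constructed sample: the slide's MIR plus invented neighbours.
SAMPLE = [
    "031020ABNKBEBBAXXX0142123456",
    "031020ABNKBEBBAXXX0142123457",
    "031020ABNKBEBBAXXX0142123459",  # 123458 never seen
    "031020ABNKBEBBAXXX0142123459",  # same reference seen twice
    "031020ABNKBEBBAXXX0143123460",
    "031020ABNKBEBBAXXX0143123461",
]

if __name__ == "__main__":
    print(check_flow(SAMPLE))
```
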

Page 57: Swift Infrastructure


Routing in the SWIFT interface

application

printer 2

printer 1

Page 58: Swift Infrastructure

Routing in the SWIFT interface

Are all messages accounted for?

Are all the messages routed to the right place?

Is there any specific routing for received messages with PDE or PDM trailer?

Page 59: Swift Infrastructure

Interface/Network Audit Trails

Page 60: Swift Infrastructure

Message File

- keeps copy of all messages
- status and history of messages can be checked

Page 61: Swift Infrastructure

Identification of a message: UUMID

(Unique) User Message Identifier

IBNPAFRPPXXX202TR7823689

Fields, in order:
- input/output message
- correspondent
- MT
- sender’s reference

Page 62: Swift Infrastructure

Event Journal

- events in the SWIFT interface
- actions initiated by the software or actions by users

Page 63: Swift Infrastructure

Search function in Event Journal

Search on
– date and time
– class and severity
– operator
– description of the event

Page 64: Swift Infrastructure

MT 081 Daily Check Report

- lists number of messages sent and received for all APC or FIN sessions closed since previous MT 081
- generated daily at approximately midnight local time, provided APC and FIN are closed

[Diagram labels: FIN, APC, LTC, 081]

Page 65: Swift Infrastructure

MT 082 Undelivered Message Report

- received from SWIFT every day
- lists all undelivered messages at generation time: messages sent by your institution but not yet received by your correspondent

[Diagram label: 082]

Page 66: Swift Infrastructure

Example of an auditor’s profile

Applications | Functions | Permissions
Access Control | Signon | Start and End time
Applic. Interface | Open/Print Partner | First part Local Aut Key = Yes
BK Management | Open/Print Communicating Pair (pre-agree/keys) | Access CP : Prohibited nothing
Event Journal | - |
Message File | Search | Completely hide messages of other units=No
Security Definition | - |

Page 67: Swift Infrastructure

Making financial messaging safer and less costly