SWIFT’s Customer Security Programme A Good Initiative?

Published: June 29, 2018

These days, IT security is a must, especially around payments, which are crucial for all companies. SWIFT, a key player in this landscape, has recently launched a new initiative aimed at detecting whether users of the SWIFT network are compliant with basic security controls. But is this taking things a step too far for corporates?

SWIFT has recently launched the Customer Security Programme (CSP), a new initiative based on a self-assessment questionnaire that determines whether a SWIFT user is ‘secured’, i.e. whether it respects best practices in terms of security. On paper, this looks like a sound initiative. But is it a good idea in practice? After all, as the British would say: “if it ain’t broke, don’t fix it”.

At its heart, the CSP is dedicated to helping financial institutions reinforce the security of their SWIFT-related infrastructure. A Customer Security Control Framework (CSCF) was published in April 2017, partly in response to the cyberattacks faced by SWIFT. This Framework defines a set of mandatory and advisory controls that should be implemented in SWIFT customers’ operating environments.

Road to the CSP

According to SWIFT, there are two main milestones users should observe. The first has in fact already passed: all financial-institution SWIFT Bank Identifier Codes (BICs) were expected to submit to SWIFT, by the end of last year, a self-attestation of their level of compliance with the mandatory controls. SWIFT reserves the right to report to Supervising Institutions any BICs that have not completed their attestation.

Then, by the end of 2018, all SWIFT BICs must comply with the mandatory controls and update their attestations. Similarly, SWIFT then reserves the right to report to Supervising Institutions any BICs (i.e., companies/banks) that do not attest their compliance with all mandatory controls.

As I said, the CSP seems interesting and useful. Claiming that a breach around these services could lead to significant disruptions and financial losses is true to some extent. But are we certain that all these controls are necessary for corporates? In our view, as treasurers, it perhaps goes a bit too far.

Aiming for full compliance is great, but isn’t it more of an issue for banks than for corporates, especially those using SWIFT service bureaus? Because the exercise is based first on a self-assessment, it is difficult to carry out and the results are not easy to compare. We will need some time to clarify up to which level we should be compliant and to elaborate best practices further.

Fig 1 - Customer Security Programme at a glance 

Growing cyberattacks and increasing IT risks

The growing threat of cyberattacks has never been more pressing. We all know of, and some have even faced, recent instances of payment fraud in our customers’ local environments. It certainly demonstrates that there is a need for industry-wide cooperation to fight threats to IT and systems. It is important to note that while SWIFT’s network and services have not been compromised as such, incidents have taken place after a customer suffered security breaches within its own infrastructure.

What this highlights is that everyone is responsible when we talk about IT security and must make sure their environment is secured and safe. In my view, security is something that belongs to all of us, to a certain degree. SWIFT is a cooperative structure belonging to banks and is therefore (and fortunately) committed to playing an important role in safeguarding security. The payment and banking information ecosystem is wide and vital. It needs to be fully protected, with risks mitigated as much as possible.

This huge security programme launched by SWIFT is dedicated to enhancing information-sharing throughout the user community. We need a solid customer security control framework, and no-one can question this. The idea of sharing best practices to better detect or prevent fraud attempts is also an excellent objective.

Nevertheless, IT security is expensive and, although each individual measure is good in itself, the cost can sometimes be too great compared with what it achieves. We must keep the IT risk/return ratio in mind while investing in security. A corporate is neither a market infrastructure nor a financial institution, and its costs must remain reasonable. Corporates have seen an increase in costs related to payments and security, even though automation and technology were supposed to reduce them. It is a kind of paradox we just have to accept.

Security requires a three-tiered approach

This ambitious programme has been formulated around three complementary areas. As explained by SWIFT on its website, customers will first need to protect and secure their local environment (us); it is then a question of preventing and detecting fraud in commercial relationships (our counterparts), and of continuously sharing information and preparing defences against future cyber threats (our whole community). It is right that security is a collective duty, and a joint effort is needed if we are to succeed.

This new programme consists of 16 compulsory control measures and 11 optional (i.e., voluntary) ones. Customers and members may be called upon to present additional evidence of their compliance.

What should corporates do in order to be compliant?

Numerous corporates have started their self-assessment exercise by themselves, and some have done so with the support of advisors. The advantage of a joint exercise, or at least a gap analysis, is that it gives corporate users a bit of a benchmark. Otherwise, who could claim to know precisely what should or should not be implemented, and how to assess it?

It is a tricky review, since it can have serious consequences for a SWIFT user, and it must be taken very seriously. Advisors then help define the measures taken and milestones achieved to protect the company’s information assets, the risks around unauthorised disclosure of data, and the company’s standing in a legal and regulatory context that has become stricter over the years. Figure 2 lists the objectives and principles of the CSC Framework, which lead to the 27 compulsory or voluntary controls mentioned above, including compliance with international standards such as ISO 27002 and the Payment Card Industry Data Security Standard (PCI-DSS).

Understandably, the CSP represents a significant prevention effort that may require external resources. It also involves several support functions and company departments. One of the first tips is therefore to set up a cross-functional team to oversee CSP implementation, including risk, compliance, technology, legal and operations. In future, such a programme must form part of the company’s overall IT security internal reviews and security programmes (e.g., SOC 2).

Fig 2 - SWIFT CSCF mandatory controls

Not only once in a lifetime, but renewed annually, at least

The CSP self-assessment, once published on the SWIFT KYC Registry, must be renewed every year. This demanding exercise includes service bureau entities and Alliance Lite 2 for Business Applications (L2BA). Once users have published their self-attestation in the SWIFT KYC Registry, they can make it available to any counterparty through that same application, and so are transparent towards other counterparties at their own discretion. Behind this idea of transparency and controlled visibility, SWIFT expects that all parties will be somehow ‘forced’ to respect the Customer Security Control Policy (CSCP).

Once you are a SWIFT user and have a BIC, there is no way to escape this self-assessment. These attestations should provide an accurate representation of the degree of compliance with the security controls at the time the self-assessment questionnaire answers are submitted. The risk remains: SWIFT reserves the right to report non-compliance to supervisors or, for corporates and non-supervised entities, to their messaging counterparties. The national banks of each EU country have already sent messages to their supervised financial institutions. For more details, users should consult the documents published on the SWIFT website.

Time to get ready, if you have not yet started…

The first time you hear about the CSP, it appears to be a huge project. The IT part of it is highly technical, which makes it complicated for treasurers. We should conduct these readiness assessments against the mandatory and advisory internal controls. It is also necessary to assess how the attestation requirements align with existing service organisation control (i.e., the so-called ‘SOC’ programmes) reporting. A starting point will be to review past audit and risk findings to identify potential gaps and to carry out a gap analysis, once the self-assessment questionnaire has been finalised for the first time.

Eventually, we will have to identify the manual interventions required for processing in order to determine potential technological solutions and improvements. These will come at a cost, and ad hoc budgets will then have to be approved by a Steering Committee or by the CFO. It is important to note that this topic is rarely addressed and discussed within the treasury community.

Maybe it is too early, or our community is too slow in implementing such initiatives. As there are several gateways by which to connect to the SWIFT network, a benchmark among SWIFT corporate users could be useful. As a reminder, the connection to SWIFT can use one of three connectivity solutions: SWIFT cloud connectivity, cloud-based connectivity using a SWIFT partner interface, or customer-hosted connectivity. Depending on the connection method and any recourse to a service bureau, the measures to be implemented can vary. I believe that the European Association of Corporate Treasurers could help in coordinating experience and positions.

In conclusion, it is clear that the infamous Bangladesh Bank heist has intensified the need for better controls. Cyber-security is a constant, never-ending and painful exercise. However, it is necessary to prevent further issues. Around six billion transactions a year and more than 11,000 customers using SWIFT give you an idea of the landscape in question. Such a programme and the review of internal controls must be embedded into our IT security processes and will require, I am afraid, time, resources and money.

The key paradox to keep in mind is that cyber risk is likely to grow faster than IT technology, and that the more sophisticated IT systems are, the more at risk we will be. We must remain vigilant and proactive as cyber-risks evolve day after day. SWIFT will begin disclosing information to counterparties about customers’ compliance with the advisory controls in January 2018.

Is it a good measure on SWIFT’s behalf? It is difficult to assess at this stage. We will have to wait and see. As the American professor of computer science Randy Pausch used to say: “No matter how bad things are, you can always make things worse”. We should never forget this as alternative solutions emerge.

François Masquelier
Head of Corporate Finance and Treasury, RTL Group, and Honorary Chairman, European Association of Corporate Treasurers

François Masquelier has been Head of Corporate Finance and Treasury with RTL Group since November 1997. Before joining RTL Group he worked for Mitsui Taiyo Kobe Bank (Sakura Bank) in Brussels, Eridania Béghin-Say Coordination Center in Brussels and ABN AMRO Bank in Belgium and Luxembourg.

He holds a doctorate in Law, Fiscal Law and Economy & Administration from the University of Liège, and has a degree from the Business School of Brussels. François is the President of the Association of Corporate Treasurers in Luxembourg (ATEL) and the Honorary Chairman of the European Association of Corporate Treasurers (EACT).


Article Last Updated: May 03, 2024