The new normal?
With cyber security top of mind for industry executives, one of the sessions at Sibos 2017 discussed the impact of high-profile security breaches and the arrival of SWIFT’s Customer Security Programme (CSP).
The 2016 Bangladesh Bank attack prompted institutions to change their mindsets on how to avoid such attacks.
SWIFT’s CSP empowers organisations to review their risks they with different counterparties.
Behavioural technology may play a greater role in the area of transactions.
- There is a growing focus on recruiting staff with a different mindset to build teams of “super sleuths” for investigative work.
Impact of the Bangladesh Bank heist
Cyber security has evolved in recent years. Straight-through processing rates rose in the 1990s, but today “we are unwinding and stopping a lot of these transactions” because of OFAC screening and AML surveillance.
The size and sophistication of the 2016 attack on Bangladesh Bank prompted people to reset their mindsets and consider how they could avoid similar attacks in their own organisations.
Subsequent actions have included analysing systems and networks for vulnerabilities, as well as carrying out desktop cyber exercises and reviewing business processes. It’s crucial to understand clients’ normal behaviour so that banks can recognise when a particular location is “out of bounds” and react before it’s too late.
SWIFT’s Customer Security Programme
SWIFT’s CSP was launched in 2016 and initially seen by some as “an audit regime.” But in reality the programme is a bilateral system that empowers organisations to think about the risk they have with different counterparties. The CSP does not shift the duty of care from the sender to the receiver bank. Institutions should ask what their contractual terms say “in terms of who's liable with respect to this payment that goes out.”
So how will regulation evolve? The initiative has to come from the industry – “If we wait for a regulator to tell us what to do, it’s too late.” If regulation becomes too prescriptive, it may become backward-looking, with a focus on “trying to check the boxes.”
Regulation could be viewed as “another third-party risk management,” and discussions should begin with an understanding of the threats. “Starting with just, ‘We’re worried about security, broadly,’ is untenable.”
I think one of the biggest shifts is that ‘If it ain't broke, don't fix it’ is dead. We can't do that anymore.
Technology and outsourcing
The importance of behavioural technology is growing and will play a key role in the transactional space, alongside artificial intelligence and machine learning.
“The notion that any individual institution should have its own hardware, build its own software, control all of its own data in one place is going away.” But it’s crucial to understand the dependencies involved in outsourcing
Some banks are starting to recruit employees with a different mindset, such as a core group of “super sleuths” who carry out investigation work, as well as getting ahead of AML concerns. These individuals may have transactional experience or a criminal justice background. There are also potential benefits of tapping into the new ‘e-crimes education.’
It is no longer good enough to believe something is working without really understanding how it works. The mindset needs to change to ‘we’d better figure out how it works right now, before someone else does.’
Immediacy and irreversibility
The push towards real-time payments provides no margin for error. There are also issues associated with irreversible transactions - particularly with cryptocurrencies – and a wider aspect of where the industry is heading: “We want things to happen and to be done forever.”
Collaboration and cooperation
The industry has a shared interest in cyber fraud and cyber security, so it important to be able to share information about the risks. For example, The Financial Services Information Sharing and Analysis Centers’ (FS-ISAC) weekly communications have got people talking. This type of sharing is the next frontier – “every organisation shouldn’t have to figure this out on their own.”
I think the more we share and collaborate as an industry – events, practices – I think we’re all going to be better off.