Yawar Shah highlights urgency and importance of SWIFT’s Customer Security Control Framework – here is his speech in full
"Today, I speak to you as a fellow banker. Leaders in the global payments and securities settlement industries are known to be thoughtful, strategic and capable of handling complex issues simultaneously across the globe.
They are used to dramatic shifts and major forces impacting their industries like globalization, competition from FinTech startups and of course increasing regulation and compliance.
They are now getting ready to deal with another paradigm shift that will impact their businesses, their risk appetites, and the way in which they deal with customers and counterparties. They are getting ready to deal with a paradigm shift that could even change the dynamics of what drives competitive advantage. I am of course talking about fraud and cybercrime.
The disruptive forces of fraud and cyber have always existed and had to be dealt with in our industry.
What is different now is that these threats are more organized, more sophisticated and more global than ever before.
Over the last year we have seen cyber fraudsters penetrate firms to try to steal money, and more recently there has been a lot of noise about those trying to penetrate firms looking purely for information.
There is no evidence that SWIFT’s network or core messaging services have been compromised in any of these attacks, but the incidents reaffirm that the financial world is clearly a target.
In this environment, cyber protections are more important than ever, which is why SWIFT is focussed so keenly on both its own cyber protections, as well as helping its customers to bolster their cyber protections.
It’s why SWIFT is leading the industry charge through its Customer Security Programme.
As we would expect, every major bank and market infrastructure has a focus on protecting itself from direct attacks from cyber-criminals.
But that alone is not enough. We also need to be ready to deal with the impact of such attacks on our institutional and corporate customers as their exposure to these very same threats impacts on us as well.
What that means is that we need to understand our customers’ and counterparts’ cyber risk more explicitly than we have ever had to in the past.
This new paradigm will have a major impact on the P&Ls of banks’ payments and security settlement businesses in the coming years. Those who organize themselves to deal with this challenge, not only by improving their own defences, but also by working with their clients to understand and improve theirs, will gain a competitive advantage.
Your trusted bank-owned cooperative and partner intends to help the industry in this, with its unique capabilities and community-based approach. As you know, SWIFT is setting global control standards for the community to measure itself against.
In the near future banks and market infrastructures will therefore be able to evaluate their clients and counterparties around the world against a standard set of cybersecurity controls. SWIFT will not only set these standards, but it will also make it easy to access counterparts’ self-attestations through a single trusted source: the SWIFT KYC Registry, with the approval of the attesting customer.
While SWIFT’s Customer Security Control Framework will considerably help the community in facing this challenge, success will also require a serious, concerted and organized effort within banks from all three lines of defence: the business line; the risk and compliance functions; and the audit functions.
I believe it is safe to assume that few banks today are organized and sufficiently staffed to reassess the SWIFT RMA arrangements that allow them to send and receive instructions over the SWIFT network in an integrated fashion while assessing operating, fraud and cyber risk. The new paradigm will also need to be scaled to handle customers and counterparties at the BIC level.
In the near-term, reviews of these arrangements and of customer and counterparty cyber self-assessments will require informed and organized decision-making so as not to cause major business disruptions or create unnecessary risk.
This process will require significant coordination and partnership within and across organisations. Firms’ technology operations and cyber teams will know how to assess these controls within their own organisations. In addition, they will also need to work in partnership with the cyber and fraud risk experts supporting business leaders from the payments and securities areas. And finally, these groups will need to work with counterparts’ cyber and fraud teams.
This is likely to be a dynamic and iterative process. The learning curve both for those submitting their self-assessments, and for those evaluating them, will be fairly steep.
The decision-making process on whether and how to do payments and securities clearing with counterparts will also be quite complex.
But those businesses that prepare themselves appropriately will be able to make more agile and more informed risk-based decisions than before. They will be able to calibrate their relationships – creating compensating controls as well as pricing in risk where needed, thereby at once both protecting themselves and encouraging counterparts to improve their security. This will help drive improvements right across the community.
In doing this, the community will not just need to consider SWIFT’s cyber controls, but will also have to incorporate upstream transaction management and transaction-checker controls in their thinking.
Clearing banks may, for instance, ask their counterparts to mitigate risk by enhancing their sender fraud controls. Again, SWIFT intends to help the industry here.
As you will be aware, SWIFT just announced the launch of a new payment controls service to bolster customers’ fraud and cyber-crime controls. Initially targeted at smaller and lower-volume customers, the service will enable SWIFT customers to screen their payment messages according to their chosen parameters, enabling them to immediately detect unusual message flows before transmission.
With its unique capability, SWIFT has designed this service so that customers will be able to integrate it directly into their SWIFT messaging flows. This will significantly enhance their ability to control their messaging activity and enable them to immediately detect unusual or uncharacteristic payment patterns.
Many clearing banks may also put in receiver fraud controls, balancing the risk of increasing liability and litigation.
Banks’ regulators will be not only watching and enforcing the mandated controls but also asking the banks about their cyber governance and risk assessment frameworks.
Why am I talking about this now?
Because we, as an industry, have a limited amount of time to get ready to deal with this.
SWIFT published its detailed controls to the community a few weeks ago, together with the timeline for self-assessment and attestation which, for the mandatory controls, is before the end of this year. If you have not done so already, I strongly encourage you to consult these, and begin preparing yourselves.
SWIFT is also ready with its team of experts to help you prepare not only your own self-assessments, but also to advise you as consumers of the self-assessments from your global payments and security supplement businesses. SWIFT will hold seminars and workshops around the world for thousands of its customers to help them better understand the specific expectations and time lines.
Many of your customers and counterparts will likely seek advice and education from you, their correspondents, as they conduct their self-assessments, as they always have in times of major change. Those correspondents that are prepared and organized will be able to fundamentally differentiate themselves.
Those institutions that start now and organize themselves will not only face a less disruptive process, but may also be able to create a competitive advantage and, from that, stronger customer partnerships.
This organisational aspect will be key, as few – if any – correspondents are likely to have a single department that can be charged with reviewing counterparts’ self-attestations in an integrated fashion and calibrating these relationships accordingly. Preparing for this will require care and resourcing. Investments will need to be made and budgets secured. Skill sets will need to be built, and cross-functional teams formed. This will require investment in people, processes and departments. With budgets being determined now, I would urge you to get started.
This is of course far from the only business issue that you face – but I did want to stress its urgency and importance. Fortunately today you will also have lots to discover and discuss in the other challenging business areas that SWIFT is working on – such as correspondent banking and gpi; financial crime compliance and regulation; innovation and FinTechs.
I urge you to join the sessions and to engage, and look forward to a series of interesting and fruitful discussions."