Experts discuss the key role CSP counterparty attestation data can play in strengthening risk management at Sibos 2021.
SWIFT’s Customer Security Programme (CSP) isn’t just a way for banks to attest to their own security controls – it’s also a powerful tool that can help banks manage their counterparty risk more effectively by requesting and assessing their counterparties’ attestation data.
During a session at this year’s Sibos event, early adopters Leif Simon, Director of Transactions Surveillance Solutions at Deutsche Bank, and Joanne Cash, Head of Operations Control Management at BNY Mellon, explained the benefits of using counterparties’ attestation data in this way, and the factors that can help banks get the most value from their data.
Holistic risk mindset
Simon explained that since the high-profile cybersecurity incidents of 2016, SWIFT’s Customer Security Programme (CSP) has played an important role in maintaining trust within the community. For Deutsche Bank, he added, counterparties’ CSP data has become “the single most important data source we have for cybersecurity risk assessments.”
Cash noted that the counterparty risk assessment process has brought a number of benefits for BNY Mellon. For one thing, the exercise has enabled the bank to build a partnership across teams including cyber, information security, business and risk and compliance. A further benefit is that the exercise requires a holistic risk mindset, as it forms part of a broader view of the bank’s counterparty risk assessment.
“Not all counterparty attestations are created equal,” she observed. “You can place more weight, for example, on those that have an external audit opinion.” Likewise, banks may not see all controls as equally critical: more weight might be given to counterparties’ firewalls, for example, than to advisory controls in areas such as scenario analysis.
Making a difference
The speakers revealed some of the ways that attestation data have made a difference to their banks. On one occasion, BNY Mellon’s cyber team had warned of chatter around potential cyberattacks targeted at financial institutions in a specific jurisdiction. As a result, Cash explained, the bank was able to pull details of all counterparties in that jurisdiction from the counterparty risk attestation tool, review the data, look at patterns of activity – “and then determine some additional monitoring that we put in place.”
Simon, meanwhile, cited a counterparty which had indicated non-compliance with one or two CSP controls. “That enabled us to get in contact with them early and discuss the reasons for the non-compliance,” he said. “It turned out that they just needed some more time to implement some enhancements to their infrastructure, which gave us comfort that potential weaknesses were being remediated.”
Ingredients for success
So how can banks make the best use of their counterparties’ attestation data? The speakers cited several success factors that have proved important for their institutions:
- Resources – Cash and Simon both emphasised the importance of having the right resources in place. “We found it was easier to centralise that work into our control team and create an enterprise solution that partners both with the technology teams and with the business teams,” said Cash.
- Communication and socialisation – BNY Mellon’s relationship managers needed to be able to answer questions from clients and counterparties. To address this, the bank created a CSP council with regular meetings, as well as publishing background information and frequently asked questions on a website.
- Executive level support – “We got the most senior people in technology and operations engaged in this, and we also pulled in senior people from the business,” said Cash. “So we can quickly escalate any issues or concerns with our own attestation, but also with non-responsive counterparty attestations.”
- Find a home for the project – Simon found that the project didn’t naturally sit within KYC or financial risk management, “but deserves to be handled as a project in its own right. It was clear from the beginning that we had to put a separate organisational structure around it.”
- Prioritise counterparties – Instead of tackling everything at once, Deutsche Bank opted for a risk-based approach that involved prioritising specific counterparties – an approach which Simon said might be particularly valuable for smaller institutions.
Putting it in practice
Finally, the speakers provided some additional tips for institutions considering how to put this into practice in their organisation. Cash said that some counterparties had initially been reluctant to release CSP data to the bank. “It’s important to be patient and understand that different people in the community have different perspectives, and work with them to get the right outcome,” she observed.
“It may look like an overwhelming exercise to start embracing CSP for your institution,” said Simon. “My piece of advice is, if you think you can’t do everything at once, do as we did. We defined a risk-based approach to prioritise the counterparties and the work we had to do, and then we worked through this in order. That way you can at least get started, and I would really say don’t hesitate. Once you get started you will see how things fall into place and how it really builds up to become a very useful programme.”
To learn more, read our ebook, Unlocking the value of your counterparties’ CSP attestation data.