Frequently asked questions about Daily Validation Reports
Why has SWIFT developed Daily Validation Reports?
One element of recent insider fraud attacks involves attackers hiding the evidence of fraudulent wire payments that they have sent. In these incidents fraudsters have deleted logs, manipulated transaction records, system files and database records, and in some cases, crashed or left environments in an unrecoverable state. Our smaller customers are dependent on the accuracy of the data on their own systems. In the event of a security breach, local environments can no longer be trusted to present a true record of transaction activity. Daily Validation Reports provides a view of SWIFT’s record of a customers’ activity that can be used to independently verify, in aggregate form, payment messages that have been sent or received.
Who will benefit from Daily Validation Reports?
Daily Validation Reports have been designed primarily for smaller institutions that might lack the most sophisticated tools for providing robust responses to fraud threats or reacting in the event of fraudulent activity. They will be most useful for institutions with smaller transaction volumes, since they require manual review processes.
When will Daily Validation Reports be available?
Daily Validation Reports will be soft-launched at the start of December 2016. The soft-launch is to allow controlled ramp-up of customer numbers and to provide an opportunity for customers to provide feedback on the use of the reports to SWIFT. General availability will follow in 2017.
Can my institution participate in the soft-launch?
The soft-launch is targeted at smaller customers that are willing to engage with SWIFT to provide feedback on the reports and further understanding of how the reports are used. Please contact us if you would like to be considered for inclusion in the soft-launch.
What about larger customers?
Larger institutions will typically have more comprehensive cyber defences and fraud prevention controls, as well as their own backup reporting systems. Their large transaction volumes mean that a manual review process using Daily Validation Reports might be less suitable, although smaller branches of larger institutions might find the reports useful.
Which area of my institution will benefit from Daily Validation Reports?
Daily Validation Reports are a secondary control to verify and understand payment activity. Payments operations, compliance and fraud prevention teams will benefit from the reports.
Will I only get Daily Validation Reports if I ask, or will I automatically get them?
This is a service available to customers who specifically subscribe to it. Register your interest now.
How do Daily Validation Reports work?
Daily Validation Reports are available on a daily basis and leverage the underlying BI platform used by Watch and Compliance Analytics tools. Customers log in through www.swift.com. The reports provide aggregate reporting of transaction activity to allow review of inbound and outbound payments by currency, country and counterparty bank.
The reports allow the customer to see the originator, sender, receiver and beneficiary counterparty banks and the aggregate transaction activity by value, volume, currency and message type, with values normalised to a user-selected base currency.
Message type filters are provided to allow quick access to data. Within each report, daily payment value and volume averages (calculated over a 24-month period) are presented, along with a percentage change indicator which allows rapid identification of significant variations in payment patterns. Report information can be extracted to Excel or similar tools.
How many users can a customer have?
There are five users as part of the licence. Further blocks of 10 users can be purchased separately.
What is required to start using Daily Validation Reports?
Very little. The reports are designed to be quick and easy to use and there is minimal customer configuration. Following receipt of an e-order, access will be granted and access roles must then be allocated by the customer. Training materials and user guides will be provided.
Are there any existing alternatives to Daily Validation Reports?
No other vendor can provide access to SWIFT’s record of transaction activity.
One alternative to Daily Validation Reports would be for a customer to use FINInform/FINCopy to deliver copies of messages to a separate interface where they could create a separate database to generate similar reports. Some larger customers already do this.
Other alternatives would be to use commercially available fraud detection and prevention tools. However, in the event of cyber compromise these tools could be bypassed by a fraudster.
How are customers being involved in the development of Daily Validation Reports?
We have been working with customers to define the scope of the Daily Validation Reports and will continue to do this in the run-up to the soft-launch date in December. As part of the soft-launch there is also opportunity for further collaboration with customers.
How much will Daily Validation Reports cost?
Please contact your SWIFT account manager for details on pricing.
Will SWIFT be opening and reading messages to produce these reports?
The service has been designed in full compliance with our policies and under SWIFT Board governance. We have strong safeguards in place, and access to data is fully in line with other SWIFT data analytics services such as Business Intelligence and Compliance Analytics.
Do Daily Validation Reports mean that SWIFT will do the fraud detection for the customer?
No, absolutely not. Customers are fully responsible for validating that their payments activity is correct.
Are customers obliged to take Daily Validation Reports to meet Customer Security Programme (CSP) security guidelines?
No, there is no obligation on customers to do this. Daily Validation Reports are an additional control that they can use, depending on their environment and as a way to supplement other controls that they may have in place. A subscription to Daily Validation Reports does not remove other obligations. Customers must still meet security guidelines defined as part of the Customer Security Programme and also must report attempted and actual cyber fraud events to SWIFT.