Swift announced last year that it would require those using its messaging systems to meet a set standard of security. The first deadline, to attest that steps had been taken without yet needing to be fully compliant, was December 31.
Since the deadline, the company has disclosed that 89% of its customers had attested to the mandatory levels. These customers represent 99% of all the financial messages sent along its network. And since Swift reported seeing 7.2 billion messages sent during 2017, an average of 28.14 million messages a day, it is not an inconsiderable number.
James Richardson, head of market development, risk and fraud, at Bottomline Technologies, says the move has for the most part been well received, adding: “Introducing the controls has created a new minimum standard. For some it will require a lot of work to meet this standard. There are 11,000 companies on Swift that need to be brought up to speed.”
Richardson says Swift’s customers are divided into three distinct groups.
“There are splits between companies as to the levels they are at. There are some that have attested and are fully compliant already,” he says. “These companies are really raising the bar of security across companies and the industry at large.”
For the second group, having the long deadline towards full compliance has been of benefit.
Richardson says: “There is a group that have seen the importance of attesting, and met the deadline, but are not yet compliant. This may be due to their own constraints around technology or budget.”
Meanwhile, there is the group that makes up the remaining 11%. According to Richardson, this group has considerable work to do.
“There is also, however, a small number that have not yet attested,” he says. “At this point, Swift has stated all along it reserves the right to inform the regulator of those who have not attested.”
Customers that do not meet the standards will not have to stop using the Swift network, but their counterparties will be able to see that they have not attested. Customers are able to see where other companies are in the process of attestation by accessing the KYC [know your customer] registry security attestation application.
Swift has suggested that customers should begin to incorporate attestation data into their risk-management and decision-making processes.
The process of proving compliance will now be an annual requirement.
Pat Antonacci, programme director, customer security programme at Swift, cautions that, while the framework has been built on a requirement of self-attestation, there are ramifications if it is ignored.
“To ensure community transparency, Swift reserves the right to report those users who have yet to attest to their financial supervisors, and banks have been reminded of this,” he says.
Bottomline Technologies' Richardson says this has been a successful strategy, adding: “Swift has been clever in how they have implemented this by applying peer pressure. It is easy to see if a company has attested – they are listed with a green tick if they have and are greyed out if they haven’t.”
For some it has been more of a struggle to meet the standards. Antonacci says Swift has given its customers help should they need it.
“Leading up to December 2017, Swift carried out a global engagement campaign to drive awareness and understanding of both the CSCF [Customer Security Controls Framework] and the attestation process. We held more than 200 dedicated customer security work sessions around the world, which were attended by more than 14,500 attendees.”
Richardson says companies that might need extra support shouldn’t put off working towards compliance.
“Companies really should be aiming to be compliant within six months, well ahead of the December 2018 deadline,” he says. “The standards and the deadlines were advised a year ago. We are advising companies to look to be fully compliant within three and six months, as this will give them extra time should it take longer than planned.
“There has been no suggestion from Swift that they are open to extending the deadlines. Companies have to get it done in time or risk being reported to the in-country regulator.”
Swift has also worked on processes to give customers a greater level of insight into their operations and create better understanding of their own systems.
Antonacci at Swift says: “We have also developed anti-fraud tools to help customers. In 2016 we introduced a daily validation report, a fraud detection tool that allows customers to verify Swift message flows and detect unusual transaction patterns and new and uncharacteristic payment relationships. The reports have been well received by the community.”
Richardson says that in his experience of speaking to Bottomline Technologies clients on the Swift network there are some who wanted more.
“Among those that have attested and are compliant, there is some feeling that the controls, whilst appropriate for the Swift environment specifically, do not go far enough,” he says.
“From the conversations we have had with companies and customers, there is a call to go into transaction and behaviour monitoring, beyond manual and post-submission checking. They do not see it as a box-ticking exercise; they want to push the security rules on payments further.”
He adds: “For these companies they want to see where the controls can be used for other payment types, such as in Faster Payments and Sepa.”
The processes will continue to be rolled out during the coming year.
Antonacci says: “Our payment controls service, to be launched in Q3 2018, is an in-flight service that monitors payment messages in real-time in the Swift network. It will bring additional safeguards to ensure that payment instructions are in line with business expectations and don't represent a significant or unacceptable business risk.”
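Neither the daily validation report nor the in-flight payment controls service is described in technical detail, but the two checks Antonacci names, new or uncharacteristic payment relationships and unusual transaction patterns, can be illustrated with a small baseline-and-review routine. This is an added example, not Swift's or Bottomline's code; the BICs, amounts and message references are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: amounts previously sent along each (sender, receiver) relationship.
# The BICs are placeholders, not real institutions.
HISTORY = [
    ("BANKAAXX", "BANKBBXX", 100_000), ("BANKAAXX", "BANKBBXX", 110_000),
    ("BANKAAXX", "BANKBBXX", 95_000),  ("BANKAAXX", "BANKBBXX", 105_000),
    ("BANKAAXX", "BANKCCXX", 5_000),   ("BANKAAXX", "BANKCCXX", 6_000),
    ("BANKAAXX", "BANKCCXX", 5_500),
]

# Constructed day's messages: one in line with history, one far outside the
# relationship's usual amount, one to a counterparty never seen before.
TODAY = [
    {"ref": "MSG001", "sender": "BANKAAXX", "receiver": "BANKBBXX", "amount": 102_000},
    {"ref": "MSG002", "sender": "BANKAAXX", "receiver": "BANKCCXX", "amount": 90_000},
    {"ref": "MSG003", "sender": "BANKAAXX", "receiver": "BANKZZXX", "amount": 20_000},
]


def build_baseline(history):
    """Per-relationship (mean, std dev, count) of amounts from prior traffic."""
    amounts = defaultdict(list)
    for sender, receiver, amount in history:
        amounts[(sender, receiver)].append(amount)
    return {pair: (mean(v), pstdev(v), len(v)) for pair, v in amounts.items()}


def review_flows(baseline, messages, z_threshold=3.0):
    """Return (ref, reason) alerts: unseen relationships and outsized amounts.

    The same function serves a post-hoc daily review (run over the day's
    messages) or an in-flight check (run over a single message before release).
    """
    alerts = []
    for msg in messages:
        pair = (msg["sender"], msg["receiver"])
        if pair not in baseline:
            alerts.append((msg["ref"], "new_relationship"))
            continue
        avg, sd, _count = baseline[pair]
        if sd == 0:
            # Zero-variance history: any deviation at all is uncharacteristic.
            z = 0.0 if msg["amount"] == avg else float("inf")
        else:
            z = (msg["amount"] - avg) / sd
        if abs(z) > z_threshold:
            alerts.append((msg["ref"], "unusual_amount"))
    return alerts
```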
He says Swift also provides information such as security alerts, anonymised information on points of compromise and the nature of known security attacks.
“The security controls were developed in conjunction with industry experts and designed to be in line with existing information security industry standards: PCI-DSS, ISO 27002, and NIST,” says Antonacci.
“They are kept under constant review to ensure our community is best protected from emerging and evolving cyber threats – but over time we do expect that they will evolve in light of the changing cyber threat landscape.”
The rules were not created in a silo: Swift worked to ensure the CSCF does not contradict any of the regulations that companies already have to work within. As well as pushing the rules further, some companies want to see how the CSCF controls can be applied elsewhere.
Richardson says: “There will be assessments to see how and where the controls can find further uses. Under PSD2 [Payment Services Directive II] there is a need for strong account authentication, unless the company can prove it has a low fraud ratio. Many companies are eager to avoid having to implement two-step authentication processes, so can they find a commonality between Swift’s controls and PSD2?”