The Society for Worldwide Interbank Financial Telecommunication, better known as SWIFT, platform powers the global financial world. Through this Belgium-based system, which is used by more than 11,000 institutions in more than 200 countries and territories, more than 25 million messages are sent per day that facilitate the secure transfer of trillions of dollars.
But in the past few years, a few high-profile heists been carried out by criminals who have exploited the SWIFT communications network. Hackers got away with some $6 million from a Russian bank in February, showing that vulnerabilities still exist even after the organization pledged to heighten security following two separate cyber heists, with thieves reportedly using the platform to defraud a bank in Bangladesh out of $81 million in 2016 and another group moving around $12 million out of an institution in Ecuador in 2015.
“The platform is extremely secure, but there are vulnerabilities,” said Juan Manuel Gómez, sales engineering lead for Latin America and the Caribbean at software and technology company Citrix Systems, Inc.
To further fortify its platform, SWIFT introduced new protocols, known as its Customer Security Program (CSP), that all participating banks and other organizations must comply with. The first deadline came and went on December 31, 2017, and Citrix, dating back to last year, has been working behind the scenes with several companies in Colombia to help them reach compliance.
“They are asking for companies using the platform to attest that they are compliant,” said Gómez, who is based in Fort Lauderdale.
While users still have until the end of 2018 to prove they are fully compliant with all the mandatory controls, Gómez says that those who continue to delay face more onerous administration hurdles.
Banks that are not yet compliant have not been barred from using SWIFT, but they may face higher scrutiny to their transactions going forward, Gomez speculates. This could drastically affect business, he says, as the bank on the other side of the transfer may take significantly more time to finalize the transaction. Something that should take days could run more than a week.
He compares it to a consumer FICO score. A person with a credit rating of 760 can get approved quickly for a small loan by almost any bank without facing high scrutiny. But if someone at the 580 level asks for the same amount, while it ultimately may be deemed an acceptable risk for the creditor, chances are they will take more time before approving the funds and more heavily vet the historical track record.
“Organizations that do not comply with the new regulations will still be able to continue working, but will need a greater number of validations for each transaction, which will affect their agility of operation in the financial sector and, therefore, their commercial productivity,” said Gómez.
Citrix is aiming to help companies get compliant and offers solutions to bring banks up to speed quickly. And given that the SWIFT program is based upon eight principles, with a combined 27 separate mandates, there is a lot of boxes to check off before hitting the “fully compliant” barrier outlined by SWIFT.
In Colombia, there are nearly 130 authorized SWIFT codes used, including banks and other companies that have access to the network, some of which are connected to one enterprise operating in different locations. Citrix has worked with around half of these firms and banks so far, said Gómez, and is increasing the push to aid clients in CSP compliance.
The process begins easily enough. The first phase focuses on conducting a basic assessment to see how companies are using SWIFT, something that can take a few days or a week. “The implementation process that is happening now is going to bring to light who is ahead and who still has a lot of work to do on this,” said Gómez.
Then comes hardening some some security aspects in terms of technology and architecture. Isolating the user application is key, particularly ensuring it is completely shut off from the internet browser used on the machine, as this the most vulnerable pathway to malicious external threats. “We need to separate it to make sure it doesn’t have connection with any other applications,” he said.
Next comes factors such as formalizing the authentication process to better manage user controls to the system. That can be done with usernames and password, or perhaps more advanced security such as biometrics, and is followed by various other protocols to ensure the rest of the mandates are met.
All this will take about a month for even those companies that are quite far behind. Gómez says that firms that have gone through similar compliance processes, like those of the Payment Card Industry Security Standards Council (PCI SSC), tend to have a better institutional understanding of how the process works. It doesn’t mean that they will already have checked off the necessary boxes for the SWIFT mandate, but going through something like this before tends to make everything easier the next time.
Citrix started an awareness campaign in third quarter last year to get companies prepped for the necessary change. Some companies were quick to react while others have just put it on their radar now. In Colombia, Gómez is seeing more institutions start to prioritize SWIFT security compliance, and he believes a second wave will get serious before the mid-point of the year.
Then, going forward, in 2019 and beyond, there will likely be more updates to the SWIFT mandates that will require small, but essential, adjusts. As always getting compliant with financial sector regulations is more of an ongoing journey rather than a trip with a final destination. “It’s a continuous process,” he said.
(Photo credit: Citrix)