SWIFT Customer Security Program (CSP): What does it mean for Corporate Treasurers?
These days, IT security has become a must, and payments in particular are critical for every company. SWIFT (the “Society for Worldwide Interbank Financial Telecommunication”, based in La Hulpe in Belgium), a key player in this payment landscape, has decided to launch a program under which each user attests its compliance with a set of baseline rules. The approach in itself is commendable and sound. However, we can question how far corporate treasurers should go in their compliance efforts: the measures should not be implemented at any price, as corporates are users and not service providers. At the end of the day, SWIFT will disclose each user’s current level of compliance with the mandatory and advisory controls.
Customer Security Programme (CSP), or the way to safeguard security across the banking community
SWIFT has recently launched the CSP, a new program based on a self-assessment questionnaire that determines whether a SWIFT user is “secured” or not and respects best practices in terms of security. A good new idea? It looks like a sound initiative. However, the best is the enemy of the good; as the British would say, “if it ain’t broke, don’t fix it”. The program is dedicated to supporting financial institutions in reinforcing the security of their SWIFT-related infrastructure. A Customer Security Control Framework (CSCF) was published in April 2017, certainly as one consequence of the attacks faced by SWIFT. It defines a set of mandatory and advisory controls to be implemented in SWIFT customers’ operating environments. According to SWIFT, there are two main milestones users should observe. First, all SWIFT BICs were expected, by the end of last year, to submit to SWIFT a self-attestation of their level of compliance with the mandatory controls; SWIFT reserves the right to report to supervisory institutions any BIC that has not completed its attestation. Then, by the end of 2018, all SWIFT BICs must comply with the mandatory controls and update their attestations; SWIFT again reserves the right to report to supervisory institutions any BIC (i.e. company or bank) that does not attest compliance with all mandatory controls. As said, it seems interesting and useful. Claiming that a breach around these services could lead to significant disruption and financial losses is true enough. But are we certain that all these controls are necessary for corporates? In our view, as treasurers, it may go a bit too far. Full compliance is great, but isn’t it more an issue for banks than for corporates, especially those using a SWIFT service bureau? Being based first on a self-assessment, the exercise remains difficult and its results are not easy to compare.
We will need some time to clarify further up to which level we should be compliant and to elaborate best practices.
Growing cyberattacks and increasing IT risks
The growing threat of cyberattacks has never been more pressing. We all know of, and some of us have even faced, recent instances of payment fraud in our customers’ local environments. This certainly demonstrates the need for industry-wide cooperation against IT and systems threats. It is important to note that, while SWIFT’s network and services have not been compromised, incidents often take place after a customer has suffered security breaches within its own infrastructure. Everyone is responsible when we talk about IT security, and each must make sure its own environment is secured and safe. In my view, security is something that belongs to all of us, up to a certain degree. SWIFT is a cooperative structure belonging to the banks, and it is therefore, fortunately, committed to playing an important role in safeguarding security. The payment and banking information ecosystem is wide and vital; it needs to be well protected, and risks mitigated as much as possible. This huge security program launched by SWIFT is dedicated to enhancing information sharing throughout the user community. We need a solid customer security control framework, and no one can doubt this. The idea of sharing best practices and of better detecting or preventing fraud attempts is an excellent objective. Nevertheless, IT security has a high cost: in absolute terms any single measure is good, but its marginal cost can sometimes be exaggerated compared with the objective it tends to reach. We must keep the IT risk return in mind while investing in security. A corporate is neither a market infrastructure nor a financial institution, and its costs must remain reasonable. Corporates have noticed an increase in costs related to payments and security, whereas automation and technology were supposed to reduce them. It is a sort of paradox we have to accept.
Security is a three-level effort
This ambitious program has been articulated around three mutually reinforcing areas. As explained by SWIFT on its website, customers first need to protect and secure their local environment (US); it is then about preventing and detecting fraud in commercial relationships (OUR COUNTERPARTS); and finally about continuously sharing information and preparing to defend against future cyber threats (OUR WHOLE COMMUNITY). It is right that security is a collective duty and a joint effort if we want to succeed. This new program consists of 16 mandatory controls and 11 advisory (i.e. voluntary) ones. Customers and members can be called upon to present additional evidence of their compliance.
What should corporates do in order to be compliant?
Numerous corporates have started their self-assessment exercise alone, and some with the support of advisors. The advantage of a joint exercise, or at least of a gap analysis, is that it gives corporate users a bit of a benchmark. Who could claim to know precisely what should be implemented or not, and how to assess it? It is a tricky review, as it can have heavy consequences for a SWIFT user, and it must be taken seriously. Advisors then help define the measures to be taken, and milestones, to protect the company’s informational assets and to address the risks around unauthorized disclosure of data and its legitimacy in a regulatory and legal context that has become stricter over the years. Hence three objectives (i.e. a secured environment, controlled access, detect and act); eight principles (e.g. limit access to the internet, reduce the attack surface, prevent theft of credentials, manage access and privileges, detect abnormal activity in systems, have intervention and sharing plans); and eventually 27 controls (as already mentioned above, including compliance with international standards such as ISO 27002, PCI-DSS, etc.). You will easily understand that a huge prevention effort is required and that external resources may be necessary. It also involves several support functions and company departments. One of the first tips is to set up a cross-functional team to oversee CSP implementation, including risk, compliance, technology, legal and operations. In future, such a program must be part of the company’s overall internal IT security reviews and security programs (e.g. a SOC 2).
Not once in a lifetime, but renewed at least annually
The CSP self-assessment, once published on the KYC Registry, must be renewed every year and is made available to all the user’s counterparties through this application. The heavy exercise also covers service bureau entities and Alliance Lite2 for Business Applications (L2BA). Once a user has published its self-attestation in the SWIFT KYC Registry, it can make it available to any counterparty through that same application, at its own discretion, thereby being transparent towards its counterparties. Behind this idea of transparency and controlled visibility, SWIFT expects that all parties will be somehow “forced” to respect the Customer Security Control Policy (CSCP). Once you are a SWIFT user and have a BIC, there is no way to escape this self-assessment. These attestations should provide an accurate representation of the degree of compliance with the security controls at the time the self-assessment questionnaire answers are submitted. The risk remains that SWIFT reserves the right to report non-compliance to the supervisors or, for corporates and other non-supervised entities, to their messaging counterparties. The national banks of the EU countries have already sent messages to their supervised financial institutions. For more details, users should consult the documents published on the SWIFT website.
Time to get ready, if you have not yet started…
No one could contest the benefits of such a security program, and we all understand the reasons behind it and its aim. However, if you are hearing about the CSP for the first time, it may appear to you to be a huge project. The IT part of it is highly technical and makes it complicated for treasurers. We should conduct this readiness assessment against both the mandatory and the advisory controls. It is also necessary to assess how the attestation requirements align with existing service organization control (i.e. the so-called “SOC”) reporting. A starting point will be to review past audit and risk findings to identify potential gaps and to carry out a gap analysis, once the self-assessment questionnaire has been completed for the first time. Eventually, we will have to identify the manual interventions required for processing in order to determine potential technological solutions and improvements. These will have a cost, and ad hoc budgets will then have to be approved by a steering committee or by the CFO. It is important to note that this topic is not often addressed and discussed within the treasury community. Maybe it is too early, or our community is too slow in implementing. As there are several gateways for connecting to the SWIFT network, a benchmark among SWIFT corporate users could be useful. As a reminder, the connection to SWIFT can use one of three connectivity solutions: SWIFT cloud connectivity, cloud-based connectivity using a SWIFT partner interface, or customer-hosted connectivity. Depending on the connection method and any recourse to a service bureau, the measures to be implemented can vary. I believe that the European Association of Corporate Treasurers could help in coordinating experience and positions. In conclusion, we can admit that the famous attack on the Bangladesh bank has changed the situation. Cyber-security is a constant, never-ending and painful exercise. However, it is necessary to prevent further issues.
More than 6 billion transactions a year (roughly) and more than 11 thousand customers give you an idea of the landscape. Such a program, and the review of internal controls it requires, must be embedded into our IT security processes and will require, I am afraid, time, resources and money. The key paradox to keep in mind is that cyber risk is likely growing faster than IT technology, and that the more sophisticated IT systems are, the more at risk we will be. We must remain vigilant and proactive, as cyber-risks evolve day after day. SWIFT will begin disclosing information to counterparties about customers’ compliance with the advisory controls in January 2018. It is a good measure initiated by SWIFT. But it remains difficult to assess at this stage, as we suffer from a lack of benchmark on what good practices are for corporates using the SWIFT network, especially when they go through a service bureau. We have to wait and see. Although Randy Pausch used to say “No matter how bad things are, you can always make things worse”, we should give SWIFT time to demonstrate how useful such a program can be. Those who do not want to comply with this program will have to contemplate alternative solutions. Unfortunately, IT security these days is, and remains, the major focus for all of us, and there are no concessions to be made when it comes to protecting our payments.
François Masquelier, Deputy Chair of EACT
Comment (Treasurer, 7 years ago): I also believe that the European Association of Corporate Treasurers could help in coordinating experience and positions.
Comment (Board Member, Advisor, Speaker with passion for Corporate Treasury, 7 years ago): Over 100 of our customers have completed their CSP requirements successfully. Not a big deal, but important to ensure security at the highest level.