SWIFT CEO Gottfried Leibbrandt delivered the keynote address at the 14th annual European Financial Services Conference in Brussels today. During the speech, Leibbrandt announced SWIFT’s five-part Customer Security Programme to reinforce the security of our shared, global financial system.
The five-part plan includes initiatives to:
- Improve information sharing among the global financial community;
- Harden security requirements for customer-managed software to better protect their local environments, enhance our guidelines and develop security audit frameworks for customers;
- Support banks’ increased use of payment pattern controls to identify suspicious behavior; and
- Introduce certification requirements for third party providers.
The following is Leibbrandt’s speech as prepared for delivery:
Hello and thank you for having me here today.
Cyber security is serious. It’s a critical issue for the financial system – and it’s a critical issue for SWIFT. Cyber concerns are not new to us at SWIFT. Indeed, ever since I took on this job, cyber risk has been the main thing to keep me awake at night. We work very hard at improving the cyber security of our network; every day we wake up and go to sleep thinking about, and protecting against that threat. It is hard work and never done. And rightly so for SWIFT. After all, we are trusted by our clients to carry billions of high value payment messages a year. This requires a network that meets the highest standards in terms of: Confidentiality, Integrity and Availability.
Our network was designed to meet these challenges. Cyber security is part of our DNA – it is not an afterthought. Not just hardware and software, but people, processes, procedures, checks, in fact a whole organisation for whom “failure is not an option”.
So, as we’ve said a few times before these past few months, let me repeat: SWIFT, our network, software and our core messaging services have not been compromised. Ensuring that remains the case is, and always will be, SWIFT’s top priority.
But the financial industry, as a community, has to be clear that cyber risk is big; there will be more cyber attacks. And inevitably some will be successful. Acknowledging this doesn’t mean we are resigned to it. Rather, it means that we must work even harder at our collective defensive efforts.
Recent Cyber fraud events are a watershed event for the industry
Let me turn to the recent fraud at Bangladesh that has caught multiple headlines. I think it will prove to be a watershed event for the banking industry; there will be a before and an after Bangladesh. The Bangladesh fraud is not an isolated incident: we are aware of at least two, but possibly more, other cases where fraudsters used the same modus operandi, albeit without the spectacular amounts. The banks were compromised, credentials to payment generation systems were obtained to send fraudulent payments and the statements/confirmations from their counterparties were obfuscated.
So this is a big deal. And it gets to the heart of banking.
Keeping money secure is core business for banks. So these events are a problem on at least two fronts.
First it’s a problem because banks that are compromised like this can be put out of business. It’s not like retailers losing credit card details or telcos losing customer details. Telcos and retailers will take reputational hits, and may face some financial liabilities, but things will move on. When banks lose control of access to their payment channels, it’s different. In the recent cases, thieves were able to move just some of those banks’ overseas assets. As a result, for the banks concerned, the events haven’t been existential. The point is that they could have been.
Second, it’s a problem because the financial system is hugely interconnected and it operates on trust.
What about SWIFT?
At this point two questions pop up for SWIFT, at least they have in the press: 1. Isn’t SWIFT in the middle of all of this? 2. What are you going to do about it? Let me answer both in turn, since the answer to the first forms the basis of the second.
As I said above, SWIFT, our network, software and our core messaging services have not been compromised. In Bangladesh and the other cases, the thieves compromised the IT environment and worked their way to the bank systems where the SWIFT instructions are generated and the confirmations received. And while we (and other providers) give tools and software to our customers, our customers run these in their own environment and need to keep them secure. We cannot secure our customers’ environments and cannot assume responsibility for that.
At the same time, we play a crucial role in the global payments system, and the events form a direct threat for that system. We therefore very much want to be part of the solution. We think we can be and we have to be.
The need to share information
Over the past weeks and months, we have already stepped up our efforts, notably on sharing information.
The gravity of this threat is the very reason that all of us in the global financial community have to be willing to share that information. Through trusted channels, of course; but we have to share.
Banks can learn from one another about the modus operandi and put better preventative measures in place; entities like SWIFT can serve as the information sharing channel, and we can develop indicators of compromise to help those banks improve their detective capabilities. We are doing so.
But information sharing needs to get better, much better. It is critical that the global financial community works together to bolster our mutual security.
We are calling for a collective effort in our global financial community to reinforce the security of our entire, shared system.
Our security is our collective mission and can only be strengthened through a collaborative approach which includes SWIFT, third party suppliers, policymakers, regulators and our users, big and small.
And particularly the large clearing banks – many of whom I see here today – have a really important role to play; your networks of relationships mean that you can have a truly global, viral effect.
And we are going to do much more. We are the global bank-owned cooperative at the heart of the global payment system, a system that is facing a persistent threat. We are stepping up to the plate as our owners and overseers expect us to.
Customer Security Programme
Indeed, we are working with our community on a five-part customer security program that we will announce later this week; five big initiatives that mutually reinforce each other. We are reaching out to customers to discuss with them in more detail and answer any questions.
First, as I just mentioned, we aim to drastically improve information sharing among the global financial community. We will demand more information of our customers, and share that back with the community. The ambition is to do on an international scale what banks in several countries are already doing domestically. We will do it in a confidential way that uses the data while protecting the identity of the institution and customers.
Second, we will harden security requirements for customer-managed software to better protect their local environments.
Third, we will enhance our guidelines and develop security audit frameworks for customers.
Fourth, we will look to see what we can do to support banks’ increased use of payment pattern controls to identify suspicious behavior.
And finally, we will introduce certification requirements for third party providers.
This requires Cooperation
This will only work if the industry works together. Banks, regulators, third-party providers and SWIFT. SWIFT is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry. The security of our network remains our key priority; the security of their own environments has to remain (and, for some, become) banks’ priority.
Let me close by returning to innovation.
The opportunities that innovation has brought banks and their customers are tremendous – technology and connectivity have introduced the sector to cyber risk. Back before mainframes, ATMs, mobile banking and PCs, it was all about men and guns. Now it is about men and hoodies hunkering over keyboards. And as we continue to connect everything to everything, things will get ever more challenging.
We are seeing some really exciting advances in innovation – and that’s great. The banking experience is immeasurably better today than it was a few years ago – inside banks as well as outside. Let’s have more of that. But these amazing technological advances open the door for increasingly complex cyber threats; the problem must become the solution – technology is essential to our cybersecurity.
Now more than ever, we need to see innovation in security – we’re seeing some, after all, the famous AES algorithm was designed less than 30 km away from here, but let’s have more.
You all know what I’m talking about – bring on the next generation of pattern recognition, monitoring, anomaly detection, authentication, biometrics—and a host of innovations we have yet to develop that will improve and preserve the security of our industry.
We need more of these incredible innovations, and just as importantly, our industry needs to use more of what’s already available to us.
The cyber challenge is huge, and demands action, and change, by all stakeholders. And change is hard. Sometimes it takes a crisis. As the saying goes: “a crisis is a terrible thing to waste”; so let’s use this crisis as an industry to come out stronger, better and even more secure.
Dealing with the loneliness crisis with assistive technology
By Karen Dolva, CEO and Co-Founder of NoIsolation
Humans are social beings, and for most children, school will be their most important social arena. Unfortunately, however, many children and adolescents with long-term illnesses are unable to attend school for extended periods, due to treatment plans, ill health or more recently due to the risk of infection. Research has shown that long stints of school absence for children and adolescents with Chronic Fatigue Syndrome (ME) and cancer can range from months to years.
These prolonged periods of absence, which often lead to limited interactions with other children and adolescents, can result in children completely losing their social network, leaving them feeling cut off, lonely and isolated, all as a result of something that is completely out of their control. What kind of consequences can this type of social isolation have for children and young adults?
In a recent in-depth investigation, No Isolation partnered with independent researcher Henry Peck to look into the impact of COVID-19 on the emotional and educational development of British school-aged children, to shed further light on the consequences of school closures, not only across the UK, but also the long-term effects that this can have on children and adolescents everywhere throughout the pandemic.
As a company working to abolish loneliness and isolation amongst those suffering with chronic illness, we were already aware of the effect that social isolation can have on a child’s educational development and mental health. For the investigation we collected responses from 1,005 parents and carers of 1,477 children spanning primary and secondary school.
Results of the study found that a concerning 76% of parents and carers reported that, since lockdown, they have become worried that their children are suffering from loneliness. Results also showed that parents and carers of 5-10-year-olds worry that their children are lonely often or all of the time, whilst parents and carers of 11-16-year-olds are concerned that their children are lonely at least some of the time. This is likely due to the fact that older children have greater access to social technologies, while younger children often rely on non-verbal forms of communication such as facial expression, physical contact, and through play, all of which is difficult to recreate whilst away from the school setting.
At No Isolation we are committed to creating solutions that will help children stay connected to their friends and their education, regardless of circumstance. We’ve seen first-hand the devastating impact that loneliness can have on a child, and know that children that can’t attend school don’t just miss out on learning, they miss out on friendships too. Losing this contact during the early years developmental stages can be devastating, leading to anxiousness and an increase in feelings of isolation. This report sheds light on the hundreds of thousands of young people that may not be able to rejoin their friends in school, and it is vital that they don’t fall through the cracks. We plan to continue researching the impact of this unprecedented pandemic and driving the conversation around how we, as a nation, can ensure the mental wellbeing and educational development of those most affected.
Loneliness has been found to have serious implications for both physical and mental health. People suffering from loneliness are 32% more likely to have a stroke and are 26% more at risk of early mortality. From No Isolation’s own research into the impact of school absence due to long-term illness, we have found that children are particularly vulnerable to loneliness if they cannot attend school.
Researchers, Perlman and Peplau, define loneliness as a negative feeling, stating that a lonely person is experiencing a discrepancy between desired and actual social contact. Being socially isolated is not synonymous with being lonely, but there will often be a correlation between social isolation and loneliness. Though much empirical research on adults and adolescents shows a link between loneliness and depression, many studies have found that friendship-related loneliness is more explanatory for depressive symptoms among adolescents than parent-related loneliness. One possible explanation is that friends are the preferred source of social support during adolescence.
With that in mind, we should be both sad and alarmed by the high numbers of young people unable to attend school, and more so by the fact that we do not really know who they are or exactly why they cannot go to school. Research has shown that social isolation and loneliness often correlate with mental disorders, including depressive disorders. There are, however, options available for children and adolescents in the form of assistive technologies, enabling them to stay connected with education and their peers.
The provision of dedicated school staff, inspirational hospital schools and the use of avatars like AV1 that enable children to attend school remotely are just a few of the ways that assistive technology and exemplary attitudes are helping to keep children with long-term illnesses from becoming disconnected from essential social networks. There are also examples of individuals who are pushing to keep children from falling between the cracks and becoming invisible, such as Amy Dixon, who is running a petition that will do exactly that, bringing these issues to the attention of those who can make a real change. It is, and will be, thanks to these exemplary changes that more support is being offered to children that are virtually invisible across the UK at present.
However, not all children have the option to receive these kinds of provision. There are pockets of excellent practice driven on an individual and local level, but there needs to be systemic change at a policy level, to ensure everyone is supported.
Educational provision for children out of school due to illness appears to be something of a postcode lottery, with some families having to fight for 3 hours of home tuition a week, whilst others are offered 15 hours by default. This is thought to be, in part, due to the open statutory guidance which allows for flexible interpretation of government guidelines, as well as the financial limitations schools and city councils face. The way to improve the lives and outcomes of this group of children is to create a more accurate view and analysis. This can be done by joining up existing datasets, by asking better questions, and by building a model that predicts future numbers of children falling outside of the system. This, in turn, will push the issue up the political agenda and drive much needed changes to statutory guidance. Most importantly, it would lead to more support for children that are seemingly invisible across the UK.
Regulatory overlaps cause conflicts, confusion and complexity: is collaboration the answer?
By Rob Fulcher, Head of Business – Americas, CUBE Global
Regulatory overlaps are an ongoing, perplexing and often time-consuming anomaly. They occur where multiple market regulators act disjointedly in their attempt to address a market failure, thereby imposing different regulatory requirements with contradictory or overlapping obligations. For financial institutions, this can be problematic: which regulation should take precedence? Will they face punitive action for neglecting one obligation in favour of another?
Following the global financial crisis of 2008, a swathe of new policies and acts came into force with a view to protecting the system and essentially preventing another market crash. Inevitably, this led to a host of new regulations, some of which created overlaps and inconsistencies. In turn, this leads to inefficiencies and misunderstandings as businesses endeavour to comply with all and every regulation, often finding themselves at a stand-off.
Financial institutions – especially the compliance team – are desperate for regulatory clarity. However, in many cases, it is not forthcoming. Regulatory clarity is not, it seems, high on the regulator’s agenda. A recent report by CUBE, RegTech for Regulatory Change, in association with Burnmark, explored the evolving landscape of regulatory overlaps. We now delve deeper into this topic to ask, ‘what is the solution?’
GDPR, PSD2 and MiFID II – to collect or protect data?
One notorious regulatory overlap that causes consistent headaches for financial institutions is that between GDPR and PSD2.
While GDPR gives individuals greater control over their data and restricts the freedoms of organisations to share it, PSD2 imposes data sharing requirements on financial service providers. It is up to the banks to ensure that correct policies and procedures are in place so as to comply with both pieces of legislation. This is not often an easy task considering their almost diametrically opposite aims.
The same can be said for the regulatory rules that surround both MiFID II and GDPR – two pieces of legislation filled with inherent contradictions. While the former focuses on consumer protection through transparency and retaining more information about the investor community; the latter is concerned with data protection and limiting the access to investor data if so desired by the owner of the data and giving investors the right to be forgotten.
Data privacy and AML – data sharing can only go so far
Data is a commodity – compared often to crude oil. For financial institutions, data is not only part of ongoing business functions, but it also holds potential for manipulation, misinformation or illicit activity. Surprisingly, the value of data has only truly been realised in recent years. In turn, we have seen a swathe of money laundering and data protection activity – leading to new and amended regulations to bolster data protections and simultaneously impose supervisory requirements to avoid money laundering. Global banks are finding it challenging to comply with one without compromising on the other.
Multinational banks often find themselves walking a tightrope between trying to meet data privacy requirements and simultaneously meeting those surrounding anti-money laundering (AML). For example, banks in the US are forbidden from sharing Suspicious Activity Reports (SARs) with foreign branch counterparts due to disclosure restrictions, thereby making it difficult to implement a group-wide compliance program.
Regulatory overlap in the US
The US has a long-established, complicated and often fragmented regulatory structure. Significant and costly overlaps exist across the board, especially between the Office of the Comptroller of the Currency (OCC) and the Federal Reserve System’s data collection activities, along with its supervision and examination activities. Consumer protection is conducted by six US regulators, which naturally results in overlaps, duplication and confusion.
Similarly, the US Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC) and state securities regulators oversee securities and derivatives markets, leading to similar concerns of overlaps and fragmentation. Swaps and security-based swap products face the supervision of SEC and CFTC and market participants have made it known that this leads to significant market and operational challenges.
Regulatory overlap is not new – nor is there a clear solution. We have occasionally heard tales of compliance team members writing to regulators to request clarification, often to no avail. In the meantime, financial institutions must take steps to implement all relevant regulations where they can and mitigate risks where they are not able.
Regulatory technology (RegTech), especially automated change management platforms such as CUBE, highlights overlaps and alerts compliance teams where issues or inconsistencies arise. For now, this is the most effective means of managing unclear regulations.
Ultimately, the answer lies with financial regulators themselves. While uncertainty exists, regulators must issue guidance and expectations in order to standardise approaches across the industry. The ideal outcome is undoubtedly founded in collaboration: regulators across sectors, industry and jurisdictions should collaborate to ensure that legislative changes are consistent and do not tread on the toes of the other. With the emergence of new technology – and related new regulation – many regulators are calling for a joined-up approach and looking to work together in their supervisory goals. Perhaps collaborative, unambiguous financial regulators aren’t so far away after all.
Rob has 20 years’ experience in financial services sales and management. Following his early sales career at Euler Hermes, a global credit insurance business, Rob went on to establish a 15-year career in GRC. Initially working in London at Complinet, a compliance and risk business, Rob subsequently relocated to New York. In 2010, Complinet was acquired by Thomson Reuters and Rob played a pivotal role in growing GRC revenues, especially relating to regulatory change management. As Head of Sales Americas for CUBE Global, Rob re-built the sales team and consistently out-performed all other regions.
This is a Sponsored Feature.
Christmas isn’t cancelled; Santa now does click & collect
Despite fears that Christmas will be cancelled this year, new data from ACI Worldwide (NASDAQ: ACIW) finds that, with local lockdowns and social distancing measures in place across the UK, the Festive shopping season is starting earlier this year.
Based on analysis of hundreds of millions of eCommerce transactions around the globe, ACI’s latest eCommerce tracker predicts we will see a 27% increase in online shopping transactions, along with a whopping 40% increase in click and collect purchases as consumers remain socially distant and local lockdowns continue.
Indeed, consumers acting as Santa’s little helpers have begun purchasing presents online even earlier than before to keep the Christmas dream alive. Concerns around limited product availability and delivery delays have seen online transactions increase by 21% in the last four weeks, when compared to the same period last year.
Amanda Mickleburgh, Director of Merchant Fraud Product at ACI Worldwide commented, “While Black Friday has typically been the starting line for the festive period, this year Prime Day sounds the klaxon. There are myriad reasons for this. With everyone encouraged to social distance and many areas of the UK now under even tighter local lockdowns, there’s more time than ever to browse online for presents. Added to this, many remember the severe delays in receiving purchases at the start of lockdown, and will be looking to avoid missing presents under the Christmas tree.
“Merchants should look to expand their same day shipping capabilities and provide free returns or extend T&Cs, to capitalise on this trend. Far from seeing physical stores as a lost cause, they should take advantage of the increase in demand for click and collect. And turn their stores into valuable real estate by expanding their click and collect capabilities.”
However, there is a dark side to the holiday season kicking off earlier – fraud continues to increase as criminals take advantage of click and collect options and consumers start to buy higher-value items like the latest electronics. ACI’s analysis found that the value of attempted fraud increased from $7 to $9 per consumer this September compared to 2019.
Amanda Mickleburgh continued, “While click and collect is a major draw for consumers, merchants need to increase their fraud protection measures for this channel. As more merchants continue to offer this option to customers, there are greater opportunities for fraudsters to create a nightmare before Christmas.”