From Q2 2017, SWIFT customers will have to comply with new mandatory customer security requirements. A whole new segregated physical network might be needed – but Jason Steer, EMEA CTO, Menlo Security, claims that isolation technology is the quicker, cheaper and easier solution.
More than ten thousand banks and financial institutions in over two hundred countries rely on a standard code to identify the correct destination for international wire transfers. The Society for Worldwide Interbank Financial Telecommunication was founded in 1973 to develop a system that was faster and more secure than existing TELEX mechanisms, and they created the SWIFT code that is used today.
Security is clearly a vital concern for SWIFT. Any ability to penetrate the system and manipulate the code might allow criminals to control the movement of bank transfers. The challenge for SWIFT lies in its extensive global attack surface: successful penetration of any customer’s system might potentially provide a doorway into the SWIFT system itself. So security is not just an internal matter for SWIFT, it also relies critically upon the security of each individual user.
In September 2016 SWIFT announced a set of core security standards and an assurance framework against which all its customers would be required to demonstrate their compliance every year. SWIFT Chairman Yawar Shah explained: “The growing cyber threat requires a concerted, community-wide response. This is also why the SWIFT board unanimously approved the framework and remains fully engaged in overseeing and driving the further development of SWIFT’s Customer Security Programme.”
During the second quarter of 2017 the standards will be made applicable to all customers connected to SWIFT, including those connected through service bureaus. After that, SWIFT’s customers will be required to provide self-attestation against 16 mandatory controls on an annual basis. Inspections and enforcement will begin on 1 January 2018, when customers’ compliance status will be made available to their counterparts, ensuring transparency and allowing firms to assess the risk of the counterparts with whom they are doing business. SWIFT will then report non-compliant customers to their regulators, and randomly select customers for additional assurance, either from their internal or external auditors.
This process will not preclude customers from independently requesting additional assurance from their counterparts. Customers will also be able to announce their compliance with a further 11 advisory controls that will supplement the 16 mandatory controls. Yawar Shah admitted that: “We recognise that this will be a long-haul, and will require industry-wide effort and investment, as well as active engagement with regulators”.
SWIFT’s Customer Security Controls Framework
The SWIFT Security Controls Framework can be summarised in terms of its three objectives, eight core principles and twenty-seven requirements or controls, of which sixteen are compulsory and a further eleven are advisory – see diagram.
A full listing of these controls can be found at https://www.swift.com/myswift/customer-security-programme-csp/security-controls. It is well worth looking at it as a guide to everything that should be considered when auditing security for any system, not just SWIFT. The controls cover not only IT measures – such as 2.1 Internal Data Flow Security and 2.3 System Hardening – and process measures such as 1.2 Operating System Privileged Account Control, but also the need for 7.2 Security Training and Awareness for employees.
So, how is the customer going to comply with some of these requirements, such as 2.3 System Hardening (Reduce the cyber attack surface of SWIFT-related components by performing system hardening) and 6.1 Malware Protection (Ensure that local SWIFT infrastructure is protected against malware)? In view of the growing complexity of most organisations’ systems, and their porosity in terms of wireless access, mobile working and Internet connectivity, how can these conditions possibly be met without the costly task of building and maintaining an extra dedicated and physically segregated system? Isolation technology could be the answer.
Isolation Technology – a better solution
Today’s most sophisticated form of isolation technology was developed for the critical needs of the finance industry, to address the problems of Internet usage. Few financial institutions could operate successfully without the immediacy and responsiveness of e-mail, e-chatting and Internet access – and this poses significant risks.
The problem is that the Internet’s success today lies in its rich, responsive multimedia experience; a far cry from the static pages of its early years. What makes this possible is the hidden “active content” that lies behind the surface appearance – the Flash, Java and other interactive elements. Even a PDF or Word document includes a lot more hidden complexity than you see on the surface, and that is why we are continually warned against opening attachments in suspicious e-mails.
It is these files and active content that can be infiltrated with exploits, even on generally “trusted” sites. A recent report by Menlo Security showed that visiting any of the top 50 websites in the UK resulted in your browser downloading an average of 1.40MB of active code and executing 40 scripts per website; the “winner” was the website that executed 132 scripts from 48 background domains.
The way to meet some of these requirements is to find a way to provide the user with a replica of the webpage, document or e-mail that has all the hidden content removed. This is what happens when you can safely read and print a copy of a document, even if the original PDF contains an exploit.
One simple technique has been to reproduce the pixels on the page – like printing a copy of the page onto the user’s screen. This “one-size-fits-all” approach makes no allowance for the actual content – whether text, image or video – whereas the hidden active content is specifically designed to improve the user experience by adapting the rendering to suit the content. So pixel mirroring tends to slow down page loading, reduce responsiveness and make common operations, such as printing and copy-paste, almost impossible for the normal end-user.
A better approach, based on the “Document Object Model” (DOM), allows for the actual content type and the dynamic manner in which it is represented in the browser. DOM mirroring means that the isolating process actively monitors the currently loaded page tab for changes, translates those changes into DOM commands (without the underlying active content) and sends those commands to the end user’s device, so the user’s “safe” page automatically updates in sync with the original. For example: instead of sending a Flash video to the endpoint, the same movie will be sent as crisp, suitable-quality HTML5, while non-active safe elements are simply transmitted as they are. All the natively available fonts can be reproduced at the endpoint, so the whole page looks, feels and behaves just as it should. When it comes to printing, this DOM mirroring approach allows the document to reflow to suit the local printer – unlike the pixel mirroring approach, which freezes the page as a rigid array of pixels.
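The DOM mirroring flow described above, as an added example in JavaScript that is not code from Menlo Security or from the original article: a source-side walker turns the page into create/attr/text commands with active elements and script-bearing attributes left out, and an endpoint-side replay rebuilds the page from those commands alone. The tag and attribute lists, the sample page and its hostnames are assumptions made for illustration.

```javascript
// Added example (not Menlo Security's code): a toy DOM-mirroring pipeline.
// The isolation side walks the page's DOM and emits commands carrying only inert
// content; the endpoint replays them. Nodes are plain objects so it runs in Node.js.
const ACTIVE_TAGS = new Set(["script", "object", "embed", "applet", "iframe"]);

// Attributes that can run code: inline event handlers and script-bearing URLs.
function isActiveAttr(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith("on")) return true;
  const v = String(value).trim().toLowerCase();
  return ["href", "src", "action"].includes(n) &&
    (v.startsWith("javascript:") || v.startsWith("data:"));
}

// Translate a source subtree into commands. `state.nextId` is shared across
// calls so that later mutations can address nodes already on the endpoint.
function mirror(node, parentId, state, out) {
  if (node.type === "text") {
    out.push({ op: "text", parent: parentId, value: node.value });
    return;
  }
  const tag = node.tag.toLowerCase();
  if (ACTIVE_TAGS.has(tag)) return;               // active element: dropped entirely
  const id = state.nextId++;
  out.push({ op: "create", id, parent: parentId, tag });
  for (const [k, v] of Object.entries(node.attrs || {})) {
    if (!isActiveAttr(k, v)) out.push({ op: "attr", id, name: k, value: v });
  }
  for (const child of node.children || []) mirror(child, id, state, out);
}

// Initial load: mirror the whole page and keep the id state for later deltas.
function mirrorPage(root) {
  const state = { nextId: 1 };
  const commands = [];
  mirror(root, null, state, commands);
  return { commands, state };
}

// A later change on the isolated tab (a node appended under endpoint node
// `parentId`): only the delta is translated and sent.
function mirrorMutation(addedNode, parentId, state) {
  const commands = [];
  mirror(addedNode, parentId, state, commands);
  return commands;
}

// Endpoint side: replay commands into a tree. Nothing is ever executed; the
// commands only create elements, set attributes and insert text.
function replay(commands) {
  const nodes = new Map();
  let root = null;
  for (const c of commands) {
    if (c.op === "create") {
      const el = { tag: c.tag, attrs: {}, children: [] };
      nodes.set(c.id, el);
      if (c.parent === null) root = el; else nodes.get(c.parent).children.push(el);
    } else if (c.op === "text") {
      nodes.get(c.parent).children.push({ type: "text", value: c.value });
    } else if (c.op === "attr") {
      nodes.get(c.id).attrs[c.name] = c.value;
    }
  }
  return root;
}

// Checks: element tags in document order, and whether executable content survived.
function collectTags(node, acc = []) {
  if (node.type === "text") return acc;
  acc.push(node.tag);
  for (const child of node.children) collectTags(child, acc);
  return acc;
}
function containsActiveContent(node) {
  if (node.type === "text") return false;
  if (ACTIVE_TAGS.has(node.tag)) return true;
  if (Object.entries(node.attrs).some(([k, v]) => isActiveAttr(k, v))) return true;
  return node.children.some(containsActiveContent);
}

// Constructed sample page mixing inert content with a script, a Flash object,
// an inline handler and a javascript: link; the hostnames are placeholders.
const SAMPLE_PAGE = {
  tag: "html", attrs: {}, children: [{
    tag: "body", attrs: { onload: "init()" }, children: [
      { tag: "h1", attrs: {}, children: [{ type: "text", value: "Account statement" }] },
      { tag: "script", attrs: { src: "https://cdn.example/analytics.js" }, children: [] },
      { tag: "a", attrs: { href: "javascript:void(0)" }, children: [{ type: "text", value: "Export" }] },
      { tag: "a", attrs: { href: "https://portal.example/export" }, children: [{ type: "text", value: "Download" }] },
      { tag: "object", attrs: { type: "application/x-shockwave-flash" }, children: [] },
    ],
  }],
};

// The endpoint only ever sees the command stream, never the original page.
const { commands, state } = mirrorPage(SAMPLE_PAGE);
const safeTree = replay(commands);
console.log(collectTags(safeTree), "active content:", containsActiveContent(safeTree));
```

Replaying the same command list plus a later delta from mirrorMutation keeps the endpoint copy in sync without the endpoint ever loading the page's own scripts.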
The reason why Internet isolation need not require installing special hardware, browsers or other software on the users’ devices is that it can be delivered as a cloud-based service via your desktop browser. It replaces the actual web page with a “clean” page image that is then solidly encrypted and transmitted via a secure web proxy to the user’s screen.
The advantages of isolation
Much of traditional IT security is based on experience of cyber attacks that have already happened, a knowledge of their characteristics (indicators of compromise, or IOCs), what to look for and how to resist future attacks. With today’s rapid malware evolution this becomes an extremely complex and demanding approach.
SWIFT’s requirements include the need for user education and training. This includes much more than just an understanding of the technology, because successful cyberattacks rely heavily on social engineering via Phishing; users need to be trained to recognise the many signs of a dodgy e-mail, and to think twice before clicking on the handy short-cut buttons offered.
Today’s spear phishing is even more insidious because it works its way into the users’ confidence via subtle steps. For example, one is much more inclined to trust an e-mail that uses your proper name and refers to personal details, such as “Hi John, we hear that you are a keen chess player and wonder if you would like to join the company’s chess club – click here”. But all such data could be harvested by trawling employees’ Facebook and LinkedIn profiles. The link provided might even take John to a realistic-looking chess club page with real people’s names on it and a chance to join by providing personal details… In this way the attackers gain knowledge of the user’s credentials and their first foothold in the corporate system.
So the simple instruction 7.2 Security Training and Awareness could require endless training and on-going updates with each new escalation of Spear Phishing exploits. This cannot ever be totally avoided, but e-mail and web isolation that strips all e-mails of hidden content and warns if the link leads to an infected site will not only make training simpler but also free the users to spend more time on actual work.
SWIFT and secure
The DOM mirroring isolation platform was developed in collaboration with JPMorgan Chase & Co. Its features and capabilities were developed from square one with financial services in mind and it was deployed with zero impact to users. It was claimed to deliver a seamless user experience.
In fact it was so popular as a solution that, in just two years, the same technology has been successfully adopted by other critical sectors, including government, technology, healthcare, and oil and gas companies in many countries worldwide. The user response has been overwhelmingly positive, and the reduction in risk serves to increase both morale and productivity. Of course this requires caution: one should not encourage too complacent a sense of security, but rather build as much caution into the system itself so that users do not get bogged down in detail. Remember, the essence of isolation is to sterilize all communications on the assumption that anything might contain malware, rather than to rely on a huge databank of potential risks.
How can this technology be used to help SWIFT compliance? This clearly depends upon the individual organisation, its systems and business processes, so there is no simple answer. But it would surely make sense to ask for advice from specialists in isolation technology before committing to any drastic fork-lift overhaul of the corporate system.
Jason Steer EMEA CTO
Jason is an engineer at heart and has built and broken computers and networks since 1996. Jason has worked at a number of successful technology companies over the past 15 years, including IronPort, Veracode and FireEye. Jason has worked as a cyber-expert with CNN, Al Jazeera and the BBC and has worked with the EU and UK Government on cyber security strategy. Jason has spoken at numerous industry events such as ENISE.
Taking control of compliance: how FS institutions can keep up with the ever-changing regulatory landscape
By Charles Southwood, Regional VP – Northern Europe and MEA at Denodo
The wide-spread digital transformation that has swept the financial services (FS) sector in recent years has brought with it a world of possibilities. As traditional financial institutions compete with a fresh wave of challenger banks and fintech startups, innovation is increasing at an unprecedented pace.
Emerging technologies – alongside the ever-evolving concept of online banking – have provided a platform in which the majority of customer interactions now take place in a digital format. The result of this is a never-ending stream of data and digital information. If used correctly, this data can help drive customer experience initiatives and shape wider business strategies, giving organisations a competitive edge.
However, before FS organisations can utilise data-driven insights, they need to ensure that they can adequately protect and secure that data, whilst also complying with mandatory regulatory requirements and governance laws.
The regulation minefield
Regulatory compliance in the FS sector is a complex field to navigate. Whether it’s potential financial fraud or money laundering, risk comes in many different forms. Due to their very nature – and the type of data that they hold – FS businesses are usually placed under the heaviest of scrutiny when it comes to achieving compliance and data governance, arguably held to a higher standard than those operating in any other industry.
In fact, research undertaken last month discovered that the General Data Protection Regulation (GDPR) has had a greater impact on FS organisations than any other sector. Every respondent working in finance reported that the changes made to their organisation’s cyber security strategies in the last three years were, at least to some extent, as a result of the regulation.
To make matters even more confusing, the goalpost for 100% compliance is continually moving. In fact, between 2008 and 2016, there was a 500% increase in regulatory changes in developed markets. So even when organisations think they are on the right track, they cannot afford to become complacent. The Markets in Financial Instruments Directive (MiFID II), the requirements for central clearing and the second Payment Service Directive (PSD2), are just some examples of the regulations that have forced significant changes on the banking environment in recent years.
Keeping a handle on this legal minefield is only made more challenging by the fact that many FS organisations are juggling an unimaginable amount of data. This data is often complex and of poor quality. Structured, semi-structured and unstructured, it is stored in many different places – whether that’s in data lakes, on premise or in multi-cloud environments. FS organisations can find it extremely difficult just to find out exactly what information they are storing, let alone ensure that they are meeting the many requirements laid out by industry regulations.
A secret weapon
Modern technologies, such as data virtualisation, can help FS organisations to get a handle on their data – regardless of where it is stored or what format it is in. Through a single logical view of all data across an organisation, it boosts visibility and real-time availability of data. This means that governance, security and compliance can be centralised, vastly improving control and removing the need for repeatedly moving and copying the data around the enterprise. This can have an immediate impact in terms of enabling FS organisations to avoid data proliferation and ‘shadow’ IT.
In addition to this, when a new regulation is put in place, data virtualisation provides a way to easily find and access that data, so FS organisations can respond – without having to worry about alternative versions of that data – and ensures that they remain compliant from the offset. This level of control can be reflected even down to the finest details. For example, it is possible to set up access to governance rules through which operators can easily select who has access to what information across the organisation. They can alter settings for sharing, removing silos, masking and filtering through defined, role-based data access. In terms of governance, this feature is essential, ensuring that only those who have the correct permissions to access sensitive information are able to do so.
Compliance is a requirement that will be there forever. In fact, its role is only likely to increase as law catches up with technological advancement and the regulatory landscape continues to change. For FS organisations, failure to meet the latest legal requirements could be devastating. The monetary fines – although substantial – come second to the potential reputation damage associated with non-compliance. It could be the difference between an organisation surviving and failing in today’s climate.
No one knows what is around the corner. Whilst some companies may think they are ahead of the compliance game today, that could all change with the introduction of a new regulation tomorrow. The best way to ensure future compliance is to get a handle on your data. By providing total visibility, data virtualisation is helping organisations to gain back control and win the war for compliance.
TCI: A time of critical importance
Fabrice Desnos, head of Northern Europe Region at Euler Hermes, the world’s leading trade credit insurer, outlines the importance of less publicised measures for the journey ahead.
After months of lockdown, Europe is shifting towards rebuilding economies and resuming trade. Amongst the multibillion-euro stimulus packages provided by governments to businesses to help them resume their engines of growth, the cooperation between the state and private sector trade credit insurance underwriters has perhaps missed the headlines. However, this cooperation will be vital when navigating the uncertain road ahead.
Covid-19 has created a global economic crisis of unprecedented scale and speed. Consequently, we’re experiencing unprecedented levels of support from national governments. Far-reaching fiscal intervention, job retention and business interruption loan schemes are providing a lifeline for businesses that have suffered reductions in turnovers to support national lockdowns.
However, it’s becoming clear the worst is still to come. The unintended consequence of government support measures is that they delay the inevitable fallout in trade and commerce. Euler Hermes is already seeing an increase in claims for late payments and expects this trend to accelerate as government support measures are progressively removed.
The Covid-19 crisis will have long lasting and sometimes irreversible effects on a number of sectors. It has accelerated transformations that were already underway and had radically changed the landscape for a number of businesses. This means we are seeing a growing number of “zombie” companies, currently under life support, but whose business models are no longer adapted for the post-crisis world. All factors which add up to what is best described as a corporate insolvency “time bomb”.
The effects of the crisis are already visible. In the second quarter of 2020, 147 large companies (those with a turnover above €50 million) failed; up from 77 in the first quarter, and compared to 163 for the whole of the first half of 2019. Retail, services, energy and automotive were the most impacted sectors this year, with the hotspots in retail and services in Western Europe and North America, energy in North America, and automotive in Western Europe.
We expect this trend to accelerate and predict a +35% rise in corporate insolvencies globally by the end of 2021. European economies will be among the hardest hit. For example, Spain (+41%) and Italy (+27%) will see the most significant increases – alongside the UK (+43%), which will also feel the impact of Brexit – compared to France (+25%) or Germany (+12%).
Companies are restarting trade, often providing open credit to their clients. However, there can be no credit if there is no confidence. It is increasingly difficult for companies to distinguish those of their clients that will emerge from the crisis from those that won’t, and to know whether or when they will be paid. In the immediate post-lockdown period, without visibility and confidence, the risk was that inter-company credit could evaporate, placing an additional liquidity strain on the companies that depend on it. This, in turn, would significantly put at risk the speed and extent of the economic recovery.
In recent months, Euler Hermes has co-operated with government agencies, trade associations and private sector trade credit insurance underwriters to create state support for intercompany trade, notably in France, Germany, Belgium, Denmark, the Netherlands and the UK. All with the same goal: to allow companies to trade with each other in confidence.
By providing additional reinsurance capacity to the trade credit insurers, governments help them continue to provide cover to their clients at pre-crisis levels.
The beneficiaries are the thousands of businesses – clients of credit insurers and their buyers – that depend upon intercompany trade as a source of financing. Over 70% of Euler Hermes policyholders are SMEs, which are the lifeblood of our economies and major providers of jobs. These agreements are not without costs or constraints for the insurers, but the industry has chosen to place the interests of its clients and of the economy ahead of other considerations, mindful of the important role credit insurance and inter-company trade will play in the recovery.
Taking the UK as an example, trade credit insurers provide cover for more than £171billion of intercompany transactions, covering 13,000 suppliers and 650,000 buyers. The government has put in place a temporary scheme of £10billion to enable trade credit insurers, including Euler Hermes, to continue supporting businesses at risk due to the impact of coronavirus. This landmark agreement represents an important alliance between the public and private sectors to support trade and prevent the domino effect that payment defaults can create within critical supply chains.
But, as with all of the other government support measures, these schemes will not exist in the long term. It is already time for credit insurers and their clients to plan ahead, and prepare for a new normal in which the level and cost of credit risk will be heightened and where identifying the right counterparts, diversifying and insuring credit risk will be of paramount importance for businesses.
Trade credit insurance plays an understated role in the economy but is critical to its health. In normal circumstances, it tends to go unnoticed because it is doing its job. Government support schemes helped maintain confidence between companies and their customers in the immediate aftermath of the crisis.
However, as government support measures are progressively removed, this crisis will have a lasting impact. It will accelerate transformations, leading to an increasing number of company restructurings and, in all likelihood, an increase in the level of credit risk. To succeed in the post-crisis environment, businesses have to move fast from resilience to adaptation. They have to adopt bold measures to protect their businesses against future crises (or another wave of this pandemic), minimize risk, and drive future growth. By maintaining the trust needed to trade, with or without government support, credit insurance will have an increasing role to play in this.
What Does the FinCEN File Leak Tell Us?
By Ted Sausen, Subject Matter Expert, NICE Actimize
On September 20, 2020, just four days after the Financial Crimes Enforcement Network (FinCEN) issued a much-anticipated Advance Notice of Proposed Rulemaking, the financial industry was shaken, and stock prices saw significant declines when the markets opened on Monday. So what caused this? Buzzfeed News, in cooperation with the International Consortium of Investigative Journalists (ICIJ), released what is now being tagged the FinCEN Files. These files and summarized reports describe over 200,000 transactions, with a total value of over $2 trillion USD, that had been reported to FinCEN as being suspicious in nature between 1999 and 2017. Buzzfeed obtained over 2,100 Suspicious Activity Reports (SARs) and over 2,600 confidential documents that financial institutions had filed with FinCEN over that span of time.
Similar leaks have occurred previously, such as the Panama Papers in 2016, in which over 11 million documents belonging to a Panamanian law firm, containing personal financial information on over 200,000 entities, were released. This was followed up a year and a half later by the Paradise Papers in 2017. This leak contained even more documents and contained the names of more than 120,000 persons and entities. There are three factors that make the FinCEN Files leak significantly different from those mentioned. First, they are highly confidential documents leaked from a government agency. Secondly, they weren’t leaked from a single source: the leaked documents came from nearly 90 financial institutions facilitating financial transactions in more than 150 countries. Lastly, some high-profile names were released in this leak; however, the focus of this leak centered more around the transactions themselves and the financial institutions involved, not necessarily the names of the individuals involved.
FinCEN Files and the Impact
What does this mean for the financial institutions? As mentioned above, many experienced a negative impact to their stocks. The next biggest impact is their reputation. Leaders of the highlighted institutions do not enjoy having potential shortcomings in their operations be exposed, nor do customers of those institutions appreciate seeing the institution managing their funds being published adversely in the media.
Where did the financial institutions go wrong? Based on the information, it is actually hard to say where they went wrong, or even ‘if’ they went wrong. Financial institutions are obligated to monitor transactional activity, both inbound and outbound, for suspicious or unusual behavior, especially activity that could appear to be illicit and related to money laundering. If such behavior is identified, the financial institution is required to complete a Suspicious Activity Report, or SAR, and file it with FinCEN. The SAR contains all relevant information, such as the parties involved, the transaction(s), the account(s), and details describing why the activity is deemed to be suspicious. In some cases, financial institutions will file a SAR even where there is no direct suspicion but no logical explanation for the activity could be found either.
So what deems certain activities to be suspicious, and how do financial institutions detect them? Most financial institutions have sophisticated solutions in place that monitor transactions over a period of time and determine typical behavioral patterns for each client, both on its own and compared to its peers. If any activity falls disproportionately beyond those norms, the financial institution is notified and an investigation is conducted. Because of the nature of this detection, which incorporates multiple transactions and compares them to historical “norms”, it is very difficult to stop a transaction related to money laundering in real time. It is not uncommon for a transaction or series of transactions to occur and later be identified as suspicious, with a SAR filed after the transaction has been completed.
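The monitoring approach described above, as an added example in JavaScript that is not NICE Actimize’s code or anything from the article: each client’s period total is scored against the client’s own history and against its peer segment, and a period that is out of line with either is raised for investigation. The thresholds, the minimum-history rule, the ledger and the client identifiers are constructed for illustration.

```javascript
// Added example (not NICE Actimize's product logic): a minimal behavioural
// monitoring rule. Each client's outbound total for a period is compared with the
// client's own history and with the norm of its peer segment. The ledger and the
// thresholds below are constructed for illustration.

// Constructed ledger: one outbound total per monthly period (null = client not yet
// onboarded). C1..C3 form the "retail" segment, C4..C5 the "corporate" segment.
const CLIENTS = [
  { id: "C1", segment: "retail",    outbound: [1200, 1100, 1300, 1250, 1150, 14800] },
  { id: "C2", segment: "retail",    outbound: [900, 950, 1000, 980, 920, 990] },
  { id: "C3", segment: "retail",    outbound: [1500, 1400, 1550, 1450, 1500, 1600] },
  { id: "C4", segment: "corporate", outbound: [40000, 41000, 39000, 40500, 39500, 41000] },
  { id: "C5", segment: "corporate", outbound: [null, null, null, null, 36000, 200000] },
];

const DEFAULT_THRESHOLDS = {
  selfZ: 3,       // |z-score| against the client's own history
  peerRatio: 5,   // multiple of the peer-segment norm
  minHistory: 3,  // periods needed before the client's own baseline is trusted
};

function mean(xs) { return xs.reduce((a, b) => a + b, 0) / xs.length; }
function stddev(xs) {
  const m = mean(xs);
  return Math.sqrt(mean(xs.map(x => (x - m) ** 2)));
}

// Amounts from periods strictly before `period` (1-indexed), skipping gaps.
function priorAmounts(client, period) {
  return client.outbound.slice(0, period - 1).filter(x => x !== null);
}

// Peer norm: the mean of each segment member's historical mean, or null if no
// member of the segment has any history yet.
function peerBaseline(clients, segment, period) {
  const means = clients
    .filter(c => c.segment === segment)
    .map(c => priorAmounts(c, period))
    .filter(h => h.length > 0)
    .map(mean);
  return means.length ? mean(means) : null;
}

// Evaluate every client for one closed period. The rule needs the period's total
// and a history of earlier periods, so it can only run after the transactions
// have settled; this is why a SAR follows the activity rather than blocking it.
function evaluatePeriod(clients, period, thresholds = DEFAULT_THRESHOLDS) {
  const alerts = [];
  for (const client of clients) {
    const amount = client.outbound[period - 1];
    if (amount === null || amount === undefined) continue;
    const history = priorAmounts(client, period);
    let selfZ = null;                       // null = not enough history to score
    if (history.length >= thresholds.minHistory) {
      selfZ = (amount - mean(history)) / Math.max(stddev(history), 1); // floor avoids /0
    }
    const peer = peerBaseline(clients, client.segment, period);
    const peerRatio = peer ? amount / peer : null;

    const reasons = [];
    if (selfZ !== null && Math.abs(selfZ) >= thresholds.selfZ) reasons.push("own baseline");
    if (peerRatio !== null && peerRatio >= thresholds.peerRatio) reasons.push("peer baseline");
    if (reasons.length) {
      alerts.push({ client: client.id, period, amount, selfZ, peerRatio, reasons });
    }
  }
  return alerts;
}

// Period 6 closes: C1 breaks both norms; C5 has too little history for an
// own-baseline score and is caught by the peer norm alone.
for (const a of evaluatePeriod(CLIENTS, 6)) {
  console.log(`${a.client} period ${a.period}: ${a.amount} flagged on ${a.reasons.join(" and ")}`);
}
```

Each alert is the hand-off to an investigator; whether a SAR is filed is still a human decision made on the case, not on the score.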
FinCEN Files: Who’s at Fault?
Going back to my original question, was there any wrongdoing? In this case, the financial institutions were doing exactly what they were required to do. When suspicion was identified, SARs were filed. There are two things that are important to note. Suspicion does not equate to guilt, and individual financial institutions have a very limited view of the overall flow of funds. They have visibility of where funds are coming from, or where they are going to; however, they don’t have an overall picture of the original source or the final destination. Where financial institutions may be at fault is when repeated suspicions or probable guilt are found, but they fail to take appropriate action. According to Buzzfeed News, instances of transactions to or from sanctioned parties occurred, and known suspicious activity was allowed to continue after it was discovered.
How do we do better? First and foremost, FinCEN needs to identify the source of the leak and fix it immediately. This is very sensitive data. Even within a financial institution, this information is only exposed to individuals with a high-level clearance on a need-to-know basis. This leak may result in relationship strains with some of the banks’ customers. Some people already have a fear of being watched or tracked, and releasing publicly that all these reports are being filed from financial institutions to the federal government won’t make that any better – especially if their financial institution was highlighted as one of those filing the most reports. Next, there has been more discussion around real-time AML. Many experts are still working on defining what that truly means, especially when some activities deal with multiple transactions over a period of time; however, there is definitely a place for certain money laundering transactions to be held in real time.
Lastly, the ability to share information between financial institutions more easily will go a long way in fighting financial crime overall. For those of you who are AML professionals, you may be thinking we already have such a mechanism in place with 314b. However, the feedback I have received is that it does not do an adequate job. It’s voluntary and getting responses to requests can be a challenge. Financial institutions need a consortium to effectively communicate with each other, while being able to exchange critical data needed for financial institutions to see the complete picture of financial transactions and all associated activities. That, combined with some type of feedback loop from law enforcement indicating which SARs are “useful” versus which are either “inadequate” or “unnecessary” will allow institutions to focus on those where criminal activity is really occurring.
We will continue to post updates as we learn more.