The Future of Payments

Unintended Consequences?
BANKING PERSPECTIVES, QUARTER 4 2018

Department of Justice most probably was not expecting that North Korea would make the named defendants available for trial in the United States. Assuming that this was not the government’s objective, the likely objective was to make normally secret details public so that the financial industry could better prepare to guard itself against what represents a clear and present danger.

SWIFT’S CUSTOMER SECURITY PROGRAM

To its credit, SWIFT responded to the Bank of Bangladesh fraud, and to other similar frauds that came to light in early 2016, in a deliberate and thoughtful manner, well before the details set out in the criminal complaint were publicly known. The response was SWIFT’s Customer Security Programme (CSP), which is carefully crafted to enhance the security of the ecosystem connecting financial institutions that transfer funds among each other using instructions sent via the SWIFT network. As Gimbert and Hunter pointed out in their article, the program has three basic components: improved information sharing, enhanced tools to combat fraud, and a new customer security controls framework.

Before examining some of the framework’s details, the reader must understand an important component of SWIFT value-transfer messages. In a typical funds transfer (it does not matter whether the transfer is denominated in the U.S. dollar, the euro, or the yen), one bank sends a payment order to another bank, asking it to transfer bank credit to a third party, called a “beneficiary.” In this relationship between banks, the bank sending the payment order is typically described as the respondent bank, and the bank receiving the payment order (and acting upon it) is typically described as the correspondent bank. SWIFT is the premier telecommunications service for communicating this kind of value message internationally.
On the SWIFT network, not every correspondent bank will be willing to receive payment instructions from every other respondent bank. Remember that there are some 11,000 banks on the SWIFT network. To enable a correspondent bank to be selective about the respondent banks it wishes to do business with, SWIFT introduced its “Relationship Management Application” (RMA). As SWIFT explains, RMA “enables financial institutions to define which counterparties can send them [value transfer] messages.” SWIFT has also introduced “RMA Plus,” which enables a correspondent to be even more particular and to select the types of value transfer messages that it will receive from a particular respondent (e.g., only letters of credit). RMA and RMA Plus have a direct relationship with the CSP because the ability of a correspondent bank to be selective gives it leverage over a respondent bank. If a correspondent bank, for example, is not satisfied that a respondent bank is taking the precautions needed to protect the funds transfer ecosystem against payment fraud and cyberattack, the correspondent bank can take unilateral action and, effectively, cut the respondent bank off from sending value transfer messages to it over the SWIFT network. And, from certain objective indicators, it would appear that some correspondent banks are using this leverage and cutting off respondent banks. SWIFT explains that, by using RMA, “many institutions are rationalizing their correspondent banking relationships in order to remove higher risk correspondents and to help reduce the risk of fraudulent transactions.” If correspondent banks as a group take parallel action against a specific respondent bank or group of respondent banks, those respondent banks will find themselves unable to send or receive payment messages.
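The filtering that RMA and RMA Plus provide is, in security terms, a default-deny allowlist keyed on the sending institution and, for RMA Plus, on the message type. The following Python is an added illustration of that check and is not SWIFT’s software or the article’s code: it parses the sender, receiver and message type out of the FIN-style block 1 and block 2 (output form) headers of a received message, then applies a constructed authorisation table. The header layout follows the standard FIN format as the author understands it and is simplified; every BIC (CORRUS33, RESPGB2L, RESPSGSG, UNKNBDDH, OTHRDEFF), the message bodies and the authorisation table are made up for the example.

```python
"""Counterparty filtering in the spirit of SWIFT's RMA and RMA Plus (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Block 1 (basic header) of a delivered message: application id, service id, the
# RECEIVER's 12-character logical terminal (LT) address, session and sequence number.
BLOCK1_RE = re.compile(
    r"\{1:(?P<app>[A-Z])(?P<svc>\d{2})(?P<lt>[A-Z0-9]{12})(?P<session>\d{4})(?P<seq>\d{6})\}"
)
# Block 2 (application header) in output form: 'O', three-digit MT, input time, the MIR
# (date, SENDER's LT address, session, sequence), output date and time, priority.
BLOCK2_OUT_RE = re.compile(
    r"\{2:O(?P<mt>\d{3})(?P<in_time>\d{4})(?P<mir_date>\d{6})(?P<sender_lt>[A-Z0-9]{12})"
    r"(?P<mir_session>\d{4})(?P<mir_seq>\d{6})(?P<out_date>\d{6})(?P<out_time>\d{4})(?P<prio>[SNU])\}"
)
ALL_MTS: FrozenSet[str] = frozenset({"*"})  # plain RMA: any message type


@dataclass(frozen=True)
class FinHeader:
    receiver_bic: str  # BIC8 of the institution the message is addressed to
    sender_bic: str    # BIC8 of the institution that input the message
    mt: str            # e.g. "103" (customer credit transfer), "700" (documentary credit)


def parse_output_header(raw: str) -> FinHeader:
    """Extract sender, receiver and MT from blocks 1 and 2 of a received message."""
    m1, m2 = BLOCK1_RE.search(raw), BLOCK2_OUT_RE.search(raw)
    if m1 is None or m2 is None:
        raise ValueError("block 1 or output-form block 2 missing/malformed")
    # LT address = BIC8 + 1-char LT code + 3-char branch; RMA is agreed between
    # institutions, so the comparison is made on the BIC8.
    return FinHeader(receiver_bic=m1["lt"][:8], sender_bic=m2["sender_lt"][:8], mt=m2["mt"])


class RmaTable:
    """Which counterparties may send us which message types; default deny."""

    def __init__(self, own_bic: str, authorisations: Dict[str, FrozenSet[str]]):
        self.own_bic = own_bic
        self.authorisations = dict(authorisations)

    def revoke(self, counterparty_bic: str) -> None:
        """The unilateral cut-off described in the text: drop the counterparty entirely."""
        self.authorisations.pop(counterparty_bic, None)

    def decide(self, raw_message: str) -> Tuple[bool, str]:
        try:
            hdr = parse_output_header(raw_message)
        except ValueError as exc:
            return False, f"REJECT: {exc}"
        if hdr.receiver_bic != self.own_bic:
            return False, f"REJECT: addressed to {hdr.receiver_bic}, not {self.own_bic}"
        allowed: Optional[FrozenSet[str]] = self.authorisations.get(hdr.sender_bic)
        if allowed is None:
            return False, f"REJECT: no RMA authorisation for {hdr.sender_bic}"
        if "*" in allowed or hdr.mt in allowed:
            return True, f"ACCEPT: MT{hdr.mt} from {hdr.sender_bic}"
        return False, f"REJECT: RMA Plus does not permit MT{hdr.mt} from {hdr.sender_bic}"


def constructed_message(sender_lt: str, receiver_lt: str, mt: str, body: str) -> str:
    """Build a FIN-shaped output message with fixed, made-up times and sequence numbers."""
    return (
        f"{{1:F01{receiver_lt}0001000001}}"
        f"{{2:O{mt}1015181128{sender_lt}00020000011811281016N}}"
        f"{{4:\n{body}\n-}}"
    )


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run constructed traffic through a constructed RMA table (all BICs hypothetical)."""
    # CORRUS33 is our correspondent bank. RESPGB2L may send anything (plain RMA);
    # RESPSGSG is limited by RMA Plus to documentary credit messages MT 700/707.
    rma = RmaTable("CORRUS33", {"RESPGB2L": ALL_MTS, "RESPSGSG": frozenset({"700", "707"})})
    us = "CORRUS33AXXX"
    msgs = {
        "payment_from_full_rma": constructed_message("RESPGB2LAXXX", us, "103", ":20:REF001\n:32A:181128USD100000,"),
        "payment_from_lc_only": constructed_message("RESPSGSGAXXX", us, "103", ":20:REF002\n:32A:181128USD250000,"),
        "lc_from_lc_only": constructed_message("RESPSGSGAXXX", us, "700", ":27:1/1\n:40A:IRREVOCABLE"),
        "payment_from_unknown": constructed_message("UNKNBDDHAXXX", us, "103", ":20:REF003\n:32A:181128USD5000000,"),
        "misaddressed": constructed_message("RESPGB2LAXXX", "OTHRDEFFAXXX", "103", ":20:REF004"),
        # Input-form block 2 ('I') should never arrive at a receiver; treat as malformed.
        "input_form_header": "{1:F01CORRUS33AXXX0001000001}{2:I103RESPGB2LAXXXN}{4:\n:20:REF005\n-}",
    }
    results = {name: rma.decide(m) for name, m in msgs.items()}
    rma.revoke("RESPGB2L")  # the correspondent cuts the respondent off
    results["payment_after_revoke"] = rma.decide(msgs["payment_from_full_rma"])
    return results


if __name__ == "__main__":
    for name, (_ok, reason) in demo().items():
        print(f"{name:24s} {reason}")
```

Two design points carry over to any real implementation: the decision is made on the header the network delivered, not on anything in the message body the sender controls, and an unknown counterparty or an unparseable header falls through to a reject rather than to an accept.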
For an individual respondent bank, or for a class of such banks, this is potentially franchise-ending.

There are two components to the new customer controls. The first is the specific controls designed to enhance security. There are seven:

(1) Restrict internet access and protect critical systems from the general information technology environment;
(2) reduce attack surface and vulnerabilities;
(3) physically secure the environment;
(4) prevent compromise of credentials;
(5) manage identities and segregate privileges;
(6) detect anomalous activity with respect to systems and transactional records; and
(7) plan for incident response and information sharing.

An analysis of each of the mandatory controls is beyond the scope of this article. There are, however, several observations to be made about the controls and how they relate to what happened in the cyberattack by North Korea. The first control, for example, involves protecting