The Future of Payments

83 BANKING PERSPECTIVES QUARTER 4 2018 the general computer systems within a financial institution, and also the critical systems (i.e., SWIFT) that might be penetrated in the event that the general computer system is compromised. This control has obvious relevance to the facts of the Bangladesh case, where phishing was used to get access to the general computer environment, and where there was no firewall to protect the SWIFT application. Another control is to detect anomalous activity. In the Bangladesh case, some of the fraudulent transfers were paid to beneficiaries with which a central bank would not ordinarily do business. A control like the one envisioned by SWIFT would have detected the suspicious transfers in the Bangladesh case and presumably would have stopped the fraud before it reached $81 million. The second component of SWIFT’s CSP is attestation. SWIFT expects that financial institutions that are connected on the network will attest to their compliance with the mandatory controls and make the results available upon request to any correspondent bank that makes an inquiry. Note that a dialogue between the correspondent bank and a respondent bank regarding the attestation could be brought into focus by the threat represented by RMA. If a correspondent bank became uncomfortable that a given respondent bank was taking the needed action to secure the funds transfer ecosystem, or its SWIFT connection, then it could simply configure RMA such that the respondent bank could no longer send value-transferring payment orders to the correspondent bank. This is precisely how the incentives are intended to work – the attestation is designed to be supported by the discipline of counterparty management. If a correspondent bank believes that its respondent bank is a weak link in the ecosystem, then it is expected to take the necessary action to push the respondent bank toward reform. This is not to say that counterparty discipline is the only tool for fostering compliance. SWIFT has also reminded financial institutions that it reserves the right to inform the home country supervisors of a noncompliant financial institution that the financial institution has not attested. Presumably, any prudential supervisor hearing that an institution within its jurisdiction has not taken minimal steps to secure itself from cyberattack would respond appropriately. Further, as of January 1, 2019, SWIFT is reserving the right to notify host country supervisors of financial institutions that have failed to timely reattest, or that have not confirmed full compliance with the mandatory controls. In 2019, SWIFT plans to make a report available to messaging counterparties to look up those users of the network who have not attested and are noncompliant. Together, these represent progressive steps designed and intended to enhance the security of the ecosystem by giving an incentive to all network participants to work toward ensuring there are no weak links. The controls and RMA work together to enable a correspondent bank (and the community of correspondent banks) to use individual and collective power over any respondent bank that has not complied with CSP to enhance the security of the network. This is the overall design, and it was created to operate in precisely this fashion throughout the world. In the United States, unlike the rest of the world, there is a statutory infrastructure that backstops the rules governing funds transfers. This statute is Article 4A of the Uniform Commercial Code (UCC). In my view, there are specific provisions of UCC that work to give incentives to further correspondent banks to push their respondent banks to take necessary precautions. IMPLICATIONS OF ARTICLE 4A OF THE UCC A payment order to effect a funds transfer, which is sent by a respondent to a correspondent bank situated in the United States, will typically be sent through the SWIFT system and governed by Article 4A of UCC. Let us envision a payment order that was sent by a financial institution located in an emerging market country that had been infiltrated by a malefactor like the North Korean malefactor charged in the criminal complaint. This payment order will not be authorized by the respondent bank because it has been designed by the perpetrator to move funds not to an intended beneficiary but to a confederate of the malefactor. Yet, even though the payment is not authorized by the sending respondent bank, the respondent bank might nonetheless be held responsible for the payment order by operation of law, and more specifically by operation of certain provisions of Article 4A. If the correspondent bank verified the payment order in accordance with a “security procedure” that is commercially reasonable and the product of an agreement between the respondent bank and the correspondent bank, and the correspondent bank is able to prove such compliance (which is ordinarily not difficult – the