The Future of Payments

Unintended Consequences?

84 BANKING PERSPECTIVES QUARTER 4 2018

correspondent bank shows that its equipment “authenticated” that the message was issued by specific equipment at the respondent bank), then the respondent bank will be liable for the unauthorized order to the correspondent bank, provided that the correspondent bank has acted in “good faith.” These particular statutory rules place the correspondent bank in the position where, if it follows the agreed-upon security procedure, it is not liable for the unauthorized payment. This is the design of Article 4A – it encourages commercially reasonable security procedures through the use of liability rules.

However, there are two important details that might disrupt this generalized allocation of fraud loss to the respondent bank. The first relates to the security procedure itself. It must be “commercially reasonable.” Article 4A provides that commercial reasonability is a question to be decided by a judge, who shall consider a number of factors, including “the circumstances of the customer known to the bank.” Because of the way in which the new SWIFT CSP functions, it will likely enable the correspondent bank to know the circumstances of its respondent bank in far more detail than the correspondent bank had known before SWIFT’s attestation program.

Let’s hypothesize that a correspondent bank learns through the attestation process that a respondent bank is not complying with SWIFT’s mandatory security controls. By way of illustration, perhaps the respondent discloses that it does not have a firewall protecting the SWIFT application from its general computer network. This is a circumstance of the respondent bank that is now known to the correspondent bank. Can the correspondent bank continue with business as usual?
More specifically, can the correspondent bank continue to offer a security procedure that depends on SWIFT verification knowing that the respondent bank may be a victim of a fraud like the one documented in the criminal complaint? One might argue that these facts cry out for some kind of compensating control, to offset the obvious weakness pointed up in the attestation. Is it the correspondent bank’s responsibility to be its respondent bank’s keeper? Perhaps not, but doesn’t the correspondent bank have a larger role with respect to the ecosystem and in hardening the weak links that threaten the ecosystem? Arguments can be made on either side of this question.

Another question arises with respect to the correspondent bank’s “good faith.” Under New York law, “good faith” means “honesty in fact and the observance of reasonable commercial standards of fair dealing.” If, in the example being considered, the correspondent bank continues to process funds transfers from a respondent in a business-as-usual manner while knowing the respondent has not implemented SWIFT’s mandatory controls, is it assuming the risk of fraudulent transfers? If it continues processing (rather than configuring RMA such that the respondent cannot continue to place the correspondent bank in the position of an enabler), is it acting in good faith? Suppose that other, similarly situated correspondent banks are taking that action and excluding a respondent bank that is noncompliant. Does this influence the legal analysis?

I’m asking these questions to illustrate how the statutory infrastructure in the United States might affect decision-making regarding SWIFT’s CSP. In their article, Gimbert and Hunter asked whether the SWIFT CSP might “trigger a new form of derisking.” This point is drawn into sharper relief by the details in the criminal complaint and by an awareness of the amplifying effects of Article 4A.
Regarding risk management generally, a correspondent bank can take five different approaches to this emerging funds transfer risk. It can: (1) avoid or prevent the risk, (2) reduce the risk, (3) share the risk, (4) transfer the risk, or (5) accept the risk. This is elementary risk management. More specifically, a correspondent bank may elect to avoid the risk relating to a noncompliant respondent bank or to cease taking that risk if it has already commenced doing so. This is where RMA and RMA Plus factor into the analysis. SWIFT has created a tool that the correspondent bank can readily use to avoid the risk relating to the noncompliant respondent bank.

A NEW ERA OF DERISKING?

As the criminal complaint makes clear, the funds transfer frauds attributable to state actors have been aimed largely at emerging market countries, where security practices tend to be at the trailing edge. At the same time, many correspondent banks tend to be in the industrialized countries that also are countries associated with reserve currencies like the U.S. dollar, the euro, and the yen. Because the premier reserve currency is the U.S. dollar, many correspondent banks have the United States