BANKING PERSPECTIVES, QUARTER 4 2018, p. 85

as their home country, and Article 4A frequently provides the legal infrastructure for wholesale credit transfers made by these correspondent banks. Many of these correspondent banks may decide that their best option is to avoid completely the risk of a noncompliant respondent bank and take direct action against such a respondent bank. If the noncompliance is indicative of the state of security practices in a particular emerging market country, then many respondent banks in that jurisdiction may experience the same reaction. The result will be a derisking that affects the entire country and the country's ability to access certain financial markets.

What are the alternatives? One possibility is for a correspondent bank to assist respondent banks in complying with the SWIFT mandatory security controls and to help them in upgrading the controls so that they can attest to compliance. But if a correspondent bank lends such aid, does it face the same potential liability as the biblical Good Samaritan? In this story (at least its law school variation), the Good Samaritan rescuer is liable if its rescue attempt happens to be negligent (notwithstanding good intentions). The moral is that if you should decide to attempt a rescue, you need to do it using ordinary care or not do it at all. Applying this lesson to a correspondent bank's decision to assist a respondent bank in upgrading its funds transfer security, a correspondent bank might decide it does not wish to place itself in such a sensitive position. A correspondent bank taking on such a noble role would likely find that the talent it was devoting to the cause of aiding the respondent bank was increasing its costs. At the same time, the prospective profitability of the funds transfer business flowing from any given respondent bank tends to be quite small.

When a cost/benefit analysis is done, the conclusion often is that this kind of assistance is not good business, and that does not account for the possibility that, if the security controls fail, the correspondent bank will be blamed. From a business perspective, this type of undertaking would not be seen as being in the best interests of the correspondent bank's shareholders.

Some also question whether SWIFT should foster better network security by network rules that could be administered by SWIFT or agents working for SWIFT. This would lift the burden from the correspondent banking community and place it on the communications service provider. Instead of pressure for compliance being provided by a counterparty, the pressure would be applied by the service provider. The residual risk is that if the security fails, the service provider may be blamed. It is perhaps understandable that SWIFT's CSP places the disciplinary responsibility largely on the correspondent banks, with the clear objective that such pressure will foster better security procedures in the respondent bank community.

For now, the jury is still out whether SWIFT's CSP will lead to a new round of derisking. It is not, of course, inevitable. Any particular respondent could adopt the controls needed to comply fully with SWIFT's CSP. The necessary tools are available. But as the criminal complaint reveals, there should be no doubt about the need to harden the security of systems that make global funds transfers. And, in the United States, Article 4A will have, in my view, an amplifying effect.

ENDNOTES

1. Alaina Gimbert and Rob Hunter, "Cyberthreats and Wholesale Payment Systems," Banking Perspectives, vol. 6, no. 2 (2018). https://www.theclearinghouse.org/banking-perspectives/2018/2018-q2-banking-perspectives/articles/cyberthreats-and-wholesale-payment-systems

2. A PDF of the criminal complaint is available here: https://www.justice.gov/opa/press-release/file/1092091/download

3. "U.S. Accuses North Korea of Plot to Hurt Economy as Spy Is Charged in Sony Hack," The New York Times, September 6, 2018. https://www.nytimes.com/2018/09/06/us/politics/north-korea-sony-hack-wannacry-indictment.html

4. "Cyber Attack Hits 200,000 in at Least 150 Countries: Europol," Reuters, May 14, 2017. https://www.reuters.com/article/us-cyber-attack-europol/cyber-attack-hits-200000-in-at-least-150-countries-europol-idUSKCN18A0FX

5. Sara Peters, "Sony Hackers Knew Details of Sony's Entire IT Infrastructure," Dark Reading, December 14, 2004. https://www.darkreading.com/sony-hackers-knew-details-of-sonys-entire-it-infrastructure-/d/d-id/1317898