Cyberthreats and Wholesale Payment Systems

CPMI’s strategy for improving end-point security raises important issues that will require careful consideration.

By Alaina Gimbert and Rob Hunter

The Clearing House

Early in 2016, the first reports of a historic theft began to surface in the press. Sounding more like the storyline of a James Bond movie than the mundane world of wholesale payments, newspaper reports said that $81 million had been stolen by “hackers” from the Bank of Bangladesh’s account at the Federal Reserve Bank of New York (it has since been reported that all but $15 million of the original $81 million has been recovered). The theft happened over a weekend in February, and by the time it was discovered, the money had been transferred out of the Bank of Bangladesh’s Federal Reserve account and ultimately dispersed at casinos in the Philippines. Although the funds were clearly gone, it was not clear where the “hack” had occurred.

Over the following months, more details came to light. The root cause of the theft, the “hack,” had been the compromise of the Bank of Bangladesh’s own infrastructure, which was used to send SWIFT messages. SWIFT is an international financial messaging system, a major artery in the global correspondent banking network, through which banks instruct payments to other banks. The compromise of the Bank of Bangladesh’s connection to SWIFT enabled criminals (now believed to have been the government of North Korea) to send fraudulent payment instructions to the Federal Reserve Bank of New York. For the first time, it appeared that account takeover – a cybercrime that previously had plagued only retail customers – had moved into wholesale payment systems. Unfortunately, as the world soon learned, the Bank of Bangladesh was neither the first nor the last of such wholesale account takeover incidents enabled by cyber compromise.

Not long after the Bank of Bangladesh stories surfaced came news that Banco del Austro, an Ecuadorian bank, had also been the victim of an account takeover through its compromised SWIFT connection in early 2015. The bad guys got away with $12 million. More reports followed suggesting that Russian and other Asian banks also had suffered the same crimes. As these similar, though less sensational, incidents came to light in 2016, it became known that criminals and state actors were exploiting cybersecurity vulnerabilities in what long had been assumed to be a safe space: correspondent communication channels. Both the private and public sectors knew that the SWIFT incidents meant the wholesale payment space needed to be re-evaluated in light of a new kind of threat.

Public Sector Response
The Bank of Bangladesh and other compromises of banks’ SWIFT connections are a manifestation of the larger cyberthreat environment that the public and private sector have been grappling with in recent years. Experts estimate that cybercrime damage costs will hit $6 trillion annually by 2021, up from $3 trillion in 2015, and that cybercrime will be more profitable than the global trade of all major illegal drugs combined. Consistent with this prediction, cyberattacks are the fastest-growing crime in the U.S., and they are increasing in size, sophistication, and cost.

The public sector response to this threat has been uneven and at times unhelpful. Since 2014, U.S. banks have been issued or seen proposed at least 43 cybersecurity-related regulations, standards, guidance, examination expectations, and other requirements. Bank examiners often follow up on these issuances to impose additional, varying requirements as supervisory expectations. By one estimate, large U.S. multinational banks spend 40% of their cybersecurity efforts demonstrating compliance with regulatory standards. These are valuable resources that could otherwise be gainfully directed to cybersecurity defense.

More recently, there have been calls to harmonize existing regulatory requirements and standards with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and to adopt a more collaborative public-private partnership approach to cybersecurity to be led by NIST or the Department of Homeland Security (DHS) and not the financial regulators. NIST’s recent release of updates to the Framework for Improving Critical Infrastructure Cybersecurity, which was prepared with input from members of the regulatory community, suggests such collaborative public-private partnerships can be fruitful.

The public sector has also been working through the current administration to strengthen federal networks and critical infrastructure, directing agencies to align their risk management policies with the NIST Framework and further directing DHS, the Department of Justice, the Department of Defense, and others to identify authorities and capabilities that the agencies could employ to support the cybersecurity efforts of critical infrastructure entities and to develop recommendations for better supporting the cybersecurity risk management efforts of those entities. These collaborative approaches, which contrast sharply with less helpful and even harmful regulatory mandates, avoid imposing a “one-size-fits-all” solution on firms with widely diverse risks and capabilities and allow cyberdefense to continue evolving to meet the challenges of fighting on a complex, ever-changing battlefield.

Private Sector Response
The U.S. financial sector is aware of the constantly emerging nature of cybersecurity threats and is actively engaged in addressing it. Banks own the risk associated with cybersecurity attacks and have every incentive to mitigate it. Accordingly, U.S. banks employ tens of thousands of cybersecurity professionals – many of them former members of the intelligence community, law enforcement, or the military – and some of the brightest minds in computer science and social engineering. The largest U.S. banks have disclosed that they spend $250 million to $500 million on cybersecurity annually.

Beyond individual bank responses, the U.S. private sector also has taken collaborative steps since 2016 to address potential compromises in wholesale payments through a number of means. In addition to industry resources, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Financial Systemic Analysis & Resilience Center (FSARC), which provide education, alerts, analysis, and coordination related to cyberthreats, large banks have also entered into cyberthreat information sharing arrangements with each other. (Note: The Financial Services Information Sharing and Analysis Center (FS-ISAC) serves as a global financial industry resource for cyber and physical threat intelligence analysis and sharing. FS-ISAC is unique in that it was created by and for members and operates as a member-owned nonprofit entity. FS-ISAC constantly gathers reliable and timely information from financial services providers, commercial security firms, federal/national, state and local government agencies, law enforcement, and other trusted resources. With this information, the FS-ISAC is uniquely positioned to quickly disseminate physical and cyberthreat alerts and other critical information to its members. This information includes analysis and recommended solutions from leading industry experts. FS-ISAC is currently active with members and partners across countries and regions throughout North and South America, Europe, the Middle East, and the Asia/Pacific region. The Financial Systemic Analysis & Resilience Center (FSARC) is affiliated with FS-ISAC. Its mission is to proactively identify, analyze, assess, and coordinate activities to mitigate systemic risk to the U.S. financial system from current and emerging cybersecurity threats through focused operations and enhanced collaboration between participating firms, industry partners, and the U.S. government. FSARC’s activities will continue to enhance the effectiveness of information exchange, the sharing of more sophisticated analysis techniques, and closer collaboration between large U.S. financial services firms and U.S. government agencies, including Treasury, DHS, and the FBI, and will leverage existing FS-ISAC controls to ensure the protection of private information.)

The industry has also carried out a number of multiparticipant cybersecurity exercises; in these, cross-functional teams at banks and wholesale payment operators play out scenarios in which a global bank suffers a cyberattack and its wholesale payment instructions are compromised. Additionally, wholesale payment groups have developed industry playbooks for scenarios in which a bank suffers some form of cyberattack and must disconnect (or be disconnected from) wholesale payment systems. Insights gained from these efforts have enabled individual entities and the industry collectively to (i) better understand their capabilities and needs in the event of a cybersecurity event affecting wholesale payment systems and (ii) revise their processes, procedures, and technical capabilities to better address such potential situations.

Aside from the cooperative, industry-led efforts to prepare for potential larger-scale compromises of wholesale payment networks, SWIFT itself took action to bolster the security of its network. SWIFT, like other financial market utilities, had primarily focused on the security of its own systems and software and relied upon its users to secure their systems as well. This is a rational and practical approach given that users ultimately are responsible for the payment instructions they send to financial market infrastructures and are regulated entities.

However, the incidents at the Bank of Bangladesh and elsewhere revealed that users may not be securing their systems as vigorously as they should and that supervisory and enforcement regimes, particularly in emerging economies, may be lacking, given the increasing sophistication and state backing of malicious actors. This issue may be more acute for SWIFT, given its international nature and the variability of cyber-resilience of banks in different countries. There is no question that banks globally must adapt their defenses to evolving cyberthreats; the question is how. (Note: Security in the global wholesale payment community appears to be improving. It was reported in early April that the central bank of Malaysia thwarted an attempt to steal funds through altered SWIFT messages by taking “prompt action” in coordination with SWIFT, other central banks, and financial institutions; see “Malaysia’s Central Bank Blocks Attempted SWIFT Fraud.”)

For SWIFT, part of the answer lies in a revised approach to security in its network. In 2016, SWIFT launched its Customer Security Programme with three components: information sharing, enhanced tools, and a customer security controls framework. Improved information sharing (for example, SWIFT’s establishment of a security intelligence team that shares indicators of compromise with the SWIFT community) and enhanced tools (such as SWIFT’s provision of a second-channel daily validation report of transactions) were predictable ways to bolster the network’s security. What is novel about the program is the third component, the customer security control framework.

The customer security control framework is new territory for SWIFT and has implications for other financial market infrastructures. The framework prescribes detailed requirements for how users secure their local SWIFT-related systems (Note: The security controls fall under seven primary control objectives: (1) Restrict Internet Access and Protect Critical Systems from General IT Environment; (2) Reduce Attack Surface and Vulnerabilities; (3) Physically Secure the Environment; (4) Prevent Compromise of Credentials; (5) Manage Identities and Segregate Privileges; (6) Detect Anomalous Activity to Systems or Transaction Records; and (7) Plan for Incident Response and Information Sharing). Further, SWIFT users must self-attest to their level of compliance with the security controls. Users can choose to make their attestations available to other users with whom they have correspondent or other business relationships. Likewise, users can request that other users make their attestations available to them.

This transparency – the ability of correspondent banks to have a line of sight into the information security controls of the banks with which they do business – both empowers banks to understand the potential information security risks of their counterparts and presents new quandaries. Assuming a correspondent attests that its security controls do not fully meet the SWIFT requirements, what ought the other bank do? Request more information from the correspondent? If so, how much more? If Bank A chooses to continue a correspondent relationship with Bank B, which does not fully meet the SWIFT requirements – perhaps because Bank B is the only otherwise acceptable bank in a particular country – will Bank A have to justify its decision to its regulator or to a court in future litigation in which Bank B claims that Bank A ought not to have executed an authorized but compromised payment instruction? Or might banks determine that particular countries or regions have insufficient information security practices and trigger a new form of derisking?

Though well-intentioned, the SWIFT requirements may turn banks into the effective information security regulators of other banks. Is this the right outcome?

Improving End-Point Security
The Committee on Payments and Market Infrastructures (CPMI), an international standards-setting organization, has also taken up the issue of securing wholesale payment systems. In May 2018, it issued a final strategy to reduce fraud related to end-point security. Members of CPMI, including the Federal Reserve, plan to act as a “catalyst” for implementation of the strategy within their respective jurisdictions and to monitor progress this year and next. Hence, wholesale payment system operators and participants will be expected to incorporate the strategy into their risk management frameworks. The strategy specifically calls for (i) operators to establish and assure adherence to clear end-point security requirements for participants; (ii) operators and participants to provide and use information and tools to prevent and detect attempted wholesale payments fraud; and (iii) operators and participants to adopt procedures and practices to respond to actual or suspected fraud in a timely manner. While CPMI has taken a fairly accommodative posture in the strategy by expressly recognizing the need for flexibility with respect to how different systems and jurisdictions implement the strategy, there are issues lurking beneath the strategy that merit careful consideration.

Although SWIFT elected to establish security controls for its community, it is not clear that U.S. wholesale infrastructures (operators) – i.e., The Clearing House Interbank Payments System (CHIPS) and Fedwire – ought to do the same. This is because only U.S. chartered entities (banks or branches of foreign banks) can participate in CHIPS and Fedwire. As such, the participants are already required to comply with comprehensive information security requirements pursuant to law, regulation, and regulatory guidance. They are also subject to examination for such compliance.

The regulatory obligations applicable to CHIPS and Fedwire participants relate to information security programs generally and the use of payment systems specifically. For example, the Federal Financial Institutions Examination Council’s Information Technology Examination Handbook includes a detailed section on wholesale payment systems. This section includes the expectation that financial institutions implement internal and operational controls to “mitigate or limit operational risks, such as authentication and encryption techniques to ensure the authenticity of the payer and payee as well as prevent unauthorized access to information in transit and edit checks and automated balancing to verify the integrity of the information relative to the payment order and funds transfer transaction.”
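Both the second-channel daily validation report described under SWIFT’s Customer Security Programme and the “edit checks and automated balancing” expectation quoted above rest on the same control: compare the bank’s own record of authorized instructions against an independent view of what the network actually received, so that a compromised local sending system cannot hide what it sent. The following is an added illustration, not code or a report format from SWIFT, the FFIEC, or the authors; the record layout, reference format, and sample values are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample records. Field names, reference format and report
# layout are this example's assumptions, not SWIFT's validation-report format.


@dataclass(frozen=True)
class Instruction:
    ref: str          # bank's own transaction reference
    amount: int       # minor units (cents), so daily totals add exactly
    currency: str
    beneficiary: str  # beneficiary account identifier


# What the bank's back office recorded as authorized outgoing payments.
LOCAL_AUTHORIZED = [
    Instruction("TRN0001", 2_500_000_00, "USD", "ACCT-DE-001"),
    Instruction("TRN0002", 750_000_00, "USD", "ACCT-JP-017"),
    Instruction("TRN0003", 120_000_00, "EUR", "ACCT-FR-404"),
]

# What the network's independent daily report says it actually received.
NETWORK_REPORT = [
    Instruction("TRN0001", 2_500_000_00, "USD", "ACCT-DE-001"),   # matches
    Instruction("TRN0002", 750_000_00, "USD", "ACCT-PH-999"),     # beneficiary differs
    Instruction("TRN0004", 20_000_000_00, "USD", "ACCT-PH-998"),  # never authorized locally
    Instruction("TRN0004", 20_000_000_00, "USD", "ACCT-PH-998"),  # and received twice
]


def reconcile(local, network):
    """Compare the bank's own record against the second-channel report.

    Returns a sorted list of (finding, ref, detail) tuples. An empty list
    means every message the network saw was authorized locally with the same
    amount, currency and beneficiary, and every authorized instruction was sent.
    """
    local_by_ref = {i.ref: i for i in local}
    seen = Counter(i.ref for i in network)
    findings = []
    for ref, n in seen.items():
        if n > 1:
            findings.append(("DUPLICATE", ref, f"seen {n} times in network report"))
    for sent in {i.ref: i for i in network}.values():
        auth = local_by_ref.get(sent.ref)
        if auth is None:
            findings.append(("UNKNOWN_TO_LOCAL", sent.ref,
                             f"{sent.amount} {sent.currency} to {sent.beneficiary}"))
        elif (auth.amount, auth.currency, auth.beneficiary) != (
                sent.amount, sent.currency, sent.beneficiary):
            findings.append(("MISMATCH", sent.ref,
                             f"authorized {auth.amount} {auth.currency} to "
                             f"{auth.beneficiary}, network saw {sent.amount} "
                             f"{sent.currency} to {sent.beneficiary}"))
    for ref in sorted(local_by_ref.keys() - seen.keys()):
        findings.append(("NOT_SENT", ref, "authorized locally but absent from report"))
    return sorted(findings)


def daily_totals(instructions):
    """Automated balancing: (total value, message count) per currency, a cheap
    end-of-day figure to compare between the two sources before line-level work."""
    totals = defaultdict(lambda: [0, 0])
    for i in instructions:
        totals[i.currency][0] += i.amount
        totals[i.currency][1] += 1
    return {cur: (amt, n) for cur, (amt, n) in totals.items()}


if __name__ == "__main__":
    for finding in reconcile(LOCAL_AUTHORIZED, NETWORK_REPORT):
        print(*finding)
    print("local  ", daily_totals(LOCAL_AUTHORIZED))
    print("network", daily_totals(NETWORK_REPORT))
```

The value of the check comes from the report arriving over a channel the local sending system cannot alter; a comparison against data pulled from the same compromised host proves nothing.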

U.S. depository institutions are further expected to put in place internal controls to “maintain overall integrity for any funds transfer operation” consistent with certain recommended control objectives (Note: These control objectives include “protecting original instructions from loss or alteration,” “authenticating the identity and authority of the sender,” “maintaining a physically secure environment,” and “maintaining appropriate separation of duties for employees involved in the payment process”). While the CPMI strategy contemplates that operators can leverage existing, broadly supported security frameworks, given the existing regulatory and supervisory framework for the security of wholesale payment systems, it is questionable whether additional requirements established by U.S. operators will in fact make U.S. wholesale payment systems safer than they would otherwise be under existing requirements.

However, since CPMI’s strategy directs operators to establish end-point security requirements for their participants, the issue then becomes how operators would determine if their participants really meet the requirements. Would self-attestations suffice? Or would operators need a third party to certify to the participant’s standards? The strategy proposes a range of options – from self-certification to third party certification – that operators will need to consider when determining their approach to “promoting adherence” to their end-point security requirements.

Next, if an operator determines that a participant does not fully meet its security requirements, what action does it take? Given the potential systemic impact of removing a large, global bank from CHIPS or Fedwire, might suspension of a participant due to its inability to meet the operator’s security requirements create other risks in the financial system? Indeed, CPMI’s strategy cautions operators to “exercise care” when considering whether a participant’s access to a wholesale system should be restricted or suspended due to end-point security deficiencies. However, like the issue of continuity-of-access during resolution, there will be an inherent tension between preserving bank access to critical financial market infrastructures and an operator’s need to manage its own risks, which CPMI has now defined to include not only a participant’s financial and operational capabilities but also its end-point security. And might an operator also have a responsibility to enable transparency among participants in the system to share information about their end-point security – leading to the same questions noted above with respect to the SWIFT program about what participants should do with knowledge about other banks’ security standards? Perhaps oversight and remediation of end-point information security gaps are best addressed, as they historically have been, through the very entities established to ensure the safety and soundness of banks: state and federal regulators.

It is also important to note that the U.S. legal framework that applies to wholesale payments places responsibility on a bank to establish a commercially reasonable security procedure agreement with its customer who instructs a payment order, whether such customer is an individual, business, or another bank. The legal framework allocates liability for transfers that arise from instructions that were not authorized by the customer to either the bank or the customer, based on the bank’s adherence to those procedures and whether the bank accepted the customer’s order in good faith. However, the framework does not require or consider that an operator would interject security requirements that apply to a participant’s own systems. It is unclear how such operator security requirements would relate to the U.S. legal framework. It is foreseeable, given the nature of litigation related to large value wires, that future plaintiffs would assert claims based upon operator security requirements and disrupt the established legal framework that historically has been relied upon for wires. Operators and participants in the U.S. will need to consider these potential legal claims in their implementations of end-point security requirements and other elements of the CPMI strategy.

The CPMI strategy calls for operators and participants to (i) provide and use information and tools to prevent and to detect attempted wholesale payments fraud to the extent reasonably practicable and legally permissible and feasible, and (ii) adopt procedures and practices to respond to actual or suspected fraud in a timely manner while preserving the finality of settled payments. These tasks will need to be carefully calibrated to the legal, regulatory, and operational contexts of wholesale payment systems. There are significant legal considerations with data sharing, including data privacy laws, data sharing restrictions, and potential liability for passing on unverified claims of fraud. Furthermore, although there may be additional informational tools that operators can provide to assist participants in preventing and detecting fraud, tools that would have an operator slow or stop payments could have significant implications for liquidity flows in wholesale systems. (Note: The Federal Reserve has proposed to monitor all Fedwire payments in real time and reject any Fedwire payment that would cause or increase an overdraft in the sender’s Federal Reserve account and exceed its net debit cap. Such rejection is intended to give the sending bank an opportunity to verify authorization, to fund the transaction, and to limit risk to both the bank and its Reserve Bank. See Policy on Payment System Risk and Expanded Real-Time Monitoring.)

It is clear that well-intentioned ideas for improving the cybersecurity of wholesale payments need to be carefully vetted by the stakeholders – both private and public – of wholesale payment systems. The interpretation and application of CPMI’s strategy by the regulatory community and implementation by the private sector will determine whether or not good intentions lead to good results.

Wholesale payment systems, like other vectors of our financial system, must adapt to ever-evolving cyberthreats. The public sector can assist in enabling this adaptation by convening public-private dialogue, encouraging the private sector to assess and respond to cyberthreats, and carrying out its traditional bank oversight functions. However, regulatory requirements, even well-intentioned ones, that overlook the complexities and jurisdictional contexts of wholesale payment systems may prove ineffective or harmful to such systems.