SWIFT Codes Under Attack: How Safe Are Banks?
- Karunakar Mohapatra, Market Research Analyst at CustomerXPs
- 20.10.2016 08:45 am SWIFT
Gone are the days when ski-masked felons would barge into banks with guns cocked and order everyone to get down. With the internet becoming ubiquitous and as banks and technology have evolved, so has financial crime.
The modern scarfaces operate from the comfort of an undetectable pad half way across the world. They are high IQ, tech-savvy and their only weapons are their brains and their gadgets. Global technological advancements and online anonymity have in fact come as a blessing for the intelligent ‘digital’ felon.
Though banks have grown in leaps and bounds from a business standpoint, there is still the question of how shielded they really are from hacking, money-laundering, asset siphoning, etc., all of which have become alarmingly regular.
So, what have banks been doing to combat the situation? To start with, they implemented measures to mitigate these risks and are regularly evaluating their security systems. One such measure was the implementation of the SWIFT codes. But, the question is, is it enough?
What is a SWIFT Code?
Society for Worldwide Interbank Financial Telecommunication codes or SWIFT Codes, also known as Bank Identifier Codes (BIC) are unique identification codes allocated to each bank. These codes are used when transferring money between banks, especially for international wire transfers and for communication between banks.
Currently, there are about 40,000 ‘live’ SWIFT Codes (those which are actively connected to the SWIFT network) and about 50,000 ‘passive’ SWIFT Codes (used for manual transactions).
Is the SWIFT Code mechanism helping? It was, until the recent (February 2016), high-profile scandal where USD 81 million was stolen from a bank in Bangladesh, came to light. The incident highlighted the insufficiency of SWIFT Codes in securing online banking transactions and how instances of cybercrimes against SWIFT member banks have been increasing.
Few other examples of such heists which occurred through SWIFT manipulation:
- Banco del Austro (Ecuador) – a whopping USD 12 million
- Tien Phong Bank (Vietnam) – a mere USD 1.36 million
Banks or SWIFT – where does the onus lie?
While SWIFT defended itself by stating that the network itself wasn’t attacked during any of the above mentioned heists, these attacks, however, are disconcerting and reflect upon the vulnerabilities of the system run by SWIFT.
Leonard Schrank, Chief Executive at SWIFT for 15 years, suggested that SWIFT develop an anomaly detector to catch dubious message traffic as it arrives. He believes that the network had long since known that end-users are a key vulnerability and that SWIFT needs to work harder to alleviate these attacks.
That being said, the onus lies on every single bank to ensure their own security first so that systems are not susceptible to attacks and threats. This cannot be achieved by depending on SWIFT alone. Banks will need to take the extra step to secure their systems and increase security controls.
How is SWIFT working towards better security protocols?
Since the Bangladesh bank drama, SWIFT has been urging its member banks to beef up their security measures and has promised new rules to improve security for bank transfers. In line with this, SWIFT sent a communication to all its users in May 2016 updating them on the steps they were taking to provide better security, including:
- Information sharing – SWIFT will continue to notify all member banks, as soon as possible, of any cases of malware that is made known to them and update the banks with all new and relevant information related to cybercrimes. To improve this information sharing, SWIFT will centralize all new and existing information in their Knowledge Base in a restricted customer section on SWIFT.com
- Collaboration against cyber threats – the banking fraternity’s security can only be achieved through a collaborative approach between and among SWIFT, its users, its central bank overseers and third party suppliers. To this end, all of them need to inform SWIFT of any suspected fraudulent use of their institution’s SWIFT connectivity or related to SWIFT products and services immediately.
What else can banks do?
To begin with – putting the house in order. Banks need to start identifying the challenges they face. Some of them would be:
- identify risks within the AML processes
- study how to bring in agility in their AML strategy
- ensure detection and investigation of suspicious activities
- ensure AML operations’ team is equipped with intelligent real-time, cross-channel tools
There’s a variety of anti-fraud technology solutions available, but banks must realize that strategies that delivers real-time, actionable intelligence is increasingly becoming the de-facto standard, given the innovation in sophisticated fraud. Financial institutions need solutions that can help automate, streamline and comply with existing and emerging regulatory AML/CFT compliance programs and solve these problems in real time.
Innovative solutions are now available that monitor and detect suspicious transactions across channels and in real- time as it happens, helping the bank’s risk and compliance teams take accurate decisions at the precise right time. These solutions feature Suspicious Activity Monitoring, Customer Risk Categorization, Entity Identity Resolution / Watch List Filtering, Regulatory Reporting (CTR/STR/SAR), Case Management and Entity Link Analysis.
While financial institutions, networks such as SWIFT, regulators and policy makers are aware of the systemic gaps, radically more stringent lines of defence will be the shape of things to come. Heists, laundering and other frauds will continue to occur as hackers get more brazen, but the least banks can do is have foresight on the magnitude of the problem and take sure steps to secure themselves.
As Malcolm Marshall, KPMG’s Global Head of Information Protection & Business Resilience states, “Security is not something that should get in the way of doing business but is something that enables you to do it more safely. Hopefully that means something to you and your customers.”