
About SWIFT

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a telecommunication provider established in Brussels in 1973 to provide standardized financial messaging between financial institutions globally. It is now the biggest financial messaging system in the world. Before SWIFT, financial institutions relied heavily on TELEX for banking transactions, but TELEX was slow and not as secure. SWIFT now has over 10,000 institutions spread over 212 countries, processing over 24 million messages every day.

The consortium provides a shared network infrastructure, called SWIFT-NET or the SWIFT Network, which is shared among the member financial institutions. SWIFT itself does not facilitate a financial transaction; rather, it provides the platform to send purchase orders in the form of SWIFT messages (containing the beneficiary’s information, source account details, the bank’s BIC/IBAN code, etc.). The actual transaction is settled using the correspondent accounts the member banks hold with each other. SWIFT itself does not hold, process, or cleanse any of the information traversing its network.

Around half of SWIFT traffic consists of payment-based messages. Another 43% of SWIFT traffic deals with securities transactions, and the rest is for treasury transactions.

To facilitate the institutions’ connection to the SWIFT-NET, SWIFT provides some products to create, send, receive and process SWIFT messages.

Services Offered

SWIFT offers many services that help businesses and institutions carry out secure transactions. The services are:

Applications

The SWIFT system provides several applications: banking infrastructure for processing payment instructions between financial institutions, real-time instruction matching for treasury and forex transactions, and securities market infrastructure for processing settlement and clearing instructions for securities, derivatives transactions, payments, and forex.

Business Intelligence

Another service banks can obtain from the SWIFT system is dynamic, real-time monitoring of activity, messages, reporting, and trade flow. The reports can be filtered by message type, country, region, and related parameters.

Compliance Services

To help protect against cyber fraud, SWIFT offers financial crime compliance utilities such as Know Your Customer (KYC), Anti-Money Laundering (AML), and Sanctions.

Connectivity, Software Solutions, and Messaging

The core feature the SWIFT system provides to businesses is a reliable, scalable and extremely secure network for effortless messaging. It offers multiple products and services that let the end user send and receive messages through various messaging software, hubs, and network connections.

Challenges

Some customers handle transaction volumes so large that processing the instructions manually is too complicated, so the need for automated message creation, processing, and transmission has increased. SWIFT has already successfully implemented software for this; however, the cost of the transaction also increases.

CSP

CSP is a standardized compliance framework to which all the member organizations should adhere.

SWIFT – CSP

To maintain a uniform security posture across all member institutions, SWIFT came up with a list of requirements that each member organization must comply with, called the Customer Security Program (CSP).

It was first initiated in 2016 with about 11 advisory and 16 mandatory controls. In the 2019 version this was increased to 19 mandatory and 10 advisory controls.

CSP has 3 objectives and 8 principles, and the 2019 version of the CSP guidelines has 29 controls. The objectives and their corresponding principles are as follows:

1. Safeguard the Environment.

  • Restrict internet access.

  • Disconnect the integral systems from the common IT environment.

  • Minimize attack areas and vulnerabilities.

  • Physically safeguard the environment.

2. Understand and Limit Access.

  • Prevent compromise of credentials.

  • Manage identities and segregate privileges.

3. Detect and Respond.

  • Detect anomalous activity within the system or transaction records.

  • Prepare for incident response and information sharing.

Architectures

SWIFT deployments follow 4 types of architecture:

  • Architecture A1 – A full-stack deployment, in which the messaging interface (e.g., SWIFT Alliance Access) and the communication interface (e.g., SWIFT Alliance Gateway) both reside in-house.

  • Architecture A2 – A partial-stack deployment, in which the communication interface is not owned and housed by the organization but outsourced to a SWIFT-approved service provider.

  • Architecture A3 – The organization holds only the connector (e.g., SWIFT Alliance Lite 2), which enables direct connectivity to SWIFT-NET. The organization keeps a very minimal footprint while still enjoying seamless connectivity.

  • Architecture B – The organization houses only the operator PCs and makes use of the architecture of a third-party service provider or of a different branch of the same organization.

The mandatory and advisory security controls that apply are determined by the type of architecture a customer uses, which defines the controls and components that need to be covered. Customers using architecture type “A” (A1, A2 or A3) have 19 mandatory controls and 10 advisory controls. Customers with architecture type “B” have 14 mandatory controls and 6 advisory controls. The security controls must be followed by clients across the entire end-to-end transaction chain within the local SWIFT infrastructure.

SWIFT aims to follow industry standards in implementing the security controls, aligning them with those of NIST. SWIFT also releases control statements and definitions for each advisory and mandatory control. SWIFT released the final control statements in Q2 2017 after taking advice from industry experts.
