Agencies Issue Guidance in Response to SWIFT Compromises

In the wake of high-profile compromises of communications on the SWIFT network, the federal banking agencies issued guidance alerting banks to specific risk mitigation techniques that can minimize the cyber risks associated with interbank networks and wholesale payments systems.

The guidance — which included no new regulatory expectations — emphasized conducting ongoing information security risk assessments and monitoring, protecting against unauthorized access, implementing and testing controls, managing business continuity risk, enhancing employee cybersecurity awareness and sharing information within the industry. For example, to prevent unauthorized access, the agencies recommended limiting the number of network credentials and reviewing access rights frequently.

“Financial institutions should review their risk management practices and controls over information technology and wholesale payment systems networks, including authentication, authorization, fraud detection, and response management systems and processes,” the agencies said. “The FFIEC members emphasize that participants in interbank messaging and wholesale payment networks should conduct ongoing assessments of their ability to mitigate risks related to information security, business continuity, and third-party provider management.”

The guidance came after a widely reported sequence of hacks that used malware to issue unauthorized payment orders through the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, network. SWIFT is used to verify the authenticity of transfer requests. Banks in the Philippines, Bangladesh, Vietnam, Ecuador and other countries are reported to have been hit by fraudulent SWIFT messages. For more information, contact ABA’s Heather Wyson-Constantine.