Payments Innovation Alliance Los Angeles


23 February 2017

SWIFT gpi concept

• Messaging technologies
• Accessible by any bank
• Faster, same day use of funds*
• Transparency of fees
• Still reach non-initiative banks
• SLA rulebook
• End-to-end payments tracking
• Remittance information transferred unaltered
• Core transaction banks

(*) within the timezone of the receiving gpi member

Reaching any bank

Value-added product suite:
• Tracker
• Directory
• Observer


SWIFT gpi initiative banks

1. ABN AMRO Bank
2. ABSA Bank
3. Alfa-Bank
4. Australia and New Zealand Banking Group*
5. Axis Bank
6. Banco Bilbao Vizcaya Argentaria
7. Bangkok Bank
8. Bank of America Merrill Lynch*
9. Bank of China*
10. Bank of New York Mellon*
11. Bank of Nova Scotia
12. Bank of the Philippine Islands
13. Bank of Tokyo-Mitsubishi UFJ*
14. Banco Bradesco
15. Banco Santander
16. Banco de Crédito del Peru
17. Banco do Brasil
18. Banorte
19. Banque Européenne d’Investissement
20. Barclays*
21. Bidvest Bank
22. BNP Paribas*
23. Budapest Bank
24. CaixaBank
25. Canadian Imperial Bank of Commerce
26. China Construction Bank
27. China Merchants Bank
28. Citibank*
29. Commonwealth Bank of Australia
30. Commerzbank

SWIFT gpi overview – February 2017

92 initiative banks
• Channelling payments into 224 countries
• Representing 71% of all SWIFT cross-border payments

Regional representation of SWIFT gpi banks:
• 50% Europe, Middle East, Africa
• 30% Asia Pacific
• 20% Americas

31. Crédit Agricole
32. Crédit Mutuel-CIC Banques
33. Credit Suisse
34. CTBC Bank
35. Danske Bank*
36. DBS Bank*
37. Deutsche Bank
38. DNB Bank
39. Ecobank
40. E.Sun Commercial Bank
41. Erste Group Bank
42. Fifth Third Bank
43. FirstRand Bank
44. Handelsbanken
45. Helaba Landesbank Hessen-Thüringen
46. HSBC Bank
47. ICICI Bank
48. IndusInd Bank
49. Industrial and Commercial Bank of China*
50. ING Bank*
51. Intesa Sanpaolo*
52. Intl. FCStone
53. Investec
54. Itaù Unibanco
55. JPMorgan Chase Bank*
56. Kasikornbank
57. KBC Bank
58. KEB Hana Bank
59. Lloyds Bank
60. Mashreq Bank
61. Maybank
62. Mizuho Bank*
63. National Australia Bank
64. Natixis
65. Nedbank
66. Nordea Bank*
67. Oversea-Chinese Banking Corporation
68. PKO Bank Polski
69. Promsvyazbank
70. Rabobank
71. Raiffeisen Bank International
72. Resona Bank
73. Royal Bank of Canada*
74. Royal Bank of Scotland
75. Sberbank
76. Siam Commercial Bank
77. Silicon Valley Bank
78. Skandinaviska Enskilda Banken
79. Société Générale
80. SpareBank 1
81. Standard Bank of South Africa
82. Standard Chartered Bank*
83. Sumitomo Mitsui Banking Corporation*
84. Swedbank
85. Tadhamon International Islamic Bank
86. TMB Bank
87. Toronto-Dominion Bank
88. UBS
89. U.S. Bank
90. UniCredit*
91. United Overseas Bank
92. Wells Fargo*

(*) Pilot bank


Major innovation from the outset: payments tracker

• “One-glance” status overview
• Transparency of total fees and time
• Unique, end-to-end tracking number
• Track path, in real time
• Central payments database, hosted at SWIFT
• Details of banks along the chain
• Updated via MT199 or API
• Data consumption via GUI, via MT199 (push) or via API (pull)

SWIFT Customer Security Program (CSP) | Modus Operandi & CSP Framework

Step 1: Attackers compromise the customer's environment
Step 2: Attackers obtain valid operator credentials
Step 3: Attackers submit fraudulent messages
Step 4: Attackers hide the evidence

CSP | You > Security Guidelines and Assurance

CSP Security Controls Framework

Security Controls

Secure Your Environment
1. Restrict Internet access
2. Segregate critical systems from the general IT environment
3. Reduce attack surface and vulnerabilities
4. Physically secure the environment

Know and Limit Access
5. Prevent compromise of credentials
6. Manage identities and segregate privileges

Detect and Respond
7. Detect anomalous activity to system or transaction records
8. Plan for incident response and information sharing

3 Objectives, 8 Principles, 27 Controls
• Applicable to all customers and to the whole end-to-end transaction chain beyond the SWIFT local infrastructure
• Mapped against recognised international standards – NIST, PCI DSS and ISO 27002
• 16 controls are mandatory and 11 are advisory

CSP | You > Security Guidelines and Assurance

Assurance Framework

Self-Attestation
• Where the customer positively asserts that it meets the security requirements
• First- and second-line of defence – provided by senior management
• All customers with an interface
• All customers with a small local footprint

Self-Inspection
• Where the customer’s Internal Audit asserts that the customer meets the security requirements
• Third-line of defence – provided by the IA function
• Risk-based sample of customers with a small local footprint

Third-Party Inspection
• Where an external party provides independent validation that the customer meets the security requirements
• All traffic concentrators (extended SIP), executed by SWIFT
• Risk-based sample of customers with an interface, executed by third-party auditors