Clari5

SWIFT Codes Under Attack: How Safe Are Banks?

Gone are the days when ski-masked felons would barge into banks with guns cocked and order everyone to get down. As the internet has become ubiquitous and banks and technology have evolved, so has financial crime.

The modern scarfaces operate from the comfort of an undetectable pad halfway across the world. They are high-IQ and tech-savvy, and their only weapons are their brains and their gadgets. Global technological advancements and online anonymity have in fact come as a blessing for the intelligent ‘digital’ felon.

Though banks have grown in leaps and bounds from a business standpoint, there is still the question of how shielded they really are from hacking, money-laundering, asset siphoning, etc., all of which have become alarmingly regular.

So, what have banks been doing to combat the situation? To start with, they implemented measures to mitigate these risks and are regularly evaluating their security systems. One such measure was the implementation of SWIFT codes. But the question is: is it enough?

 

What is a SWIFT Code?

Society for Worldwide Interbank Financial Telecommunication codes, or SWIFT Codes, also known as Bank Identifier Codes (BIC), are unique identification codes allocated to each bank. These codes are used when transferring money between banks, especially for international wire transfers, and for communication between banks.

Currently, there are about 40,000 ‘live’ SWIFT Codes (those which are actively connected to the SWIFT network) and about 50,000 ‘passive’ SWIFT Codes (used for manual transactions).

Is the SWIFT Code mechanism helping? It was, until the recent (February 2016) high-profile scandal, in which USD 81 million was stolen from a bank in Bangladesh, came to light. The incident highlighted the insufficiency of SWIFT Codes in securing online banking transactions and how instances of cybercrime against SWIFT member banks have been increasing.

A few other examples of such heists, which occurred through SWIFT manipulation:

  • Banco del Austro (Ecuador) – a whopping USD 12 million
  • Tien Phong Bank (Vietnam) – a mere USD 1.36 million

Banks or SWIFT – where does the onus lie?

SWIFT defended itself by stating that the network itself wasn’t attacked during any of the above-mentioned heists. These attacks, however, are disconcerting and reflect upon the vulnerabilities of the system run by SWIFT.

Leonard Schrank, Chief Executive at SWIFT for 15 years, suggested that SWIFT develop an anomaly detector to catch dubious message traffic as it arrives. He believes that the network has long known that end-users are a key vulnerability and that SWIFT needs to work harder to alleviate these attacks.

That being said, the onus lies on every single bank to ensure their own security first so that systems are not susceptible to attacks and threats. This cannot be achieved by depending on SWIFT alone. Banks will need to take the extra step to secure their systems and increase security controls.

How is SWIFT working towards better security protocols?

Since the Bangladesh bank drama, SWIFT has been urging its member banks to beef up their security measures and has promised new rules to improve security for bank transfers. In line with this, SWIFT sent a communication to all its users in May 2016 updating them on the steps they were taking to provide better security, including:

  • Information sharing – SWIFT will continue to notify all member banks, as soon as possible, of any cases of malware that are made known to them and update the banks with all new and relevant information related to cybercrimes. To improve this information sharing, SWIFT will centralize all new and existing information in their Knowledge Base in a restricted customer section on SWIFT.com.
  • Collaboration against cyber threats – the banking fraternity’s security can only be achieved through a collaborative approach between and among SWIFT, its users, its central bank overseers and third party suppliers. To this end, all of them need to inform SWIFT of any suspected fraudulent use of their institution’s SWIFT connectivity or related to SWIFT products and services immediately.

What else can banks do?

To begin with – putting the house in order. Banks need to start identifying the challenges they face. Some of them would be:

  • identify risks within the AML processes
  • study how to bring in agility in their AML strategy
  • ensure detection and investigation of suspicious activities
  • ensure AML operations’ team is equipped with intelligent real-time, cross-channel tools

There’s a variety of anti-fraud technology solutions available, but banks must realize that strategies that deliver real-time, actionable intelligence are increasingly becoming the de facto standard, given the innovation in sophisticated fraud. Financial institutions need solutions that can help automate, streamline and comply with existing and emerging regulatory AML/CFT compliance programs and solve these problems in real time.

Innovative solutions are now available that monitor and detect suspicious transactions across channels and in real time as they happen, helping the bank’s risk and compliance teams take accurate decisions at precisely the right time. These solutions feature Suspicious Activity Monitoring, Customer Risk Categorization, Entity Identity Resolution / Watch List Filtering, Regulatory Reporting (CTR/STR/SAR), Case Management and Entity Link Analysis.

While financial institutions, networks such as SWIFT, regulators and policy makers are aware of the systemic gaps, radically more stringent lines of defence will be the shape of things to come. Heists, laundering and other frauds will continue to occur as hackers get more brazen, but the least banks can do is have foresight on the magnitude of the problem and take sure steps to secure themselves.

As Malcolm Marshall, KPMG’s Global Head of Information Protection & Business Resilience, states, “Security is not something that should get in the way of doing business but is something that enables you to do it more safely. Hopefully that means something to you and your customers.”

 

Episode 1: Malafide Intentions

Our new series of thrillers – produced and directed by CustomerXPs and Banking Technology – narrates the tales of the fight between the forces of good (the Clari5 analytics and anti-fraud software) and the forces of evil. Based on real events and guaranteed to keep you on the edge of your seat!

The alert flashes on the dark screen. His cat nap is disturbed by the “on/off” flashing on the monitor, which causes his eyelids to flutter open. He looks at the array of numbers and text that, to the lay person, appear to be just a vast, random set of data. But Oliver’s trained eye and keen mind are attuned to pick out anomalies from this data load. Oliver, the keenest, sharpest AFO (anti-fraud officer) at the Bank of Sentee (BoS), wasn’t called Hawk by his colleagues for nothing.

Oliver’s eyes rapidly scan through Michael Hook’s transaction history.

POS 12.30 pm SF, 22.07.16, Starbks
POS 16.30 pm SF, 22.07.16, Movtkts
POS 19.30 pm SF, 22.07.16, Metreon
POS 20.20 pm ABJ, 22.07.16, Fouani Electronics
 – there it was, popping out at him like a girl in a magenta halter in a room full of black tuxedos! Oliver quickly runs a check for country codes and finds ABJ is Abuja, Nigeria.

Oliver’s fingers flew over the keyboard and his eyes scanned through Michael Hook’s transaction history for the past seven days. Come on Clari5, he urged. Clari5, Oliver’s best friend, obliged. Michael Hook’s transactions seemed fine, no anomaly, no suspicious activity. So then what explained Nigeria?

Could Michael, a regular graphic designer, travel from San Francisco to Nigeria, a distance of over 7700 miles in 50 minutes? He ain’t no Superman!

12.30 pm, 22.07.2016, Starbucks, 3595 California Street, San Francisco

“Good afternoon sir, can I take your order?”

“Hi. Mmm… I’ll have a chicken BLT sandwich and a decaf Pike Place coffee, please.”

“Sure. What name shall I add to the order?”

“Michael Hook.”

“Have a seat and we’ll call out your name. Have a good day.”

Michael looked at his Fitbit. 12.33 pm. God! “Is it stuck or is it me?” he wondered. He looked thoughtful as he sat down, his mind unspooling the conversation he had with Jessica in the morning. Sigh! He swiped through his messages. “4.30 show, don’t forget, J.” Her curt response: “Yup.”

He’s got to make it up to her, he loves her too much to lose her. Thoughts swirled in his head like the steam from the coffee mug. Should he buy her something before the movie? A ring? Would she accept?

“Can I afford to get married?”

Technology is a savior. Michael checked his bank account on his smartphone. $10,578. He had the dosh. He felt a sliver of excitement welling up inside of him. Yes, maybe he would surprise Jessica after all. 

16.30 pm, 22.07.2016

Back in the office, Michael bought two movie tickets at movietickets.com. “Booked for To Steal From A Thief. See you at 6.00 – AMC Metreon,” he texted. “See you” popped up on his phone. Michael continued to look at his text message knowing Jessica was still miffed at him, but his modus operandi was all sorted.

POS 19.30 pm SF, 22.07.16

“Large tub of cheese popcorn and two Diet Cokes, please!”

“That’ll be $5.50. Thank you.”

The counter assistant at the popcorn counter at the Metreon swiped Michael’s card. It’s intermission and Michael wanted to hurry back to Jessica. She seemed to be enjoying the movie. He knew it was all going to be okay.

POS 20.20 pm ABJ, 22.07.16, Fouani Electronics

“Come on Michael,” Oliver muttered under his breath. “Tell me you’re in San Francisco buddy and we’ll be fine, just confirm it man.” But Michael’s phone was on “silent”. He missed the SMS alert completely, and the second one as well.

“Breathe Oliver, it’s okay Oliver, have sent the two alerts to Michael Hook.” Oliver tried to soothe his frayed nerves. All POS transactions checked out. The last one at 20.20 ABJ seemed different. Was Michael in Nigeria? But Michael hadn’t travelled anywhere in the last 12 months! Clari5 confirmed that. Oliver commanded Clari5 to give up Michael’s transaction history for the last six months to double-check. No, nothing. Michael wasn’t a big spender. And neither was he a defaulter. His last big electronics purchase was for a Kindle. Wow!

Oliver checked with Clari5: “do you think it’s a fraudulent transaction?” Clari5 advised Oliver to refuse authorisation of Michael’s card for $2,150 at Fouani Electronics, ABJ. That’s it, Oliver made his decision. He ran a few commands and an SMS was sent to Michael disabling his credit card.

22.00 pm, 22.07.16

Michael looked at the two texts from BoS. His credit card was disabled. At that exact moment his phone rang. “Oliver Pagliace from BoS. Am I speaking with Michael Hook?” 

Two days later at Fiore d’Italia – 20.00 hrs.

“OMG! Really? Oh darling, when did you, I can’t imagine…”

Michael just finished proposing to Jessica. With his credit card.

22.00 hrs, BoS branch, San Francisco, California – 24.07.16

The light from the monitor was blinking. Oliver was just biting into a sandwich. He turned around. Clari5 was at it again. This time it was Dar-es-Salaam.

“Gotcha.”
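The check that catches the Abuja purchase in the story is a geo-velocity ("impossible travel") rule: two card-present transactions too far apart for the time between them. The sketch below is an added example, not Clari5's code; the city coordinates, the 600 mph ceiling and the assumption that all timestamps are on one clock are choices made for the example.

```python
import math
import re
from datetime import datetime

# Constructed lookup: approximate coordinates for the two location codes in
# the story. A real system would take these from merchant or terminal data.
COORDS = {"SF": (37.7749, -122.4194), "ABJ": (9.0765, 7.3986)}
MAX_MPH = 600.0  # assumed ceiling, roughly airliner cruising speed

# Transaction lines as they appear in the story.
SAMPLE = """\
POS 12.30 pm SF, 22.07.16, Starbks
POS 16.30 pm SF, 22.07.16, Movtkts
POS 19.30 pm SF, 22.07.16, Metreon
POS 20.20 pm ABJ, 22.07.16, Fouani Electronics
"""

LINE_RE = re.compile(
    r"^POS (\d{1,2})\.(\d{2}) (?:am|pm) ([A-Z]+), (\d{2}\.\d{2}\.\d{2}), (.+)$")

def parse(line):
    """Return (timestamp, location code, merchant) for one POS line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised POS line: {line!r}")
    hh, mm, loc, date, merchant = m.groups()
    # Hours are already on a 24-hour clock ("16.30 pm"), so the suffix is ignored.
    ts = datetime.strptime(f"{date} {hh}:{mm}", "%d.%m.%y %H:%M")
    return ts, loc, merchant

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two location codes."""
    lat1, lon1, lat2, lon2 = map(math.radians, COORDS[a] + COORDS[b])
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))

def impossible_travel(lines, max_mph=MAX_MPH):
    """Flag transactions whose implied speed from the previous one exceeds max_mph."""
    txns = sorted(parse(l) for l in lines if l.strip())
    alerts = []
    for (t0, loc0, _), (t1, loc1, merchant) in zip(txns, txns[1:]):
        if loc0 == loc1:
            continue
        hours = (t1 - t0).total_seconds() / 3600
        dist = miles_between(loc0, loc1)
        # Zero elapsed time between two different cities is always impossible.
        if hours <= 0 or dist / hours > max_mph:
            alerts.append({"merchant": merchant, "from": loc0, "to": loc1,
                           "minutes": round(hours * 60), "miles": round(dist)})
    return alerts

if __name__ == "__main__":
    print(impossible_travel(SAMPLE.splitlines()))
```

A rule like this only compares consecutive card-present transactions; online purchases carry no physical location and need a different signal.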

Financial Mecca Tightening The Screws On Anti-Money Laundering!

“Breaking News: Singapore to use data tracking against money-laundering”. What bearing does this headline have on a safer and more secure banking system?

The 1MDB fiasco

Let’s rewind to 2015 and 1Malaysia Development Berhad – a Malaysian fund set up in 2009 by the Prime Minister of Malaysia, with the intention of turning Kuala Lumpur into a financial hub, much like its neighbour, through strategic investments, to help boost the economy.

The Wall Street Journal broke a story in 2015 and reported a paper trail of alleged misappropriation of funds in 1MDB to the tune of US $700 million, traced to the PM’s personal accounts.

All hell broke loose and investigations by the US Department of Justice revealed that the quantum of laundered money is actually US $3.5 billion!

Since then, multiple foreign authorities have been involved in the investigations of this scam – something so massive that it has thrown open a Pandora’s box on the prevalent AML security systems in banks.

In May, earlier this year, Singapore, South East Asia’s leading financial centre, ordered the Swiss bank BSI to shut down on charges of “suspected corruption of public foreign officials, dishonest management of public interests and money laundering”.

MAS (Monetary Authority of Singapore) and its role in banking regulations

A brief perspective on MAS and its scope of authority – www.mas.gov.sg states, “As Singapore’s central bank, the Monetary Authority of Singapore (MAS) promotes sustained, non-inflationary economic growth through appropriate monetary policy formulation and close macroeconomic surveillance of emerging trends and potential vulnerabilities.”

“It manages Singapore’s exchange rate, foreign reserves and liquidity in the banking sector. MAS is also an integrated supervisor overseeing all financial institutions in Singapore — banks, insurers, capital market intermediaries, financial advisors, and the stock exchange.”

 

“With its mandate to foster a sound and progressive financial services sector in Singapore, MAS also helps shape Singapore’s financial industry by promoting a strong corporate governance framework and close adherence to international accounting standards.”

“In addition, it spearheads retail investor education.”

“MAS ensures that Singapore’s financial industry remains vibrant, dynamic and competitive by working closely with other government agencies and financial institutions to develop and promote Singapore as a regional and international financial centre.”

Given the nature of its position and authority, one of its functions is to “conduct integrated supervision of financial services and financial stability surveillance.”

“Moreover with Singapore being a key financial mecca in the South Asian region, it plays an active role in international fora and is a key contributor to shaping financial regulatory norms.”

In this context, given the nature of the 1MDB scandal, Singapore’s MAS has been probing different banks for any breach of security and money laundering activities while handling transactions linked to 1MDB.

To quote a report in Shanghai Daily, “The Monetary Authority of Singapore is looking at several aspects of the UBS and DBS Group Holdings’ operations including whether they were diligent enough in knowing who their customers were and what the source of their funds was, and whether they were particularly careful in screening politically-exposed persons such as government officials, banking and legal.”

The investigation by MAS could lead to hefty fines and various other penalties if the banks under question were found to be non-compliant with the very stringent anti-money laundering rules, policies and measures.

In the past, the US has imposed hefty penalties on banks found to have lapses with money-laundering activities, tax evasion and international sanctions, but Asian regulators have been found to be slow to act.

Given this context, it was incumbent upon Singapore to act tough and prove that banks in the city-state are complying with anti-money-laundering rules.

Given this back story, it is but natural for the central bank of Singapore to clamp down heavily on any fraudulent activity that jeopardizes the reputation of Singapore as a mecca for banking, not only in Asia but globally.

“We will make more robust risk assessments of financial institutions’ business activities, client profiles, geographical connections, transaction volumes and quality of controls,” Ravi Menon, the MD of MAS said.

According to the UN Office on Drugs and Crime, the estimated amount of money siphoned off globally in one year is 2 – 5% of global GDP, or $800 billion – $2 trillion in current US dollars. Money laundering is an epidemic and must be curbed – no question about it.

Advanced tech to the rescue

With escalating frequency and complexity of financial crimes, it is imperative for banks to pay greater attention to fraud prevention not just from a regulatory compliance perspective but for better operational risk management.

They must understand that if their systems are not preemptive in nature, then ‘post-incident’ scenarios are going to be quite common.

Banks need to work in partnership with solution innovators to combat the menace.

 

Given the sophistication of large-scale economic fraud, there is a need to move away from conventional channel-centric AML approaches and consider real-time, cross-channel solutions that have the capability to analyse big data and provide real-time intelligence covering Suspicious Activity Monitoring, Customer Risk Categorization, Entity Identity Resolution/Watch List Filtering, Regulatory Reporting (CTR/STR/SAR), Case Management and Entity Link Analysis.

Banks must understand the gravity of the situation and begin evaluating solutions that can quickly enable a strong and strategic fraud prevention framework to proactively thwart potential threats from sophisticated money-laundering syndicates.
