The SWIFT Customer Security Program (CSP) continues to evolve, as do the threat actors. Roy Belchamber explains how you can comply with the updated Customer Security Controls Framework (CSCF) and simultaneously protect your organization from the monetary impacts of ever-increasing, but adapted, wire fraud threats.
As CSP has evolved year-on-year, it has significantly raised the community’s cyber-security awareness and bolstered defenses. Evidence points to a dramatic fall-off in cyber attacks successfully targeting the back-office infrastructures of SWIFT-connected financial institutions. Accordingly, the fraudulent payments resulting from this type of institutional compromise have also enormously reduced. This is all positive and welcome.
But it is rare that fraud just disappears. Far from it. It is more typical that it is displaced; attack vectors and targets are adapted, alternate weaknesses exploited. There is some empirical evidence to suggest that the cyber criminals and advanced persistent threat actors (APTs) previously targeting SWIFT-connected financial institutions may have set their sights elsewhere over the past year or so, from ‘softer’ targets such as government-run pandemic relief programs to other high-value prizes, such as cryptocurrency theft.
However, in parallel, the sophistication of social engineering scams is rising, and malware is becoming ever-more mature and effective. Factor in the transnational nature of the various APTs and organized crime gangs and you soon understand why more of this high-value cyber fraud is being carried not just domestically, but also on cross-border payment rails. Not because of cyber compromise of the financial institutions themselves, but as a natural downstream output of more traditional predicate scams. These scams are being executed with higher levels of sophistication and at higher values, but following the usual modus operandi including high-value CEO fraud, fake invoices, investment scams and more.
Organized crime gangs and threat actor groups are more than happy to embrace the benefits of the community’s move to near real-time payments. This now enables them to quickly and efficiently move their proceeds of crime cross-border, out of reach and recovery, and leaves financial institutions facing a number of challenges in the SWIFT context:
- Complying with CSCF v2022, attesting to this and supporting this attestation with independent assessment. This latest version, effective from July, introduces one very significant change: control 2.9 (transaction business controls) is now mandatory. The objective of this control is to ensure banks monitor that transaction activity is within the expected bounds of normal business.
- Yet we see that the specific threat which control 2.9 addresses – cyber compromise of back-office infrastructure resulting in fraudulent payment injection into the payment network interface – seems to have all but disappeared over the past year or so.
- Conversely, more traditional wire-fraud threats are becoming more prevalent, more sophisticated and more likely than ever to be carried on the very same cross-border rails.
SWIFT-connected financial institutions now face a dilemma when choosing the monitoring tool to comply with their control 2.9 obligations. Should they take an approach that certainly looks sensible at first sight – selecting a simple, rules-based, in-network service that only addresses this very specific, very narrow use case? Or do they look for a solution that can cover both CSP compliance and the very real and increasingly sophisticated threat of evolved, high-value wire fraud?
Not all fraud problems are equal
To be clear, the present-day wire fraud threats are of such a nature that they cannot be effectively countered using simplified approaches. It is a different and far more challenging problem. Using a service built on simplified bounding rules typically demands an enormous number of discrete rule scenarios to be created and managed by the financial institution, each mapping to risky payment characteristics, if these are even understood. Such an approach will soon become unmanageable and ineffective. It will almost certainly raise a mountain of poor-quality alerts, or worse: genuine messages blocked unnecessarily.
This is because a tool that is only designed to monitor at an institutional level, using discrete bounding rules, cannot successfully pinpoint payment messages resulting from upstream scams. Doing this effectively is a far more significant challenge, one that can only really be performed using behavioral profiling at an account-to-account level. There is simply insufficient context to understand historical patterns at an institutional level; this is too aggregated. It is customers who are being scammed. Therefore, you need to understand behavior at the customer/account level. Anything more basic is far too crude and inaccurate.
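The contrast between an institution-level bounding rule and account-level profiling can be shown on a few constructed payments. This is an added illustration, not NetGuardians' or SWIFT's code: the account names, the bank-wide limits and the simple z-score plus new-counterparty scoring are all assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (debtor_account, creditor_account, amount)
HISTORY = [
    ("ACC-RETAIL-1", "ACC-LANDLORD", 1200.0),
    ("ACC-RETAIL-1", "ACC-LANDLORD", 1200.0),
    ("ACC-RETAIL-1", "ACC-UTILITY", 90.0),
    ("ACC-RETAIL-1", "ACC-UTILITY", 110.0),
    ("ACC-CORP-1", "ACC-SUPPLIER", 480000.0),
    ("ACC-CORP-1", "ACC-SUPPLIER", 510000.0),
    ("ACC-CORP-1", "ACC-SUPPLIER", 495000.0),
]
# Constructed new payments: a scam-driven transfer and a routine corporate one
SCAM = ("ACC-RETAIL-1", "ACC-NEW-BENEFICIARY", 45000.0)
ROUTINE = ("ACC-CORP-1", "ACC-SUPPLIER", 500000.0)

def institutional_rule(payment, limit):
    """Bank-wide bounding rule: alert when the amount exceeds one limit."""
    return payment[2] > limit

def build_profiles(history):
    """Per-debtor-account profile: past amounts and known counterparties."""
    profiles = defaultdict(lambda: {"amounts": [], "creditors": set()})
    for debtor, creditor, amount in history:
        profiles[debtor]["amounts"].append(amount)
        profiles[debtor]["creditors"].add(creditor)
    return dict(profiles)

def account_score(payment, profiles, z_threshold=3.0):
    """Risk score in [0, 1]: 0.5 for a new counterparty, 0.5 for an amount
    far above this account's own history (simplified heuristic)."""
    debtor, creditor, amount = payment
    profile = profiles.get(debtor)
    if profile is None:
        return 1.0  # no history for this account: treat as highest risk
    mu = mean(profile["amounts"])
    sigma = pstdev(profile["amounts"]) or 1.0  # avoid division by zero
    score = 0.0
    if creditor not in profile["creditors"]:
        score += 0.5
    if (amount - mu) / sigma > z_threshold:
        score += 0.5
    return score

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for name, p in (("scam", SCAM), ("routine", ROUTINE)):
        print(name,
              "limit=1,000,000:", institutional_rule(p, 1_000_000.0),
              "limit=40,000:", institutional_rule(p, 40_000.0),
              "account score:", account_score(p, profiles))
```

With a loose bank-wide limit the scam payment passes unnoticed; tightening the limit far enough to catch it also alerts on the routine corporate payment, while the per-account score separates the two.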
Consider your coverage
Understanding customer behavior is where NetGuardians’ fraud-prevention software excels. It is important to understand that the NetGuardians solution covers multiple use cases:
- SWIFT CSP compliance, on both inbound and outbound payment traffic – using a combination of techniques, including simple bounding controls and behavioral profiling at bank, customer and account levels.
- Behavioral profiling for wire fraud carried over SWIFT – regardless of the upstream scams.
- Behavioral profiling for payment fraud on additional domestic and cross-border networks, including both traditional payment rails and instant payment schemes.
To draw an analogy, when you mean business about keeping thieves out, there’s not much point in putting a lock on the door but leaving your windows open. Yet this is effectively what banks are doing when they rely on stopping fraud by sticking with over-simplified, inappropriate protections.
A focus on customer behavior
Banks should focus their attention on fraud prevention that protects them from cyber compromise, but also addresses upstream scams and many other account fraud types, across any network, not just one specific network. Given that the techniques employed by the fraudsters keep changing, this means looking not at what the perpetrators are doing and working out ways to prevent that, but learning the behavior of customers so that risky, anomalous activity can be spotted and stopped quickly.
NetGuardians’ real-time fraud-prevention software builds customer and account profiles against which it compares every payment to give a risk score. Using sophisticated artificial intelligence models, the software is so accurate that it cuts false alerts for fraud by 85 percent and spots more fraud. Fewer false alerts mean lower operating costs, while greater fraud prevention means less money is lost to criminality. All of this helps to protect not only your customers’ assets, but also your bank’s reputation. Furthermore, this fraud prevention complies with SWIFT’s CSCF and operates on both outbound and inbound payment message traffic, for MT and ISO 20022.
It is easily incorporated to give real-time fraud prevention in payment flows, with a simple SaaS subscription. This is safe and secure from your local infrastructure, pre-integrated with APIs for leading digital banking platforms such as Finastra. The solution can be up and running quickly, spotting and stopping both domestic and cross-border fraud, regardless of the type and source of this fraud or payment rails.
Any bank looking at upgrading its fraud-prevention controls to comply with SWIFT’s latest changes to its CSCF must think about the bigger picture. While it’s certainly good to have protection against fraudulent cross-border payments from cyber-threat actors, it’s far better to install software that also protects across other networks – such as domestic, Single Euro Payments Area (SEPA) or other payment schemes. It’s time to put locks on the windows too, not just the door.
Roy Belchamber is head of product management at NetGuardians and former product manager at SWIFT