
SWIFT was not compromised but misused, says Alain Raes

The issue with customised messages, identified by the suffix of 99, is that they are almost impossible to audit and SWIFT doesn't validate these transactions

Anup Roy New Delhi
Last Updated : May 09 2018 | 7:00 AM IST
The Society for Worldwide Interbank Financial Telecommunications (SWIFT) for years has been prodding Indian banks to use more structured messages instead of customised ones so that they can be audited easily. The issue with customised messages, identified by the suffix of 99, is that they are almost impossible to audit and SWIFT doesn’t validate these transactions. The Nirav Modi scam at Punjab National Bank (PNB) shows that banks are not listening. In an interaction with Anup Roy, Alain Raes, chief executive (Europe, Middle East and Africa, and Asia Pacific), SWIFT, said SWIFT was not compromised but misused. Edited excerpts: 

What are you doing about the security of the SWIFT network? The recent events seem to show that people could easily breach the systems.

The word “easily” is an overstatement. Since the Bank of Bangladesh heist two years ago, we concluded that while the SWIFT network hasn’t been compromised, what happens is that banks are not implementing the required level of security measures. We have 16 security principles and 11 advisories. These principles range from better credentials, training to employees, network integration, using of two-factor authentication and other security protocols. We defined those principles about 18 months ago and then mandated all clients of SWIFT to self-attest against those principles. We are also introducing, among other measures, services that automatically stop a transaction if it does not fall into a regular pattern.

How did Indian banks react to your 16 principles?

In India, 85 per cent of all the banks self-attested by the end of last year. That doesn’t mean that all those banks were fully compliant with all the principles. Full compliance will have to come by the end of this year. But many of these banks have said they were fully compliant. Two months ago we communicated to all the local regulators the list of the banks which had not done self-attestation. Next year also we will do the same thing. 

Did PNB say it was fully compliant?

It’s different there. What happened in PNB concerned processes, not cyber-attacks. It’s misuse of processes of the banks by insiders — nothing to do with us really. 

The RBI came up with advisories to fix vulnerabilities in the SWIFT network. 

They were about the environment, not SWIFT. One of the recommendations was integrating the SWIFT network with the bank’s back-office operations. These we have been recommending for years. Some did, some didn’t. Somewhere, what the RBI was recommending was part of the 16 principles we have. 

In SWIFT you have various formats, but it seems Indian banks prefer to transact in the ‘99’ suffix, which is highly customised. 

We have categories of messages. Each of those categories covers different banking business segments. For example, category five is for securities clearance, category one is for covering customer payments, category two is for treasury transactions, and category three is for foreign exchange. Now, within each of those categories, at the end we have a ‘99’ suffix. These are open formats. These are not automatable; these are something that banks are defining between themselves.

The RBI found that is the problem — Indian banks rampantly use these 99 formats. 

They do. 

They are very difficult to audit?

Absolutely. Every single 99 is a single transaction. It has to be coupled with an agreement between different parties involved in such transactions. It’s typically not what we recommend. What we are recommending is a message like code one or three, which is a customer transfer where you have a sequence of fields, where data needs to be fed. When you start moving to 99, it becomes a lot less automatable, processing is impacted, and leads to mistakes, errors, and eventually frauds. And by the way, we don’t validate those transactions. 

Meaning? 

With structured messages, we validate the syntax of those messages against the standard. If banks don’t respect the syntax, those messages are rejected by the network. 

But still they go through?

They go through, yes, but we don’t validate those.
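As an added illustration of the distinction Raes draws (this is editorial example code, not from the article, SWIFT or PNB), a small Python check reads the message type from a FIN message's application header, treats any type ending in 99 as free-format that bypasses network syntax validation and routes it to manual audit, and checks structured types such as MT103 against a list of mandatory fields. The block layout, the mandatory tag lists and the sample messages are assumptions drawn from the public MT format and constructed for the example.

```python
import re

# Mandatory tags per structured message type. Field lists are an assumption taken
# from the public MT standard for illustration; they are not from the article.
MANDATORY_TAGS = {
    "103": {"20", "23B", "32A", "50", "59", "71A"},  # single customer credit transfer
    "202": {"20", "21", "32A", "58"},                # general financial institution transfer
}
FREE_FORMAT_TAGS = {"20", "79"}  # MTn99: transaction reference plus free-text narrative

# Constructed sample messages (fictional BICs and references).
MT103_SAMPLE = (
    "{1:F01AAAAINBBAXXX0000000000}{2:I103CCCCGB22XXXXN}{4:\n"
    ":20:REF0001\n:23B:CRED\n:32A:180509INR1000000,\n"
    ":50K:/12345678\nORDERING CUSTOMER\n:59:/87654321\nBENEFICIARY\n:71A:SHA\n-}"
)
MT799_SAMPLE = (
    "{1:F01AAAAINBBAXXX0000000000}{2:I799CCCCGB22XXXXN}{4:\n"
    ":20:LOU0001\n:79:LETTER OF UNDERTAKING\nFREE TEXT AGREED BILATERALLY\n-}"
)

def message_type(fin_message: str) -> str:
    """Return the 3-digit MT type from the application header (block 2)."""
    m = re.search(r"\{2:[IO](\d{3})", fin_message)
    if not m:
        raise ValueError("no application header (block 2) found")
    return m.group(1)

def block4_tags(fin_message: str) -> dict:
    """Return {tag: value} for the fields in the text block (block 4)."""
    m = re.search(r"\{4:\s*(.*?)\s*-\}", fin_message, re.S)
    if not m:
        raise ValueError("no text block (block 4) found")
    pairs = re.findall(r":(\d{2}[A-Z]?):(.*?)(?=\n:\d{2}[A-Z]?:|\Z)", m.group(1), re.S)
    return {tag: value.strip() for tag, value in pairs}

def _present(tag: str, tags: dict) -> bool:
    # "50" accepts any option letter (50A/50F/50K); "32A" must match exactly.
    return tag in tags if tag[-1].isalpha() else any(t[:2] == tag for t in tags)

def classify(fin_message: str) -> dict:
    """Flag n99 messages for manual audit; check structured ones for mandatory fields."""
    mt, tags = message_type(fin_message), block4_tags(fin_message)
    if mt.endswith("99"):
        # Free-format: only an envelope to check, so the content must be reviewed by a person.
        missing = [t for t in sorted(FREE_FORMAT_TAGS) if t not in tags]
        return {"mt": mt, "structured": False, "missing": missing, "needs_manual_audit": True}
    required = MANDATORY_TAGS.get(mt, set())
    missing = [t for t in sorted(required) if not _present(t, tags)]
    return {"mt": mt, "structured": True, "missing": missing, "needs_manual_audit": bool(missing)}
```

Run over a bank's outbound message store, the share of messages returned with `structured: False` is the quantity the RBI observation about "rampant" 99 usage refers to.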

Are you planning to stop those messaging types?

No, we don’t. Because there is always the need for banks and institutions to exchange information that is not always fully standardised. And that happens in many other countries as well. But these are not the majority of messages. We do communicate, argue and push for more automation. That’s what we are trying to make in India. 

Are most of the transactions of Indian banks in 99 format?

No. Most of them are standard formats, but in the case of letters of undertakings (LoU), there were some problems. It is fair to say that trade finance transactions are much more difficult to automate. Again, you have rules and practices that differ from one country to another. 