
SWIFT: The Financial Industry Infrastructure for Secure Messaging

SWIFT: The Financial Industry Infrastructure for Secure Messaging. Gabriel Soriano, October 4th, 2006, NYSSCPA Banking Convention. Agenda: 1. Overview of SWIFT. 2. Access to the SWIFT interface. 3. Access to the SWIFT network. 4. Message integrity, confidentiality controls.


Presentation Transcript


  1. SWIFT: The Financial Industry Infrastructure for Secure Messaging. Gabriel Soriano, October 4th, 2006, NYSSCPA Banking Convention. Corp_present_20060927_v27.ppt

  2. Agenda
      1 Overview of SWIFT
      2 Access to the SWIFT interface
      3 Access to the SWIFT network
      4 Message integrity, confidentiality controls
      5 Messaging Service and Interface Control functions

  3. Introducing SWIFT: Community, Standards, Platform

  4. The SWIFT community [timeline figure, 1973 to 2004: banks found SWIFT in 1973. Years shown: 1973, 1987, 1988, 1989, 1990, 1992, 1995, 1996, 1998, 1999, 2000, 2001, 2002, 2004. User categories named in the figure: broker/dealers; central depositories & clearing institutions; exchanges; securities market data providers; travellers cheque issuers; fund administrators; money brokers; MA-CUGs; registrars & transfer agents; custody providers; trust or fiduciary services companies; securities MIs; treasury counterparties; treasury ETC service providers; investment managers; payments MIs; proxy voting agencies; non-shareholding financial institutions; trading institutions; treasury securities ETC service providers]

  5. SWIFT governance
      • Oversight: National Bank of Belgium and G-10 Central Banks
      • Governance: Board, Board Committees, National Member Groups, User Groups, SWIFT members, SWIFT community

  6. Sibos – forum for industry dialogue
      • Financial industry’s premier event
      • Global forum to debate strategic issues
      • Conference, exhibition, networking
      • 6,000 executives and technology managers
      • 2007: Boston, US, 1-5 October

  7. Working with SWIFT Partners
      • Solution Partners: Providers of business applications, middleware, and interfaces
      • Service Partners: Implementation and integration of connectivity and SWIFTSolutions
      • Business Partners: Marketing and selling SWIFT products
      • Network Partners: AT&T, Colt, Equant, BT Infonet

  8. SWIFT figures (July 2006)
      • 2.5 billion messages per year
      • 7,940 customers
      • 206 countries
      • Average daily traffic: 11.2 million messages
      • Peak day of 12.8 million messages: 30 June 2006

  9. SWIFTNet FIN messages by market (July 2006)
      • Trade: 27 million msgs
      • Treasury: 104 million msgs
      • Payments: 895 million msgs
      • Securities: 605 million msgs

  10. Traffic and Pricing: Harnessing economies of scale [chart: Price (EURcent/msg) and Traffic (millions of messages) by year, 1991 to 2006E]

  11. Extending reach: Embracing the business community
      • Corporates
      • Securities
      • Banking and Payments

  12. Banking Market Infrastructures – July 2006 (High-Value Payments)
      • Live: Albania (AIP), Algeria (RTGS), Angola (PTR), Australia (PDS), Austria (ARTIS), Azerbaijan (AZIPS), Bahamas (BHS), Barbados (BDS), Belgium (ELLIPS), Bosnia & Herzegovina (BIH), Bulgaria (BGN-RINGS), Canada (LVTS), Chile (Netting - LBTR), CLS Bank, Croatia (HSVP), Denmark (DDK-KRONOS), Egypt (CBE), EBA Clearing (EURO1/STEP1), ECB (TARGET), Finland (BOF), France (CRI – PNS/TBF), Germany (RTGSPlus), Ghana (GISS), Greece (HERMES), Guatemala (RTGS), Hungary (VIBER), Ireland (IRIS), Italy (BIREL), Jordan (RTGS), Kenya (KEPSS), Kuwait (RTGS), Latvia (LVL), Luxemburg (LIPS), Malta (MARIS), Mauritius (MACSS), Namibia (NISS), Netherlands (TOP), New Zealand (AVP), Norway (NICS), Oman (RTGS), Philippines (PPS), Romania (REGIS), Slovenia (SIPS), South Africa (BOP - RTGS - SAMOS), Spain (NSLBE - SLBE), Sri Lanka (LankaSettle), Sweden (RIX), Switzerland (Remote Gate), Tanzania (TISS), Thailand (BAHTNET/2), Trinidad & Tobago (SAFE-TT), Uganda (UNIS), United Kingdom (CHAPS-£ CHAPS-€ / Enquiry Link), United States (CHIPS), Venezuela (PIBC), Zambia (RTGS), Zimbabwe (ZETTS), West African States (BCEAO)
      • Implementation, Planning/Discussion: Bahrain (RTGS), Lesotho (RTGS), Botswana (RTGS), Morocco (RTGS), Central African States (BEAC), Pakistan (RTGS), Eurosystem (TARGET2), Singapore (MEPS+), Israel (RTGS), Tunisia (RTGS), Fiji (RTGS), Georgia (RTGS), Lebanon (RTGS), Palestine (RTGS), Peru (RTGS), Russian Federation (RTGS)

  13. Community and Business dimensions
      Heritage
      • Established in 1973 by 239 banks in 15 countries
      • Developed shared messaging platform for financial transactions
      • Emphasis on security, reliability and availability
      Understanding
      • Serving over 7,800 financial institutions across 204 countries
      • Payments, Securities, Foreign Exchange, Treasury and Trade
      • Reducing costs, improving automation, managing risk
      Neutrality
      • Industry-owned community
      • Overseen by regulatory authorities
      • Impartial to the data transacted across the messaging platform
      Technology
      • Store and forward, file transfer, interactive query & response
      • Open standards
      • IP VPN over fibre-optic backbone

  14. SWIFT
      • Business and Technical Messaging Communications across the lifecycle of a financial transaction
      • SWIFT does NOT provide clearing or settlement services
      • SWIFT does not hold accounts or assets
      • Participants are responsible for their data
      • SWIFT is neutral, apolitical and user-owned

  15. Introducing SWIFT: Community, Standards, Platform

  16. Message categories
      0 System messages
      1 Customer transfers & cheques
      2 Financial institutions transfer
      3 Foreign exchange, money markets & derivatives
      4 Collections & cash letters
      5 Securities markets
      6 Precious metals & syndications
      7 Documentary credits & guarantees
      8 Travellers cheques
      9 Cash management & customer status

  17. Message structure

  18. SWIFTStandards development: A business centric approach [diagram labels: Business process modelling, SWIFTNet, Market practice, Applications, Integration, Standards, Partners, SWIFT]

  19. SWIFTStandards: Payments market [diagram. Parties: Ordering customer, Ordering customer’s financial institution, Beneficiary customer’s financial institution, Beneficiary customer. Flow labels: MT 101; Payment Initiation (CT + DD); MT 1xx, 2xx; Single Credit Transfers; Bulk Payments (CT + DD); MT 9xx; Cash Management; Exceptions & Investigations. Legend: FIN-based, XML-based (under construction)]

  20. Introducing SWIFT: Community, Standards, Platform

  21. SWIFTNet
      • One platform
      • Full STP
      • Highest level of security and resiliency
      • Standards
      • Lower costs
      • Reduced risk
      • Improved liquidity management
      • Facilitate Compliance
      Single access infrastructure
      • Payments
      • Foreign Exchange
      • Securities
      • Account Reporting
      • Messaging Services
      • FIN
      • FileAct
      • InterAct
      • Browse
      [Diagram labels: Applications (Trade, Treasury, Payments, Investigation); ABC Bank, XYZ Bank, Other Bank, Any Bank; SWIFTNet interface]

  22. SWIFT product stack
      • SWIFTSolutions: Payments, Treasury, Trade, Securities
      • Directories and Information Services
      • Messaging Services
      • Interfaces
      • Secure IP Network (SIPN)
      [Side labels: Standards, Rules, SWIFTSolutions, Quality of service, Security, Resilience, Reliability]

  23. Identify potential risks in the following areas:
      • Access to the SWIFT interface
      • Access to the SWIFT network
      • Integrity/confidentiality of the SWIFT messages
      • Integrity of the message flow

  24. SWIFT interfaces
      • Open and close connection to STN/SIPN
      • Send messages to SWIFT
      • Receive messages from SWIFT
      • Manually enter messages
      • Accept messages from a back office application
      • Send messages to a back office application
      • Send messages to a printer

  25. SWIFT interfaces
      • SWIFTAlliance Access
      • SWIFTAlliance Entry
      • MERVA/ESA
      • TURBO SWIFT
      • STELINK
      • MINT
      • FASTWIRE
      • BESS
      • NOVA SWIFT
      • ...

  26. Connecting to SWIFTNet: Many ways of implementing… [diagram labels: Business Layer (Back Office applications, Middleware); Messaging Layer (Messaging interfaces); Communication Layer (Communication Interfaces, VPN box); SWIFTNet Services; SWIFTNet; Your counterparty]

  27. SWIFTAlliance interface [diagram labels: Application Layer; Middleware Layer; Messaging Layer; Communication Layer; SWIFTNet Services; SWIFTAlliance Gateway (SAG); SWIFTAlliance Starter Set (SAS); SWIFTAlliance Access (SAA); SWIFTAlliance Entry (SAE); VPN box; SWIFTNet; You; Your counterparty]

  28. Signing on to the SWIFT interface

  29. Passwords
      • Initialisation password
      • Master password
      • Password documents available?
      • Access to password documents?

  30. Users of the SWIFT interface
      • Anonymous names vs personal operator names
      • Are all operators still using the interface?

  31. Enabling an operator
      • Automatically enabled when approved by both LSO and RSO

  32. Disabling an operator
      • Automatically, after too many wrong passwords
      • Manually, by LSO, RSO or anybody with disabling permission

  33. Security parameters
      • List of configuration parameters
      • e.g. user period, max # of bad passwords…
      • Only visible to LSO and RSO

  34. SWIFTAlliance: Segregation of duties
      • Creation
      • Verification
      • Authorisation
      • Approval
      • Modification

  35. Profiles
      • Each operator has at least one profile
      • A profile defines the applications, functions and permissions for one or more operators
      • One profile can be given to several operators
      • If permissions change, the operators are disabled; LSO and RSO must re-approve these operators

  36. Profile details
      • A profile has 3 levels:
      • applications
      • functions
      • permissions

  37. Permission details
      • Prohibited nothing = no restrictions
      • Allowed are all MTs starting with 1, 2 and 9
      • SWIFT FIN system MTs not allowed

  38. What to check in a profile?
      • Access control
      • Message Creation and Modification
      • Message Approval
      • Message File
      • Security Definition

  39. Identify potential risks in the following areas:
      • Access to the SWIFT interface
      • Access to the SWIFT network
      • Integrity/confidentiality of the SWIFT messages
      • Integrity of the message flow

  40. SWIFT’s Secure IP Network (SIPN)
      • IPsec tunnels provide end-to-end protection through the ‘untrusted’ vendor IP networks
      [Diagram labels: SWIFT Customer, VPN box, M-CPE, Customer POP, Network Partner 1, Network Partner 2, SIPN Access Network, Backbone Access Points, SIPN Backbone Network, OPCs, SWIFT]

  41. Security equipment needed to connect to FIN
      • Card readers
      • Integrated Circuit Cards (ICCs)
      [Diagram labels: Bank A, Bank B]

  42. Secure Card Reader (SCR)
      • Functions related to BKE and SLS services
      • Configuring and managing ICCs
      • PIN updates
      • SCR configuration

  43. Integrated Circuit Card (ICC)
      • Contains the functional elements of a microcomputer
      • Embedded chip within the card
      • Works only when inserted into a card reader
      • Protected by 1 or 2 PINs
      • Unique reference = SWIFT Card Number (SCN)

  44. Connecting to the SWIFT network: Secure Login and Select (SLS) [diagram labels: LOGIN, SELECT, FIN, APC, LTC]

  45. Manual Login and Select
      • Insert USER ICC in the card reader
      • Use the CBT to send Login and Select to SWIFT

  46. Automated Login and Select
      • No operator intervention
      • USER ICC must be in card reader on Login and Select
      • or Session Keys must have been downloaded in advance

  47. Disconnecting from the SWIFT network [diagram labels: QUIT, LOGOUT, FIN, APC, LTC]

  48. SWIFTNet FIN Phase 2
      • PKI: FIN Access control
      • PKI: End-2-end security
      • RMA: Relationship mgt.
      [Diagram labels: SWIFTNet PKI, FIN, HSM, SWIFTNet FIN interface]

  49. Identify potential risks in the following areas:
      • Access to the SWIFT interface
      • Access to the SWIFT network
      • Integrity/confidentiality of the SWIFT messages
      • Integrity of the message flow

  50. Authentication
      • Applied on user-to-user messages
      • Assures identity of sender
      • Integrity of message text
      • Mandatory for most message types
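
The operator and profile rules from slides 31, 32, 35 and 37, modelled as an added example (not part of the presentation and not SWIFTAlliance code). The class names, the threshold of three bad passwords, and the choice to require fresh LSO and RSO approval after an automatic disable are illustrative assumptions.

```python
from dataclasses import dataclass, field

MAX_BAD_PASSWORDS = 3  # assumed value; the slides only name the parameter


@dataclass
class Profile:
    name: str
    allowed_prefixes: set  # first digit of the MT numbers the profile permits
    operators: list = field(default_factory=list, repr=False, compare=False)

    def may_handle(self, mt: str) -> bool:
        # Slide 37: MTs starting with 1, 2 and 9 allowed; FIN system MTs
        # (category 0 on slide 16) are never allowed.
        return mt[:1] in self.allowed_prefixes and not mt.startswith("0")

    def change_permissions(self, prefixes: set) -> None:
        # Slide 35: a permission change disables every operator on the profile
        # until LSO and RSO re-approve them.
        self.allowed_prefixes = set(prefixes)
        for op in self.operators:
            op.approvals.clear()


@dataclass
class Operator:
    name: str
    profile: Profile
    approvals: set = field(default_factory=set)
    bad_passwords: int = 0

    def __post_init__(self):
        self.profile.operators.append(self)

    def approve(self, officer: str) -> None:
        if officer not in ("LSO", "RSO"):
            raise ValueError("only the LSO and RSO approve operators")
        self.approvals.add(officer)

    @property
    def enabled(self) -> bool:
        # Slide 31: enabled automatically once both security officers approve.
        return self.approvals == {"LSO", "RSO"}

    def wrong_password(self) -> None:
        # Slide 32: automatic disable after too many wrong passwords
        # (assumption: the operator then needs fresh approval).
        self.bad_passwords += 1
        if self.bad_passwords >= MAX_BAD_PASSWORDS:
            self.approvals.clear()
            self.bad_passwords = 0

    def may_send(self, mt: str) -> bool:
        return self.enabled and self.profile.may_handle(mt)
```
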
