
SWIFT published a new open API interface standard that allows a payer's financial institution to allocate advance funds, but an industry expert suggests the message network must close loopholes as well.

It is the Belgian-based Society for Worldwide Interbank Financial Telecommunication's second open banking extensions application programming interface this year. SWIFT, which moves hundreds of billions of dollars daily worldwide, released its Pay Later API standard in January to push its effort to expand its global API library in partnership with financial institutions, merchants and fintechs.

Stephen Lindsay, head of standards at SWIFT, said in a press release: "SWIFT is uniquely positioned to tackle the problem of fragmentation in standards globally and we are pleased to expand our current role to include the global standardization of open banking APIs. Our work on the pre-authorization of funds API is another example of the central part we are playing in ensuring the industry can make the most of the new open banking landscape."

Harjith Prabhakaran, product director at Santa Clara, Calif.-based security management company Exabeam, noted, "Today, payment-based messages still account for nearly 50% of its traffic, while 43% now concerns security transactions." He added, "The remaining traffic flows to treasury transactions. Linking more than 11,000 global financial institutions in more than 200 countries and territories, over 15 million financial messages per day (five billion messages a year) are exchanged on SWIFTNet."

Prabhakaran said SWIFT's robust message format allows for enormous scalability, so it has progressively expanded to deliver services to a variety of organizations, including financial institutions, brokerage institutions, corporate business houses, securities dealers, clearinghouses, foreign exchange and money brokers, and treasury market participants.

The Exabeam product director pointed out that although it does not hold funds or manage accounts, SWIFT enables an international user community to communicate securely. "It exchanges standardized financial messages in a reliable way, facilitating global and local financial flows, and supporting international trade and commerce."

Nevertheless, Prabhakaran maintained that in recent years two specific instances led to documented loopholes associated with SWIFT security.

The first case involved the misuse of the transaction verification process. Prabhakaran said, "In the three-step process, the maker keys the SWIFT message in the system, the checker checks it, and the verifier transmits it after they're convinced of its genuineness." But here, Prabhakaran explained, at least three persons confirming the loan creation conspired (the same person in this case) to make the fraud possible.

In the second circumstance, an institution did not establish a dual-control process for the creation, verification, authorization, and transmission of free-format messages to verify the transaction between the checker and maker. "As a result, a series of SWIFT messages between the financial institutions and its correspondent banks regarding remittance instruction amendments weren't routed to the supervisor's attention for review," Prabhakaran said. On investigation, the bank discovered a staffing shortage led supervisors to skip their due diligence before approving the loan disbursements. A clerk took advantage of the loophole by recalling loan proceeds and subsequently transferring them to their personal account.

But it is not all bad news, Prabhakaran explained. As the malicious actors become more sophisticated, so too do those working to prevent such negative behavior. "To detect abnormal and anomalous activities, advances in analytics can now leverage machine learning and behavior analytics to create baselines for users and devices. Service providers can ingest logs from Windows Active Directory, proxies, firewalls, security alerts, databases, and other applications," he said.

Prabhakaran also suggested at least seven event types are capturable from SWIFT Alliance Gateway logs based on recent deployments. Three are related to SWIFT messages (message creation, verification, and authorization), while four pertain to login activities. "Once these programs receive the Alliance Gateway logs, they can parse, normalize and create events for specific SWIFT-related activities."

Prabhakaran added, "Behavioral models allow machine learning programs to learn the message creator for a specific authorizer, as well as the authorizer for a specific verifier. Similar models and rules can be created for the authorizer and verifier."

With user and entity behavior analytics to detect abnormal and anomalous activities, financial institutions can analyze SWIFT logs along with the rest of infrastructure logs, Prabhakaran said. "This provides complete visibility in addition to rapid detection and correlation of SWIFT events alongside other infrastructure-related incidents."
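The sketch below is an added example, not code from SWIFT, Exabeam or the article. It shows the two checks described above on message creation, verification and authorization events: a dual-control rule that flags one user acting in more than one step, and a baseline of creator-per-authorizer and authorizer-per-verifier pairings. The event tuples, user names and alert labels are constructed assumptions and do not reflect the real Alliance Gateway log format.

```python
from collections import defaultdict

# Constructed, pre-normalized events: (message_id, activity, user).
# This tuple layout is an assumption, not the Alliance Gateway log format.
BASELINE = [
    ("M100", "create", "alice"), ("M100", "verify", "bob"), ("M100", "authorize", "carol"),
    ("M101", "create", "dave"), ("M101", "verify", "bob"), ("M101", "authorize", "carol"),
]
NEW = [
    ("M200", "create", "alice"), ("M200", "verify", "bob"), ("M200", "authorize", "carol"),
    ("M201", "create", "erin"), ("M201", "verify", "erin"), ("M201", "authorize", "erin"),
    ("M202", "create", "erin"), ("M202", "verify", "bob"), ("M202", "authorize", "carol"),
    ("M203", "create", "alice"), ("M203", "verify", "bob"),  # not yet authorized
]
ROLES = ("create", "verify", "authorize")

def by_message(events):
    """Group events into {message_id: {activity: user}}."""
    msgs = defaultdict(dict)
    for msg_id, activity, user in events:
        msgs[msg_id][activity] = user
    return msgs

def learn_baseline(events):
    """Record the creator seen per authorizer and the authorizer seen per verifier."""
    creators, authorizers = set(), set()
    for roles in by_message(events).values():
        if all(r in roles for r in ROLES):
            creators.add((roles["authorize"], roles["create"]))
            authorizers.add((roles["verify"], roles["authorize"]))
    return creators, authorizers

def detect(events, baseline):
    """Return (message_id, reason) alerts for events judged against the baseline."""
    creators, authorizers = baseline
    alerts = []
    for msg_id, roles in sorted(by_message(events).items()):
        users = [roles[r] for r in ROLES if r in roles]
        if len(set(users)) < len(users):  # one person acted in several steps
            alerts.append((msg_id, "same_user_multiple_roles"))
        if not all(r in roles for r in ROLES):
            continue  # workflow incomplete, nothing to compare yet
        if (roles["authorize"], roles["create"]) not in creators:
            alerts.append((msg_id, "new_creator_for_authorizer"))
        if (roles["verify"], roles["authorize"]) not in authorizers:
            alerts.append((msg_id, "new_authorizer_for_verifier"))
    return alerts

if __name__ == "__main__":
    print(detect(NEW, learn_baseline(BASELINE)))
```

The dual-control rule fires regardless of the baseline, so a message where one user creates, verifies and authorizes is flagged even if that user is otherwise well known.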
