Special report scs_v7single

SWIFT Special report: Trends in operational risk and cost control

Published in: Economy & Finance, Business

Trends in operational risk and cost control
Introduction

THE FINANCIAL INDUSTRY FACES A GROWING RANGE OF CHALLENGES, WHICH ARE PUTTING PRESSURE ON OPERATIONAL EFFICIENCY, COST CONTROL AND EVEN ON BUSINESS MODELS. THIS SPECIAL REPORT AIMS TO ADDRESS A FEW OF THESE IMPORTANT TOPICS AND TO CONTRIBUTE TO DEBATE AS THE INDUSTRY LOOKS FOR THE RIGHT SOLUTIONS.

The biggest changes are occurring in the regulatory sphere. Since the financial crisis, the G20 has spearheaded tougher regulations co-ordinated at a global level. Key areas of focus include anti-money laundering and anti-terrorist financing, identification and management of systemic risk, and resolution and recovery of international institutions. In the US and Europe, particularly, huge regulatory changes are being implemented as a response to these priorities. Financial institutions are addressing a host of new initiatives aiming to provide greater stability via increased capital requirements and liquidity rules, for example. Collectively, these will have a profound impact on how banks operate and with whom they do business.

Elsewhere, organisations are striving to cut costs, eliminate risk, and improve efficiency – but many have found projects less successful than they hoped and difficult to sustain. For example, in the area of technology infrastructure – one of the biggest fixed costs for a financial institution – it can be hard to pinpoint exactly where resources are being used or if they are being wasted. This makes it hard to generate efficiencies and cost savings.

Management information that can support strategic decision-making by identifying risks and opportunities is of growing importance to executive management and bank boards. Looking across counterparty relationships and correspondent banking networks, it can be even more difficult to identify which relationships are fruitful and which are not. In a world where boundaries are coming down and risks are increasing, a clear understanding of this is becoming ever more critical.

Stringent regulations around know your customer and sanctions, for example, mean that the cost of doing business with some counterparties will dramatically increase. For some banks operating in high risk jurisdictions, this could have a major impact on banking partners.

For banks, these and other challenges represent a complex web of priorities, which often have to compete internally for resources. Banks are therefore seeking new tools that will enable them to address these issues, and ideally to turn challenges into opportunities. Increasingly, access to the right knowledge will be invaluable in helping banks to retune infrastructure, manage risks and optimise business models.

SWIFT is an ideal partner to help institutions navigate these issues. We provide expert knowledge through our wide range of consulting services, including benchmarking, operations and technical advisory services.
Special Report | SWIFT Consulting Services

Contents

2–3 SANCTIONS AND AML: A COMMUNITY RESPONSE TO COMPLIANCE
Regulators and policy makers are raising the bar in what they expect from banks in the compliance space. As a result, banks and other financial institutions are re-evaluating their internal processes, their counterparty risks and their licence to operate in some markets.

4–5 LIQUIDITY MANAGEMENT: FROM END-OF-DAY TO INTRADAY
New regulations are putting ever more pressure on banks to improve their liquidity management, but banks are still searching for the systems and processes that will enable them to comply.

6–7 BUSINESS RELATIONSHIPS: RETHINKING RECIPROCITY
Both cost pressure and new regulations are forcing banks to review business relationships. Subjecting transaction data to ‘reciprocity analysis’ will reveal who are the most important – and most profitable – counterparties.

8–9 DATA MINING: HARNESSING INFORMATION FOR OPERATIONAL EFFICIENCY
In the social media world of Google and Facebook, mining data to uncover patterns and relationships is a cornerstone of the business model. It is just as relevant to banking, where data mining can help banks to cut cost, eliminate risk and better use resources.

10–11 DISASTER RECOVERY: THINKING THE UNTHINKABLE AND FINDING NEW WAYS TO PREPARE
When it comes to business continuity, financial institutions have nowhere to hide. Operations can be disrupted by systems failures, cyber attacks, or natural disasters. What can banks do to instill the right culture and processes?

12–13 CYBER CRIME: TAKE A HOLISTIC APPROACH TO FIGHT CYBER CRIMINALS
From DDoS to APT to Zero Day attacks, financial institutions face an ever more aggressive and sophisticated battle in cyberspace. Assuming the worst, understanding your enemy and prioritising the risks are the first lines of defence.
Sanctions and AML: A community response to compliance

Regulators and policy makers are raising the bar in what they expect from banks in the compliance space. As a result, banks and other financial institutions are re-evaluating their internal processes, their counterparty risks and their licence to operate in some markets.

In July this year, the G20’s final communique from Moscow reiterated its commitment to the work of the Financial Action Task Force (FATF) in fighting money laundering and terrorism financing, and its key contribution to tackling other crimes such as tax crimes, corruption, terrorism, and drug trafficking. In particular, G20 leaders emphasised their support for FATF’s identification and monitoring of high risk jurisdictions and, in the prudential area, called for further cooperation and adherence to information exchange standards.

Policy makers’ attention on risky jurisdictions comes at the same time as a growing focus on individual financial institutions, where financial crime compliance is seen as the front line in the fight against money laundering and terrorist financing. Regulators worldwide have intensified the pressure on banks, asking them to show that they have in place adequate and effective measures.

Sanctions compliance is increasingly complex:
• 40,000 names and aliases on lists
• Lists updated virtually every day
• New categories, such as aircraft, are being added
• Widening scope of sanctions programmes, eg Trans-Criminal Organizations

“The compliance environment at jurisdiction and individual bank level is increasingly tough,” says Thierry Chilosi, Head of Banking Initiatives EMEA, SWIFT. “Countries and institutions face ever more stringent requirements and there is growing emphasis on being able to demonstrate to regulators that they are compliant.” For institutions, failure to comply risks punitive fines as well as reputational and commercial damage.

But compliance presents a series of real challenges to the industry. In the first place, it is operationally complex and technologically demanding. A consistent global sanctions infrastructure requires the ability to effectively manage multiple sanctions lists in disparate formats, which are growing rapidly and changing almost daily, across a network of jurisdictions that may have different requirements.

Rising cost of compliance

In the second place, compliance is expensive – and getting more so. SWIFT estimates that the number of alerts – and therefore the operational cost of compliance – is doubling every four years. The compound annual growth rate (CAGR) of all SWIFT FIN volumes between 2003 and 2011 shows that the number of transactions is growing at 7.5% annually. Similarly, the CAGR of the OFAC SDN List between 2010 and 2012 shows that sanctions lists are growing at a rate of 9.6% annually. Because the number of alerts is proportional to the number of transactions and the number of names on lists, the amount of investigative resource – and therefore the cost – is linked to the volume of alerts. [See Fig 1]

“This means that compliance is an operational imperative for banks. To be properly equipped, banks need to have in place the right people, processes and technology,” says Chilosi. “Technology, such as sanctions filters, must be effective, efficient and give banks the correct coverage. Increasingly, banks will need to ‘re-prove’ this capability to regulators.”

Having the right processes in place will help institutions to monitor the risks and to manage them, adds Chilosi. The right processes will also help banks to understand when their systems are too sensitive, for example, turning up too many false positives. “In this case, establishing a testing environment will help institutions to see how their filters are performing and to adjust where necessary.”
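The testing environment Chilosi describes is, at its simplest, a labelled set of names run through the filter at candidate thresholds so that alert volume, misses and false positives can be read off before a setting goes live. The harness below is an added example written for this report, not SWIFT's code or any vendor's filter: the sanctions list, the test names and the character-similarity score (Python's standard-library SequenceMatcher) are all constructed assumptions, and real filters use richer matching than this. What it shows is the trade-off the text describes: lowering the threshold from 0.90 to 0.80 recovers a genuine spelling-variant match but also raises the alert count, while a lookalike name stays a false positive at both settings and has to be handled by process rather than by the threshold.

```python
"""Sanctions-filter test harness: added example, not SWIFT's or any vendor's code.

Screens constructed payment-party names against a constructed (fictitious)
list with a character-similarity score and reports how many alerts, true
matches, false positives and misses a given threshold produces, so the
filter's sensitivity can be tuned in a test environment before go-live.
"""
import re
from difflib import SequenceMatcher

# Constructed sanctions list: fictitious names, not taken from any real list.
SANCTIONS_LIST = [
    "ABC Trading Company",
    "Ivan Petrovich",
    "Global Aircraft Leasing",
]

# Constructed labelled test set: (name as it appears in a payment, is_true_match).
# True matches are spelling variants of listed names; the rest are different
# customers whose names merely resemble a listed one, or do not resemble at all.
TEST_CASES = [
    ("ABC Trading Co", True),
    ("Ivan Petrovitch", True),
    ("Global Aircraft Leasing Ltd", True),
    ("Acme Trading Company", False),   # different entity, similar wording
    ("Ivan Petrov", False),            # different customer, similar name
    ("Ivan Smith", False),
    ("Maria Petrova", False),
    ("Global Shipping Co", False),
]


def normalise(name: str) -> str:
    """Lower-case and drop spaces and punctuation so 'Co.' and 'co' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def best_score(name: str, entries=SANCTIONS_LIST):
    """Return (score, matched_entry) for the closest list entry; score is 0.0..1.0."""
    cand = normalise(name)
    best = (0.0, None)
    for entry in entries:
        score = SequenceMatcher(None, cand, normalise(entry)).ratio()
        if score > best[0]:
            best = (score, entry)
    return best


def evaluate(threshold: float, cases=TEST_CASES):
    """Run the filter at one threshold over the labelled set and count outcomes."""
    counts = {"alerts": 0, "true_positives": 0, "false_positives": 0, "false_negatives": 0}
    for name, is_match in cases:
        score, _ = best_score(name)
        alerted = score >= threshold
        if alerted:
            counts["alerts"] += 1
            counts["true_positives" if is_match else "false_positives"] += 1
        elif is_match:
            counts["false_negatives"] += 1
    return counts


if __name__ == "__main__":
    for t in (0.80, 0.90):
        print(f"threshold {t:.2f}: {evaluate(t)}")
    print("closest list entry for 'Acme Trading Company':", best_score("Acme Trading Company"))
```

Run as a script it prints the outcome counts for both thresholds; in practice the labelled set would be the bank's own historical alerts with their analyst decisions, and the same evaluation is re-run whenever a list update or a filter change lands.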
[Fig. 1: Impact of list and transaction volume growth on alert numbers. Index (2010 = 1.00) of SDN list size, transactions and alerts, 2010–2018: alert numbers double, with operational cost doubling every 4 years]

People and culture are crucial – and because this function is so important, compliance is no longer treated as a silo but is becoming embedded in the business. “We increasingly see banks taking a more holistic view of the payments chain to achieve a better understanding of the market context for payments,” says Chilosi. “Banks are looking for a better sense of all the risks involved – country risk, currency risk, traffic routes, the PEPs. Banks recognise the need to ensure people are properly trained and have the right market knowledge. Moreover, regulators expect that staff understand these risks. Ignorance is no longer a defence.”

Challenge for the community

The risks of non-compliance are potentially as serious for jurisdictions. Being put on a FATF watch list can have damaging ramifications. FATF will call upon its members to apply countermeasures proportionate to the risks associated with each jurisdiction; as a result, banks transacting with named countries and their domestic banks will be forced to re-evaluate the risk of doing business with them, and this will translate into higher costs and closer scrutiny for both in-country and out-of-country banks. Not acting means these countries run the risk of financial exclusion from foreign investment. “The risk rating of a counterparty bank is intrinsically linked with the risk rating of the bank’s home jurisdiction. In the most serious case, then, the risk of taking no action is that an entire financial community ends up with limited or no access to the US dollar or the euro,” says Chilosi.

Some financial communities have taken a robustly proactive approach, turning compliance into a pillar of sustainable financial infrastructure development. In Ghana, for example, policy makers and the central bank responded smartly to being identified by FATF as a risky jurisdiction in February 2012. First, the government took immediate steps to create the right legal and regulatory framework to criminalise money laundering and terrorist financing. Then, Bank of Ghana led the way for the banking community, implementing sanctions screening technology and processes, and helping the domestic banks to come to grips with compliance challenges. This action was so successful that in October 2012, FATF removed Ghana from the watch list.

“The compliance area is a major issue for financial institutions, leading them to re-evaluate their process, their counterparty risks and their operations in some markets,” says Chilosi. “Many are finding that a holistic approach works well. One major issue is the scarcity of expert resources. Resolving this will be part of the answer.”
Liquidity management: From end-of-day to intraday

New regulations are putting ever more pressure on banks to improve their liquidity management, but banks are still searching for the systems and processes that will enable them to comply.

Liquidity management was long overshadowed by a focus on capital, but the financial crisis revealed its vital importance. To avoid a repeat of the liquidity squeeze that caused the financial system to seize up during the crisis, regulators have put in place a new regulatory framework, which requires banks to monitor liquidity across all their correspondent bank accounts, in all currencies. For banks the new rules present huge challenges – and many are still searching for the right mechanisms and processes. “Many banks are not prepared for the changes that are coming and it could be a struggle for some in the industry to comply with them,” says Catherine Banneux, Senior Market Manager, Banking Markets, SWIFT.

Since the beginning of the year, the Basel Committee on Banking Supervision (BCBS) has been further defining its requirements for sound liquidity risk management and supervision, the so-called ‘Sound Principles’. In April, the Committee published Monitoring tools for liquidity management. The document sets out tools that will enable banking supervisors to monitor banks’ intraday liquidity risks and their ability to meet payment and settlement obligations on a timely basis under both normal and stressed conditions. Intraday liquidity is a key element of a bank’s overall liquidity risk management framework.

The BCBS says six operational elements should be included in a bank’s strategy for managing intraday liquidity risk:
• the capacity to measure expected daily gross liquidity inflows and outflows, anticipate the intraday timing of these flows where possible, and forecast the range of potential net funding shortfalls that might arise at different points during the day;
• the capacity to monitor intraday liquidity positions against expected activities and available resources (balances, remaining intraday credit capacity, available collateral);
• arrangements to acquire sufficient intraday funding to meet intraday objectives;
• the ability to manage and mobilise collateral as necessary to obtain intraday funds;
• a robust capability to manage the timing of liquidity outflows in line with intraday objectives; and
• ability to deal with unexpected disruptions to intraday liquidity flows.

The BCBS has developed seven separate monitoring tools, in recognition of the fact that no single tool could take into account the diverse factors that influence a bank’s usage of intraday liquidity in payment and settlement systems and its vulnerability to intraday liquidity shocks. These are categorised according to the type of institution:
• daily maximum intraday liquidity usage – available intraday liquidity at the start of the business day, total payments and time-specific obligations;
• reporting banks that provide correspondent banking services – value of payments made on behalf of correspondent banking customers and intraday credit lines extended to customers; and
• reporting banks that are direct participants – intraday throughput.

Moving to real time

Current practices in liquidity management will have to change, says Banneux, if banks are to comply with the requirements set out by the Committee. For example, at present, banks monitor liquidity in the currencies they clear themselves (a UK bank focuses on sterling, and so on). However, under the new intraday monitoring rules, regulators expect banks to manage and monitor the liquidity in all of their correspondent bank accounts across the world, in any currency.
“Having to manage and monitor the liquidity in all of these accounts is a completely new requirement,” says Banneux. “While some of these accounts are actively managed, SWIFT estimates that 90% are not – payments are sent and received throughout the day, but the accounts are checked only on an end-of-day basis.”

Implementing more confirmations will enable institutions to build a balance with their correspondents during the day that is based on what is really happening, rather than a forecast. The collapse of Lehman Brothers highlighted the chaos that can ensue if a correspondent bank goes bust during the day – many banks simply did not know the level of their exposure to Lehmans. Most accounts are also currently managed on a forecast, rather than a real-time, basis.

“The financial regulators want to push banks to understand what is happening throughout the day with balances on account, instead of making do with expected balances. That is a real shock to banks because many of them simply do not have visibility of their cash throughout the day. The majority operate on an end-of-day basis. This is likely to have a huge impact on banks.”

Intraday monitoring of accounts can also limit the costs associated with the provision of credit, a facility for which banks are increasingly charging. “Good liquidity management is all about managing your balances and making sure you are not too short or too long on your accounts,” says Banneux. “There are regulatory drivers for this but also business drivers. Being able to better manage liquidity can deliver ROI in the millions of euros because it is related to funding and liquidity costs.”

The BCBS is not only focusing on real-time balances. It will also require bank treasurers to be able to analyse and report on future and past liquidity movements. However, most bank treasurers focus on only a three-day horizon either backwards or forwards.

Harnessing data

While this may seem to be a bleak picture for banks, Banneux is optimistic; data is the key to intraday liquidity management, monitoring and reporting. “In order to build intraday liquidity reports for the regulators, a bank will have to gather information item by item. This can be done with transactional data, which SWIFT can provide,” she says. Transactional data has the potential to “reshape the cash management space”, adds Banneux, as it will enable institutions to base their activities on actuals rather than forecasts. At present, only about 16% of payments sent over the SWIFT network are covered by an immediate confirmation. For the rest, financial institutions have to wait until the end of the day to discover whether the payments have been made or received.

Combining data streams

The improvements that can be realised with better use of transactional data are not limited to cash management. Banks can use securities transaction data to manage flows and build a view of intraday liquidity in this area as well. By using a combination of data streams in this way, banks can build solid and recurring reports for the regulators that more accurately reflect their intraday liquidity status. Moreover, as regulators require banks to report on a group and on an entity level, their approach must be global. “Generally banks don’t have such data centrally available,” says Banneux. “Often subsidiaries will email spreadsheets to their head office. The solution is to gather the data centrally in order to build a database that covers every entity in every location. This is something that SWIFT, as a network for correspondent banks globally, is well placed to do.”

[Fig. 1: The holy grail for treasurers. Example of an intraday liquidity usage curve (millions, scale from (600) to 400) constructed using SWIFT message data between two counterparties, plotted at 35-minute intervals from 00.00 to 23.55. Source: SWIFT]
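The curve in the figure, and the first of the BCBS monitoring tools listed on the previous page, both come from the same computation: order the day's confirmed movements on an account by time, accumulate the net position, and read off the largest net debit and whether it exceeded the liquidity available at the start of the day. The block below is an added example written for this report, not SWIFT's code or a BCBS reference implementation; the six confirmations, the opening balance and the credit line are constructed, and the message fields are reduced to a time, a signed amount and a reference. It returns the "daily maximum intraday liquidity usage" figure for one account and the times at which usage went beyond what was available, which is the breach a treasurer managing on an end-of-day basis would only discover after the fact.

```python
"""Intraday liquidity usage curve and BCBS-style daily maximum usage.

Added example, not SWIFT's code or the BCBS's reference implementation. It
builds the curve sketched in Fig. 1 from constructed confirmation messages on
one nostro account and reports the tool the BCBS calls "daily maximum intraday
liquidity usage": the largest net cumulative debit (and credit) position during
the day, compared with the liquidity available at the start of the day
(opening balance plus the intraday credit line).
"""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Confirmation:
    """One confirmed movement on the account (amounts in millions, constructed)."""
    at: time
    amount: float  # positive = received (credit), negative = sent (debit)
    reference: str


# Constructed sample day: six confirmed payments on one nostro account.
SAMPLE_DAY = [
    Confirmation(time(8, 5), -150.0, "OUT-0001"),
    Confirmation(time(8, 40), +80.0, "IN-0001"),
    Confirmation(time(9, 15), -200.0, "OUT-0002"),
    Confirmation(time(10, 30), +250.0, "IN-0002"),
    Confirmation(time(13, 0), -60.0, "OUT-0003"),
    Confirmation(time(16, 45), +90.0, "IN-0003"),
]


def usage_curve(confirmations):
    """Cumulative net position over the day, in time order: [(time, net_position), ...]."""
    curve, net = [], 0.0
    for c in sorted(confirmations, key=lambda c: c.at):
        net += c.amount
        curve.append((c.at, net))
    return curve


def daily_max_usage(confirmations, opening_balance, credit_line):
    """BCBS 'daily maximum intraday liquidity usage' for one account.

    Returns the largest net debit (most negative cumulative position) with its
    time, the largest net credit, the liquidity available at start of day, and
    the times at which usage exceeded that available liquidity.
    """
    curve = usage_curve(confirmations)
    available = opening_balance + credit_line
    largest_debit_at, largest_debit = min(curve, key=lambda p: p[1])
    largest_credit_at, largest_credit = max(curve, key=lambda p: p[1])
    breaches = [at for at, net in curve if -net > available]
    return {
        "largest_net_debit": largest_debit,
        "largest_net_debit_at": largest_debit_at,
        "largest_net_credit": largest_credit,
        "largest_net_credit_at": largest_credit_at,
        "available_at_start": available,
        "breaches": breaches,
    }


if __name__ == "__main__":
    for at, net in usage_curve(SAMPLE_DAY):
        print(f"{at:%H:%M}  net position {net:+8.1f}")
    print(daily_max_usage(SAMPLE_DAY, opening_balance=100.0, credit_line=100.0))
```

With the constructed data the position bottoms out at 270 short at 09:15 against 200 available, so the day records one breach; the same function run per account, per currency, is what makes the "all correspondent accounts, all currencies" requirement in the text reportable rather than estimated.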
Business relationships: Rethinking reciprocity

Both cost pressure and new regulations are forcing banks to review business relationships. Subjecting transaction data to ‘reciprocity analysis’ will reveal who are the most important – and most profitable – counterparties.

Correspondent banking is about relationships, and underpinning many of those relationships is reciprocity – the exchange of business to the benefit of both parties. But regulations and cost pressures are changing the nature of correspondent banking and reciprocity. In many areas, banks with weak balance sheets or high risk are being dropped from relationship networks, and volumes are increasingly concentrated on fewer partners. The concept of reciprocity is also evolving, from a traditionally arm’s-length relationship to deeper partnerships.

Geertjan van Bochove, Consultant, Business Intelligence EMEA at SWIFT, says many banks are reviewing their correspondent relationships. In part, this is driven by shrinking margins. “In Europe, for example, one of the drivers for these reviews is the Single Euro Payments Area [SEPA], which, when it comes into full effect on 1 February 2014, will eliminate the margins that can be made on cross-border payments in the Eurozone.” Those institutions whose correspondent relationships in Europe have been cash-driven will need to find alternative sources of revenue, such as cash management, trade finance and credit provision. Moreover, SEPA is not the only regulatory initiative that will have an impact on correspondent banking: Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements, Basel II, Dodd-Frank and FATCA will also play a part in reshaping the agenda for financial institutions.

In EMEA and the Americas, the shrinking number of correspondent banking relationships or connections in a network is startling. Figure 1, below, shows how banks in both of these regions are continuing to reduce the size of their network (the number of nostro/vostro relationships). This is largely because complying with regulations – such as Know Your Customer – makes it expensive to manage a large network. In Asia Pacific, by contrast, banks are following their corporate clients, which are exporting and importing more, so the region’s banks are still expanding their relationship networks.

How a bank approaches its correspondent relationships differs from institution to institution. Definitions of reciprocity also differ, depending on how individual institutions are organised. Common to all institutions, however, are the regulatory and economic pressures that are making correspondent banking increasingly costly and difficult to maintain. The idea that correspondent banking is only about reaching the right customers quickly and at low cost is becoming obsolete.

“In essence, reciprocity is about striking win-win deals. In entering a relationship, a bank is trying to give business to its counterparty in return for an equivalent amount of business from that counterparty,” says van Bochove. It is extremely important when reviewing correspondent relationships, therefore, to understand the counterparty and its business.

The power of data

Data can be crucial to understanding the shape of your counterparty’s business and what it means for your bank; essentially, it can help you to define the direction and scope of a relationship. “A bank needs to understand the business of the correspondent it wants to partner with. A bank in Greece, for example, will not be able to reciprocate a deal with a promise of increased volumes. But if a bank wants to strike a deal with a partner in South Africa, that arrangement will be all about growth in payments or trade finance.”

[Fig. 1: The number of active BIC-BIC connections, 2005–2011: annual change by region (scale -20% to 10%), ending at APAC +4%, EMEA -11%, AME -16%. Source: SWIFT Watch]
[Fig. 2: Index growth of reporting versus payments on the SWIFT network, 2003–2012 (index scale 0–300). Source: SWIFT Watch]

Analysis of payments flows between markets also helps banks to target their offerings more effectively. While South Africa is a growth story, analysis of payment flows reveals that banks in the country already have well established relationships with US banks for USD clearing, so there would be little point in a German bank, for example, offering USD clearing as part of a reciprocal deal.

Many correspondent relationships have been measured using internal factors, such as the fees made on trade finance deals and FX. But van Bochove says this reveals only part of the picture: “It is important to look internally, but institutions must also understand what is happening in the market as a whole. In evaluating a relationship does an institution understand what the overall market is doing?” For example, a correspondent banking programme may be deemed successful if payments have increased by 10% a year. But considered in isolation such a figure is meaningless, van Bochove says. “If you don’t know what other institutions in the payments market are doing, you don’t know whether you are under- or over-performing the market as a whole. Analysis of payments data may reveal that the market overall had grown 25%, in which case 10% indicates that the relationship is under-performing.”

Van Bochove adds that gaining access to data on a global bank level will help institutions to leverage their correspondent relationships. For very large financial institutions such insight is invaluable. “The payments and trade finance flows between very large institutions can have a big impact on reciprocity. The story is no longer about the network and establishing as many connections as possible. It is about knowing exactly what and where the flows are; how does a large institution know what business its individual branches are doing with the individual branches of its counterparty? Without global payments data, the relationship cannot be managed at an optimum level,” he says.

Basing relationships on fact

Knowledge is power – so understanding exactly what level of business an organisation does with its counterparties can help shape discussions around correspondent banking relationships. “SWIFT data might reveal that a bank is sending more payments to its correspondent than it thought. This knowledge should be used as the basis of a new relationship that is built on fact rather than supposition. Such factual discussions make it much more likely that the relationship will be a win-win one for both banks and therefore sustainable and relevant in the long term.”

Factual analysis of relationships will also play an increasingly important role as KYC and AML requirements are strengthened by financial regulators. Regulatory reporting is becoming more and more important. The growth in the number of reporting messages versus the number of payment messages sent over the SWIFT network has rocketed (see Fig. 2), showing that counterparties are requesting more and more reporting so that they can understand their liquidity position. “Intraday reporting will become the norm in the future for all institutions and while this will continue to drive up the number of reporting messages, it is likely to change the nature of reciprocity; if an institution charges another for intraday advice messages, that institution should expect to be charged for the same information in return. As a result, fees for reporting are likely to decrease,” says van Bochove.

Enhanced business intelligence services can help banks to better identify new market opportunities, understand end-customer behaviour and better monitor liquidity in correspondent banking relationships. “Reciprocity and the business relationship are no longer about pure revenue generation,” says van Bochove. “Relationships must now be based on the facts of the top- as well as the bottom-line, and this can be achieved by analysing the data available, which will deliver the insights required for truly win-win relationships.”
Data mining: Harnessing information for operational efficiency

In the social media world of Google and Facebook, mining data to uncover patterns and relationships is a cornerstone of the business model. It is just as relevant to banking, where data mining can help banks to cut cost, eliminate risk and better use resources.

For many financial institutions (FIs), data is a by-product of their business; something to be accumulated and stored but not exploited. However, data mining – the process of collating and analysing large amounts of data in a database to discover patterns or relationships – can help FIs to reduce costs and risks.

A significant cost for banks is exception handling. SWIFT has estimated that it costs the industry €140 million per year to repair failed messages that have been rejected by its network. Data mining means banks can identify the number of exceptions that are being handled and, crucially, the causes of those exceptions, allowing them to root out the problem by improving processes. It will also allow them to see how they fare compared to their competitors.

“The big question for individual banks is what is my share of that total industry cost?” says Yves Smeyers, Principal Consultant, SWIFT Consulting Services, EMEA at SWIFT. Data mining can help FIs to answer this question by providing deeper analysis of which particular message types or counterparties are the most problematic. Even further benefit is derived when that data mining puts a bank’s individual data within a broader industry context, he says. “Banks only have access to their own data, but SWIFT has access to aggregated data from the entire community. By looking at the bigger picture – a combination of an institution’s data and SWIFT’s industry-wide data – individual FIs can gain a greater understanding of how they are performing compared to their peers.” For example, SWIFT’s data will reveal exactly how many rejections each bank in its community has for particular messages. By understanding the industry average for rejections of particular messages and comparing themselves to their peers, FIs can work out which areas they need to focus on in order to bring down the costs of message repairs.

Capacity planning

Data mining can also help FIs to plan their capacity on the network by revealing the number of messages sent and the IT resources those messages consume. “If this data is not analysed, it limits the scope of an FI’s capacity planning,” says Michel Pronce, Key Client Service Manager at SWIFT. “Data can reveal unusual patterns in resource use and further analysis can detect areas for improvement.” Deeper analysis of message data can also help FIs to improve the cost efficiency of their infrastructure. “There are many data points that can be examined to understand the total cost of ownership of an institution’s SWIFT infrastructure, for
  11. 11. 9 2 4 Special Report | SWIFT Consulting Services Fig. 1: Processing cost of Negatively Acknowledged messages on SWIFT (in MEUR/year) 9.5 22.8 95.0 37.5 Payments Securities Trade Finance Treasury example. This includes the message costs as well as the cost of hardware, software and the personnel required to run that infrastructure,” says Smeyers. Better understanding of volumes in relation to bank infrastructure is crucial to helping institutions to more effectively deploy resources, says Pronce: “Data is important, but if you don’t know exactly what that data represents, it is of little value. For example, knowing the number of transactions in isolation is not as useful as knowing the number of transactions in relation to how much of the infrastructure that volume of transactions consumes. If FIs know at any given moment how much of their infrastructure is in use, they now how much capacity they have for new business.” Reducing risk Here are some examples of areas in which data mining can be used to help eliminate risk: SWIFT certificate management and Relationship Management Applications (RMAs). Data analysis of SWIFT certificates can reveal how the certificates are being used. Because certificates determine access to the SWIFT network and SWIFT services, incorrect use can leave institutions open to significant operational risk. “SWIFT knows exactly how many certificates have been issued to individual entities. We also know the status of those certificates. At present, a significant percentage of certificates are not in the correct stages of their lifecycles, for example, some may be obsolete,” says Pronce. Institutions may be continuing to pay for certificates that are no longer active. Moreover, if the employee associated with the certificate has left the bank there is a potential security problem. 
Data mining, in conjunction with SWIFT, will help an institution to see the bigger picture – how many certificates are in circulation, which ones are in the correct stages and which are not, and which certificates need to be eliminated.

A similar approach applies to the Relationship Management Application (RMA), which is a method for setting up and maintaining correspondent relationships in the SWIFT environment. The RMA is used to establish the exact relationship correspondents have with each other in terms of messaging. They can be based on short-term business needs or be more long-term, and can cover all message types or be restricted to particular messages. For this reason, says Pronce, the RMAs must be managed closely.

Analysis of RMAs may reveal out-of-date records that are no longer valid and which are therefore exposing an organisation to operational risk. Before RMAs, institutions typically set up generic relationships between groups, whereby all the branches of one institution could send messages to all the branches of another. Some institutions migrated these generic relationships into the RMA, creating many relations that are never used. “With data mining and with the help of SWIFT, financial institutions will be able to manage their RMAs more cost effectively and eliminate risk at the same time,” says Pronce.

Delivering benefits

It’s clear that data mining can deliver benefits right across a financial institution – from improving technical understanding to offering insight into the business. Says Smeyers: “Whether involved in managing the infrastructure or involved in payments or securities operations, everyone is looking to improve efficiency, cut costs and eliminate risks. Data mining can help institutions to pinpoint risks, identify areas for improvement and gain a real understanding of how their businesses work.”

Fig. 2: SWIFT PKI certificates annually paid for by the industry: 18% of all signing certificates are no longer valid (legend: Expired certificate, Active certificate, Revoked certificate)
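The certificate lifecycle and RMA checks described above, as an added example that is not SWIFT's own tooling: it buckets a constructed certificate inventory into active, expired and revoked, flags still-valid certificates whose owner has left (the security problem Pronce points to), and lists RMAs with no traffic for a year. Field names, status values and the idle threshold are assumptions; a real run would read the institution's PKI records and RMA traffic reports.

```python
"""Certificate and RMA hygiene checks over a constructed inventory.

Added example, not SWIFT's code. Field names, status values and the
one-year idle threshold are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Cert:
    serial: str           # certificate identifier (constructed value)
    owner: str            # employee or application the cert was issued to
    not_after: date       # expiry date
    revoked: bool         # listed on the revocation list?
    owner_active: bool    # owner still employed / application still in use?


@dataclass(frozen=True)
class Rma:
    counterparty: str                 # correspondent BIC (constructed value)
    last_traffic: Optional[date]      # last message under this RMA; None if never


def classify_certificates(certs, today):
    """Bucket certificates by lifecycle stage and flag orphaned ones."""
    report = {"active": [], "expired": [], "revoked": [], "orphaned": []}
    for c in certs:
        if c.revoked:
            report["revoked"].append(c.serial)
        elif c.not_after < today:
            report["expired"].append(c.serial)
        else:
            report["active"].append(c.serial)
            if not c.owner_active:
                # Still usable on the network but nobody is accountable for it.
                report["orphaned"].append(c.serial)
    no_longer_valid = len(report["expired"]) + len(report["revoked"])
    # Share of the inventory that is paid for but no longer valid (cf. Fig. 2).
    report["invalid_share"] = no_longer_valid / len(certs) if certs else 0.0
    return report


def stale_rmas(rmas, today, max_idle_days=365):
    """RMAs with no traffic inside max_idle_days are candidates for removal."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(r.counterparty for r in rmas
                  if r.last_traffic is None or r.last_traffic < cutoff)


# Constructed sample data (not real certificates or BICs)
TODAY = date(2013, 6, 1)
CERTS = [
    Cert("C-001", "ops-alice", date(2014, 1, 31), False, True),
    Cert("C-002", "ops-bob", date(2012, 12, 31), False, False),    # expired
    Cert("C-003", "app-gw1", date(2014, 6, 30), True, True),       # revoked
    Cert("C-004", "ops-carol", date(2013, 12, 31), False, False),  # valid, owner left
    Cert("C-005", "app-gw2", date(2015, 3, 1), False, True),
]
RMAS = [
    Rma("AAAABEBBXXX", date(2013, 5, 20)),
    Rma("BBBBDEFFXXX", date(2011, 7, 4)),   # idle for almost two years
    Rma("CCCCGB2LXXX", None),               # migrated generic relationship, never used
]

if __name__ == "__main__":
    rep = classify_certificates(CERTS, TODAY)
    print(f"{rep['invalid_share']:.0%} of certificates are expired or revoked")
    print("orphaned (valid, owner gone):", rep["orphaned"])
    print("stale RMAs:", stale_rmas(RMAS, TODAY))
```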
Disaster Recovery: Thinking the unthinkable and finding new ways to prepare

When it comes to business continuity (BC), financial institutions have nowhere to hide. Operations can be disrupted by systems failures, cybercrime attacks, or natural disasters. They can also be disrupted if for any reason key people become unavailable. In both wholesale and retail banking activities, an inability to continue operations can have a profound impact on reputations and on bottom lines. A system outage – be it on a trading floor or in a retail banking system – is inevitably accompanied by intense media scrutiny and speculation.

However, a well thought-out and structured disaster recovery plan can alleviate the impact of any disaster and ensure that initial responses do not exacerbate the situation. “In the event of a disaster, a financial institution must be able to think things through clearly, albeit in dire circumstances,” says Isabel Snoeckx, Business Continuity and Command Centre Manager at SWIFT. “This can happen if the organisation has clarity regarding the initial reactions it should take to any disruption.”

“It is important to remember that a company’s mission and objectives still need to be fulfilled – even under a stressful disaster situation.”
Isabel Snoeckx

Be prepared

In formulating continuity and recovery strategies, businesses should “think the unthinkable and find new ways to prepare”, says Snoeckx. Business continuity objectives must be aligned to an individual company’s mission and global objectives. If, for example, a company states that customer service is its paramount focus, then activities related to customer service must be prioritised for recovery. For companies involved in the capital markets, the priority may be different – access to market data is critical and needs to be re-established within seconds. This alignment can be achieved via a series of measures.
These include ensuring senior management are involved in and support the BC programme. “Any company that has senior management support of the disaster recovery and continuity programme recovers faster than those companies where this is not the case,” says Snoeckx. During times of crisis senior management want to be involved in the recovery programme and to influence the messages that go out, particularly in cases where the reputation of the company may be at stake. If senior managers are aware of the BC plans and agree with the priorities that have been set, they will be at ease with the procedures that are taking place. If not, there could be delays in implementing plans and recovery will not be as smooth as it could be.

It is not only senior management that should be aware of the BC plan; stakeholders and the customer community also benefit from understanding the value of such plans. A smoothly running recovery programme instils confidence in all concerned; a chaotic recovery plan will only heighten the concerns of stakeholders and customers and may result in lost business.

Prioritising the most critical services, products and projects that support the company’s mission and objectives will also help to achieve alignment. It may, of course, result in other parts of the company having to wait until normal operations resume, but focusing on items that are not critical to recovery will be a distraction. “It is important to remember that a company’s mission and objectives still need to be fulfilled – even under a stressful disaster situation,” says Snoeckx. “Companies should not focus on items that they can survive without.”

Another area that should command the attention of operational managers is service and product development. Snoeckx says recovery objectives and resilience requirements should be defined at the early stage of development in order to ensure products and services can be brought back into operation as rapidly as possible.

Business continuity teams should also be involved in procurement processes to ensure that BC requirements are specified in the contracts of key suppliers. This is particularly important, she says, with the growing trend towards cloud-based products and services.
Fig. 1: Thinking the unthinkable (threat areas: Internal Threats, Networks, Staff, Systems, Buildings, Services)

A crucial element of a BC plan is to instil a culture within the organisation that ‘failure is not an option’ (FNAO). There should be global awareness within the firm of the concepts of the BC plan and the objectives of the recovery. Moreover, operational managers should seek continuous improvement of their recovery procedures and processes. The key lessons of any testing exercise should be learned and remembered; complacency could lead to failure.

Snoeckx believes that members of the BC team should have high recognition not only within a company itself but also in the wider financial industry. Those responsible for continuity should be able to promote best practices among their peers within the industry so that the industry as a whole benefits.

Putting BC plans to the test

Disaster recovery and business continuity plans are not static; new threats to operations emerge and business objectives can evolve. Operations managers should implement testing exercises on a regular basis throughout the year. “A business continuity or recovery plan does not really exist until it has been extensively tested,” says Snoeckx. “It is not only the system that should be checked, but also the people, communications and processes that form the whole of the BC plan.” Individual institutions should involve employees at all levels along with all command and crisis teams in this testing.

“Companies should not underestimate the sustainability phase that follows a recovery from disaster,” says Snoeckx. “The testing exercises should ensure that coordination and communication between players in the financial sector is facilitated both during and after the recovery process.”

Just as BC plans should be well thought-out, so too should the exercises to test those plans. As much reputational damage could be inflicted on a company if it undertakes a poor BC exercise as could occur during a real disaster. The testing exercise should include analysis of the costs, effort and risks involved in the plans. All testing exercises should be managed as projects with pre-defined support plans.

Sharing best practices and engaging in community-wide testing exercises is critical to the success of business continuity. “BC plans should be formulated and tested with a cooperative spirit. This gives everyone confidence in the plans and delivers peace of mind to all stakeholders,” says Snoeckx.

Fig. 2: A culture of constant improvement (BCM lifecycle: BCM Programme Management at the centre; Understanding the Organization; Determining BCM Strategy; Developing and Implementing BCM Response; Exercising, Maintaining and Reviewing; Embedding BCM in the Organization’s Culture; Continuous improvement)

In the wider world, institutions should inform the relevant local authorities of how their plans will interact with those authorities’ disaster recovery strategies. Customers, too, should be involved in BC exercises in order to ensure that they are aware of their recovery procedures.

The promotion of industry-recognised standardisation is also important to ensure BC team members have the necessary competencies and skills. “The British Standards Institute was one of the first organisations to publish a standard on business continuity. This has since been converted into an international standard by ISO. There is now going to be an international standard towards which companies can drive.” ISO 22301 specifies the requirements for a management system to protect against, reduce the likelihood of, and ensure businesses recover from disruptive incidents.
Cyber Crime: Take a holistic approach to fight cyber criminals

From DDoS to APT to Zero Day attacks, financial institutions face an ever more aggressive and sophisticated battle in cyberspace. Assuming the worst, understanding your enemy and prioritising the risks are the first lines of defence.

There is a continual battle between financial institutions and cyber criminals, characterised by innovation in both defence and attack as banks seek to protect themselves from a growing barrage of cyber crimes. While myriad other cyber risks are growing in frequency and intensity, Distributed Denial of Service (DDoS) attacks on banks during the past year have gained the most headlines. For example, more than 30 US banks have suffered DDoS attacks since September 2012, allegedly perpetrated by a group calling itself the al-Qassam Cyber Fighters. The banks’ retail websites were targeted by sophisticated algorithms that exhausted their bandwidth and brought down their systems. “These attacks have pushed DDoS to new heights,” says Dr Jacques Hagelstein, Head of Security Risk Management, SWIFT. “Within a year the average intensity of such attacks has increased tenfold and now involves traffic volume of more than 50 gigabits per second.”

Other cyber crime attacks include Advanced Persistent Threats (APTs), which target particular entities, often using insidious social engineering techniques to penetrate organisations. The attacks then deploy customised malware that can live, undetected, inside systems for months. Later, these programs can be remotely activated to steal information such as credit card data. Zero Day attacks involve previously unknown computer viruses or other malware for which specific anti-virus software signatures are not yet available.

There is also a flourishing black market in malware, including Trojans and viruses, that enables criminal groups and individuals to more easily launch sophisticated cyber attacks. “In the past, most cyber attacks were very general, launched on to the internet by an individual or small group in the hope that they would be able to inflict damage somewhere,” says Hagelstein. “Today attacks can be very targeted with specific tasks such as stealing information or even damaging physical equipment, as happened with the Stuxnet virus attack on Iran’s nuclear power facilities.”

“People are often the weakest link in the chain through which malware enters an infrastructure. Staff should be properly educated and kept aware of the risks of malware.”
Dr Jacques Hagelstein

The sophistication of cyber attacks reflects the changing nature of those involved. As Hagelstein points out, many attacks are now perpetrated by government agencies and defence forces, organised activist groups such as Anonymous, and mafia-type criminal gangs. The image of a lone hacker working from a garage is no longer relevant.

Developing protective measures

“Classical defences are no longer sufficient,” he says. “Zero-day exploits cannot be detected by anti-virus software and APTs make every effort at being stealthy. There is a growing agreement among computer security experts that, although protective measures such as security software and firewalls must continue to be refined, security teams should also work towards detection and containment of cyber attacks, under the assumption that the defences have been broken.”

Financial institutions should approach their defence against cyber attack in the same way that they undertake any risk management program: determine which risks are the most relevant to the institution and invest in countering these specific risks as a priority. “Initially, and on an ongoing basis, some amount of time and resources should be spent on keeping abreast of what is going on in the fast-moving world of cyber crime,” says Hagelstein. “Knowing the types of attacks that are being perpetrated and the elements being targeted will help FIs to analyse whether particular types of attacks are relevant to them.”
Fig. 1: Peak DDoS Attack Size in Gbps (January 2010-Present), by month from January 2010 to April 2013; values marked: 82.61, 86.53, 100.84, 105.21 Gbps, with March 2013 annotated at 300+ Gbps. Source: ATLAS Q@ 2013 Update, Arbor Networks

The impact of an attack can vary greatly – malware that targets customer or prospect lists will have much less impact than a program that steals account passwords that enable customers to make payments, for example. But every attack, says Hagelstein, will have an impact on a bank.

A holistic approach

“People are often the weakest link in the chain through which malware enters an infrastructure,” says Hagelstein. “Staff should be properly educated and kept aware of the risks of malware.” This can be done via mandatory training, social engineering tests (where staff reactions to suspicious emails are studied) and regular awareness programs. FIs should also consider establishing links to multiple sources of information about cyber crime, including commercial and industry groups as well as official agencies.

Prioritising defences

A number of steps should be taken to determine the best security investments. These include:

• Monitoring the threat landscape and analysing the top risks (by combining likelihood and impact);
• Determining the best preventive or detection mechanisms available and prioritising investment according to the risk;
• Treating investment as a continuous exercise and bringing together internal experts to imagine worst case scenarios in their particular areas of activity; and
• Developing ‘defence in depth’ in order to counter highly sophisticated attacks by accumulating several layers of defence rather than relying on a single barrier.

There are three major dimensions to any cyber attack that banks should consider, says Hagelstein. These are confidentiality, integrity and availability. If data is stolen as a result of an attack, a bank’s confidentiality is breached. This can have wider implications, depending on a country’s data privacy laws. Integrity can be affected if a piece of malware modifies data, such as creating false payments. Finally, attacks on availability, such as through the recent DDoS incidents in the US, prevent banks from offering services to their customers.

Protecting against cyber attacks requires investment not only in technology, but also in processes and people. Preparing staff to defend against attacks is as important as implementing anti-virus software and firewall technology. One of the key challenges in defending against cyber attacks is that the organisation must be prepared to deal with the unexpected. Increasingly sophisticated malware can circumvent the best efforts of defences that have been built up over many years. “Effective reactions to cyber attacks are a matter of processes being well defined and also regularly rehearsed,” says Hagelstein. “These rehearsals should be made a part of a bank’s business continuity exercises.”
Look within

Consulting services

You’re looking to get the most out of your business. From payments to securities, treasury or best practice and benchmarking, we are perfectly positioned to help you view your business from a different perspective. With the unique industry insights of our consultants, you can take a fresh look at your business and relationship with SWIFT. Whether you are looking to streamline, implement, reduce risk or identify growth opportunities, for a unique perspective on optimisation, see SWIFT.

www.swift.com

Excellence. Communities. Innovation.