
Securing your Bank Connectivity

Webinar presented by Tom Hunt of AFP and Bob Stark of Kyriba on Securing your Bank Connectivity.



  1. Securing Your Bank Connectivity. Tom Hunt, Director of Treasury Services, AFP. Bob Stark, Vice President, Strategy, Kyriba. December 14th, 2016
  2. Today’s speakers. © 2016 Kyriba Corp. All rights reserved. PROPRIETARY & CONFIDENTIAL. Tom Hunt, Director of Treasury Services, AFP, thunt@afponline.org. Bob Stark, VP Strategy, Kyriba Corporation, bob@kyriba.com, @treasurybob
  3. Securing Your Bank Connectivity: Today’s Discussion Points. 1) Impact of fraud on bank connectivity 2) Payment connectivity 3) Bank statement reporting 4) Future of connectivity: opportunities for greater security? 5) Questions and answers
  4. Fraud & Cybercrime in Treasury: Fraud Prevention, Before Bangladesh (diagram). Areas: Compromise; Fraud Detection; Payments; Access to Treasury Technology; Supplier Account Verification; Investments & Trading; Bank Account Mgmt. Questions to ask: Do I have visibility into every payment? Are my controls consistent for every bank, every region, every person? Do I review my ACKs? How many bids before a trade? Can Settlement Instructions be modified? How many layers of protection exist after your password? Are there controls to prevent unauthorized change to supplier payment info? Do I know my account signers? Who can change them? Does my bank have the same list? Do I use payment watchlists? Do I have a control center to view all transactions and modifications?
  5. Fraud & Cybercrime in Treasury: Fraud Prevention, After Bangladesh (diagram). The same areas and questions as the previous slide, with one area added: Connectivity. Can connectivity be compromised?
  6. Can My Connectivity Be Compromised? • Yes, connectivity workflows can be at risk • Steps can be taken to minimize likelihood of attack • What we learned from Bangladesh issue and similar events: 1) Separation of duties critical 2) UserID and Password insufficient 3) Preventing Payments Fraud is more than just protecting initiation/transmission
  7. Bank Reporting Connectivity Workflow (diagram): banks, Kyriba and the TMS or ERP, with Prior Day (PD) and Current Day (CD) reporting sent as encrypted messages and files directly to Kyriba. Prior Day and Current Day Reporting formats: • BAI2 • MT940 • XML CAMT • Regional formats
  8. Payment Connectivity workflow summary (diagram): 1) TMS or ERP: approved payments sent to Banks 2) Secure payments sent from HUB to SWIFT Network 3) Ack Levels transmitted to HUB 4) Ack/Nack notification provided to TMS/ERP
  9. Understanding Connectivity Risks: Payment Connectivity Risk Exposures. 1) Access to software used for payment initiation, approval and transmission (e.g. TMS, ERP, bank portal) 2) Separation of duties and approval limits within payments software 3) Transmission to bank connectivity channel 4) The Bank Connectivity Channel 5) Payment Confirmations and Acknowledgements 6) Reconciliation of Payment Transactions 7) Workflow Changes within Payments Systems
  10. Understanding Connectivity Risks. 1) Access to software used for payment initiation, approval and transmission • UserID/Password alone should not grant access to the system • Best practice is a combination of password controls: – Password timeouts, resets, history, alphanumeric requirements – Virtual Keypad – Multi-factor authentication (hard or soft token) – IP Filtering – Single Sign-On w/ internal IT environment
  11. Understanding Connectivity Risks. 2) Separation of duties and approval limits within payments software • Separation of duties is an obvious win • Issue is when separation of duties is inconsistent across different: – Payment types – Geographies – Systems (e.g. TMS vs. ERP) • Initiation and Approval Limits: consistency is key or exceptions will be exploited • Mandate review of attached documentation that supports payments
  12. Understanding Connectivity Risks. 3) Transmission to Bank Connectivity Channel • Securing access to the connectivity channel means: 1) If multiple systems are used, files must be secured when traveling between systems 2) Whether one or many systems, implement good authentication protocols to ensure authorized access 3) Where available, apply digital signatures (e.g. SWIFT 3SKey) to authenticate exported payment files 4) Review un-editable payments vs. sanctions lists (e.g. OFAC)
  13. Understanding Connectivity Risks. 4) The Bank Connectivity Channel • Multiple channels to automatically connect to bank: – Host-to-Host Connections – Domestic/Regional Networks – MT Concentrator Service (i.e. Shared BIC) – SWIFT Alliance Lite2 (hosted by SWIFT / integrated to TMS) – SWIFTNet Service Bureau – SWIFT Alliance Access (hosted by corporate)
  14. Understanding Connectivity Risks. 4) The Bank Connectivity Channel • Multiple channels to automatically connect to bank • Ensure safeguards of hosted connectivity and service bureaus meet your organization’s information security policy: – Review of SOC1/SOC2 Audits – Penetration Testing – Data Security (e.g. encryption at rest, use of firewalls and application tiers, who has access to the data) – Business Continuity
  15. Understanding Connectivity Risks. 5) Payment Confirmation and Acknowledgements • Up to 4 levels of acknowledgment (5 if you count CAMT 054) • Acknowledgements can be viewed in message format or integrated into a payment dashboard • Monitor each stage of workflow and reconcile against payment log
  16. Understanding Connectivity Risks. 6) Reconciliation of Payment Transactions • In addition to reviewing payment acknowledgements, reconcile intraday the outgoing payments with expected payment transactions: 1) Generated payments within TMS/ERP will generate cash flows for outgoing payments 2) Intraday reporting from bank will generate actual transactions 3) Use standard forecast/actual reconciliation to identify variances
  17. Understanding Connectivity Risks. 7) Workflow changes within payments systems • Important to monitor changes to payments workflow (e.g. approvals, limits, users, uploaded payment files, sent payment files) • Often an integrated dashboard within ERP/TMS will track any control changes and present them in a summarized view
  18. Future of Bank Connectivity: Instant Payments • Movement towards quicker payments (instant payments in Europe, same day ACH domestically, SWIFT GPII) • Increases need to stop unauthorized payments before they start • More difficult to claw back a payment after it has cleared
  19. Future of Bank Connectivity: Global Payment Innovation Initiative • Initiative by SWIFT; takes effect 2017 • Offers same day cross border settlement • Also offers greater transparency of payments, the equivalent of a global tracking number (like online shopping & shipping) • Transparency allows better audit of where payment went
  20. Future of Bank Connectivity: Blockchain/Distributed Ledger • Much talk about Blockchain and security advantages • Distributed Ledger Technology (DLT) still years from mainstream adoption for payments • ‘Complete anonymity’ will need to be addressed to offer improvements in security and reduced threat of unauthorized payments
  21. Concluding Remarks • Connectivity channel (e.g. SWIFT) is not the problem; it is securing access to/from the channel which presents most risk • Securing connectivity starts with understanding exposure points in the connectivity workflow (e.g. payment initiation) • Cloud connectivity offers good advantages if offered as a single system (rather than patchwork of multiple solutions)
  22. Further reading • AFP TIP Guide ‘Putting Your Connectivity on Lockdown’
  23. Questions? Tom Hunt, thunt@afponline.org. Bob Stark, bob@kyriba.com, @treasurybob
  24. Thanks for attending. facebook.com/kyribacorp twitter.com/kyribacorp linkedin.com/company/kyriba-corporation youtube.com/kyribacorp slideshare.com/kyriba kyriba.com/blog
