SWIFT Security

SWIFT is a non-state actor that has profoundly shaped global financial services infrastructure over the last four decades. It provides a proprietary communications platform and messaging standards for transmitting international payment instructions between financial institutions in over 200 countries. While SWIFT is not a payment or settlement system itself, the majority of financial institutions use SWIFT messaging to initiate international funds transfers. SWIFT messages consist of standardized formats that identify the sender, recipient, and type of transaction.

Auditing a SWIFT system

Association of Chartered Accountants


10th March 2018
Arif Ahmed, Partner:
Arif Ahmed and Associates
What is SWIFT
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a
non-state actor, and one of the non-state forms of regulation that has had a
profound impact on how the modern world was shaped.
• SWIFT has served the financial services sector for over four decades, primarily
as a proprietary communications platform, a provider of products and services,
and a standards developer.
• The system was originally designed to gradually replace the inefficient telegram
and telex messaging systems for international payments. SWIFT now forms a
core part of the global financial services infrastructure, serving more than 200
countries and territories and over 10,000 financial and non-financial customers.

SWIFT is more than a widely used provider of financial services, considering the
extent to which this non-state “society” has overseen the creation of an extensive
and highly developed form of communication and regulation; it is a unique example
of “creeping global governance”.

Research by South Asian Management Technologies Foundation


SWIFT as a payment system
What is SWIFT
• SWIFT is not a payment system but serves as a transport network for a large
number of major payment and securities infrastructures.
• SWIFT’s Bylaws (2012): “the object of the Company is for the collective benefit
of the Shareholders of the Company, the study, creation, utilisation and
operation of the means necessary for the telecommunication, transmission, and
routing of private, confidential and proprietary financial messages”.
• SWIFT is not a bank or a clearing and settlement institution; it does not manage
accounts on behalf of customers nor does it hold funds.
• The majority of financial institutions use SWIFT to send and receive information
about financial transactions. SWIFT does not maintain financial information on
an ongoing basis; data are only held for a limited period of time.


SWIFT as a messaging system
SWIFT is more of a messaging system trusted for its reliability
• SWIFT is responsible for providing the network, standards, products, and
services that allow member institutions to connect and exchange financial
information.
• Financial service professionals say that the most critical part of SWIFT’s role is
achieving the secure exchange of proprietary data – in other words: reliability,
confidentiality, and integrity.
• Some practitioners recognise the SWIFT infrastructure as a key operating
asset; others simply regard it as the necessary but fundamentally uninteresting
sector-wide “plumbing”.


How is SWIFT used
• The most widely used SWIFT messaging service is SWIFTNet FIN, which
allows the exchange of messages formatted with the traditional SWIFT MT
standards.
• SWIFTNet FIN and a range of other products and messaging services are
delivered using SWIFTNet, an IP-based messaging platform which acts as a
“single window environment” for the messaging needs of SWIFT users.


How SWIFT works
Functioning of SWIFT, the non-technical way
• The SWIFT system allows customers to send payments in various currencies from
one bank to virtually any other bank in the world.
• Say Garrulous Grocer in India would like to pay US$100,000 to their supplier,
Shiny Stones in the USA. They would contact their local bank office in India and
instruct it to send a payment, providing the name and account of the beneficiary
(in this case, Shiny Stones), the amount to be transferred, and the receiving
bank’s SWIFT code.
• Once Garrulous Grocer’s bank receives the instruction (and confirms that it is
legitimate), it debits their account by US$100,000 and sends a SWIFT message to
Shiny Stones’ bank in the USA with the instruction to credit Shiny Stones’
account with US$100,000.


How SWIFT Works
Transaction Infrastructure Services
• Authentication and identification of the agents that take part in the transaction
process by using encryption technologies
• Validation of the payment means against the system
• Verification of the payer’s ability to pay
• Authorization for the transfer of funds between the parties involved
• Processing and recording payment instructions
• The communication of the information between the financial institutions


Message Flow
[slide shows a diagram only]


SWIFT Alliance Workstation
[slide shows a screenshot only]


SWIFT Alliance Components
• Application Interface
- Connects the host application (for example the core banking system, CBS) with the
messaging software

• BK Management:
- Bilateral key management. This holds the keys exchanged with correspondent banks, so
the auditor can obtain a trail of the banks with which transactions have taken place.
(Bilateral key exchange has since been superseded by SWIFT’s Relationship Management
Application, RMA, which serves the same audit purpose: it records which correspondents
the bank is authorised to exchange messages with.)

• Calendar setting:
- Holiday setting

• Event Journal:
- Acknowledgement (ACK) and Negative Acknowledgement (NACK) messages are
stored here. An ACK shows that SWIFT accepted the message for transmission and a
NACK that it was rejected; delivery to the recipient is reported separately.

• Message Approval / Creation / Modification


• Message File
- Stores all inbound and outbound messages

SWIFT Alliance Components
• Monitoring
- Shows total number of messages and amount of money transfer

• Routing
- How the communication will be routed

• Security Definition
- Contains security policies

• SWIFT Interface
- Interface with messaging software and communication software


SWIFTNet
SWIFTNet FIN:
• enables exchange of messages with the SWIFT MT standards.
• MT is short for “Message Type”
• Each MT is followed by a 3 digit number.
• The first digit represents the Category.
- A category denotes messages grouped together because they all relate to particular
financial instruments or services.


What is SWIFT Code
A SWIFT code is a unique identification code that identifies the specific bank to
which the funds are being sent. The SWIFT code, also called a Bank Identifier
Code (BIC), is composed of eight or eleven characters and contains the
following information:
• The first 4 characters identify the bank, and are usually closely related to the
bank’s name or abbreviated name.
• The next 2 characters are the country code, identifying which country the bank is
located in.
• The next 2 characters (letters or numbers) are the location code, identifying the
city in that country where the bank’s head office is.
• The last 3 optional characters (letters or numbers) identify the bank’s specific
branch office, instead of its national head office.


Security of SWIFT payment?
Strengths and weaknesses of SWIFT
• SWIFT payments are an easy to use, safe, secure, and quick way of making
payments and transferring funds across currencies. Several security checks, like
the following, are usually performed when a SWIFT payment is initiated:
- Checks to ensure fraud is not being committed by the sender (“Know Your Client”
rules), and Anti Money Laundering (AML) checks as well.
- The receiving bank also conducts similar checks, to ensure the funds are being
disbursed to the correct account.
- These checks can add time to the process of sending and receiving a SWIFT
payment, so currency transfers can sometimes take two to three days.

• These security checks are not always a guarantee that the person or business
receiving the funds is not fraudulent, or that they will deliver the services or
goods they are obliged to deliver.


SWIFT message standards
SWIFT messages consist of five blocks of data: three headers, the message
content, and a trailer. Message types are crucial to identifying content.
• All SWIFT messages include the word "MT" (Message Type), followed by a 3-digit
number denoting the message category, group and type, e.g. MT103.
- The first digit represents the category. A category denotes messages that relate to
particular financial instruments or services, such as Customer Payments (1), Treasury (3)
or Precious Metals (6).
- The second digit represents a group of related parts in a transaction life cycle. For
example, in category 2 a 0 (MT 200, MT 202) indicates a financial institution transfer.
- The third digit denotes the specific message. There are several hundred message
types across the categories; for example MT 103 is a Single Customer Credit Transfer.

• The SWIFT MT messages are categorised into 10 categories based on the
type of functionality they support.


SWIFT message standards - MT
Types Description
MT0xx System messages
MT1xx Customer Payments and Cheques
MT2xx Financial Institution Transfers
MT3xx Treasury Markets
MT4xx Collection and Cash Letters
MT5xx Securities Markets
MT6xx Treasury Markets, Metals, and Syndication
MT7xx Documentary credit and Guarantees
MT8xx Travellers Cheques
MT9xx Cash Management and Customer Status


Example: MT 1XX: Customer Payments and Cheques
SWIFT MT Description
MT 101 Request for Transfer
MT 102 Multiple Customer Credit Transfer
MT 102+(STP) Multiple Customer Credit Transfer (STP)
MT 103 Single Customer Credit Transfer
MT 103+ (REMIT) Single Customer Credit Transfer (REMIT)
MT 103+ (STP) Single Customer Credit Transfer (STP)
MT 104 Direct Debit and Request for Debit Transfer Message (STP)
MT 105 EDIFACT Envelope
MT 106 EDIFACT Envelope
MT 107 General Direct Debit Message
MT 110 Advice of Cheque(s)
MT 111 Request for Stop Payment of a Cheque
MT 112 Status of a Request for Stop Payment of a Cheque
MT 121 Multiple Interbank Funds Transfer (EDIFACT FINPAY Message)
MT 190 Advice of Charges, Interest and Other Adjustments
MT 191 Request for Payment of Charges, Interest and Other Expenses
MT 192 Request for Cancellation
MT 195 Queries
MT 196 Answers
MT 198 Proprietary Message
MT 199 Free Format Message


Understanding a SWIFT Message

Message blocks
A message consists of blocks enclosed in curly braces. The first colon separates
the block name and content. The block content can consist of sub-blocks. A typical
SWIFT user-to-user message may consist of:

1: BASIC HEADER BLOCK
2: APPLICATION HEADER BLOCK
3: USER HEADER BLOCK
4: TEXT BLOCK
5: TRAILER BLOCK


Understanding a SWIFT Message

1. Basic header block containing information about the message source.
• The Basic header block {1:F01TESTBIC12XXX0360105154} contains five fixed-length
fields:
- F — Application ID
- 01 — Service ID
- TESTBIC12XXX — Logical terminal address (the sending terminal of an input
message; the receiving terminal of an output message)
- 0360 — Session number
- 105154 — Sequence number


Understanding a SWIFT Message

2. Application header block with information about message type and destination of
the message.
• This block can be either of type Input or Output. The instant Output block
{2:O5641057130214TESTBIC34XXX26264938281302141757N} contains a set of
fixed-length fields:
- O — Direction
- 564 — Message type
- 1057 — Input time
- 130214 — Input date
- TESTBIC34XXX — Logical terminal address of the message sender (input date,
sender address, session and sequence together form the Message Input Reference, MIR)
- 2626 — Session number
- 493828 — Sequence number
- 130214 — Output date
- 1757 — Output time
- N — Priority
• An input block has a different structure and consists of six fixed-length fields:
direction (I), message type, the receiver’s logical terminal address, priority,
delivery monitoring and obsolescence period.


Understanding a SWIFT Message

3: Optional User header block contains sub-blocks with optional processing
instructions. In the example block {3:{103:CAD}{108:2RDRQDHM3WO}}, sub-block 103
specifies a Service identifier and 108 a Message user reference.

4: Text block with the actual content of the message. It consists of fields of the
form :tag:value, each starting on its own line, and is closed by a line holding only
a hyphen.

5: User trailer block. The trailer consists of sub-blocks. In the example
{5:{CHK:C77F8E009597}} it contains a Checksum.
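To make the block layout concrete, the parser below is an added example written for this page; it is not SWIFT's software and does not come from the original slides. It covers the BIC decomposition from the "What is SWIFT Code" slide as well as blocks 1 to 5 described above, and it goes beyond the slide's output header to handle the input form that a sending bank's interface produces, since that is what an auditor sees in the outbound message file. The MT category table is the one on the earlier "SWIFT message standards - MT" slide. The sample MT 103, its references and every BIC in it (TESTINBB, TESTUS33) are constructed, fictitious test values; the only string taken from the slides is the output application header.

```python
import re

# MT categories as tabulated on the "SWIFT message standards - MT" slide.
MT_CATEGORIES = {"0": "System messages", "1": "Customer Payments and Cheques",
                 "2": "Financial Institution Transfers", "3": "Treasury Markets",
                 "4": "Collection and Cash Letters", "5": "Securities Markets",
                 "6": "Treasury Markets, Metals, and Syndication",
                 "7": "Documentary credit and Guarantees", "8": "Travellers Cheques",
                 "9": "Cash Management and Customer Status"}
BIC_RE = re.compile(r"^([A-Z]{4})([A-Z]{2})([A-Z0-9]{2})([A-Z0-9]{3})?$")

def parse_bic(bic):
    """Split an 8- or 11-character BIC into the four parts described on the slide."""
    m = BIC_RE.match(bic)
    if not m:
        raise ValueError("malformed BIC: %r" % bic)
    bank, country, location, branch = m.groups()
    return {"bank": bank, "country": country, "location": location,
            "branch": branch or "XXX"}  # a BIC8 is the BIC11 with branch XXX

def lt_to_bic(lt_address):
    """A 12-character logical terminal address is BIC8 + LT code + branch code."""
    return lt_address[:8] + lt_address[9:]

def split_blocks(raw):
    """Top-level {n:...} blocks, matched by brace depth (blocks 3 and 5 nest sub-blocks)."""
    blocks, i = {}, 0
    while i < len(raw):
        if raw[i].isspace():
            i += 1
            continue
        if raw[i] != "{":
            raise ValueError("expected '{' at offset %d" % i)
        depth, j = 0, i
        while j < len(raw):
            depth += {"{": 1, "}": -1}.get(raw[j], 0)
            if depth == 0:
                break
            j += 1
        if depth != 0:
            raise ValueError("unbalanced braces in block at offset %d" % i)
        name, _, content = raw[i + 1:j].partition(":")
        blocks[name] = content
        i = j + 1
    return blocks

def parse_sub_blocks(content):
    """'{103:CAD}{108:REF}' -> {'103': 'CAD', '108': 'REF'} (blocks 3 and 5)."""
    return dict(re.findall(r"\{([A-Z0-9]+):([^{}]*)\}", content))

def parse_basic_header(s):
    """Block 1: five fixed-length fields, 25 characters in total."""
    if len(s) != 25:
        raise ValueError("basic header must be 25 characters, got %d" % len(s))
    return {"application_id": s[0], "service_id": s[1:3], "lt_address": s[3:15],
            "session": s[15:19], "sequence": s[19:25]}

def parse_application_header(s):
    """Block 2: the layout depends on the direction, I (input) or O (output)."""
    direction, mt = s[0], s[1:4]
    if direction == "I":
        hdr = {"receiver_lt": s[4:16], "priority": s[16:17],
               "delivery_monitoring": s[17:18], "obsolescence": s[18:21]}
    elif direction == "O":  # input time, MIR (date, sender LT, session, seq), output date/time
        hdr = {"input_time": s[4:8], "input_date": s[8:14], "sender_lt": s[14:26],
               "session": s[26:30], "sequence": s[30:36], "output_date": s[36:42],
               "output_time": s[42:46], "priority": s[46:47]}
    else:
        raise ValueError("unknown direction %r" % direction)
    return dict(hdr, direction=direction, mt=mt)

def parse_text_block(content):
    """Block 4: ':tag:value' fields, one per line, closed by a lone '-'; values may span lines."""
    body = content.strip()
    if body.endswith("-"):
        body = body[:-1].rstrip()
    return [(tag, val.strip()) for tag, val in
            re.findall(r":(\d{2}[A-Z]?):(.*?)(?=\n:\d{2}[A-Z]?:|\Z)", body, re.S)]

def parse_fin(raw):
    """Parse a full FIN message and derive the fields an auditor looks at first."""
    blocks = split_blocks(raw)
    msg = {"basic": parse_basic_header(blocks["1"]),
           "application": parse_application_header(blocks["2"]),
           "user": parse_sub_blocks(blocks.get("3", "")),
           "text": parse_text_block(blocks.get("4", "")),
           "trailer": parse_sub_blocks(blocks.get("5", ""))}
    app, lt1 = msg["application"], msg["basic"]["lt_address"]
    # Block 1 names the sending LT of an input message but the receiving LT of an output.
    sender_lt, receiver_lt = (lt1, app["receiver_lt"]) if app["direction"] == "I" else (app["sender_lt"], lt1)
    msg.update(sender_bic=lt_to_bic(sender_lt), receiver_bic=lt_to_bic(receiver_lt),
               mt=app["mt"], category=MT_CATEGORIES[app["mt"][0]],
               free_format=app["mt"].endswith("99"),  # MT n99: no structured fields to validate
               has_checksum="CHK" in msg["trailer"])
    return msg

# Constructed sample (built for this example, not taken from the slides): the MT 103
# Garrulous Grocer's bank would input. Every BIC in it is a fictitious test identifier.
SAMPLE_MT103 = ("{1:F01TESTINBBAXXX0000000001}{2:I103TESTUS33AXXXN}{3:{108:GRGR20180310A}}"
                "{4:\n:20:GRGR2018031001\n:23B:CRED\n:32A:180310USD100000,00\n"
                ":50K:/001122334455\nGARRULOUS GROCER\nMUMBAI\n:59:/9876543210\nSHINY STONES\n"
                "NEW YORK\n:71A:SHA\n-}{5:{CHK:0000000000AA}}")
SLIDE_OUTPUT_HEADER = "O5641057130214TESTBIC34XXX26264938281302141757N"  # from the slide
```

Calling parse_fin(SAMPLE_MT103) yields mt "103", category "Customer Payments and Cheques", sender BIC TESTINBBXXX, receiver BIC TESTUS33XXX and six text fields; the free_format flag is what an auditor would filter on when reviewing MT 799 traffic of the kind discussed on the next slide. The brace-depth block splitter matters because a flat regex on `{...}` breaks on the nested sub-blocks of blocks 3 and 5.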


MT 799 from Issuing Bank

• An MT message whose type ends in 99 is a free format message; it needs confirmation.
• If a standard message format exists for a message, use of the free format would be
unusual.
Daily Validation Reports
This report is generated from the “Monitoring” option
• Activity and risk reporting of inbound and outbound messages
• Highlights new counterparty relationships and payment flows
• Risk review of large or unusual transaction values and volumes
• Currency, country and direct and indirect activity breakdowns
• Out-of-hours transactions
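The report items above can be recomputed locally from the messages held in the messaging interface's message file, which is useful when an auditor wants to check the figures independently of the Monitoring option. The following is an added example written for this page; it is not SWIFT's own Daily Validation Report logic. The day's messages, the counterparty history, the business-hours window and the value thresholds are all constructed assumptions, and every BIC is a fictitious test identifier.

```python
from collections import defaultdict
from datetime import datetime, time
from statistics import median

# Assumed policy values for this example; a real report takes them from the
# institution's own risk configuration.
BUSINESS_HOURS = (time(9, 0), time(18, 0))  # local sending window, Monday to Friday
LARGE_VALUE_ABS = 500_000.0                 # flag any single amount at or above this
LARGE_VALUE_MULT = 5.0                      # also flag amounts above 5x the currency's median
MIN_SAMPLE_FOR_MEDIAN = 3                   # a median over one or two messages means little

# Counterparty BICs seen in earlier reporting periods (constructed history).
KNOWN_COUNTERPARTIES = {"TESTUS33XXX", "TESTGB2LXXX"}

# Constructed outbound traffic for one day; every BIC is a fictitious test identifier.
MESSAGES = [
    {"ref": "A1", "mt": "103", "counterparty": "TESTUS33XXX", "ccy": "USD",
     "amount": 100_000.0, "sent": datetime(2018, 3, 9, 10, 15)},
    {"ref": "A2", "mt": "103", "counterparty": "TESTUS33XXX", "ccy": "USD",
     "amount": 120_000.0, "sent": datetime(2018, 3, 9, 11, 40)},
    {"ref": "A3", "mt": "202", "counterparty": "TESTGB2LXXX", "ccy": "GBP",
     "amount": 75_000.0, "sent": datetime(2018, 3, 9, 14, 5)},
    {"ref": "A4", "mt": "103", "counterparty": "TESTUS33XXX", "ccy": "USD",
     "amount": 95_000.0, "sent": datetime(2018, 3, 9, 15, 30)},
    {"ref": "A5", "mt": "202", "counterparty": "TESTHKHHXXX", "ccy": "USD",
     "amount": 4_800_000.0, "sent": datetime(2018, 3, 9, 23, 47)},   # Friday night
    {"ref": "A6", "mt": "103", "counterparty": "TESTUS33XXX", "ccy": "USD",
     "amount": 110_000.0, "sent": datetime(2018, 3, 10, 9, 30)},     # Saturday
]

def bic_country(bic):
    """Characters 5 and 6 of a BIC are the ISO country code."""
    return bic[4:6]

def is_out_of_hours(sent):
    """Weekend, or outside the business window on a weekday."""
    start, end = BUSINESS_HOURS
    return sent.weekday() >= 5 or not (start <= sent.time() < end)

def daily_validation_report(messages, known_counterparties):
    """Build the activity and risk breakdown listed on the slide."""
    by_ccy = defaultdict(lambda: {"count": 0, "total": 0.0})
    by_country, by_mt, amounts = defaultdict(int), defaultdict(int), defaultdict(list)
    for m in messages:
        by_ccy[m["ccy"]]["count"] += 1
        by_ccy[m["ccy"]]["total"] += m["amount"]
        by_country[bic_country(m["counterparty"])] += 1
        by_mt[m["mt"]] += 1
        amounts[m["ccy"]].append(m["amount"])
    medians = {c: median(a) for c, a in amounts.items() if len(a) >= MIN_SAMPLE_FOR_MEDIAN}

    new_cps = sorted({m["counterparty"] for m in messages} - set(known_counterparties))
    new_cp_refs = [m["ref"] for m in messages if m["counterparty"] in new_cps]
    large = [m["ref"] for m in messages
             if m["amount"] >= LARGE_VALUE_ABS
             or (m["ccy"] in medians and m["amount"] > LARGE_VALUE_MULT * medians[m["ccy"]])]
    out_of_hours = [m["ref"] for m in messages if is_out_of_hours(m["sent"])]
    return {"by_currency": dict(by_ccy), "by_country": dict(by_country), "by_mt": dict(by_mt),
            "new_counterparties": new_cps, "new_counterparty_refs": new_cp_refs,
            "large_value": large, "out_of_hours": out_of_hours,
            "review_queue": sorted(set(new_cp_refs) | set(large) | set(out_of_hours))}

if __name__ == "__main__":
    report = daily_validation_report(MESSAGES, KNOWN_COUNTERPARTIES)
    for key in ("new_counterparties", "large_value", "out_of_hours", "review_queue"):
        print("%-20s %s" % (key, report[key]))
```

On the constructed day, A5 trips all three risk checks at once (new counterparty, value far above both thresholds, sent at 23:47) and A6 is flagged only for being sent on a Saturday; the review queue therefore holds A5 and A6. The median-based test is deliberately skipped for currencies with fewer than three messages, so a single GBP payment is not compared against itself.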


The PNB story and SWIFT
• What happened?
- The core banking system of PNB was bypassed: payment undertakings (Letters of
Undertaking, LoUs) were raised over SWIFT to overseas branches of other Indian banks,
including Allahabad Bank, Axis Bank, and Union Bank of India.

• So why are we talking about SWIFT?
- SWIFT is not where the scam took place, but it was the tool used to intimate foreign
branches about the issuance of LoUs. Like a car used for a robbery!
- The question is how such transfers did not go through the strict checks and balances
that every banking transaction goes through.


SWIFT Security Control Framework

Scope of security control
• Local SWIFT infrastructure
- Secure zone: messaging interface, communication interface, SWIFTNet Link,
connector, SWIFT hardware
- Firewalls, routers, etc.
• Data exchange layer
• Operators and operator PCs


SWIFT Security Control Framework: Architecture

Architecture A1 – Full stack


• Both the messaging interface and communication interface are within the user
environment.


SWIFT Security Control Framework: Architecture

Architecture A2– Partial stack


• The messaging interface is within the user environment, but a service provider
(for example, a service bureau, SWIFT Alliance Remote Gateway or a group
hub) owns the licence for and manages the communication interface.

SWIFT Security Control Framework: Architecture

Architecture A3 – Connector
• A software application (for example, Alliance Lite2 AutoClient, file transfer
solutions) is used within the user environment to facilitate application-to-
application communication with an interface at a service provider


SWIFT Security Control Framework: Architecture

Architecture B – No local user footprint


• No SWIFT-specific infrastructure component is used within the user
environment.
- Users only access SWIFT services via a GUI application at the service provider
- Users’ back-office applications communicate with the service provider through middleware


SWIFT Security Control Framework: Applicability
SWIFT has come out with a detailed security control framework
• Security controls applicable for architectures A1, A2, and A3 are identical.
• Fewer security controls apply to users of architecture type B.
• Each control is given a unique number and title.
• The controls are of two types:
- Mandatory
- Advisory: for an advisory control, the control number is appended with an "A".


Security Control Summary
[two slides showing the control summary table only]


Thank You!
For more detailed discussion log in:

[Link]

