SWIFT:
The Financial Industry Infrastructure for Secure Messaging

Gabriel Soriano
October 4th, 2006
NYSSCPA Banking Convention


Corp_present_20060927_v27.ppt                                Slide 1
Agenda
1 Overview of SWIFT
2 Access to the SWIFT interface
3 Access to the SWIFT network
4 Message integrity, confidentiality controls
5 Messaging Service and Interface Control functions
Introducing SWIFT
[Section divider; of the diagram only the "Platform" label survived extraction.]
The SWIFT community
Banks founded SWIFT in 1973; the diagram shows the community widening in later waves (1996, 2000) to include:
– securities market data providers
– broker/dealers
– central depositories & clearing institutions
– exchanges
– travellers cheque issuers
– fund administrators
– money brokers
– MA-CUGs (member-administered closed user groups)
– registrars & transfer agents
– securities MIs (market infrastructures)
– custody providers
– trust or fiduciary services companies
– treasury counterparties
– treasury ETC service providers
– investment managers
– payments MIs
– proxy voting agencies
– non-shareholding financial institutions
– trading institutions
– treasury securities ETC service providers
SWIFT governance
Oversight
– National Bank of Belgium and G-10 Central Banks
Governance
– Board
– Board Committees
– National Member Groups
– User Groups
– SWIFT members
– SWIFT community
Sibos – forum for industry dialogue
– Financial industry’s premier event
– Global forum to debate strategic issues
– Conference, exhibition, networking
– 6,000 executives and technology managers
– 2007: Boston, US, 1-5 October
Working with SWIFT Partners
– Solution Partners: providers of business applications, middleware, and interfaces
– Service Partners: implementation and integration of connectivity and SWIFTSolutions
– Business Partners: marketing and selling SWIFT products
– Network Partners: AT&T, Colt, Equant, BT Infonet
SWIFT figures (July 2006)
– 2.5 billion messages per year
– 7,940 customers
– 206 countries
– Average daily traffic 11.2 million messages
– Peak day of 12.8 million messages, 30 June 2006
SWIFTNet FIN messages by market (July 2006)
– Payments: 895 million messages (55%)
– Securities: 605 million messages (37%)
– Treasury: 104 million messages (6%)
– Trade: 27 million messages (2%)
Traffic and Pricing
Harnessing economies of scale
[Chart: price per message (EUR cent/msg, axis 5 to 50) plotted against annual traffic (millions of messages, axis 0 to 3000); the data series did not survive extraction.]
Extending reach
Embracing the business community
[Diagram: three overlapping communities, Corporates, Securities, and Banking and Payments.]
Banking Market Infrastructures – July 2006
High-Value Payments
Live:
Albania (AIP); Algeria (RTGS); Angola (PTR); Australia (PDS); Austria (ARTIS); Azerbaijan (AZIPS); Bahamas (BHS); Barbados (BDS); Belgium (ELLIPS); Bosnia & Herzegovina (BIH); Bulgaria (BGN-RINGS); Canada (LVTS); Chile (Netting - LBTR); CLS Bank; Croatia (HSVP); Denmark (DDK-KRONOS); Egypt (CBE); EBA Clearing (EURO1/STEP1); ECB (TARGET); Finland (BOF); France (CRI – PNS/TBF); Germany (RTGSPlus); Ghana (GISS); Greece (HERMES); Guatemala (RTGS); Hungary (VIBER); Ireland (IRIS); Italy (BIREL); Jordan (RTGS); Kenya (KEPSS); Kuwait (RTGS); Latvia (LVL); Luxemburg (LIPS); Malta (MARIS); Mauritius (MACSS); Namibia (NISS); Netherlands (TOP); New Zealand (AVP); Norway (NICS); Oman (RTGS); Philippines (PPS); Romania (REGIS); Slovenia (SIPS); South Africa (BOP - RTGS - SAMOS); Spain (NSLBE - SLBE); Sri Lanka (LankaSettle); Sweden (RIX); Switzerland (Remote Gate); Tanzania (TISS); Thailand (BAHTNET/2); Trinidad & Tobago (SAFE-TT); Uganda (UNIS); United Kingdom (CHAPS-£ / CHAPS-€ / Enquiry Link); United States (CHIPS); Venezuela (PIBC); Zambia (RTGS); Zimbabwe (ZETTS); West African States (BCEAO)
Implementation:
Bahrain (RTGS); Botswana (RTGS); Central African States (BEAC); Eurosystem (TARGET2); Israel (RTGS); Lesotho (RTGS); Morocco (RTGS); Pakistan (RTGS); Singapore (MEPS+); Tunisia (RTGS)
Planning/Discussion:
Fiji (RTGS); Georgia (RTGS); Lebanon (RTGS); Palestine (RTGS); Peru (RTGS); Russian Federation (RTGS)
Community and Business dimensions
Heritage
– Established in 1973 by 239 banks in 15 countries
– Developed shared messaging platform for financial transactions
– Emphasis on security, reliability and availability
Understanding
– Serving over 7,800 financial institutions across 204 countries
– Payments, Securities, Foreign Exchange, Treasury and Trade
– Reducing costs, improving automation, managing risk
Neutrality
– Industry-owned community
– Overseen by regulatory authorities
– Impartial to the data transacted across the messaging platform
Technology
– Store and forward, file transfer, interactive query & response
– Open standards
– IP VPN over fibre-optic backbone
SWIFT
– Business and technical messaging: communications across the lifecycle of a financial transaction
– SWIFT does NOT provide clearing or settlement services
– SWIFT does not hold accounts or assets
– Participants are responsible for their data
– SWIFT is neutral, apolitical and user-owned
Introducing SWIFT
[Section divider; of the diagram only the "Platform" label survived extraction.]
Message categories
0 System messages
1 Customer transfers & cheques
2 Financial institutions transfer
3 Foreign exchange, money markets & derivatives
4 Collections & cash letters
5 Securities markets
6 Precious metals & syndications
7 Documentary credits & guarantees
8 Travellers cheques
9 Cash management & customer status
Message structure
[Diagram; no text survived extraction.]
SWIFTStandards development
A business centric approach
[Diagram: business process modelling at the top; Standards, SWIFTNet, Market practice and Applications Integration as the pillars, delivered by SWIFT and Partners.]
SWIFTStandards
Payments market
[Diagram of the payment chain: ordering customer → ordering customer’s financial institution → beneficiary customer’s financial institution → beneficiary customer.]
– Customer to bank: Payment Initiation (CT + DD), MT 101; Cash Management, MT 9xx; Exceptions & Investigations
– Bank to bank: Single Credit Transfers, Exceptions & Investigations, Cash Management, Bulk Payments (CT + DD); MT 1xx, 2xx and MT 9xx
– Bank to customer: Cash Management, MT 9xx; Exceptions & Investigations
Legend: FIN-based (MT) flows versus XML-based flows (under construction).
Introducing SWIFT
[Section divider; of the diagram only the "Platform" label survived extraction.]
Single access infrastructure
Applications: Payments, Foreign Exchange, Trade, Securities, Account Reporting, Treasury, Investigation
Messaging Services: FIN, FileAct, InterAct, Browse
One SWIFTNet interface connects the applications, through SWIFTNet, to ABC Bank, XYZ Bank, Other Bank, Any Bank
Benefits
– One platform
– Full STP
– Highest level of security and resiliency
– Standards
– Lower costs
– Reduced risk
– Improved liquidity management
– Facilitate compliance
SWIFT product stack (top to bottom)
– SWIFTSolutions: Payments, Treasury, Trade, Securities
– Standards, Rules, Quality of service
– Messaging Services
– Interfaces, with Directories and Information Services alongside
– Secure IP Network (SIPN)
– Reliability as the foundation
Identify potential risks in the following areas:
– Access to the SWIFT interface
– Access to the SWIFT network
– Integrity/confidentiality of the SWIFT messages
– Integrity of the message flow
SWIFT interfaces
Functions of the interface:
– Open and close connection to STN/SIPN
– Send messages to SWIFT
– Receive messages from SWIFT
– Manually enter messages
– Accept messages from a back office application
– Send messages to a back office application
– Send messages to a printer
SWIFT interfaces
Interface products:
– SWIFTAlliance Access
– SWIFTAlliance Entry
– MERVA/ESA
– TURBO SWIFT
– STELINK
– MINT
– FASTWIRE
– BESS
– NOVA SWIFT
– ...
Connecting to SWIFTNet
Many ways of implementing…
[Diagram: Business layer → Messaging layer → Communication layer → SWIFTNet Services.]
– Business layer: back office applications, optionally behind middleware
– Messaging layer: messaging interfaces
– Communication layer: communication interfaces and the VPN box
– SWIFTNet, reaching your counterparty
SWIFTAlliance interface
[Diagram: Application layer → Middleware layer → Messaging layer → Communication layer → SWIFTNet Services.]
– Messaging layer: SWIFTAlliance Access (SAA) or SWIFTAlliance Entry (SAE)
– Communication layer: SWIFTAlliance Gateway (SAG) or SWIFTAlliance Starter Set (SAS), then the VPN box
– SWIFTNet connects you to your counterparty
Signing on to the SWIFT interface
[Slide content did not survive extraction.]
Passwords
– Initialisation password
– Master password
Questions to ask:
– Are the password documents still available?
– Who has access to the password documents?
Users of the SWIFT interface
– Anonymous names vs personal operator names
– Are all operators still using the interface?
Enabling an operator
– Automatic: the operator is enabled once approved by both the LSO and the RSO (the Left and Right Security Officers), so no single person can enable an operator on their own
Disabling an operator
– Automatic after too many wrong passwords
– Manually by the LSO, the RSO or anybody with the disabling permission
Security parameters
– List of configuration parameters, e.g. user period, max # of bad passwords…
– Only visible to the LSO and RSO
SWIFTAlliance: Segregation of duties
[Diagram: message Creation, Verification and Authorisation (Approval) as separate steps, with Modification shown as a distinct function.]
The point of the chain is that the operator who creates or modifies a message should not be the one who approves it.
Profiles
– Each operator has at least one profile
– A profile defines the applications, functions and permissions for one or more operators
– One profile can be given to several operators
– If a profile’s permissions change, the operators holding it are disabled; the LSO and RSO must re-approve these operators
Profile details
A profile has 3 levels:
– applications
– functions
– permissions
Permission details
[Example permission screen]
– "Prohibited nothing" = no restrictions on that function
– Allowed are all MTs starting with 1, 2 and 9
– SWIFT FIN system MTs (category 0) are not allowed
What to check in a profile?
– Access control
– Message creation and modification
– Message approval
– Message file
– Security definition
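The operator and profile controls above (enabling and disabling an operator, profiles, permission details, segregation of duties) can be expressed as a small model that an auditor can query. The following is an added example, not SWIFTAlliance code: the role names LSO and RSO are the slides', while the function names ("create", "modify", "authorise"), the MT prefixes and the lockout threshold of 3 are assumptions for illustration.

```python
# Added example (not SWIFTAlliance code): a toy model of the operator and
# profile controls described in this section, with the checks an auditor
# would run against them. Function names, MT prefixes and the lockout
# threshold are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set

SECURITY_OFFICERS = {"LSO", "RSO"}
MAX_BAD_PASSWORDS = 3        # assumed value of the "max # of bad passwords" parameter


@dataclass
class Profile:
    name: str
    functions: Set[str] = field(default_factory=set)   # e.g. "create", "modify", "authorise"
    # MT prefixes the profile may send ({"1", "2", "9"} on the permission screen);
    # None models the "Prohibited nothing" setting, i.e. no restriction
    allowed_mt_prefixes: Optional[Set[str]] = None


@dataclass
class Operator:
    name: str
    profiles: List[Profile]                            # at least one profile per operator
    approvals: Set[str] = field(default_factory=set)   # security officers who approved
    bad_passwords: int = 0
    enabled: bool = False


def approve(op: Operator, officer: str) -> bool:
    """Enabling an operator: enabled only once both the LSO and the RSO approved."""
    if officer not in SECURITY_OFFICERS:
        raise ValueError(f"{officer} is not a security officer")
    op.approvals.add(officer)
    op.enabled = op.approvals == SECURITY_OFFICERS
    return op.enabled


def record_bad_password(op: Operator) -> bool:
    """Disabling an operator: automatic after too many wrong passwords.
    Approvals are cleared so re-enabling needs fresh LSO and RSO approval."""
    op.bad_passwords += 1
    if op.bad_passwords >= MAX_BAD_PASSWORDS:
        op.enabled = False
        op.approvals.clear()
    return op.enabled


def change_permissions(profile: Profile, new_prefixes: Optional[Set[str]],
                       operators: List[Operator]) -> List[str]:
    """Profiles: changing a profile's permissions disables every operator holding it."""
    profile.allowed_mt_prefixes = new_prefixes
    disabled = []
    for op in operators:
        if profile in op.profiles:
            op.enabled = False
            op.approvals.clear()
            disabled.append(op.name)
    return disabled


def may_send(op: Operator, mt: str) -> bool:
    """Permission details: FIN system MTs (category 0) are never allowed;
    otherwise any one of the operator's profiles may grant the MT prefix."""
    if not op.enabled or mt.startswith("0"):
        return False
    return any(p.allowed_mt_prefixes is None
               or any(mt.startswith(x) for x in p.allowed_mt_prefixes)
               for p in op.profiles)


def sod_conflicts(operators: List[Operator]) -> List[str]:
    """Segregation of duties: operators whose combined profiles let them both
    create or modify a message and authorise it."""
    conflicts = []
    for op in operators:
        functions = set().union(*(p.functions for p in op.profiles))
        if functions & {"create", "modify"} and "authorise" in functions:
            conflicts.append(op.name)
    return sorted(conflicts)
```

The two findings an auditor cares most about fall out directly: `sod_conflicts` lists anyone whose profiles together cover creation and authorisation, and `change_permissions` shows why a profile edit must be followed by a re-approval pass, since every holder is left disabled until both security officers act again.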
Identify potential risks in the following areas:
– Access to the SWIFT interface
– Access to the SWIFT network
– Integrity/confidentiality of the SWIFT messages
– Integrity of the message flow
SWIFT’s Secure IP Network (SIPN)
[Diagram: Customer → managed customer premises equipment (M-CPE / VPN box) → Network Partner 1 or Network Partner 2 (POPs, SIPN access network) → backbone access points → SIPN backbone network → SWIFT operating centres (OPCs).]
IPsec tunnels between the customer’s VPN box and SWIFT provide end-to-end protection through the ‘untrusted’ vendor IP networks.
The tunnel protects the transport between the VPN box and SWIFT only: the link from the SWIFT interface to the VPN box on the customer’s own LAN sits outside it, and the message itself is protected separately by the authentication controls covered later.
Security equipment needed to connect to FIN
– Card readers
– Integrated Circuit Cards (ICCs)
[Diagram: Bank A and Bank B each equipped with a card reader and ICCs.]
Secure Card Reader (SCR)
– Functions related to the BKE (Bilateral Key Exchange) and SLS (Secure Login and Select) services
– Configuring and managing ICCs
– PIN updates
– SCR configuration
Integrated Circuit Card (ICC)
– Contains the functional elements of a microcomputer on a chip embedded in the card
– Works only when inserted into a card reader
– Protected by 1 or 2 PINs
– Unique reference = SWIFT Card Number (SCN)
Connecting to the SWIFT network
Secure Login and Select (SLS)
[Diagram: the LTC sends LOGIN to open the APC session; SELECT then opens the FIN session.]
Manual Login and Select
– Insert the USER ICC in the card reader
– Use the CBT (the SWIFT interface) to send Login and Select to SWIFT
Automated Login and Select
– No operator intervention
– The USER ICC must be in the card reader at Login and Select time, or
– Session keys must have been downloaded in advance
With pre-downloaded session keys the card need not be present, so the protection of the host that holds those keys becomes the control to check.
Disconnecting from the SWIFT network
[Diagram: QUIT closes the FIN session; LOGOUT closes the APC session.]
SWIFTNet FIN Phase 2
– PKI: FIN access control
– PKI: end-to-end security
– RMA: relationship management
[Diagram: each SWIFTNet FIN interface holds its PKI credentials in an HSM; PKI-based security applies between the interfaces across SWIFTNet/FIN.]
Identify potential risks in the following areas:
– Access to the SWIFT interface
– Access to the SWIFT network
– Integrity/confidentiality of the SWIFT messages
– Integrity of the message flow
Authentication
– Applied on user-to-user messages
– Assures the identity of the sender and the integrity of the message text
– Mandatory for most message types
Authenticator keys: what to check?
– Are keys regularly changed?
– Does the correspondent relationship still exist?
– Are keys securely stored?
– Is there a procedure for an unsuccessful BKE?
– Is there a procedure for messages that failed authentication?
Local Authentication
– Authentication between the back-office application and the SWIFT interface
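The authenticator checklist above (keys regularly changed, relationship still live, procedure for failed authentication) and the local authentication between back office and interface rest on the same mechanism: a keyed MAC over the message text under a key shared with the other party. The following is an added example and not SWIFT's authenticator algorithm or any product's code: FIN computed its authentication trailer with SWIFT's own algorithm over keys agreed by BKE, and HMAC-SHA256 stands in for it here. The BICs, keys, dates and the 180-day rotation policy are constructed assumptions.

```python
# Added example (not SWIFT's authenticator algorithm, not product code): the
# control logic behind message authentication and the authenticator-key
# checklist, run over a constructed bilateral-key registry. HMAC-SHA256 is a
# stand-in for the FIN authenticator; BICs, keys, dates and the 180-day policy
# are assumptions. The same function serves local authentication between the
# back-office application and the interface, with a separate local key.
import hmac
import hashlib
from datetime import date
from typing import Dict, List, Tuple

MAX_KEY_AGE_DAYS = 180    # assumed local policy behind "keys regularly changed?"

# constructed registry: (own BIC, correspondent BIC) -> bilateral key and metadata
KEYS: Dict[Tuple[str, str], dict] = {
    ("ABNKBEBB", "BNPAFRPP"): {"key": b"k1" * 16, "changed": "2006-07-01", "active": True},
    ("ABNKBEBB", "OLDBGB2L"): {"key": b"k2" * 16, "changed": "2005-01-15", "active": False},
}


def key_age_days(changed: str, today: str) -> int:
    """Days since the key was last changed; both dates as ISO strings."""
    return (date.fromisoformat(today) - date.fromisoformat(changed)).days


def authenticator(key: bytes, text: str) -> str:
    """MAC over the message text; 8 hex characters to mimic a short trailer value."""
    return hmac.new(key, text.encode("ascii"), hashlib.sha256).hexdigest()[:8].upper()


def verify(sender: str, receiver: str, text: str, mac_trailer: str,
           today: str) -> Tuple[bool, str]:
    """Accept only if the correspondent relationship is still live and the trailer
    matches the text under the shared key. The reason string is what the
    failed-authentication procedure would log before routing the message to a
    manual queue instead of straight-through processing."""
    entry = KEYS.get((receiver, sender))
    if entry is None:
        return False, "no bilateral key for this correspondent"
    if not entry["active"]:
        return False, "correspondent relationship ended; key kept for archive only"
    if not hmac.compare_digest(authenticator(entry["key"], text), mac_trailer):
        return False, "authenticator mismatch: text altered or wrong key"
    if key_age_days(entry["changed"], today) > MAX_KEY_AGE_DAYS:
        return True, "accepted; key older than policy, schedule a BKE"
    return True, "accepted"


def stale_keys(today: str) -> List[str]:
    """Checklist item 'keys regularly changed?': live correspondents whose key
    is past the rotation policy."""
    return sorted(corr for (_, corr), e in KEYS.items()
                  if e["active"] and key_age_days(e["changed"], today) > MAX_KEY_AGE_DAYS)
```

Two design points carry over to the real control: the comparison uses a constant-time check, and a message from a correspondent whose relationship has ended is rejected even when its trailer would verify, because a retained key is an archive artefact, not a live trust relationship.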
Integrity of the message flow: session numbers
[Diagram: Login opens APC session 1265; Select opens FIN session 1281.]
Every Login and Select opens a numbered session, so the session numbers give a first check that no session is missing or repeated.
Sequence numbers
– Input Sequence Number (ISN), e.g. 472136: numbers the messages the institution sends to SWIFT
– Output Sequence Number (OSN), e.g. 327185: numbers the messages SWIFT delivers to the institution
Message Input Reference (MIR)
        031020ABNKBEBBAXXX0142123456
– 031020: input date (YYMMDD)
– ABNKBEBBAXXX: sender’s address (12-character logical terminal address)
– 0142: input session number
– 123456: input sequence number
Message Output Reference (MOR)
        031020ABNKBEBBAXXX0142654321
– 031020: output date (YYMMDD)
– ABNKBEBBAXXX: receiver’s address (12-character logical terminal address)
– 0142: output session number
– 654321: output sequence number
Routing in the SWIFT interface
[Diagram: received messages routed by the interface to printer 1, printer 2 or a back office application.]
Routing in the SWIFT interface
– Are all messages accounted for?
– Are all the messages routed to the right place?
– Is there any specific routing for received messages with a PDE (Possible Duplicate Emission) or PDM (Possible Duplicate Message) trailer?
Interface/Network Audit Trails
Message File
– Keeps a copy of all messages
– Status and history of messages can be checked
Identification of a message: UUMID
(Unique) User Message Identifier
        IBNPAFRPPXXX202TR7823689
– I: input/output indicator
– BNPAFRPPXXX: correspondent
– 202: MT (message type)
– TR7823689: sender’s reference
Event Journal
– Events in the SWIFT interface
– Actions initiated by the software or actions by users
Search function in Event Journal
Search on:
– date and time
– class and severity
– operator
– description of the event
MT 081 Daily Check Report
– Lists the number of messages sent and received for all APC or FIN sessions closed since the previous MT 081
– Generated daily at approximately midnight local time, provided APC and FIN are closed
[Diagram: MT 081 reports shown against the FIN and APC sessions above the LTC.]
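The MIR, MOR and UUMID layouts above, together with the session and sequence numbers, are what make the routing question "are all messages accounted for?" and the MT 081 daily check report mechanically checkable. The following is an added example, not SWIFT's or any interface vendor's code: parsers for the three reference formats, a per-session sequence-number check over the message file, and a reconciliation against MT 081 counts. The MT 081 is represented only as a per-session count dictionary, which is an assumption about how its figures would be extracted; all references and counts are constructed.

```python
# Added example (not SWIFT's or any interface vendor's code): parsers for the
# MIR, MOR and UUMID formats shown in this section, then the two reconciliations
# behind "are all messages accounted for?": sequence-number gaps per session,
# and message-file counts against the MT 081 Daily Check Report. The MT 081 is
# modelled as a per-session count dictionary (an assumption); references and
# counts are constructed.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# date(6) + logical terminal address(12) + session(4) + sequence(6) = 28 characters
_MIR_MOR = re.compile(r"^(\d{6})([A-Z0-9]{12})(\d{4})(\d{6})$")
# I/O indicator(1) + correspondent(11) + MT(3) + sender's reference(1 to 16)
_UUMID = re.compile(r"^([IO])([A-Z0-9]{11})(\d{3})([A-Za-z0-9/\-?:().,'+ ]{1,16})$")


def parse_reference(ref: str, direction: str) -> dict:
    """Shared layout of MIR (direction 'I') and MOR (direction 'O')."""
    m = _MIR_MOR.match(ref)
    if not m:
        raise ValueError(f"malformed {'MIR' if direction == 'I' else 'MOR'}: {ref!r}")
    day, lt_address, session, sequence = m.groups()
    return {"direction": direction, "date": day, "lt_address": lt_address,
            "session": session, "sequence": int(sequence)}


def parse_mir(mir: str) -> dict:
    """MIR: input date, sender's LT address, input session, input sequence number."""
    return parse_reference(mir, "I")


def parse_mor(mor: str) -> dict:
    """MOR: output date, receiver's LT address, output session, output sequence number."""
    return parse_reference(mor, "O")


def parse_uumid(uumid: str) -> dict:
    """UUMID: I/O indicator, correspondent, MT and sender's reference."""
    m = _UUMID.match(uumid)
    if not m:
        raise ValueError(f"malformed UUMID: {uumid!r}")
    direction, correspondent, mt, reference = m.groups()
    return {"direction": direction, "correspondent": correspondent,
            "mt": mt, "reference": reference}


def sequence_report(refs: List[str], direction: str = "I") -> Dict[Tuple[str, str], dict]:
    """Group references by (LT address, session) and report the count, the
    sequence numbers missing from the range seen, and any duplicates.
    Sequence numbers are assumed contiguous within one session."""
    seen: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ref in refs:
        p = parse_reference(ref, direction)
        seen[(p["lt_address"], p["session"])].append(p["sequence"])
    report = {}
    for key, seqs in seen.items():
        expected = set(range(min(seqs), max(seqs) + 1))
        report[key] = {
            "count": len(seqs),
            "missing": sorted(expected - set(seqs)),
            "duplicates": sorted(s for s in set(seqs) if seqs.count(s) > 1),
        }
    return report


def reconcile_with_mt081(report: Dict[Tuple[str, str], dict],
                         mt081_counts: Dict[Tuple[str, str], int]) -> List[Tuple[str, str]]:
    """Sessions where the message-file count disagrees with the MT 081 count,
    including sessions present on one side only."""
    keys = set(report) | set(mt081_counts)
    return sorted(k for k in keys
                  if report.get(k, {}).get("count") != mt081_counts.get(k))
```

Run `sequence_report` over the MIRs of everything the message file says was sent and `reconcile_with_mt081` against the day's report: a session with a missing sequence number and a count below the MT 081 figure is a message SWIFT accepted that the local record no longer shows, which is exactly the kind of gap the routing checks are meant to surface; a duplicate sequence number points the other way, at a message stored twice or re-sent.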
MT 082 Undelivered Message Report
– Received from SWIFT every day
– Lists all undelivered messages at generation time: messages sent by your institution but not yet received by your correspondent
Example of an auditor’s profile
Application          | Functions                                        | Permissions
Access Control       | Signon                                           | Start and End time
Applic. Interface    | Open/Print Partner                               | First part Local Aut Key = Yes
BK Management        | Open/Print Communicating Pair (pre-agree/keys)   | Access CP: Prohibited nothing
Event Journal        | -                                                |
Message File         | Search                                           | Completely hide messages of other units = No
Security Definition  | -                                                |
The profile is read-only: it carries no message creation, modification or approval functions, and its sign-on is limited to a start and end time.
Making financial messaging safer and less costly