Slide 1 Corp_present_20060927_v27.ppt
Gabriel Soriano, October 4th, 2006, NYSSCPA Banking Convention
SWIFT: The Financial Industry Infrastructure for Secure Messaging
Slide 2
Agenda
1 Overview of SWIFT
2 Access to the SWIFT interface
3 Access to the SWIFT network
4 Message integrity, confidentiality controls
5 Messaging Service and Interface Control functions
Slide 3
Introducing SWIFT
Platform
Community Standards
Slide 4
The SWIFT community
[Timeline figure, 1973 to 2004, showing when each group joined the SWIFT community]
banks found SWIFT (1973)
fund administrators
MA-CUGs
money brokers
trading institutions
registrars & transfer agents, custody providers, trust or fiduciary services companies
investment managers
broker/dealers, central depositories & clearing institutions, exchanges
payments MIs, proxy voting agencies, non-shareholding financial institutions
treasury counterparties, treasury ETC service providers
travellers cheque issuers
securities MIs
securities market data providers
treasury securities ETC service providers
Slide 5
SWIFT governance
National Bank of Belgium and G-10 Central Banks
Board
Board Committees
National Member Groups
User Groups
SWIFT members
SWIFT community
Oversight
Governance
Slide 6
Sibos – forum for industry dialogue
Financial industry’s premier event
Global forum to debate strategic issues
Conference, exhibition, networking
6,000 executives and technology managers
2007: Boston, US, 1-5 October
Slide 7
Working with SWIFT Partners
Solution Partners: Providers of business applications, middleware, and interfaces
Service Partners: Implementation and integration of connectivity and SWIFTSolutions
Business Partners: Marketing and selling SWIFT products
Network Partners: AT&T, Colt, Equant, BT Infonet
Slide 8
SWIFT figures (July 2006)
2.5 billion messages per year
7,940 customers
206 countries
Average daily traffic 11.2 million messages
Peak day of 12.8 million messages (30 June 2006)
Slide 9
SWIFTNet FIN messages by market (July 2006)
Payments: 895 million msgs (55%)
Securities: 605 million msgs (37%)
Treasury: 104 million msgs (6%)
Trade: 27 million msgs (2%)
Slide 10
Traffic and Pricing: Harnessing economies of scale
[Chart: Traffic (millions of messages, 0 to 3000) and Price (EUR cent/msg, 5 to 50) per year, 1991 to 2006E]
Slide 11
Extending reach: Embracing the business community
Corporates
Securities
Banking and Payments
Slide 12
Banking Market Infrastructures – July 2006
High-Value Payments
Live:
Albania (AIP), Algeria (RTGS), Angola (PTR), Australia (PDS), Austria (ARTIS), Azerbaijan (AZIPS), Bahamas (BHS), Barbados (BDS), Belgium (ELLIPS), Bosnia & Herzegovina (BIH), Bulgaria (BGN-RINGS), Canada (LVTS), Chile (Netting - LBTR), CLS Bank, Croatia (HSVP)
Denmark (DDK-KRONOS), Egypt (CBE), EBA Clearing (EURO1/STEP1), ECB (TARGET), Finland (BOF), France (CRI – PNS/TBF), Germany (RTGSPlus), Ghana (GISS), Greece (HERMES), Guatemala (RTGS), Hungary (VIBER), Ireland (IRIS), Italy (BIREL), Jordan (RTGS), Kenya (KEPSS)
Kuwait (RTGS), Latvia (LVL), Luxemburg (LIPS), Malta (MARIS), Mauritius (MACSS), Namibia (NISS), Netherlands (TOP), New Zealand (AVP), Norway (NICS), Oman (RTGS), Philippines (PPS), Romania (REGIS), Slovenia (SIPS), South Africa (BOP - RTGS - SAMOS)
Spain (NSLBE - SLBE), Sri Lanka (LankaSettle), Sweden (RIX), Switzerland (Remote Gate), Tanzania (TISS), Thailand (BAHTNET/2), Trinidad & Tobago (SAFE-TT), Uganda (UNIS), United Kingdom (CHAPS-£ CHAPS-€ / Enquiry Link), United States (CHIPS), Venezuela (PIBC), Zambia (RTGS), Zimbabwe (ZETTS), West African States (BCEAO)
Implementation:
Bahrain (RTGS), Botswana (RTGS), Central African States (BEAC), Eurosystem (TARGET2), Israel (RTGS), Lesotho (RTGS), Morocco (RTGS), Pakistan (RTGS), Singapore (MEPS+), Tunisia (RTGS)
Planning/Discussion:
Fiji (RTGS), Georgia (RTGS), Lebanon (RTGS), Palestine (RTGS), Peru (RTGS), Russian Federation (RTGS)
Slide 13
Community and Business dimensions
Heritage
• Established in 1973 by 239 banks in 15 countries
• Developed shared messaging platform for financial transactions
• Emphasis on security, reliability and availability
Understanding
• Serving over 7,800 financial institutions across 204 countries
• Payments, Securities, Foreign Exchange, Treasury and Trade
• Reducing costs, improving automation, managing risk
Neutrality
• Industry-owned community
• Overseen by regulatory authorities
• Impartial to the data transacted across the messaging platform
Technology
• Store and forward, file transfer, interactive query & response
• Open standards
• IP VPN over fibre-optic backbone
Slide 14
SWIFT
Business and Technical Messaging Communications across the lifecycle of a financial transaction
SWIFT does NOT provide clearing or settlement services
SWIFT does not hold accounts or assets
Participants are responsible for their data
SWIFT is neutral, apolitical and user-owned
Slide 15
Introducing SWIFT
Platform
Community Standards
Slide 16
Message categories
0 System messages
1 Customer transfers & cheques
2 Financial institutions transfer
3 Foreign exchange, money markets & derivatives
4 Collections & cash letters
5 Securities markets
6 Precious metals & syndications
7 Documentary credits & guarantees
8 Travellers cheques
9 Cash management & customer status
Slide 17
Message structure
Slide 18
SWIFTStandards development: A business-centric approach
[Diagram: Business process modelling, Market practice, Applications Integration, Standards, SWIFTNet, SWIFT Partners]
Slide 19
SWIFTStandards: Payments market
[Diagram of message flows between the Ordering customer, the Ordering customer’s financial institution, the Beneficiary customer’s financial institution and the Beneficiary customer]
Payment Initiation (CT + DD): MT 101
Single Credit Transfers: MT 1xx, 2xx
Bulk Payments (CT + DD)
Exceptions & Investigations
Cash Management: MT 9xx
Legend: FIN-based; XML-based (under construction)
Slide 20
Introducing SWIFT
Platform
Community Standards
Slide 21
Single access infrastructure
[Diagram]
SWIFTNet interface: One platform; Full STP; Highest level of security and resiliency; Standards
Lower costs; Reduced risk; Improved liquidity management; Facilitate Compliance
SWIFTNet: Payments, Foreign Exchange, Securities, Account Reporting
Messaging Services: FIN, FileAct, InterAct, Browse
Applications: Trade, Treasury, Payments, Investigation
Counterparties: ABC Bank, XYZ Bank, Other Bank, Any Bank
Slide 22
SWIFT product stack
SWIFTSolutions: Payments, Treasury, Trade, Securities
Standards, Rules
Interfaces
Messaging Services
Secure IP Network (SIPN)
Directories and Information Services
Resilience; Reliability; Quality of service; Security
Slide 23
Identify potential risks in the following areas:
Access to the SWIFT interface
Access to the SWIFT network
Integrity/confidentiality of the SWIFT messages
Integrity of the message flow
Slide 24
SWIFT interfaces
– Open and close connection to STN/SIPN
– Send messages to SWIFT
– Receive messages from SWIFT
– Manually enter messages
– Accept messages from a back office application
– Send messages to a back office application
– Send messages to a printer
Slide 25
SWIFT interfaces
– SWIFTAlliance Access
– SWIFTAlliance Entry
– MERVA/ESA
– TURBO SWIFT
– STELINK
– MINT
– FASTWIRE
– BESS
– NOVA SWIFT
– ...
Slide 26
Connecting to SWIFTNet: Many ways of implementing…
[Diagram of connectivity options, from your Back Office application to your counterparty]
Business Layer: Back Office application, Middleware
Messaging Layer: Messaging interfaces, SWIFTNet Services
Communication Layer: Communication Interfaces, VPN box
SWIFTNet
Your counterparty
Slide 27
SWIFTAlliance interface
[Diagram: You to Your counterparty across SWIFTNet]
Application Layer
Middleware Layer
Messaging Layer: SWIFTNet Services
Communication Layer: VPN box
SWIFTNet
SWIFTAlliance Access (SAA)
SWIFTAlliance Entry (SAE)
SWIFTAlliance Gateway (SAG)
SWIFTAlliance Starter Set (SAS)
Slide 28
Signing on to the SWIFT interface
Slide 29
Passwords
Initialisation password
Master password
Password documents available? Access to password documents?
Slide 30
Users of the SWIFT interface
Anonymous names vs Personal operator names
Are all operators still using the interface?
Slide 31
Enabling an operator
Automatically enabled when approved by both LSO and RSO
Slide 32
Disabling an operator
Automatically, after too many wrong passwords
Manually, by LSO, RSO or anybody with disabling permission
Slide 33
Security parameters
List of configuration parameters
– e.g. user period, max # of bad passwords… only visible to LSO and RSO
Slide 34
SWIFTAlliance: Segregation of duties
Creation, Verification, Authorisation
Modification, Approval
Slide 35
Profiles
Each operator has at least one profile
A profile defines the applications, functions and permissions for one or more operators
One profile can be given to several operators
If permissions change, then the operators are disabled; LSO and RSO must re-approve these operators
Slide 36
Profile details
A profile has 3 levels
– applications
– functions
– permissions
Slide 37
Permission details
Prohibited: nothing (= no restrictions)
Allowed: all MTs starting with 1, 2 and 9
SWIFT FIN system MTs not allowed
Slide 38
What to check in a profile?
Access control
Message Creation and Modification
Message Approval
Message File
Security Definition
Slide 39
Identify potential risks in the following areas:
Access to the SWIFT interface
Access to the SWIFT network
Integrity/confidentiality of the SWIFT messages
Integrity of the message flow
Slide 40
SWIFT’s Secure IP Network (SIPN)
[Diagram: Customer site (VPN box, M-CPE); Network Partner 1 and Network Partner 2 (POP, SIPN Access Network); SWIFT (Backbone Access Points, SIPN Backbone Network, OPCs)]
IPsec tunnels provide end-to-end protection through the ‘untrusted’ vendor IP networks
Slide 41
Security equipment needed to connect to FIN
Card readers
Integrated Circuit Cards (ICCs)
[Diagram: Bank A and Bank B]
Slide 42
Secure Card Reader (SCR)
Functions related to BKE and SLS services
Configuring and managing ICCs
PIN updates
SCR configuration
Slide 43
Integrated Circuit Card (ICC)
contains the functional elements of a microcomputer
embedded chip within the card
works only when inserted into the card reader
protected by 1 or 2 PINs
unique reference = SWIFT Card Number (SCN)
Slide 44
Connecting to the SWIFT network: Secure Login and Select (SLS)
[Diagram: the LTC sends LOGIN to APC and SELECT to FIN]
Slide 45
Manual Login and Select
Insert the USER ICC in the card reader
Use the CBT to send Login and Select to SWIFT
Slide 46
Automated Login and Select
No operator intervention
The USER ICC must be in the card reader on Login and Select, or Session Keys must have been downloaded in advance
Slide 47
Disconnecting from the SWIFT network
[Diagram: the LTC sends QUIT to FIN and LOGOUT to APC]
Slide 48
SWIFTNet FIN Phase 2
[Diagram: a SWIFTNet FIN interface at each end, each with PKI and HSM, connected through SWIFTNet (PKI)]
PKI: FIN Access control
PKI: End-2-end security
RMA: Relationship mgt.
Slide 49
Identify potential risks in the following areas:
Access to the SWIFT interface
Access to the SWIFT network
Integrity/confidentiality of the SWIFT messages
Integrity of the message flow
Slide 50
Authentication
applied on user-to-user messages
assures the identity of the sender and the integrity of the message text
mandatory for most message types
Slide 51
Authenticator keys: what to check?
Keys regularly changed?
Still a correspondent relationship?
Keys securely stored?
Procedure for unsuccessful BKE?
Procedure for messages that failed authentication?
Slide 52
Local Authentication
authentication between back-office application and SWIFT interface
Slide 53
Integrity of the message flow: session numbers
[Diagram: the LTC opens an APC session with Login (session number 1265) and a FIN session with Select (session number 1281)]
Slide 54
Sequence numbers
Input Sequence Number: 472136
Output Sequence Number: 327185
Slide 55
Message Input Reference (MIR)
031020ABNKBEBBAXXX0142123456
input date: 031020
sender’s address: ABNKBEBBAXXX
input session number: 0142
input sequence number: 123456
Slide 56
Message Output Reference (MOR)
031020ABNKBEBBAXXX0142654321
output date: 031020
receiver’s address: ABNKBEBBAXXX
output session number: 0142
output sequence number: 654321
Slide 57
Routing in the SWIFT interface
[Diagram: received messages routed to the application, printer 1 and printer 2]
Slide 58
Routing in the SWIFT interface
Are all messages accounted for?
Are all the messages routed to the right place?
Is there any specific routing for received messages with a PDE or PDM trailer?
Slide 59
Interface/Network Audit Trails
Slide 60
Message File
keeps a copy of all messages
status and history of messages can be checked
Slide 61
Identification of a message: UUMID
(Unique) User Message Identifier
IBNPAFRPPXXX202TR7823689
I: input/output message
BNPAFRPPXXX: correspondent
202: MT
TR7823689: sender’s reference
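The MIR and MOR layouts on the two preceding slides and the UUMID layout on this one are fixed-width, so the checks the deck asks for ("Are all messages accounted for?", continuity of session and sequence numbers) can be done mechanically over a Message File export. The Python below is an added example written for this page, not SWIFT's or the presenter's own code. It assumes the field widths read off the slides (MIR/MOR: 6-digit date, 12-character LT address, 4-digit session number, 6-digit sequence number; UUMID: 1-character direction, 11-character correspondent BIC, 3-digit MT, variable-length sender's reference) and the assumption that sequence numbers are consecutive within one session. The sample references are constructed around the MIR shown on slide 55.

```python
"""Parse SWIFT FIN message references (MIR, MOR, UUMID) and check sequence continuity.

Added example for this page; field widths follow the slide layouts (assumption),
and the sample references below are constructed, not real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MessageReference:
    """A parsed MIR or MOR (same layout: input vs output date, sender's vs receiver's address)."""
    date: str         # YYMMDD input/output date
    lt_address: str   # 12-character logical terminal address (BIC8 + LT code + branch code)
    session: int      # session number (4 digits on the wire)
    sequence: int     # input or output sequence number (6 digits on the wire)


def parse_reference(ref: str) -> MessageReference:
    """Split a 28-character MIR/MOR into date, address, session and sequence number."""
    if len(ref) != 28:
        raise ValueError(f"MIR/MOR must be 28 characters, got {len(ref)}: {ref!r}")
    date, address, session, sequence = ref[:6], ref[6:18], ref[18:22], ref[22:]
    if not (date.isdigit() and session.isdigit() and sequence.isdigit()):
        raise ValueError(f"date, session and sequence must be numeric: {ref!r}")
    if not (address.isalnum() and address.isupper()):
        raise ValueError(f"LT address must be upper-case alphanumeric: {ref!r}")
    return MessageReference(date, address, int(session), int(sequence))


@dataclass(frozen=True)
class Uumid:
    """A parsed (Unique) User Message Identifier."""
    direction: str         # 'I' for an input message, 'O' for an output message
    correspondent: str     # 11-character BIC of the correspondent (BIC8 + branch code)
    message_type: str      # 3-digit MT, e.g. '202'
    sender_reference: str  # sender's reference (variable length)


def parse_uumid(uumid: str) -> Uumid:
    """Split a UUMID: direction (1) + correspondent (11) + MT (3) + sender's reference."""
    if len(uumid) < 16:
        raise ValueError(f"UUMID too short: {uumid!r}")
    direction, correspondent, mt, reference = uumid[0], uumid[1:12], uumid[12:15], uumid[15:]
    if direction not in ("I", "O"):
        raise ValueError(f"direction must be I or O: {uumid!r}")
    if not mt.isdigit():
        raise ValueError(f"message type must be 3 digits: {uumid!r}")
    return Uumid(direction, correspondent, mt, reference)


def messages_per_session(refs: list) -> dict:
    """Count references per (date, LT address, session): the figure an MT 081 lets you reconcile."""
    counts = defaultdict(int)
    for r in refs:
        counts[(r.date, r.lt_address, r.session)] += 1
    return dict(counts)


def find_sequence_gaps(refs: list) -> dict:
    """Report sequence numbers missing inside a session.

    Assumption: within one session the sequence numbers are consecutive, so any hole
    between the lowest and highest number seen is a message that is not accounted for.
    """
    by_session = defaultdict(set)
    for r in refs:
        by_session[(r.date, r.lt_address, r.session)].add(r.sequence)
    gaps = {}
    for key, seen in by_session.items():
        missing = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
        if missing:
            gaps[key] = missing
    return gaps


# Constructed sample: the MIR from slide 55 plus neighbours in the same session,
# with sequence 123458 deliberately absent, and the first message of the next session.
SAMPLE_MIRS = [parse_reference(m) for m in (
    "031020ABNKBEBBAXXX0142123456",
    "031020ABNKBEBBAXXX0142123457",
    "031020ABNKBEBBAXXX0142123459",
    "031020ABNKBEBBAXXX0143123460",
)]


if __name__ == "__main__":
    print(parse_reference("031020ABNKBEBBAXXX0142123456"))
    print(parse_uumid("IBNPAFRPPXXX202TR7823689"))
    print("messages per session:", messages_per_session(SAMPLE_MIRS))
    print("sequence gaps:", find_sequence_gaps(SAMPLE_MIRS))
```

Run against a real Message File export, `messages_per_session` gives the per-session totals to set against the MT 081 Daily Check Report, and `find_sequence_gaps` flags a message that was sent or received but is missing from the interface's own record, which is the kind of discrepancy the routing and audit-trail questions on later slides are meant to surface. The parser rejects malformed references rather than guessing, so a truncated or hand-edited reference is reported instead of silently counted.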
Slide 62
Event Journal
events in the SWIFT interface
actions initiated by the software or actions by users
Slide 63
Search function in Event Journal
Search on
– date and time
– class and severity
– operator
– description of the event
Slide 64
MT 081 Daily Check Report
lists the number of messages sent and received for all APC or FIN sessions closed since the previous MT 081
generated daily at approximately midnight local time, provided APC and FIN are closed
[Diagram: MT 081 reports for the APC and FIN sessions of the LTC]
Slide 65
MT 082 Undelivered Message Report
received from SWIFT every day
lists all undelivered messages at generation time: messages sent by your institution but not yet received by your correspondent
[Diagram: MT 082]
Slide 66
Example of an auditor’s profile
Access Control: Signon Start and End time
Applications / Functions / Permissions:
Applic. Interface: Open/Print; Partner First part; Local Aut Key = Yes
BK Management: Open/Print; Communicating Pair (pre-agree/keys); Access CP: Prohibited nothing
Event Journal: -
Message File: Search; Completely hide messages of other units = No
Security Definition: -
Slide 67
Making financial messaging safer and less costly