U.S. Regulators Step Up Scrutiny Around Swift

Aug 24, 2016
In The News

U.S. banking regulators are ramping up oversight around financial messaging system Swift, a key intermediary in global payments that faces greater scrutiny following a rash of cyberattacks on its users.

The Federal Reserve, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. have told their examiners to look more closely at the security of banks’ links to the Swift network. The Fed, which is part of a panel of central banks tasked with overseeing Belgium-based Swift, also said it is actively monitoring Swift’s own response to the cyberattacks, which have led to the theft of tens of millions of dollars from banks in Bangladesh and Ecuador.

The steps were disclosed in a letter, reviewed by The Wall Street Journal, that the regulators sent Aug. 17 to Rep. Carolyn B. Maloney (D., N.Y.). The letter was signed by Fed Chairwoman Janet Yellen, Comptroller of the Currency Thomas Curry and FDIC Chairman Martin Gruenberg.

Ms. Maloney, who serves on the House Financial Services Committee, asked the regulators on May 23 what steps they were taking since hackers were able to spirit $81 million from Bangladesh’s account at the Federal Reserve Bank of New York by stealing Swift credentials for the South Asian country’s central bank.

In a statement, Ms. Maloney said she was encouraged by the steps described by the regulators so far, but remained worried about future breaches.

The moves show how regulators are starting to pay more attention to Swift, a cooperative that runs the international messaging system between banks, whose security was taken almost for granted for decades. As earlier reported by the Journal, the New York Fed’s procedures with central bank clients had specified that it would presume any communication authenticated by Swift to be genuine and binding.

Hackers, however, have found some of Swift’s customers to be a weak spot, allowing them to send fraudulent messages over the network and in the process raising questions about controls.

Swift has been pressing its customers to tighten up security. “Cybersecurity is a long-term, industrywide challenge,” said Natasha de Teran, a spokeswoman for Swift, formally called the Society for Worldwide Interbank Financial Telecommunication.

She added that Swift is working with regulators and banks to address increasingly sophisticated cyberthreats. Swift previously has said the network itself wasn’t breached. Its CEO, Gottfried Leibbrandt, had asked for regulators’ help ensuring users’ sites are secure.

“We cannot do it on our own,” he told The Wall Street Journal in a June interview.

Andrea Priest, a spokeswoman for the New York Fed, had no comment on the bank’s reliance on Swift.

The regulators issued a reminder to banks and other financial institutions on June 7 to actively monitor risks to their interbank messaging systems. They are also telling their own examiners to keep a closer watch on such issues as they supervise banks.

The OCC provided guidance to examiners on July 21 in the form of a “supervision tip,” agency spokesman Bryan Hubbard said. Such tips are rare and are intended to highlight the background to an issue and action the examiners should take, he said.

The Fed issued an internal alert to its banking supervisors on May 25 asking them to make sure institutions that had dealings with Swift were adequately mitigating the threats.

The letter said the FDIC sent an internal alert about the Swift threat to examiners on May 18 along with instructions for conducting what it called “an expanded review of cyber controls related to Swift or any wholesale payment system at future examinations.” The FDIC also sent guidance to banks on June 1 about mitigating cyberthreats and malware used to target specific Swift software.

Spokesmen for the Fed and the FDIC had no comment beyond the letter.