While there’s been a recent influx of start-up solutions working to disrupt the global payments landscape, SWIFT’s financial messaging service continues to be the backbone of the international banking community. More than 11,000 institutions in 200 countries rely on its ironclad standards to carry out secure transactions, which have gained unanimous trust across the industry due to SWIFT’s stringent and unwavering customer security controls.
The bulk of those controls centre on relatively complicated global know-your-customer (KYC) regulations. To maintain the security of local SWIFT networks and manage the compliance of its members, SWIFT changed its rules last year so that users are required to submit an annual attestation of compliance through its new KYC Security Attestation (KYC-SA) application.
Uptake has been dramatically positive. SWIFT reported at the end of 2017 that 89% of network users had already connected and attested their level of compliance using the KYC-SA app. It’s worth bearing in mind that those customers also account for over 99% of all FIN messages sent over the SWIFT network, so measured by traffic, compliance through the KYC-SA app is almost universal.
The app is essentially a submission tool designed to ensure users share their self-attestation data with counterparties, and conversely empowers SWIFT users to demand the data of those other parties in order to apply risk-based decision-making towards various elements of their business relationships. Institutions using the app reserve the right to withhold compliance data from counterparties when desired.
Use of the app has been mandatory since its launch in 2017, and at the end of June SWIFT announced some major changes to the KYC-SA app that will further enhance transparency across networks and should ultimately streamline improved decision-making for SWIFT users.
First and foremost, SWIFT has enhanced the app so that users now have the ability to search for all counterparties they have exchanged SWIFT traffic with over a 13-month period. This has been introduced in order to address the ongoing teething issue customers had been facing in trying to identify which counterparties they actually needed to access on the app.
June’s KYC-SA update has also given users the power to bulk process requests and whitelist counterparties upfront – which means that customers will no longer need to handle access requests one at a time.
Finally, this latest version of the app has introduced a new ‘security officer’ role that has been tasked with generating sensitive business reports using secure data extracts. SWIFT has said these reports should ultimately assist managers in their risk management processes and guide improved decision-making in terms of business relationships.
SWIFT users also need to be aware of another crucial change they’ll experience from July 2019, which is a series of updates to the security controls that dictate KYC compliance and what information will need to be sent using the app in future.
On August 13, SWIFT announced plans to promote three of the advisory controls on its Customer Security Controls Framework (CSCF) to become mandatory. That means by the end of 2019, KYC-SA application submissions will need to demonstrate compliance with new mandatory rules on secure operator sessions, annual vulnerability scans and physical and logical password storage.
Two new advisory controls outlining best practice on virtualisation platform protection and application hardening have also been added to the CSCF, although user compliance is optional for the time being.