Naseer Swift


SWIFT:

The Financial Industry Infrastructure for Secure Messaging


Gabriel Soriano October 4th, 2006 NYSSCPA Banking Convention

Corp_present_20060927_v27.ppt

Slide 1

Agenda
1 Overview of SWIFT
2 Access to the SWIFT interface
3 Access to the SWIFT network
4 Message integrity, confidentiality controls
5 Messaging Service and Interface Control functions

Slide 2

Introducing SWIFT

Platform


Slide 3

The SWIFT community


securities market data providers fund administrators MA-CUGs securities MIs - treasury counterparties - treasury ETC service providers 2000 banks found SWIFT 1973 - broker/dealers - central depositories & clearing institutions - exchanges travellers cheque issuers money brokers - registrars & transfer agents - custody providers - trust or fiduciary services companies 1996 investment managers trading institutions

- payments MIs - proxy voting agencies - non-shareholding financial institutions



treasury securities ETC service providers


Slide 4

SWIFT governance
Oversight
National Bank of Belgium and G-10 Central Banks

Governance Board Board Committees National Member Groups User Groups SWIFT members

SWIFT community
Slide 5

Sibos forum for industry dialogue


Financial industry's premier event
Global forum to debate strategic issues
Conference, exhibition, networking
6,000 executives and technology managers
2007: Boston, US, 1-5 October

Slide 6

Working with SWIFT Partners


Solution Partners: Providers of business applications, middleware, and interfaces
Service Partners: Implementation and integration of connectivity and SWIFTSolutions
Business Partners: Marketing and selling SWIFT products
Network Partners: AT&T, Colt, Equant, BT Infonet

Slide 7

SWIFT figures (July 2006)


2.5 billion messages per year
7,940 customers
206 countries
Average daily traffic 11.2 million messages
Peak day of 12.8 million messages 30 June 2006

Slide 8

SWIFTNet FIN messages by market (July 2006)


Payments: 895 million messages (55%)
Securities: 605 million messages (37%)
Treasury: 104 million messages (6%)
Trade: 27 million messages (2%)

Slide 9

Traffic and Pricing Harnessing economies of scale


[Chart: Price (EURcent/msg) and Traffic (Millions of messages)]

Slide 10

Extending reach Embracing the business community

Corporates Securities
Banking and Payments


Slide 11

Banking Market Infrastructures July 2006


Live
Albania (AIP) Algeria (RTGS) Angola (PTR) Australia (PDS) Austria (ARTIS) Azerbaijan (AZIPS) Bahamas (BHS) Barbados (BDS) Belgium (ELLIPS) Bosnia & Herzegovina (BIH) Bulgaria (BGN-RINGS) Canada (LVTS) Chile (Netting - LBTR) CLS Bank Croatia (HSVP) Denmark (DDK-KRONOS) Egypt (CBE) EBA Clearing (EURO1/STEP1) ECB (TARGET) Finland (BOF) France (CRI PNS/TBF) Germany (RTGSPlus) Ghana (GISS) Greece (HERMES) Guatemala (RTGS) Hungary (VIBER) Ireland (IRIS) Italy (BIREL) Jordan (RTGS) Kenya (KEPSS) Kuwait (RTGS) Latvia (LVL) Luxemburg (LIPS) Malta (MARIS) Mauritius (MACSS) Namibia (NISS) Netherlands (TOP) New Zealand (AVP) Norway (NICS) Oman (RTGS) Philippines (PPS) Romania (REGIS) Slovenia (SIPS) South Africa (BOP RTGS - SAMOS)

Spain (NSLBE - SLBE) Sri Lanka (LankaSettle) Sweden (RIX) Switzerland (Remote Gate) Tanzania (TISS) Thailand (BAHTNET/2) Trinidad & Tobago (SAFE-TT) Uganda (UNIS) United Kingdom (CHAPS- CHAPS- / Enquiry Link) United States (CHIPS) Venezuela (PIBC) Zambia (RTGS) Zimbabwe (ZETTS) West African States (BCEAO)

Implementation
Bahrain (RTGS) Botswana (RTGS) Central African States (BEAC) Eurosystem (TARGET2) Israel (RTGS) Lesotho (RTGS) Morocco (RTGS) Pakistan (RTGS) Singapore (MEPS+) Tunisia (RTGS)

Planning/Discussion
Fiji (RTGS) Georgia (RTGS) Lebanon (RTGS) Palestine (RTGS) Peru (RTGS) Russian Federation (RTGS)

High-Value Payments

Slide 12

Community and Business dimensions


Heritage
Established in 1973 by 239 banks in 15 countries
Developed shared messaging platform for financial transactions
Emphasis on security, reliability and availability

Understanding
Serving over 7,800 financial institutions across 204 countries
Payments, Securities, Foreign Exchange, Treasury and Trade
Reducing costs, improving automation, managing risk

Neutrality
Industry-owned community
Overseen by regulatory authorities
Impartial to the data transacted across the messaging platform

Technology
Store and forward, file transfer, interactive query & response
Open standards
IP VPN over fibre-optic backbone

Slide 13

SWIFT

Business and Technical Messaging Communications across the lifecycle of a financial transaction
SWIFT does NOT provide clearing or settlement services
SWIFT does not hold accounts or assets
Participants are responsible for their data
SWIFT is neutral, apolitical and user-owned

Slide 14

Introducing SWIFT

Platform


Slide 15

Message categories
0 System messages
1 Customer transfers & cheques
2 Financial institutions transfer
3 Foreign exchange, money markets & derivatives
4 Collections & cash letters
5 Securities markets
6 Precious metals & syndications
7 Documentary credits & guarantees
8 Travellers cheques
9 Cash management & customer status

Slide 16

Message structure


Slide 17

SWIFTStandards development A business centric approach


Business process modelling

Standards

SWIFTNet

Market practice

Applications Integration

SWIFT

Partners
Slide 18

SWIFTStandards Payments market


Single Credit Transfers Exceptions & Investigations Cash Management

Ordering customer's financial institution

Bulk Payments (CT + DD) MT 1xx, 2xx MT 9xx

Beneficiary customer's financial institution


Exceptions & Investigations

Payment Initiation (CT + DD)

Exceptions & Investigations

Cash Management

Cash Management

MT 101

Ordering customer FIN-based

MT 9xx

Beneficiary customer XML-based (under construction)

MT 9xx
Slide 19


Introducing SWIFT

Platform


Slide 20

Single access infrastructure


Applications Trade Payments Foreign Exchange Securities Account Reporting Messaging Services FIN FileAct InterAct Browse

ABC Bank

Treasury SWIFTNet XYZ Bank

SWIFTNet interface
Payments
Investigation

One platform Full STP Highest level of security and resiliency Standards

Lower costs Reduced risk Improved liquidity management Facilitate Compliance

Other Bank


Any Bank
Slide 21

SWIFT product stack


SWIFTSolutions

SWIFTSolutions

Payments Treasury Trade Securities Standards


Quality of service

Rules

Messaging Services Directories and Information Services Interfaces Secure IP Network (SIPN)

Reliability

Slide 22

Identify potential risks in the following areas:

Access to the SWIFT interface
Access to the SWIFT network
Integrity/confidentiality of the SWIFT messages
Integrity of the message flow

Slide 23

SWIFT interfaces
Open and close connection to STN/SIPN
Send messages to SWIFT
Receive messages from SWIFT
Manually enter messages
Accept messages from a back office application
Send messages to a back office application
Send messages to a printer

Slide 24

SWIFT interfaces
SWIFTAlliance Access SWIFTAlliance Entry MERVA/ESA TURBO SWIFT

STELINK
MINT FASTWIRE

BESS
NOVA SWIFT ...
Slide 25

Connecting to SWIFTNet
Many ways of implementing
Business Layer Messaging Layer Communication Layer

SWIFTNet Services

Back Office application

Middleware

Messaging Back Office application interfaces

Communication Interfaces
VPN box

SWIFTNet

Back Office application

Middleware

Back Office application

Back Office application

Your counterparty


Slide 26

SWIFTAlliance interface
Application Layer Middleware Layer Messaging Layer Communication Layer SWIFTNet Services

SWIFTAlliance Access (SAA)

SWIFTAlliance Gateway (SAG)

SWIFTAlliance Entry (SAE)

SWIFTAlliance Starter Set (SAS)

VPN box

SWIFTNet

You Your counterparty


Slide 27

Signing on to the SWIFT interface


Slide 28

Passwords
Initialisation password
Master password
Password documents available?
Access to password documents?

Slide 29

Users of the SWIFT interface


Anonymous names vs personal operator names
Are all operators still using the interface?

Slide 30

Enabling an operator
Automatic: enabled when approved by both LSO and RSO

Slide 31

Disabling an operator
Automatic after too many wrong passwords
Manually by LSO, RSO or anybody with disabling permission

Slide 32

Security parameters
List of configuration parameters
e.g. user period, max # of bad passwords
only visible by LSO and RSO

Slide 33

SWIFTAlliance: Segregation of duties

Creation

Verification

Authorisation

Approval
Modification


Slide 34

Profiles
Each operator has minimum one profile
a profile defines the applications, functions and permissions for one or more operators
one profile can be given to several operators
if permissions change, then the operators are disabled. LSO and RSO must re-approve these operators

Slide 35

Profile details
A profile has 3 levels:
applications
functions
permissions

Slide 36

Permission details
Prohibited nothing = no restrictions
Allowed are all MTs starting with 1, 2 and 9
SWIFT FIN system MTs not allowed

Slide 37

What to check in a profile?


Access control
Message Creation and Modification
Message Approval
Message File
Security Definition

Slide 38

Identify potential risks in the following areas:

Access to the SWIFT interface
Access to the SWIFT network
Integrity/confidentiality of the SWIFT messages
Integrity of the message flow

Slide 39

SWIFT's Secure IP Network (SIPN)


Customer Swift Network Partner Swift

VPN box Customer VPN box M-CPE

Network Partner 1

POP

Network Partner 2

SIPN Backbone Network OPCs Backbone Access Points

IPsec tunnels provide end-to-end protection through the untrusted vendor IP networks

SIPN Access Network

SIPN

Slide 40

Security equipment needed to connect to FIN


Card readers
Integrated Circuit Cards (ICCs)

Bank A

Bank B

Slide 41

Secure Card Reader (SCR)


Functions related to BKE and SLS services
Configuring and managing ICCs
PIN updates
SCR configuration

Slide 42

Integrated Circuit Card (ICC)


contains functional elements of microcomputer
embedded chip within the card
works only when inserted into card reader
protected by 1 or 2 PINs
unique reference = SWIFT Card Number (SCN)

Slide 43

Connecting to the SWIFT network Secure Login and Select (SLS)

FIN

APC SELECT LTC LOGIN


Slide 44

Manual Login and Select


Insert USER ICC in the card reader
use the CBT to send Login and Select to SWIFT

Slide 45

Automated Login and Select


No operator intervention
USER ICC must be in card reader on Login and Select
or Session Keys must have been downloaded in advance

Slide 46

Disconnecting from the SWIFT network

FIN

APC

QUIT

LTC LOGOUT


Slide 47

SWIFTNet FIN Phase 2


PKI: FIN Access control
PKI: End-2-end security
RMA: Relationship mgt.

SWIFTNet
PKI
HSM

PKI

FIN
PKI PKI PKI
HSM

SWIFTNet FIN interface

SWIFTNet FIN interface


Slide 48

Identify potential risks in the following areas:

Access to the SWIFT interface
Access to the SWIFT network
Integrity/confidentiality of the SWIFT messages
Integrity of the message flow

Slide 49

Authentication
applied on user-to-user messages
assures identity of sender
integrity of message text
mandatory for most message types

Slide 50

Authenticator keys : what to check?


Keys regularly changed?
Still correspondent relationship?
Keys securely stored?
Procedure for unsuccessful BKE?
Procedure for messages that failed authentication?

Slide 51

Local Authentication
authentication between back-office application and SWIFT interface

Slide 52

Integrity of the message flow : session numbers

FIN

1281
APC
Select

1265
LTC
Login


Slide 53

Sequence numbers
472136
Input Sequence Number

327185
Output Sequence Number


Slide 54

Message Input Reference (MIR)

031020ABNKBEBBAXXX0142123456

031020 = input date
ABNKBEBBAXXX = sender's address
0142 = input session number
123456 = input sequence number

Slide 55

Message Output Reference (MOR)

031020ABNKBEBBAXXX0142654321

031020 = output date
ABNKBEBBAXXX = receiver's address
0142 = output session number
654321 = output sequence number

Slide 56
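
An added example, not part of the original presentation: it splits a MIR or MOR into the four fields shown on the two slides above and checks a batch of references for missing or repeated sequence numbers, which is the reconciliation behind "are all messages accounted for?". The function names are hypothetical, every sample reference except the slide's own MIR is constructed, and the check assumes sequence numbers run consecutively per address across the supplied batch.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field widths follow the slide's breakdown: date (YYMMDD), 12-character
# address, 4-digit session number, 6-digit sequence number (28 characters).
REF_RE = re.compile(r"^(\d{6})([A-Z0-9]{12})(\d{4})(\d{6})$")

def parse_reference(ref):
    """Split a 28-character MIR or MOR into its four fields."""
    m = REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"not a valid MIR/MOR: {ref!r}")
    date, address, session, sequence = m.groups()
    datetime.strptime(date, "%y%m%d")  # raises ValueError on impossible dates
    return {"date": date, "address": address,
            "session": int(session), "sequence": int(sequence)}

def find_sequence_gaps(refs):
    """Return {address: {"missing": [...], "duplicated": [...]}} for a batch.

    Assumption (labelled): sequence numbers are consecutive per address
    between the lowest and highest value present in the batch.
    """
    seen = defaultdict(list)
    for ref in refs:
        fields = parse_reference(ref)
        seen[fields["address"]].append(fields["sequence"])
    findings = {}
    for address, seqs in seen.items():
        seqs.sort()
        missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
        dupes = sorted({s for s in seqs if seqs.count(s) > 1})
        if missing or dupes:
            findings[address] = {"missing": missing, "duplicated": dupes}
    return findings

# Constructed sample: the slide's MIR plus invented neighbours.
# 123458 is absent and 123459 appears twice.
SAMPLE_MIRS = [
    "031020ABNKBEBBAXXX0142123456",
    "031020ABNKBEBBAXXX0142123457",
    "031020ABNKBEBBAXXX0142123459",
    "031020ABNKBEBBAXXX0142123459",
    "031020ABNKBEBBAXXX0143123460",
]

if __name__ == "__main__":
    print(parse_reference(SAMPLE_MIRS[0]))
    print(find_sequence_gaps(SAMPLE_MIRS))
```

A missing number is a message to trace in the Message File; a duplicated one is a candidate for the same review as messages carrying a PDE or PDM trailer.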

Routing in the SWIFT interface

printer 1

printer 2

application


Slide 57

Routing in the SWIFT interface


Are all messages accounted for?
Are all the messages routed to the right place?
Is there any specific routing for received messages with PDE or PDM trailer?

Slide 58

Interface/Network Audit Trails


Slide 59

Message File
keeps copy of all messages
status and history of messages can be checked

Slide 60

Identification of a message : UUMID


(Unique) User Message Identifier

IBNPAFRPPXXX202TR7823689

I = input/output message
BNPAFRPPXXX = correspondent
202 = MT
TR7823689 = sender's reference

Slide 61

Event Journal
events in the SWIFT interface
actions initiated by the software or actions by users

Slide 62

Search function in Event Journal


Search on:
date and time
class and severity
operator
description of the event

Slide 63

MT 081 Daily Check Report


lists number of messages sent and received for all APC or FIN sessions closed since previous MT 081
generated daily at approximately midnight local time, provided APC and FIN are closed

FIN
081

APC
081

LTC

Slide 64

MT 082 Undelivered Message Report


received from SWIFT every day
lists all undelivered messages at generation time: messages sent by your institution but not yet received by your correspondent

082

Slide 65

Example of an auditor's profile


Applications Access Control Applic. Interface Functions Signon Permissions Start and End time

Open/Print Partner First part Local Aut Key = Yes

BK Management

Open/Print Communicating Pair (pre-agree/keys) Access CP : Prohibited nothing

Event Journal
Message File Security Definition
Search

Completely hide messages of other units=No

Slide 66

Making financial messaging safer and less costly


Slide 67
