Out-Law News

Ejecting banks from SWIFT payment system would reduce protection for business and the public, says expert


Banks with weak cyber security may be excluded from global financial network SWIFT, the Financial Times has reported. 

Such a move would risk a reduction in fraud protection for business and for individuals, said civil fraud and asset recovery expert Alan Sheeley of Pinsent Masons, the law firm behind Out-Law.com.

SWIFT chief executive Gottfried Leibbrandt told the Financial Times that if a bank's security "is not in order we could cut you off, you shouldn't be on the network".

The move would "provide clarity that if you are on the SWIFT network you meet minimum standards", although it would risk driving people to "unsafe channels", Leibbrandt told the newspaper.

Sheeley said: "If SWIFT stops acting for banks that have weak cybersecurity, how long will it be before banks either stop acting for customers or provide no protection for corporates, and possibly individuals, if they have weak systems and are subject to fraud?"

"Naturally most corporates, and definitely individuals, will always have weak systems compared with banks. Therefore, this would lead to banks not covering corporates and more importantly the public against fraud," he said.

SWIFT has been talking to financial regulators about making its own security requirements part of global standards, and will also set up a certification programme for cybersecurity auditors who will check the security of members, Leibbrandt said.

Leibbrandt said last month that cyber attacks have the potential to put banks out of business.

In a speech in Brussels, he said that cyber fraud is "a big deal" that "gets to the heart of banking".

"It’s not like retailers losing credit card details or telcos losing customer details … When banks lose control of access to their payment channels, it’s different," Leibbrandt said.

Leibbrandt outlined a "five-part customer security programme" to help address cyber risks facing banks, including improved information sharing across the global financial community, tougher security requirements for customer-managed software, better guidelines and security audit frameworks for customers, and supporting banks in the use of "payment pattern controls" to identify suspicious behaviour. SWIFT will also introduce certification requirements for third-party providers, Leibbrandt said.

In April, SWIFT warned customers over malware that reduces the ability of financial institutions to identify fraudulent transactions, and also said that financial institutions' own internal vulnerabilities have been exploited.

SWIFT was responding to reports that attackers have been sending fraudulent messages over its system.

Reuters had reported that, in a message to its customers, SWIFT said it was "aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions' back offices, PCs or workstations connected to their local interface to the SWIFT network".

SWIFT issued a mandatory software update to counter the malware. 
