Blog single

SWIFT CSP 2.9 CONTROLS: What Financial Institutions need to know!

SWIFT CSP 2.9 CONTROLS: What Financial Institutions need to know!

Financial frauds and breaches have wrapped up the previous year of 2021. As reported by Federal Trade Commission, last year marked a 70 % increase in the reported volume of financial losses than the previous stat. Online payment frauds show no cessation, and as mitigation, the SWIFT network has created the Customer Security Control Framework (CSCF).

The CSCF is a part of the SWIFT Customer Security Program (CSP). The framework entails mandatory and advisory security controls for Financial Institutions (FIs) that scope under it. And we are here to picture some facts about the mandatory requirement in CSCF v.2022 – Control 2.9 Transaction Business Controls. The blog takes you to how the change impacts the FIs and how they can cope efficiently with the same.

Control 2.9 Transaction Business Controls

SWIFT security controls of the CSCF framework undergo annual updations. It is in retort to the shifting cybersecurity landscape and connected cyber risks. 2.9 Transaction Business Controls were advisory controls in the SWIFT CSCF v2021, whereas now it has flipped to a mandatory one in CSCF v2022. All financial institutions should adhere to the mandatory control as a part of the SWIFT CSP attestation and compliance program.

What SWIFT defines control 2.9 as: –

  • The control objective is to minimize and eliminate the chance of inbound or outbound fraudulent payments.
  • Requires FIs to deploy measures of control that can detect, protect & validate transactions within the leaps of normal business.
  • Some areas impacted by the mandatory control include the GUI, communication & messaging interface, and the SWIFT & customer connector.

However, SWIFT doesn’t prescribe the actual implementation of measures as stated above. But it has provided example measures around four key areas for a successful SWIFT CSP attestation and control implementation.

Best practices to be followed by FI for the control implementation

  • Transaction limit outside business hours

    A time limit set for SWIFT message transactions can help minimize deceitful transactions. But, if FIs have intersecting business hours between their units, deploying transaction control limits outside business hours won’t be smooth as planned. Additionally, these fraudsters can also mix SWIFT messages inside corporate hours, and hence they must be keenly monitored.

  • Setting limits on a transaction basis

    Placing limits or restrictions on transaction amounts can be helpful in reducing the impact of the fraud. However, new-gen fraudster tactics use small transaction amounts to evade the particular situation. In that circumstance, FIs need to deploy the rule mindfully.

  • Identification of abnormal activity

    SWIFT furnishes a baseline to check for any abnormal activities or transactions. The main intention behind the baseline standard is to identify and cease those deviated transactional activities. Usage of AI-based fraud solutions combined with the baseline check can prove very effective in the present time.

  • Message validation/verification

    SWIFT also recommends using message validation during mid-day or end of the day to detect and stop financial frauds. However, the mechanism increases manual work and needs proper care before deployment. Message validation requires an accurate and meticulous approach to confirming its benefits.

How FI’s can fulfil SWIFT CSP 2.9 business control requirements?

The CSP 2.9 Transaction Business Control change from advisory to mandatory means that SWIFT CSP attestation requires every FIs to meet its specified requirements. The attestation period for FIs can extend up to the end of the year 2022. But, FIs must find a solution that sticks to the stated requirements and, at the same time, minimize any operational impacts. The best option for financial institutions is to partner with expert SWIFT CSP Assessment Providers who can give effective advisory solutions. Some tips to stick in line with the control change are as follows: –

  • Limiting traffic outside business hours

Limiting transactions outside business hours can impact the operational flow of businesses. Therefore, the solution needs to be deployed mindfully without disturbing the existing payment flows. Your third-party partner should have the technological capability to differentiate between outgoing traffic that is source dependent. Use the perfect mix of conventional and machine learning models to determine traffic timing per user/business unit.

  • Limiting traffic that stretches beyond the business boundary

If an FI transaction goes outside the specified limit, an alert should get generated to examine the transaction before pushing it to the SWIFT network. FIs can use aggregation rules sticking to transactional properties, context, and instructions. Enterprises can try setting a threshold amount and move to the next level using AI and other statistical models. These models help detect any anomaly connected to the made criteria or threshold.

  • Message validation and reconciliation

A suggestive measure in the CSCF is to utilize MT900 and MT910 confirmation. These messages confirm a debit from the sender’s bank account by executing the received transaction. FIs need to validate if this confirmation matches the underlying payment. Utilizing AI-enabled models can verify the underlying payment against the defined fraud scenarios and help in the automated matching of messages. The standard requires any messages sent to the SWIFT network are present in the back-office application of the financial firm. Enabling a real-time reconciliation model can validate this scenario.

  • Monitoring logging sessions

Control 2.9 also requires that terminal login session numbers get monitored, ensuring zero gaps in session numbers. Utilizing a warning model to detect these gaps can be healthy. The model should be able to monitor and analyse the logical terminal session numbers to provide accurate findings.

Discovering abnormal behaviours

Discovering abnormalities in the financial payment division is one of the foremost objectives in the SWIFT security controls. These unusual behaviours can be prone to variables such as timing, currency, amounts, correspondence etc. Detecting these is a task at hand considering the complexity of a message. The solution is to leverage statistical and AI models that help discover transaction anomalies.

Final Thoughts

Fraudulent payments are rising high, and it is because of the very that SWIFT CSCF Control 2.9 has pushed from advisory to a mandatory requirement. These controls require a smart deployment without affecting the operational workflow of financial institutions. Partner with an expert SWIFT consulting and assessment provider to meet these fine-grained requirements and confirm your SWIFT CSP attestation.