RHTLaw Taylor Intellectual Property & Technology Partner Rizwi Wun and Senior Associate Jack Ow authored an article titled “The Swift attacks: should you be worried?” for The Business Times.
The article was first published in The Business Times on 26 May 2016.
The Swift attacks: should you be worried?
SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is a messaging network that financial institutions use to securely transmit information and instructions through a standardised system of codes. This is an established and trusted system used by many banks for the payment of funds.
Source: The Business Times
Date: 26 May 2016
Author: Rizwi Wun and Jack Ow
However, the recent spate of reports of actual and perceived cyber threats to banks and other financial institutions - going through the Swift payment system - has raised alarms with widespread repercussions:
In February, Bangladesh Bank (the country's central bank) was reported to have lost US$81 million when hackers infiltrated its computer systems for authentic Swift codes to make fraudulent payment instructions on the central bank's accounts at the Federal Reserve Bank of New York.
In May, it emerged that Vietnam's Tien Phong Commercial Joint Stock Bank was subject to a similar computer attack through the bank's Swift payment system last December for more than US$1.13 million, but the bank fortunately managed to foil the attempt.
A third case has emerged this same month. In a lawsuit filed in New York by Ecuador's Banco del Austro, Wells Fargo in the US is facing claims for failing to prevent fraudulent transfers of about US$12 million to bank accounts in Hong Kong that were requested over the Swift payment system in January 2015. It is believed that the funds were stolen through properly processed wire instructions received via authenticated Swift messages originating from hackers.
As a result, confidence and trust in the Swift payment system has been somewhat shattered, perhaps even irretrievably.
It would be naive to believe that banks are the only affected parties. As a backbone of international banking, the Swift payment system has traditionally been relied upon for its integrity to authenticate and fulfil payments. Anyone who relies on the banking system for any trade and money transfers would inevitably be exposed to risk of loss resulting from compromises in the Swift payment system.
So what does all this mean for Swift and, more importantly, for all who rely on this trusted payment system?
This raises the issue of to whom bank customers can attribute fault and liability for such loss arising from fraudulent payment instructions. If customers wish to take action against the paying bank, they will need to show their bank was reckless or negligent in failing to be alert to fraudulent payment instructions. The role of Swift also cannot be ruled out. However, what cannot be denied is that the weakness in its own system allowed the cyber criminals to gain access to its system, to begin with.
Realistically, this might mean a migration of massive numbers of organisations to a new payment system - or, alternatively, introducing vast improvements to the security measures of the existing system.
If the first option requires organisations to undertake a massive infrastructural switch, then this could pose a massive logistical and administrative challenge to the banks currently using the Swift payment system. The intentions behind the second option may be good, but brings no reassurance that the pre-existing threat would be removed, given the sophistication of cyber criminals.
All the concerned reaction and discussion among the higher echelons of the global banking and financial industry in re-evaluating the current Swift system or seeking assurances from Swift does not address the main problems, which are that:
There is no guarantee that there will not be a recurrence of the cyber threats, even with a new system; and
The cyber criminals - the actual culprits executing this - are not being stopped.
However, all is not lost. There is a school of thought that these attacks will accelerate the rise in the application of blockchain technology as the solution to the current problem. We reliably understand that Swift has already commenced a blockchain initiative. It has also been reported that steps have already been taken by several banks throughout the world to conduct extensive research and development of blockchain technology as an alternative means of payment system. It is not yet clear how long the banks will take to create a new workable system.
In today's fast-paced world, blockchain technology has some unattractive qualities, but at least its possible availability means that an alternative payment system could nonetheless be used, albeit at a much slower pace.
Other organisations have far advanced technology that would enable early and effective detection of cyber attacks.
Many have already developed technologies to help organisations know early on whether they have suffered cyber intrusions. This is not a panacea to all the ills that could flow from a cyber breach, but in this case, being forewarned is definitely being forearmed. The only possible major stumbling block in gaining access to such technologies could possibly be the added cost of using them. So, in effect:
Subject to affordability, there is technology available to assist companies to detect cyber attacks early on;
Assuming blockchain technology takes off, it could assume the mantle of the new payment system standard; and
There is always the fallback solution of cyber security insurance that could help defray some of the compensation payable.
Banks should take heart from the fact that regulators worldwide have been viewing this threat seriously, and are monitoring the situation closely with Swift.
The emergence of this new threat could be viewed as a catalyst for greater research into technologies for authenticity and verification within payment systems as part of a necessary evolution of the system against this new cyber threat.
It would also spur greater collaborative and coordinated industry-led action between regulators and all stakeholders to address the threats to the payment system.
RHTLaw Taylor Wessing Partner Nizam Ismail was featured in Bloomberg, Channel NewsAsia and TODAY.
All three reports were in relation to the Monetary Authority of Singapore’s (MAS) orders to shut down BSI Bank in Singapore. BSI Bank breached anti-money laundering rules and failed to conduct due diligence on high-risk accounts and monitor suspicious customer transactions.
Nizam’s comments regarding MAS’ decision, “This will send a chilling message to bankers here, pushing them to ensure robust anti-money laundering and counter-terrorism-financing strategies are at play, as otherwise the risk of losing their regulatory licences is now more pronounced. Worse of all, there is also the real threat of personal criminal liability.”
Nizam’s full features can be found in the following news reports:
“BSI Shut by Singapore as Swiss Start Probe; EFG Takes Over Bank” – Bloomberg, 24 May 2016
Primetime Asia – Channel NewsAsia, 24 May 2016
Singapore Tonight – Channel NewsAsia, 24 May 2016
“Bank Remains Solvent, MAS Reassures BSI Clients” – TODAY, 25 May 2016
“BSI Bank Shutdown ‘shows zero tolerance towards abuse of financial system’” - TODAY, 25 May 2016
Nizam Ismail is also a Co-Founder at RHT Compliance Solutions.
RHTLaw Taylor Wessing’s Managing Partner Tan Chong Huat shared his views in this week’s topic in the Business Times’ weekly column, Views from the Top.
This article was first published in The Business Times on 23 May 2016.
Ushering In a New Era
MAY 23, 2016 5:50 AM
THIS WEEK'S TOPIC: How will the rise of fintech impact banking and the business landscape?
Tan Chong Huat
RHTLaw Taylor Wessing
Fintech will disrupt and revolutionise the delivery of financial services, with the promise of more efficient, more transparent and customer-focused services.
Banks and financial institutions have started innovation labs, to bring fintech platforms under their wings. It is not surprising that MAS has aggressively promoted Singapore's FinTech festival with roadshows in major global financial centres.
To be sustainable, fintech platforms must have robust compliance and risk frameworks, as they are delivering core financial services to consumers.
Regulators need to also review their rulebooks, making sure that regulations do not stifle innovation, and are suited to the peculiar needs of fintech.
RHTLaw Taylor Wessing has been nominated as a finalist in eight categories by Asian Legal Business Southeast (ALB SE) Asia Law Awards 2016.
The nominated categories are:
Arbitration Law Firm of the Year
Banking and Financial Services Law Firm of the Year
Commercial Litigation Law Firm of the Year
Construction and Real Estate Law Firm of the Year
Corporate Citizenship Law Firm of the Year
Intellectual Property Law Firm of the Year
Matrimonial Law Firm of the Year
Managing Partner of the Year
Asian Legal Business is hosting the presentation of 36 awards before Southeast Asia's legal circle. This black-tie banquet will be graced by illustrious members of the bench, legal associations and business circles, law firms, in-house departments, and the legal academe from across Southeast Asia.