
SWIFT Has 'Deep' Relationship with Regulators

After starting his career with Banc Agricol in Spain, Lazaro Campos joined SWIFT in 1987. He served in a number of product management roles, before rising in 1995 to become the director of market infrastructure services. In that role, Campos was responsible for domestic and international projects including ECHO, CHAPS Euro, EBA Clearing and TARGET.

Starting in 1998, he became director of treasury products, helping to bring CLS (Continuous Linked Settlement) to the banking community. Since 2000, he has been a member of the SWIFT executive committee, as one of the "keepers of the strategy" responsible for translating strategy into tactical plans for products and their evolution.

Campos spoke with BS&T senior editor Ivan Schneider about business continuity, regulatory compliance, and know-your-customer regulations.

BS&T: These are some pretty exciting times for SWIFT, aren't they?

CAMPOS: Absolutely! Nothing but excitement.

BS&T: What was the impact of the Aug. 14 U.S. power failure for SWIFT?

CAMPOS: Our systems were up throughout. We did not suffer any availability issues whatsoever. The major banks were more prepared, especially after the last two years and all the work they've done with business continuity in the wake of 9/11. They basically put those processes to the test. Some of the mid-tier banks had more trouble, and our contribution was in support of those smaller institutions.

BS&T: How did you help the mid-tier banks to recover?

CAMPOS: We run shifts, 24x7, throughout the world in 20 languages. The shift that was on board when the power failure occurred didn't go home at the end of their shift. So we had, for most of the period, double the number of support personnel on duty, just making sure that we could be more proactive in contacting those members that we didn't see active.

BS&T: Who are your main points of contact at SWIFT member banks?

CAMPOS: In a large organization we have contacts throughout. Not only the operational people who run the interfaces, who put the applications together and so on, but also those people who run the businesses. In most cases, we have different contacts per region and different contacts per business area, e.g. securities, banking, treasury, trade finance, which is why we have implemented what we call "global account management." We keep an eye on the total business of a global bank.

BS&T: What is SWIFT's relationship with the national regulators?

CAMPOS: We have a very deep and active relationship with regulators. We have a unique relationship with the Committee on Payment and Settlement Systems (CPSS, part of the Bank for International Settlements). They don't oversee us, but we have a very in-depth relationship with them. We meet with them at two levels: technical and strategic, to share our technology developments and our operational performance. And of course we deal with the Bank of England, the Bundesbank, and the ECB as part of our market infrastructure activities.

Another activity that we've been very involved with is working with regulators and central banks in creating the international processes of business continuity.

One of the lessons learned through 9/11 went beyond whether people had business continuity and crisis management processes in place. What we found was that, yes, everybody has them, but all of those processes need to work together. Prior to 9/11, there was some agreement at local levels. But we found internationally that people were doing work in silos and not necessarily working with each other as they did for Y2K, for example. The command-center structure that was put in place for Y2K did not exist for event-driven crises. So how do we harmonize those crisis management processes, so we are not all trying to clean up our own patch, and letting things fall through the cracks? How do we harmonize and ensure that we have an end-to-end crisis management system? That is some of the work that we're doing with regulators and representatives from major institutions.

Banks with an international footprint may be exposed to different processes for recovery in different situations. The harmonization of those processes will help. On an industry level, prior to 9/11 there was little effort in trying to harmonize them. Now, what we've done in the last two years is work with them to see what are the critical requirements and the critical processes that need to be compliant. SWIFT takes a facilitation role, ensuring that everybody sits at the table and talks about the same issue at the same time.

BS&T: How does the SWIFT architecture help banks comply with anti-money laundering regulations?

CAMPOS: When an institution sends us a message with specific content, we are in no position to check whether that content is correct. We don't know if the ordering party is a real customer. What we can do, through the structure of our messages, is make sure that all the data elements required by regulators are included. So we know who the ordering party is, we know the account number, we know the steps and the intermediaries that the transaction needs to go through. We know the beneficiary of the account. We make sure every message contains all of that information, which is what the FATF (Financial Action Task Force, an international organization) or anybody else would be looking for. So our standards are compliant with the internationally agreed-upon requirements.

We take responsibility for the integrity and the security of that transfer. So we can guarantee that a message from Bank A was delivered to Bank B exactly how it was intended to be delivered. At the same time, we guarantee that while in transit, the message content is kept confidential. So no one can tap in and capture that data, or modify that information. But that does not take away the responsibility of sender and receiver to know their customers.

BS&T: How do you validate the members and users of SWIFT?

CAMPOS: We do not accept members that are not in the business of financial services. We have 25 board members representing the entire community, and they are representatives of their national communities. The national member groups are the ones that we ask to endorse a new customer into the community. So the U.S. national member group will tell us that yes, that institution is a regulated institution in our country or in our market, and yes, they are a reputable member of the community.

Second, the members validate every sender and receiver. Correspondent banking relationships will dictate who to exchange security keys with. So if I want to accept your messages, you and I need to agree the scope and service and terms under which I will execute your transactions.

So first, the national communities help us screen, and second, the individual senders and receivers are responsible for their actions, vis-à-vis the community at large.

BS&T: What if there's a problem with a message?

CAMPOS: SWIFT has articulated, on a per-message basis, what the sender's responsibilities are and what the receiver's responsibilities are. In the case of an issue, we will propose to the sender and receiver who is at fault. Now if they don't agree with that, obviously the issue can be escalated. But in most cases, and I can't think of any in which they haven't, they take our assessment as the decision.
