Central banks seek better security on inter-bank payments

LONDON (Reuters) - Central banks from some the world’s biggest economies proposed measures on Thursday to improve security of inter-bank payments and messaging systems, after the systems were used to steal tens of millions of dollars in Bangladesh and elsewhere last year.

The Committee on Payments and Market Infrastructures (CPMI), an affiliate body of the Bank for International Settlements, said institutions needed to up their game to protect the stability of the global financial system.

“Wholesale payments fraud is becoming increasingly sophisticated and is expected to evolve further. We need to move fast, and together, to guard against any loss of confidence in the system,” said CPMI Chairman Benoît Coeure.

Hackers attempted to steal nearly $1 billion from the Bangladesh central bank’s account at the Federal Reserve Bank of New York last year and made off with over $80 million before being detected.

The Bangladesh authorities said the theft was in part due to weak security around Bangladesh Bank’s SWIFT terminal.

Banks send payment instructions via SWIFT and until last year most banks took the messages on face value, using them to transfer trillions of dollars each day.

The CPMI proposed seven measures that payment systems such as Britain’s CHAPS system, or messaging services such as SWIFT, should take to ensure their systems were safe.

These involved ensuring rapid reporting of fraud and attempted fraud, education of users and risk audits. CPMI also highlighted the need to closely oversee the access points to systems, which are often the entry points for fraudsters.

The proposals are contained in a consultation paper and, subject to input from stakeholders, will be published in a guidance document due by early 2018.

The guidance will not be binding upon institutions but regulators will likely use the guidance as a basis for how they oversee money transfer and messaging systems.

This could lead to tighter oversight of some bodies including SWIFT, whose lead overseer the National Bank of Belgium previously approved of an approach that put relatively little focus on end-user security.