Post on 08-Jul-2018
© 2017 Kyriba Corp. All rights reserved. PROPRIETARY & CONFIDENTIAL.
Securing your bank connectivity
Today’s Discussion
1) Impact of fraud on bank connectivity
2) Understanding connectivity risks (and solutions to mitigate those risks)
3) Future of connectivity: opportunities for greater security?
4) Questions and answers
Fraud Prevention: Before Bangladesh Compromise
Key questions by area:
• Fraud Detection: Do I use payment watchlists? Do I have a control center to view all transactions and modifications?
• Payments: Do I have visibility into every payment? Are my controls consistent for every bank, every region, every person? Do I review my ACKs?
• Access to Treasury Technology: How many layers of protection exist after your password?
• Supplier Account Verification: Are there controls to prevent unauthorized change to supplier payment info?
• Investments & Trading: How many bids before a trade? Can Settlement Instructions be modified?
• Bank Account Mgmt: Do I know my account signers? Who can change them? Does my bank have the same list?
Fraud Prevention: After Bangladesh Compromise
The same areas and questions as before, with one area added:
• Connectivity: Can connectivity be compromised?
Can my connectivity be compromised?
Yes, the risk of compromise is real, but steps can be taken to minimize the likelihood of attack.
What we learned from the Bangladesh issue and similar events:
1) Separation of duties is critical
2) UserID and Password are insufficient
3) Preventing payments fraud is more than just protecting initiation/transmission
Bank Reporting Connectivity Workflow (diagram)
• Banks send prior day (PD) and current day (CD) reporting as encrypted messages and files directly to Kyriba
• Reporting formats: BAI2, MT940, XML CAMT, regional formats
• Destination: TMS or ERP
Payment Connectivity Workflow Summary (diagram; starts at the TMS or ERP)
1) Approved payments sent to Banks
2) Secure payments sent from HUB to SWIFT Network
3) Ack Levels transmitted to HUB
4) Ack/Nack notification provided to TMS/ERP
Understanding Connectivity Risks
Payment Connectivity Risk Exposures
1) Access to software used for payment initiation, approval and transmission (e.g. TMS, ERP, bank portal)
2) Separation of duties and approval limits within payments software
3) Transmission to bank connectivity channel (e.g. SWIFT)
4) The Bank Connectivity Channel
5) Payment Confirmations and Acknowledgements
6) Reconciliation of Payment Transactions
7) Workflow Changes within Payments Systems
1) Access to software used for payment initiation, approval and transmission
• A UserID and password alone should not grant access to the system
• Best practice is a combination of password controls:
– Password timeouts, resets, history, alphanumeric requirements
– Virtual Keypad
– Multi-factor authentication (hard or soft token)
– IP Filtering
– Single Sign-On w/ internal IT environment
2) Separation of duties and approval limits within payments software
• Separation of duties is an obvious win
• The issue is when separation of duties is inconsistent across different:
– Payment types
– Geographies
– Systems (e.g. TMS vs. ERP)
• Initiation and Approval Limits: Consistency is key or exceptions will be exploited
• Mandate review of attached documentation that supports payments
3) Transmission to Bank Connectivity Channel
• Securing access to the connectivity channel means:
1) If multiple systems are used (e.g. ERP and SWIFT Gateway), then files must be secured when traveling between systems
2) Whether one or many systems, implement good authentication protocols to ensure authorized access
3) Where available, apply digital signatures (e.g. SWIFT 3SKey) to authenticate exported payment files
4) Review un-editable payments vs. sanctions lists (e.g. OFAC)
4) The Bank Connectivity Channel
• Multiple channels to automatically connect to bank:
– Host-to-Host Connections
– Domestic/Regional Networks
– MT Concentrator Service (i.e. Shared BIC)
– SWIFT Alliance Lite2 (hosted by SWIFT / integrated to TMS)
– SWIFTNet Service Bureau
– SWIFT Alliance Access (hosted by corporate)
• Ensure safeguards of hosted connectivity and service bureaus meet your organization’s information security policy:
– Review of SOC1/SOC2 Audits
– Penetration Testing
– Data Security (e.g. encryption at rest, use of firewalls and application tiers, who has access to the data)
– Business Continuity
5) Payment Confirmation and Acknowledgements
• Up to 4 levels of acknowledgment (5 if you count CAMT 054)
• Acknowledgements can be viewed in message format or integrated into a payment dashboard
• Monitor each stage of workflow and reconcile against payment log
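One way to monitor each acknowledgement stage against the payment log, as an added example rather than Kyriba's own code. The four level names, the 30-minute staleness threshold and all payment references are assumptions constructed for the example; the slide only states that up to four levels exist.

```python
"""Track each sent payment through the acknowledgement levels and reconcile
the acks against the payment log (added example, not Kyriba's own code)."""
from datetime import datetime, timedelta

# Assumed level names; the slide only says there are up to four levels
LEVELS = {1: "received by hub", 2: "accepted by SWIFT network",
          3: "received by bank", 4: "accepted by bank"}
# Constructed payment log: reference -> time the payment file was sent
PAYMENT_LOG = {"PAY-1001": datetime(2018, 7, 5, 9, 0),
               "PAY-1002": datetime(2018, 7, 5, 9, 5),
               "PAY-1003": datetime(2018, 7, 5, 9, 10)}
# Constructed ack messages: (reference, level, ACK/NACK, time received)
ACK_EVENTS = [("PAY-1001", 1, "ACK", datetime(2018, 7, 5, 9, 1)),
              ("PAY-1001", 2, "ACK", datetime(2018, 7, 5, 9, 3)),
              ("PAY-1001", 3, "ACK", datetime(2018, 7, 5, 9, 20)),
              ("PAY-1001", 4, "ACK", datetime(2018, 7, 5, 9, 45)),
              ("PAY-1002", 1, "ACK", datetime(2018, 7, 5, 9, 6)),
              ("PAY-1002", 2, "NACK", datetime(2018, 7, 5, 9, 7)),
              ("PAY-1003", 1, "ACK", datetime(2018, 7, 5, 9, 11)),
              ("PAY-9999", 1, "ACK", datetime(2018, 7, 5, 9, 12))]  # not in log

def ack_status(payment_log, ack_events, now, stale_after=timedelta(minutes=30)):
    """Return {reference: finding}: 'complete' once level 4 is ACKed,
    'rejected' on any NACK, 'stale' if no progress within stale_after,
    else 'in progress'; acks for unknown references are flagged too."""
    by_ref = {}
    for ref, level, status, ts in ack_events:
        by_ref.setdefault(ref, []).append((level, status, ts))
    # An ack for a payment the log never sent deserves investigation
    findings = {ref: "unknown reference: ack for a payment not in the log"
                for ref in by_ref if ref not in payment_log}
    for ref, sent in payment_log.items():
        events = sorted(by_ref.get(ref, []), key=lambda e: e[2])
        nacks = [e for e in events if e[1] == "NACK"]
        top = max((e[0] for e in events if e[1] == "ACK"), default=0)
        last = events[-1][2] if events else sent
        if nacks:
            findings[ref] = f"rejected at level {nacks[0][0]} ({LEVELS[nacks[0][0]]})"
        elif top == 4:
            findings[ref] = "complete"
        elif now - last > stale_after:
            findings[ref] = f"stale at level {top}: no progress since {last:%H:%M}"
        else:
            findings[ref] = f"in progress at level {top}"
    return findings

def example_findings():
    """Run the check at 10:00 on the constructed data."""
    return ack_status(PAYMENT_LOG, ACK_EVENTS, datetime(2018, 7, 5, 10, 0))
```

A stale payment and an ack for an unknown reference are the two findings that a dashboard showing only message content would not surface on its own.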
6) Reconciliation of Payment Transactions
• In addition to reviewing payment acknowledgements, reconcile intra-day the outgoing payments with expected payment transactions:
1) Payments generated within the TMS/ERP will generate cash flows for outgoing payments
2) Intraday reporting from the bank will generate actual transactions
3) Use standard forecast/actual reconciliation to identify variances
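The three-step forecast/actual reconciliation above, carried through as an added example (not Kyriba's code): expected cash flows from the TMS/ERP are matched by reference against debits from the intraday bank report, and the variances are grouped by kind. All references, amounts and beneficiary identifiers are constructed sample data.

```python
"""Intra-day forecast/actual reconciliation of expected outgoing payments from the
TMS/ERP against debits in the bank's intraday report (added example, not Kyriba's)."""
from decimal import Decimal

# Constructed: cash flows generated by payments released from the TMS/ERP
EXPECTED = [
    {"ref": "PAY-1001", "amount": Decimal("25000.00"), "ccy": "USD", "beneficiary": "BENE-A"},
    {"ref": "PAY-1002", "amount": Decimal("4800.50"), "ccy": "EUR", "beneficiary": "BENE-B"},
    {"ref": "PAY-1003", "amount": Decimal("125000.00"), "ccy": "USD", "beneficiary": "BENE-C"},
    {"ref": "PAY-1004", "amount": Decimal("900.00"), "ccy": "GBP", "beneficiary": "BENE-D"},
]
# Constructed: debits parsed from the intraday bank report (e.g. camt.052 or BAI2)
ACTUAL = [
    {"ref": "PAY-1001", "amount": Decimal("25000.00"), "ccy": "USD", "beneficiary": "BENE-A"},
    {"ref": "PAY-1002", "amount": Decimal("4800.50"), "ccy": "EUR", "beneficiary": "BENE-B"},
    {"ref": "PAY-1003", "amount": Decimal("125000.00"), "ccy": "USD", "beneficiary": "BENE-X"},
    {"ref": "PAY-7777", "amount": Decimal("60000.00"), "ccy": "USD", "beneficiary": "BENE-Z"},
]

def reconcile(expected, actual):
    """Group payments as matched, variance (amount/currency/beneficiary differs),
    unexpected (debit with no expected payment) or missing (expected, not yet seen)."""
    exp = {p["ref"]: p for p in expected}
    act = {t["ref"]: t for t in actual}
    result = {"matched": [], "variance": [], "unexpected": [], "missing": []}
    for ref, t in act.items():
        p = exp.get(ref)
        if p is None:
            # A debit the TMS/ERP never generated: possible unauthorized payment
            result["unexpected"].append(ref)
            continue
        diffs = {f: (p[f], t[f]) for f in ("amount", "ccy", "beneficiary") if p[f] != t[f]}
        if diffs:
            result["variance"].append((ref, diffs))
        else:
            result["matched"].append(ref)
    # Expected but not yet reported: still in flight, or stuck/never sent
    result["missing"] = [ref for ref in exp if ref not in act]
    return result

def unexpected_exposure(expected, actual):
    """Total of unexpected debits per currency, the amount to chase first."""
    totals = {}
    act = {t["ref"]: t for t in actual}
    for ref in reconcile(expected, actual)["unexpected"]:
        t = act[ref]
        totals[t["ccy"]] = totals.get(t["ccy"], Decimal("0")) + t["amount"]
    return totals
```

A beneficiary variance on an otherwise matching payment is the case the supplier-account questions earlier on the page are about: the amount reconciles, but the money went somewhere else.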
7) Workflow changes within payments systems
• It is important to monitor changes to the payments workflow (e.g. approvals, limits, users, uploaded payment files, sent payment files)
• An integrated dashboard within the ERP/TMS will often track any control changes and present them in a summarized view
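What such a summarized control-change view can compute, as an added example that is not Kyriba's or any TMS vendor's code: it counts changes per type in a constructed audit trail and flags those that weaken controls (raised limits, fewer required approvers, newly granted approval rights, and one user both uploading and sending the same payment file). The record layout, user names and rules are assumptions for the example.

```python
"""Summarize control changes from a payments system's audit trail and flag those
that weaken payment controls (added example, not Kyriba's or any vendor's code)."""
from collections import Counter

# Constructed audit records: (timestamp, user, change type, target, old value, new value)
AUDIT_LOG = [
    ("2018-07-05T08:02", "jsmith", "limit", "approval_limit:jdoe", "50000", "500000"),
    ("2018-07-05T08:05", "jsmith", "approval", "required_approvers:USD wires", "2", "1"),
    ("2018-07-05T08:07", "jsmith", "user", "role:tmiller", "viewer", "approver"),
    ("2018-07-05T08:10", "tmiller", "file_upload", "batch-0705-01.xml", "", "uploaded"),
    ("2018-07-05T08:12", "tmiller", "file_sent", "batch-0705-01.xml", "", "sent"),
    ("2018-07-05T09:30", "admin", "user", "status:pjones", "active", "disabled"),
]

def weakens_control(change_type, old, new):
    """Assumed rules for a change that reduces protection: a raised limit,
    fewer required approvers, or a user granted approval rights."""
    if change_type == "limit":
        return float(new) > float(old)
    if change_type == "approval":
        return int(new) < int(old)
    if change_type == "user":
        return new == "approver"
    return False

def summarize_changes(log):
    """Return (count of changes per type, list of high-risk findings)."""
    counts = Counter(rec[2] for rec in log)
    findings = [f"{ts} {user} changed {target}: {old} -> {new}"
                for ts, user, ctype, target, old, new in log
                if weakens_control(ctype, old, new)]
    # The same user uploading and sending a payment file defeats separation of duties
    uploaders = {(rec[3], rec[1]) for rec in log if rec[2] == "file_upload"}
    for ts, user, ctype, target, _old, _new in log:
        if ctype == "file_sent" and (target, user) in uploaders:
            findings.append(f"{ts} {user} both uploaded and sent {target}")
    return counts, findings
```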
Future of Bank Connectivity
Instant Payments
• Movement towards quicker payments (instant payments in Europe, same day ACH domestically, SWIFT GPII)
• Increases the need to stop unauthorized payments before they start
• More difficult to claw back a payment after it has cleared
Global Payment Innovation Initiative
• Initiative by SWIFT; takes effect 2017
• Offers same day cross border settlement
• Also offers greater transparency of payments – the equivalent of a global tracking number (like online shopping & shipping)
• Transparency allows better audit of where a payment went
Blockchain/Distributed Ledger
• Much talk about Blockchain and security advantages
• Distributed Ledger Technology (DLT) still years from mainstream adoption for payments
• ‘Complete anonymity’ will need to be addressed to offer improvements in security and reduced threat of unauthorized payments
Concluding Remarks
• The connectivity channel is not the problem; it is securing access to/from the channel which presents the most risk
• Securing connectivity starts with understanding the exposure points in the connectivity workflow (e.g. payment initiation)
• Cloud connectivity offers good advantages if offered as a single system (rather than a patchwork of multiple solutions)