Securing Your Bank Connectivity - SoCal EXPO


Securing Your Bank Connectivity

Tim Ray, Vice President
April 20th, 2017

© 2017 Kyriba Corp. All rights reserved. PROPRIETARY & CONFIDENTIAL.

Securing your bank connectivity

Today’s Discussion

1) Impact of fraud on bank connectivity
2) Understanding connectivity risks (and solutions to mitigate those risks)
3) Future of connectivity: opportunities for greater security?
4) Questions and answers


Fraud Prevention: Before Bangladesh Compromise

Fraud detection questions by area:

Payments
• Do I have visibility into every payment?
• Are my controls consistent for every bank, every region, every person?
• Do I review my ACKs?

Investments & Trading
• How many bids before a trade?
• Can Settlement Instructions be modified?

Access to Treasury Technology
• How many layers of protection exist after your password?

Supplier Account Verification
• Are there controls to prevent unauthorized change to supplier payment info?

Bank Account Mgmt
• Do I know my account signers? Who can change them?
• Does my bank have the same list?

Fraud Detection
• Do I use payment watchlists?
• Do I have a control center to view all transactions and modifications?


Fraud Prevention: After Bangladesh Compromise

Fraud detection questions by area:

Payments
• Do I have visibility into every payment?
• Are my controls consistent for every bank, every region, every person?
• Do I review my ACKs?

Investments & Trading
• How many bids before a trade?
• Can Settlement Instructions be modified?

Access to Treasury Technology
• How many layers of protection exist after your password?

Supplier Account Verification
• Are there controls to prevent unauthorized change to supplier payment info?

Bank Account Mgmt
• Do I know my account signers? Who can change them?
• Does my bank have the same list?

Fraud Detection
• Do I use payment watchlists?
• Do I have a control center to view all transactions and modifications?

Connectivity
• Can connectivity be compromised?


Can my connectivity be compromised?

Yes, the risk of compromise is real, but steps can be taken to minimize the likelihood of attack.

What we learned from the Bangladesh issue and similar events:
1) Separation of duties is critical
2) UserID and Password are insufficient
3) Preventing payments fraud is more than just protecting initiation/transmission


Bank Reporting Connectivity Workflow

TMS or ERP
Encrypted messages and files sent directly to Kyriba
Prior Day (PD) and Current Day (CD) Reporting:
• BAI2
• MT940
• XML CAMT
• Regional formats


Payment Connectivity Workflow Summary

TMS or ERP
1) Approved payments sent to Banks
2) Secure payments sent from HUB to SWIFT Network
3) Ack Levels transmitted to HUB
4) Ack/Nack notification provided to TMS/ERP

Presenter notes: I like this slide and it is quick to talk through


Understanding Connectivity Risks

Payment Connectivity Risk Exposures
1) Access to software used for payment initiation, approval and transmission (e.g. TMS, ERP, bank portal)
2) Separation of duties and approval limits within payments software
3) Transmission to bank connectivity channel (e.g. SWIFT)
4) The Bank Connectivity Channel
5) Payment Confirmations and Acknowledgements
6) Reconciliation of Payment Transactions
7) Workflow Changes within Payments Systems


1) Access to software used for payment initiation, approval and transmission

• UserID/Password alone should not grant access to the system
• Best practice is a combination of password controls:
  – Password timeouts, resets, history, alphanumeric requirements
  – Virtual Keypad
  – Multi-factor authentication (hard or soft token)
  – IP Filtering
  – Single Sign-On w/ internal IT environment



2) Separation of duties and approval limits within payments software

• Separation of duties is an obvious win
• The issue is when separation of duties is inconsistent across different:
  – Payment types
  – Geographies
  – Systems (e.g. TMS vs. ERP)
• Initiation and Approval Limits: consistency is key or exceptions will be exploited
• Mandate review of attached documentation that supports payments
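The two checks this slide calls for, an initiator who cannot also approve, and approval limits that are the same for every payment type and geography, can be automated over the payment queue. The following is an added example (not code from the deck or from Kyriba); the policy table, the limit values and the payments are constructed, and an outlier limit is planted for the APAC wire row to show how an "exception" surfaces.

```python
"""Separation-of-duties and approval-limit checks for a payment approval policy.

Added illustration; all policy values and payments are constructed, not real.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed policy: the largest amount one approver may release alone,
# keyed by (payment_type, geography). The APAC row is a deliberate outlier.
SINGLE_APPROVER_LIMIT: Dict[Tuple[str, str], int] = {
    ("wire", "US"): 50_000,
    ("wire", "EU"): 50_000,
    ("wire", "APAC"): 500_000,
    ("ach", "US"): 50_000,
}


@dataclass
class Payment:
    ref: str
    amount: float
    ptype: str
    geo: str
    initiator: str
    approvers: List[str] = field(default_factory=list)


def policy_exceptions(limits):
    """Return the (key, limit) rows whose limit differs from the most common one.

    Inconsistent limits across types/geographies are the exceptions the slide
    warns will be exploited, so they are reported before any payment is checked.
    """
    common = Counter(limits.values()).most_common(1)[0][0]
    return [(key, lim) for key, lim in limits.items() if lim != common]


def check_payment(p, limits):
    """Return a list of finding codes for one payment (empty list means it passes)."""
    findings = []
    if p.initiator in p.approvers:
        findings.append("SELF_APPROVAL")          # initiator also approved
    if not p.approvers:
        findings.append("NO_APPROVER")
    limit = limits.get((p.ptype, p.geo))
    if limit is None:
        findings.append("NO_LIMIT_DEFINED")       # no rule for this type/geography
    else:
        independent = set(p.approvers) - {p.initiator}
        if p.amount > limit and len(independent) < 2:
            findings.append("LIMIT_EXCEEDED")    # over limit without a second approver
    return findings


if __name__ == "__main__":
    print("policy exceptions:", policy_exceptions(SINGLE_APPROVER_LIMIT))
    batch = [
        Payment("P1", 10_000, "wire", "US", "alice", ["alice"]),
        Payment("P2", 60_000, "wire", "US", "alice", ["bob", "carol"]),
        Payment("P3", 60_000, "wire", "US", "alice", ["bob"]),
    ]
    for pay in batch:
        print(pay.ref, check_payment(pay, SINGLE_APPROVER_LIMIT) or "ok")
```

The policy scan runs first because a single inconsistent row undermines every per-payment check that uses it; the per-payment check then treats the initiator as non-independent even when they appear in the approver list.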



3) Transmission to Bank Connectivity Channel

• Securing access to the connectivity channel means:
  1) If multiple systems are used (e.g. ERP and SWIFT Gateway), then files must be secured when traveling between systems
  2) Whether one or many systems, implement good authentication protocols to ensure authorized access
  3) Where available, apply digital signatures (e.g. SWIFT 3SKey) to authenticate exported payment files
  4) Review un-editable payments vs. sanctions lists (e.g. OFAC)



4) The Bank Connectivity Channel

• Multiple channels to automatically connect to a bank:
  – Host-to-Host Connections
  – Domestic/Regional Networks
  – MT Concentrator Service (i.e. Shared BIC)
  – SWIFT Alliance Lite2 (hosted by SWIFT / integrated to TMS)
  – SWIFTNet Service Bureau
  – SWIFT Alliance Access (hosted by corporate)



4) The Bank Connectivity Channel (continued)

• Ensure safeguards of hosted connectivity and service bureaus meet your organization’s information security policy:
  – Review of SOC1/SOC2 Audits
  – Penetration Testing
  – Data Security (e.g. encryption at rest, use of firewalls and application tiers, who has access to the data)
  – Business Continuity



5) Payment Confirmation and Acknowledgements

• Up to 4 levels of acknowledgment (5 if you count CAMT 054)
• Acknowledgements can be viewed in message format or integrated into a payment dashboard
• Monitor each stage of the workflow and reconcile against the payment log
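"Monitor each stage and reconcile against the payment log" is a join between two data sets: the references the TMS/ERP actually released, and the acknowledgement events that came back through the hub. The following added example (not from the deck or from Kyriba) does that join with four ack levels as the deck states; the level semantics, reference format and events are constructed. Besides stalled and rejected payments, it reports acknowledgements for references that are not in the payment log at all, which is the case a reconciliation against the log exists to catch.

```python
"""Reconcile acknowledgement events against the outgoing payment log.

Added illustration. Ack levels are numbered 1..4 as in the deck; what each
level means, the reference format and every event below are constructed.
"""
from typing import Dict, Iterable, List, Set, Tuple

EXPECTED_LEVELS = 4  # the deck: up to 4 ack levels (5 if CAMT 054 is counted)

# Constructed payment log: references the TMS/ERP released for transmission.
PAYMENT_LOG: Set[str] = {"PAY-1001", "PAY-1002", "PAY-1003"}

# Constructed ack events as (reference, level, result).
ACK_EVENTS: List[Tuple[str, int, str]] = [
    ("PAY-1001", 1, "ACK"), ("PAY-1001", 2, "ACK"),
    ("PAY-1001", 3, "ACK"), ("PAY-1001", 4, "ACK"),   # fully acknowledged
    ("PAY-1002", 1, "ACK"), ("PAY-1002", 2, "NACK"),  # rejected at level 2
    ("PAY-1003", 1, "ACK"),                           # stuck after level 1
    ("PAY-9999", 1, "ACK"), ("PAY-9999", 2, "ACK"),   # never in the payment log
]


def reconcile_acks(payment_log: Iterable[str],
                   events: Iterable[Tuple[str, int, str]],
                   expected_levels: int = EXPECTED_LEVELS) -> Dict[str, list]:
    """Classify every logged payment as complete, nacked or stalled, and
    list acknowledged references that the payment log never contained."""
    status = {ref: {"highest": 0, "nack_at": None} for ref in payment_log}
    unknown: Set[str] = set()
    for ref, level, result in events:
        if ref not in status:
            unknown.add(ref)            # ack for something we did not send
            continue
        if result == "NACK":
            status[ref]["nack_at"] = level
        else:
            status[ref]["highest"] = max(status[ref]["highest"], level)

    report = {"complete": [], "nacked": [], "stalled": [], "unknown": sorted(unknown)}
    for ref, s in sorted(status.items()):
        if s["nack_at"] is not None:
            report["nacked"].append((ref, s["nack_at"]))
        elif s["highest"] >= expected_levels:
            report["complete"].append(ref)
        else:
            report["stalled"].append((ref, s["highest"]))  # highest level reached so far
    return report


if __name__ == "__main__":
    for bucket, items in reconcile_acks(PAYMENT_LOG, ACK_EVENTS).items():
        print(f"{bucket:9s} {items}")
```

In a dashboard the "stalled" bucket would be time-bounded (a payment one minute old is not stalled); the example leaves the cut-off to the caller so the classification stays deterministic.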



6) Reconciliation of Payment Transactions

• In addition to reviewing payment acknowledgements, reconcile intra-day the outgoing payments with expected payment transactions:
  1) Payments generated within TMS/ERP will generate cash flows for outgoing payments
  2) Intraday reporting from the bank will generate actual transactions
  3) Use standard forecast/actual reconciliation to identify variances
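The three steps above amount to matching a forecast set (payments the TMS/ERP generated) against an actual set (debits in the bank's intraday report) and reporting what does not line up. The following is an added example (not from the deck or from Kyriba) of that forecast/actual reconciliation over constructed data; the record layout, the matching on reference-then-amount and the tolerance are assumptions. The variance buckets are the ones a treasury reviewer would act on: an amount that changed in flight, a debit the TMS never generated, and a forecast payment the bank has not yet reported.

```python
"""Intraday forecast/actual reconciliation of outgoing payments.

Added illustration; the TMS/ERP forecast, the bank debits and the record
layout are constructed, not taken from any real reporting format.
"""
from typing import Dict, List

# Constructed forecast: cash flows generated when payments were created in TMS/ERP.
EXPECTED: List[Dict] = [
    {"ref": "PAY-2001", "amount": 12500.00},
    {"ref": "PAY-2002", "amount": 980.50},
    {"ref": "PAY-2003", "amount": 40000.00},
]

# Constructed actuals: outgoing debits as reported intraday by the bank.
ACTUAL: List[Dict] = [
    {"bank_ref": "B1", "amount": 12500.00, "desc": "OUTGOING WIRE PAY-2001"},
    {"bank_ref": "B2", "amount": 1980.50, "desc": "OUTGOING WIRE PAY-2002"},  # amount differs
    {"bank_ref": "B3", "amount": 7300.00, "desc": "OUTGOING WIRE"},           # not forecast
]


def reconcile(expected: List[Dict], actual: List[Dict], tolerance: float = 0.01) -> Dict[str, list]:
    """Match bank debits to forecast payments and bucket the results.

    A debit is matched first by the forecast reference appearing in its
    description, then (if no reference is present) by exact amount among the
    still-unmatched forecasts. Anything left over on either side is reported.
    """
    matched, variances, unexpected = [], [], []
    remaining = {e["ref"]: e for e in expected}

    for a in actual:
        ref = next((r for r in remaining if r in a["desc"]), None)
        if ref is None:
            ref = next((r for r, e in remaining.items()
                        if abs(e["amount"] - a["amount"]) <= tolerance), None)
        if ref is None:
            unexpected.append(a["bank_ref"])   # bank moved money the TMS never generated
            continue
        e = remaining.pop(ref)
        diff = round(a["amount"] - e["amount"], 2)
        (matched if abs(diff) <= tolerance else variances).append((ref, a["bank_ref"], diff))

    return {
        "matched": matched,
        "variances": variances,           # (forecast ref, bank ref, actual minus forecast)
        "unexpected": unexpected,         # bank refs with no forecast counterpart
        "not_yet_seen": sorted(remaining),  # forecast payments not yet in the bank report
    }


if __name__ == "__main__":
    for bucket, items in reconcile(EXPECTED, ACTUAL).items():
        print(f"{bucket:13s} {items}")
```

Matching by reference before amount matters: two forecast payments of the same amount are common, and a reference-less debit that only matches on amount should still be visible as weaker evidence than a referenced one (a production version would record which rule produced each match).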



7) Workflow changes within payments systems

• Important to monitor changes to the payments workflow (e.g. approvals, limits, users, uploaded payment files, sent payment files)
• Often an integrated dashboard within the ERP/TMS will track any control changes and present them in a summarized view
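The "summarized view" of control changes the slide describes is a pass over the system's audit trail that counts changes by type and pulls forward the ones that weaken controls. The following added example (not from the deck or from Kyriba) does that over constructed audit lines in a made-up `key=value` layout; the action names, the business-hours window and the flag rules (limit raised, approver role granted, a user changing their own record, change outside business hours) are assumptions chosen to match the change categories the slide lists.

```python
"""Summarize control changes in a payments system audit trail and flag the risky ones.

Added illustration. The log layout (timestamp actor=.. action=.. target=.. k=v ...),
the action names and every line below are constructed, not a real TMS/ERP format.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

AUDIT_LOG: List[str] = """\
2017-04-20T09:12:03 actor=jdoe action=UPDATE_LIMIT target=wire/US old=50000 new=50000
2017-04-20T09:40:11 actor=jdoe action=UPDATE_LIMIT target=wire/US old=50000 new=5000000
2017-04-20T22:15:47 actor=msmith action=ADD_USER target=tmp_admin role=approver
2017-04-20T10:02:30 actor=msmith action=UPDATE_ROLE target=msmith role=approver
2017-04-20T11:30:00 actor=jdoe action=UPLOAD_FILE target=payments_0420.xml
""".splitlines()

LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+actor=(?P<actor>\S+)\s+action=(?P<action>\S+)\s+target=(?P<target>\S+)(?P<rest>.*)"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one audit line; any trailing key=value pairs are added to the record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(re.findall(r"(\w+)=(\S+)", rec.pop("rest")))
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review_changes(lines: List[str], business_hours=(8, 18)) -> Tuple[Dict[str, int], List[Tuple[str, str, str]]]:
    """Return (count of changes per action, findings as (code, actor, target))."""
    summary: Dict[str, int] = {}
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        summary[rec["action"]] = summary.get(rec["action"], 0) + 1
        who, what = rec["actor"], rec["target"]
        # A limit that goes up widens what one approver can release.
        if rec["action"] == "UPDATE_LIMIT" and int(rec["new"]) > int(rec["old"]):
            findings.append(("LIMIT_RAISED", who, what))
        # New approvers are the control change most worth a second look.
        if rec["action"] in ("ADD_USER", "UPDATE_ROLE") and rec.get("role") == "approver":
            findings.append(("APPROVER_GRANTED", who, what))
        # An actor editing their own record defeats separation of duties.
        if who == what:
            findings.append(("SELF_MODIFICATION", who, what))
        if not business_hours[0] <= rec["ts"].hour < business_hours[1]:
            findings.append(("OUT_OF_HOURS", who, what))
    return summary, findings


if __name__ == "__main__":
    counts, flags = review_changes(AUDIT_LOG)
    print("changes by action:", counts)
    for f in flags:
        print("  ", *f)
```

The first limit line (old and new both 50000) produces no finding, which is intentional: a dashboard that flags every touch to a limit trains reviewers to ignore it, while one that flags only increases keeps the signal.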


Does the future offer more security?


Future of Bank Connectivity

Instant Payments
• Movement towards quicker payments (instant payments in Europe, same day ACH domestically, SWIFT GPII)
• Increases the need to stop unauthorized payments before they start
• More difficult to claw back a payment after it has cleared


Future of Bank Connectivity

Global Payment Innovation Initiative
• Initiative by SWIFT; takes effect 2017
• Offers same day cross border settlement
• Also offers greater transparency of payments – the equivalent of a global tracking number (like online shopping & shipping)
• Transparency allows better audit of where a payment went


Future of Bank Connectivity

Blockchain/Distributed Ledger
• Much talk about Blockchain and security advantages
• Distributed Ledger Technology (DLT) still years from mainstream adoption for payments
• ‘Complete anonymity’ will need to be addressed to offer improvements in security and a reduced threat of unauthorized payments


Concluding Remarks

• The connectivity channel is not the problem; it is securing access to/from the channel which presents the most risk
• Securing connectivity starts with understanding exposure points in the connectivity workflow (e.g. payment initiation)
• Cloud connectivity offers good advantages if offered as a single system (rather than a patchwork of multiple solutions)