Securing your Bank Connectivity

Tom Hunt | Director of Treasury Services | AFP
Bob Stark | Vice President, Strategy | Kyriba
December 14th, 2016

Transcript of Securing your Bank Connectivity

Page 1: Securing your Bank Connectivity

Tom Hunt | Director of Treasury Services | AFP Bob Stark | Vice President, Strategy | Kyriba

Securing Your Bank Connectivity December 14th, 2016

Page 2: Securing your Bank Connectivity

© 2016 Kyriba Corp. All rights reserved. PROPRIETARY & CONFIDENTIAL.

Today’s speakers

Tom Hunt, Director of Treasury Services, AFP ([email protected])

Bob Stark, VP Strategy, Kyriba Corporation ([email protected], @treasurybob)

Page 3: Securing your Bank Connectivity


Securing Your Bank Connectivity

Today’s Discussion Points

1) Impact of fraud on bank connectivity

2) Payment connectivity

3) Bank statement reporting

4) Future of connectivity: opportunities for greater security?

5) Questions and answers

Page 4: Securing your Bank Connectivity


Fraud Prevention: Before Bangladesh Compromise

Diagram: Fraud & Cybercrime in Treasury. Each area of treasury is shown with the control questions it raises:

- Fraud Detection: Do I use payment watchlists? Do I have a control center to view all transactions and modifications?

- Payments: Do I have visibility into every payment? Are my controls consistent for every bank, every region, every person? Do I review my ACKs?

- Access to Treasury Technology: How many layers of protection exist after your password?

- Supplier Account Verification: Are there controls to prevent unauthorized change to supplier payment info?

- Investments & Trading: How many bids before a trade? Can Settlement Instructions be modified?

- Bank Account Mgmt: Do I know my account signers? Who can change them? Does my bank have the same list?

Page 5: Securing your Bank Connectivity


Fraud Prevention: After Bangladesh Compromise

Diagram: Fraud & Cybercrime in Treasury. The same areas and questions as the previous slide (Fraud Detection, Payments, Access to Treasury Technology, Supplier Account Verification, Investments & Trading, Bank Account Mgmt), with one area added:

- Connectivity: Can connectivity be compromised?

Page 6: Securing your Bank Connectivity


Can My Connectivity Be Compromised?

Yes, connectivity workflows can be at risk

Steps can be taken to minimize likelihood of attack

What we learned from Bangladesh issue and similar events:

1) Separation of duties critical

2) UserID and Password insufficient

3) Preventing Payments Fraud is more than just protecting initiation/transmission

Page 7: Securing your Bank Connectivity


Bank Reporting Connectivity Workflow

Diagram: each bank sends Prior Day (PD) and Current Day (CD) reporting in BAI2, MT940, XML CAMT or regional formats; the encrypted messages and files are sent directly to Kyriba and delivered to the TMS or ERP.

Page 8: Securing your Bank Connectivity


Payment Connectivity workflow summary

Diagram: four numbered flows between the TMS or ERP, the HUB, the SWIFT Network and the Banks:

1) Approved payments sent to Banks

2) Secure payments sent from HUB to SWIFT Network

3) Ack Levels transmitted to HUB

4) Ack/Nack notification provided to TMS/ERP

Page 9: Securing your Bank Connectivity


Payment Connectivity Risk Exposures

1) Access to software used for payment initiation, approval and transmission (e.g. TMS, ERP, bank portal)

2) Separation of duties and approval limits within payments software

3) Transmission to bank connectivity channel

4) The Bank Connectivity Channel

5) Payment Confirmations and Acknowledgements

6) Reconciliation of Payment Transactions

7) Workflow Changes within Payments Systems

Understanding Connectivity Risks

Page 10: Securing your Bank Connectivity


1) Access to software used for payment initiation, approval and transmission

• UserID/Password should not grant access to the system

• Best practice is a combination of password controls:

– Password timeouts, resets, history, alphanumeric requirements

– Virtual Keypad

– Multi-factor authentication (hard or soft token)

– IP Filtering

– Single Sign-On w/ internal IT environment

Understanding Connectivity Risks

Page 11: Securing your Bank Connectivity


2) Separation of duties and approval limits within payments software

• Separation of duties is an obvious win

• Issue is when separation of duties is inconsistent across different:

– Payment types

– Geographies

– Systems (e.g. TMS vs. ERP)

• Initiation and Approval Limits: Consistency is key or exceptions will be exploited

• Mandate review of attached documentation that supports payments

Understanding Connectivity Risks

Page 12: Securing your Bank Connectivity


3) Transmission to Bank Connectivity Channel

• Securing access to the connectivity channel means:

1) If multiple systems are used, files must be secured while travelling between systems

2) Whether one or many systems are used, implement good authentication protocols to ensure only authorized access

3) Where available, apply digital signatures (e.g. SWIFT 3SKey) to authenticate exported payment files

4) Review un-editable payments vs. sanctions lists (e.g. OFAC)

Understanding Connectivity Risks

Page 13: Securing your Bank Connectivity


4) The Bank Connectivity Channel

• Multiple channels to automatically connect to bank

Host-to-Host Connections

Domestic/Regional Networks

MT Concentrator Service (i.e. Shared BIC)

SWIFT Alliance Lite2 (hosted by SWIFT / integrated to TMS)

SWIFTNet Service Bureau

SWIFT Alliance Access (hosted by corporate)

Understanding Connectivity Risks

Page 14: Securing your Bank Connectivity


4) The Bank Connectivity Channel

• Multiple channels to automatically connect to bank

• Ensure safeguards of hosted connectivity and service bureaus meet your organization’s information security policy

– Review of SOC1/SOC2 Audits

– Penetration Testing

– Data Security (e.g. encryption at rest, use of firewalls and application tiers, who has access to the data)

– Business Continuity

Understanding Connectivity Risks

Page 15: Securing your Bank Connectivity


5) Payment Confirmation and Acknowledgements

• Up to 4 levels of acknowledgment (5 if you count CAMT 054)

• Acknowledgements can be viewed in message format or integrated into a payment dashboard

• Monitor each stage of workflow and reconcile against payment log
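As an added illustration of monitoring each acknowledgement stage against the payment log (this is example code, not Kyriba's or the presenters'; the stage names, the payment references and the acknowledgement events are constructed):

```python
"""Acknowledgement-stage monitoring against a TMS/ERP payment log (constructed example)."""
from collections import defaultdict

# Expected acknowledgement chain for one payment, in order. The stage names are
# assumptions for illustration; real names depend on the hub and network used.
ACK_STAGES = ["HUB_RECEIVED", "NETWORK_ACK", "BANK_ACK", "BANK_ACCEPTED"]

def check_acknowledgements(payment_log, ack_events):
    """Return {reference: finding} for every reference in the log or the events.

    payment_log: references the TMS/ERP recorded as sent.
    ack_events:  (reference, stage, status) tuples, status is "ACK" or "NACK".
    Findings: "complete", "NACK at <stage>", "stuck after <stage>",
              "no acknowledgement", or "unknown reference" (an acknowledgement
              for something the payment log never sent, worth investigating).
    """
    acks = defaultdict(dict)
    for ref, stage, status in ack_events:
        acks[ref][stage] = status
    sent = set(payment_log)
    findings = {ref: "unknown reference" for ref in acks if ref not in sent}
    for ref in sent:
        reached = None
        for stage in ACK_STAGES:
            status = acks[ref].get(stage)
            if status is None:
                findings[ref] = f"stuck after {reached}" if reached else "no acknowledgement"
                break
            if status == "NACK":
                findings[ref] = f"NACK at {stage}"
                break
            reached = stage
        else:
            findings[ref] = "complete"
    return findings

# Constructed sample data: three logged payments and the acks received so far.
PAYMENT_LOG = ["PAY-001", "PAY-002", "PAY-003"]
ACK_EVENTS = [
    ("PAY-001", "HUB_RECEIVED", "ACK"), ("PAY-001", "NETWORK_ACK", "ACK"),
    ("PAY-001", "BANK_ACK", "ACK"), ("PAY-001", "BANK_ACCEPTED", "ACK"),
    ("PAY-002", "HUB_RECEIVED", "ACK"), ("PAY-002", "NETWORK_ACK", "NACK"),
    ("PAY-003", "HUB_RECEIVED", "ACK"),
    ("PAY-999", "HUB_RECEIVED", "ACK"),  # never recorded in the TMS/ERP log
]

if __name__ == "__main__":
    for ref, finding in sorted(check_acknowledgements(PAYMENT_LOG, ACK_EVENTS).items()):
        print(ref, finding)
```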

Understanding Connectivity Risks

Page 16: Securing your Bank Connectivity


6) Reconciliation of Payment Transactions

• In addition to reviewing payment acknowledgements, reconcile intra-day the outgoing payments with expected payment transactions

1) Generated payments within TMS/ERP will generate cash flows for outgoing payments

2) Intraday reporting from bank will generate actual transactions

3) Use standard forecast/actual reconciliation to identify variances
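An added worked example of the forecast/actual reconciliation in steps 1 to 3 (example code, not the presenters' or Kyriba's; accounts, references, amounts and beneficiaries are constructed, and the bank-side tuples are assumed to have already been parsed out of the intraday BAI2/MT940/CAMT report):

```python
"""Intraday reconciliation of expected outgoing payments vs. bank-reported debits (constructed example)."""
from decimal import Decimal

def reconcile(expected, actual):
    """Compare TMS/ERP cash flows with intraday bank transactions.

    expected: (account, reference, amount, beneficiary) tuples from the TMS/ERP.
    actual:   (account, reference, amount, beneficiary) tuples from intraday reporting.
    Matching key is assumed to be (account, reference). Returns three variance lists:
      unexpected - the bank debited something the TMS/ERP never generated
      missing    - an expected payment not (yet) seen at the bank
      mismatch   - same reference, but amount or beneficiary differs
    """
    exp = {(acct, ref): (amt, ben) for acct, ref, amt, ben in expected}
    act = {(acct, ref): (amt, ben) for acct, ref, amt, ben in actual}
    unexpected = sorted(key for key in act if key not in exp)
    missing = sorted(key for key in exp if key not in act)
    mismatch = sorted((key, exp[key], act[key])
                      for key in exp.keys() & act.keys() if exp[key] != act[key])
    return {"unexpected": unexpected, "missing": missing, "mismatch": mismatch}

# Constructed sample data.
EXPECTED = [
    ("ACC1", "P1", Decimal("1000.00"), "Supplier A"),
    ("ACC1", "P2", Decimal("250.00"), "Supplier B"),
    ("ACC2", "P3", Decimal("75.50"), "Supplier C"),
]
ACTUAL = [
    ("ACC1", "P1", Decimal("1000.00"), "Supplier A"),   # matches
    ("ACC1", "P2", Decimal("250.00"), "Supplier X"),    # beneficiary differs
    ("ACC2", "P4", Decimal("9900.00"), "Unknown Co"),   # never generated in the TMS/ERP
]                                                       # P3 not yet at the bank

if __name__ == "__main__":
    for kind, items in reconcile(EXPECTED, ACTUAL).items():
        print(kind, items)
```

The "unexpected" list is the one to escalate first: it is a debit with no originating cash flow, which is exactly what the slide's intraday check is meant to catch before the payment clears.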

Understanding Connectivity Risks

Page 17: Securing your Bank Connectivity


7) Workflow changes within payments systems

• Important to monitor changes to payments workflow (e.g. approvals, limits, users, uploaded payment files, sent payment files)

• Often an integrated dashboard within the ERP/TMS will track any control changes and present them in a summarized view

Understanding Connectivity Risks

Page 18: Securing your Bank Connectivity


Future of Bank Connectivity

Instant Payments

Movement towards quicker payments (instant payments in Europe, same day ACH domestically, SWIFT GPII)

Increases need to stop unauthorized payments before they start

More difficult to claw back a payment after it has cleared

Page 19: Securing your Bank Connectivity


Future of Bank Connectivity

Global Payment Innovation Initiative

Initiative by SWIFT; takes effect 2017

Offers same day cross border settlement

Also offers greater transparency of payments – equivalent of a global tracking number (like online shopping & shipping)

Transparency allows better audit of where payment went

Page 20: Securing your Bank Connectivity


Future of Bank Connectivity

Blockchain/Distributed Ledger

Much talk about Blockchain and security advantages

Distributed Ledger Technology (DLT) still years from mainstream adoption for payments

‘Complete anonymity’ will need to be addressed to offer improvements in security and reduced threat of unauthorized payments

Page 21: Securing your Bank Connectivity


Concluding Remarks

Connectivity channel (e.g. SWIFT) is not the problem; it is securing access to/from the channel which presents most risk

Securing connectivity starts with understanding exposure points in the connectivity workflow (e.g. payment initiation)

Cloud connectivity offers good advantages if offered as a single system (rather than patchwork of multiple solutions)

Page 24: Securing your Bank Connectivity


Thanks for attending

facebook.com/kyribacorp

twitter.com/kyribacorp

linkedin.com/company/kyriba-corporation

youtube.com/kyribacorp

slideshare.com/kyriba

kyriba.com/blog