The evolving use of technology in the banking industry has inevitably led to the increased risk of cyber-attacks on electronic payment systems.
There have been a number of high profile incidents which have affected retail customers and Which?, the consumer rights group, has made a super complaint to the Payment Services Regulator highlighting the increasing concern and focus about these issues.
The risks are not limited to the retail space as highlighted by the series of attacks on the SWIFT messaging system recently, with the banks that have fallen victim to those attacks suffering significant reputational and financial damage as a result. But as defrauded parties look to recover their losses, there is also an increasing scrutiny on the actions of paying banks with defrauded parties claiming that those banks should be investigating payment requests to ensure they are genuine before they make payment.
Last year, there were a number of reported incidents of fraudsters hacking into banks' SWIFT messaging system (known examples include Bank Bangladesh, Tien Phong Bank, Banco del Austro) and subsequently transmitting, or attempting to in the case of Tien Phong, seemingly genuine transfer orders to correspondent banks instructing the transfer of funds to a third party.
In the case of Bank Bangladesh, hackers transmitted a series of 'fraudulent' payment instructions via SWIFT to the New York Federal Reserve (the Fed) ordering the transfer of large tranches of money from Bank Bangladesh's account there. The Fed, believing the messages had been authenticated in accordance with the SWIFT protocols, transferred approximately $101 million to banks in Sri Lanka and the Philippines. Although a proportion of funds were retrieved, significant amounts remain outstanding with reports that some of the funds had been laundered through casinos.
The same methodology was adopted in a cyber-attack on the Ecuadorian bank, Banco del Austro in 2015. As a result of fraudulent payment instructions sent via Banco del Austro's SWIFT account, Wells Fargo transferred approximately $12 million to third parties causing a significant loss to the Ecuadorian bank. However, whilst Wells Fargo acted on apparently 'genuine' authenticated payment instructions, Banco del Austro has filed a claim in the US courts against Wells Fargo seeking to blame it for the losses because it failed to cross check the instructions before making payment. Likewise, Bank Bangladesh has reportedly considered suing the Fed.
Wells Fargo has denied liability on the basis that it acted on an instruction authenticated in accordance with SWIFT protocols.
According to the SWIFT user guide, authentication is "a process that SWIFT uses to confirm the identity of the sender or the receiver of a message, or to prove the integrity of specific information. Message authentication determines the source of a message, and verifies that no-one has modified or replaced the message during transit."
As the fraudulent messages were sent via genuine SWIFT accounts, Wells Fargo is arguing that the messages met these authentication procedures.
Whilst some of the central arguments in that case relate specifically to the New York Uniform Commercial Code, it is not an isolated example of parties seeking to apportion liability on the paying bank for failing to take adequate steps prior to making the payment.
The arguments in the above case are predominantly US-centric, however the final ruling on this matter could have wider implications for SWIFT payment instructions. If it is determined that placing sole reliance on the SWIFT authentication security procedures are not 'reasonable', it may support a wider expectation that banks should carry out additional checks before processing payments - even when acting on instructions in an authenticated SWIFT message.
This comes at a time when there is increasing regulatory pressure on banks to improve their security systems for detecting and preventing financial crime. It may have significant financial and operational implications for banks while they upgrade their systems and refine their procedures for processing payments.
The inevitable consequence of these claims is increased focus on the payment instruction. The claimant bank may argue that the circumstances of the payment should have raised suspicions for the payment bank, which should have investigated its authenticity prior to processing the payment.
It also begs the question whether the possible transfer of liability to banks processing SWIFT payment instructions would undermine the very nature of a system designed to enable efficiency with minimum manual intervention and limited use of its operational resources.
It is reasonable to argue that these claims seek to unfairly push the liability for the attack away from the bank whose systems were hacked, and which may therefore have had inadequate security in place, onto a third party bank which responds to the instructions.
The result of which may be to disincentivise smaller banks from investing in their cyber security systems to prevent such attacks. Although to some extent, that risk is mitigated by SWIFT's response to these incidents.
In September 2016, SWIFT announced the introduction of a set of core security standards which will become mandatory for its customers in Q2 2017. SWIFT has made clear that "applying these standards will further support customers in their efforts to prevent and detect fraudulent use of their infrastructure". SWIFT will require self-attestation of compliance to these standards.
It is worth noting that cyber fraud does not always immediately generate a palpable loss and fraud can be perpetrated via the SWIFT network in other ways, which can sometimes go undetected. For example, there were reports last month that hackers have accessed the SWIFT system of three banks in India and inputted fake letters of credits and demand guarantees.
Whilst these attacks were uncovered before any further steps were taken, the expectation was that the fraudsters intended to raise demands under those instruments to trigger the release of funds. In response to those attacks the Reserve Bank of India has mandated that (mirroring the arguments set out above) banks should check the electronic SWIFT documents against the underlying documentation to cross-check their authenticity.
Contributor: Shibani Kapur