Reducing the risk of wholesale payments fraud related to endpoint security

09 May 2018

The Committee on Payments and Market Infrastructures, of the BIS, has released a report on Reducing the risk of wholesale payments fraud related to endpoint security. This report first discusses the wholesale payment ecosystem and endpoints, and the risk of wholesale payments fraud, stressing the need for a holistic approach and coordination. It then presents the strategy, which comprises seven elements. It then discusses the CPMI’s plan to promote, support and monitor local and global progress in operationalising the strategy, with due recognition of the need for flexibility to reflect the uniqueness of each system and jurisdiction, including the legal, regulatory, operational and technological structures and constraints under which they may operate.

Introduction
In September 2016, responding to the increasing threat of wholesale payments fraud, the Committee on Payments and Market Infrastructures (CPMI) announced the establishment of a task force (TF) to look into the security of wholesale payments that involve banks, financial market infrastructures (FMIs) and other financial institutions. This TF developed a strategy to reduce the risk of wholesale payments fraud related to endpoint security (hereafter “wholesale payments fraud”), which the CPMI published for public consultation in September 2017. The final strategy reflects feedback received during that consultation.

The strategy’s primary aim is to encourage and help focus industry efforts to reduce the risk of wholesale payments fraud and, in doing so, support financial stability. To that end, each CPMI member central bank, and the CPMI as a whole, is committed to acting as a catalyst for effective and coherent operationalisation of the strategy within and across jurisdictions and systems and will monitor progress throughout 2018 and 2019 to determine the need for further action.
(…)

Wholesale payment ecosystem and endpoints
A safe, reliable, secure and efficient wholesale payment system is an essential component of a well functioning financial system. A wholesale payment system is connected by a supporting messaging network with banks, FMIs and other financial institutions and service providers, forming a complex ecosystem. Central banks have long had a special interest in the wholesale payment ecosystem, both as owners and operators of wholesale payment systems and as overseers of these systems. Further, central banks use a wholesale payment system for their monetary policy implementation and provision of liquidity to maintain financial stability.
Fraud in the wholesale payment ecosystem is becoming increasingly sophisticated, and recent examples have shown that weaknesses in security at one endpoint in the ecosystem can be exploited to commit payments fraud. For the purposes of this note, an endpoint in the wholesale payment ecosystem is defined to be a point in place and time at which payment instruction information is exchanged between two parties in the ecosystem, such as between a payment system and a messaging network, between a messaging network and a participant in the network, or between a payment system and a participant in the system. Endpoint security is built upon measures taken with respect to endpoint hardware, software, physical access, logical access, organisation and processes.

Risk of wholesale payments fraud and need for a holistic approach and coordination
While wholesale payments fraud can cause material risks to individual financial institutions, it may also have a broader systemic impact on a payment system, its ecosystem and the broader economy. Given the interconnectedness of various stakeholders in the wholesale payment ecosystem, fraud may not only result in financial losses and reputational risk at the compromised endpoint but, in an extreme case and in the absence of appropriate arrangements within the ecosystem for preventing, detecting, responding to and communicating about fraud, may also undermine confidence in the integrity of the entire system. If participants have concerns about the security of the payments network, their own security or the security of other participants, each of them may implement additional controls before releasing payments or may limit or halt payment instruction processing. When confidence in the integrity of the entire system has been lost, such individual precautionary actions could, in aggregate, create significant gridlock in payment processing, reduce overall liquidity in the financial markets and potentially cause a build-up of unsettled positions and bilateral credit exposures among financial institutions. In extremis, these actions could ultimately impede economic activity and disrupt financial stability.

In addressing the potential risk of wholesale payments fraud to the financial system and broader economy, a wholesale payment ecosystem faces distinct challenges. First, wholesale payments fraud is becoming increasingly sophisticated and is expected to evolve further. Second, wholesale payments are typically large-value, immediate and final, which may make them more susceptible to be targeted for fraud in the first place and increase complexities in addressing the risk. Third, operators of wholesale payment systems and messaging networks alone cannot verify and control every aspect of endpoint security, and need to rely on those who control the endpoints or are closer to them to ensure that appropriate controls are in place and operating effectively. Given the interconnectedness of financial networks, the efforts of single parties may not achieve the expected benefit unless other connected parties also undertake complementary efforts. Lastly, each participant of payment systems and messaging networks has inherent incentives to guard against the risk of wholesale payments fraud to avoid potentially large financial losses and reputational damage, and should be expected to bear primary responsibility for taking necessary action. However, the broader economic impacts and social costs as described above may not be sufficiently anticipated and internalised by all relevant parties, resulting in an insufficient level of action and investment – individually and collectively – to reduce the risk of wholesale payments fraud.

All these factors point to the criticality of better understanding the full range of risks and the need for better coordination. It is vital that all relevant stakeholders, including operators of wholesale payment systems and messaging networks, their participants and relevant authorities, take a holistic and more coordinated approach to guarding against the potential loss of confidence in the integrity of the wholesale payment ecosystem as a whole.
(…)

You can read the full version of this article on the website of the BIS.

Source: https://www.bis.org/
