ECOFIN Topic 1 – Issue Briefing Pack

The Question of the Regulations and Protections of International Financial Transfer Systems: How should we monitor International Financial Transfer Systems?

Introduction 

Financial transfer systems are used by banks to send instructions for monetary transfers. For example, a bank may send a request to an account holder to move money from their account to the account of another bank. SWIFT is currently the only major international financial transfer messaging system. In recent years it has suffered several cyberattacks, such as the 2016 attack on the Bank of Bangladesh, in which attackers stole $101 million. These attacks have mostly occurred in countries with a low Corruption Perceptions Index (CPI) score.

A solution could be to regulate the access of these countries to the SWIFT system, as has been done to Iran. However, this can have dire consequences for a country’s economy. This also leads to the question of who should be allowed to regulate such a system (SWIFT is a private organisation regulated by the US government). Some interbank payment systems such as Russia’s SPFS have been created in response to the threat of being banned from SWIFT. However, these have seen little use outside of a national scope, demonstrating the difficulties in creating a trustworthy system. Delegates should aim to find a solution, through regulation or otherwise, that mitigates the political and economic threats that current systems face.

Background 

SWIFT was established in 1973 to replace the Telex messaging system used by most banks. It is a cooperative society headquartered in Belgium and governed under Belgian law, and sends over 4 million messages a day between more than 11,000 financial institutions located in over 200 countries. SWIFT offers several products and services, but its primary focus is on the maintenance of its interbank messaging system: SWIFTNet. This is a secure interbank messaging system, with a predefined set of protocols, that is used by banks to authorise transactions. It can also be used for compliance, securities trading and foreign exchange messages.

Despite being a neutral cooperative society, SWIFT has found itself at the centre of several political controversies. On 23 June 2006, it was revealed that the United States government, under the Terrorist Finance Tracking Program, had gained access to SWIFT’s transaction database in response to the 11 September attacks. Several countries quickly denounced the relationship between the US government and SWIFT as a breach of European privacy laws, which triggered a set of policy changes within SWIFT. Later, the European Union negotiated terms with the US government to allow the transfer of intra-EU SWIFT transaction information to the US under certain circumstances. However, this took place without the approval of the European Parliament, which rejected this interim agreement months later.

The NSA has reportedly been involved in monitoring SWIFT transactions, according to confidential files released by a hacker group. These documents assert that the NSA has been intercepting and retaining data transmitted by SWIFT transactions, compromising the information of multiple international banks. These claims were corroborated by documents leaked by whistleblower Edward Snowden.

The Danish newspaper Berlingske reported the US seizure of Danish monetary assets. Although the transaction was intended to be between German and Danish parties, the US government was able to seize $26,000 worth of assets. The controversy revealed that the US government has sufficient authority over SWIFT to control transactions, even within jurisdictions such as the EU.

Due to SWIFT’s pervasiveness in the global financial system, cutting banks out of the payment network can be used as a political weapon. In 2012, SWIFT cut certain Iranian banks out of its network for violating EU sanctions. This essentially made it impossible for Iran to trade oil or import goods, seriously damaging its economy. Although these sanctions were lifted in 2016, they were reinstated in 2018 due to US pressure. However, in other cases, SWIFT has resisted international pressure to apply sanctions. After Russia’s annexation of Crimea in 2014, SWIFT refused to impose sanctions, stating that it was a neutral body and not in a position of authority to make sanction decisions.

Another major issue is the rise of cybersecurity threats against the SWIFT system, mostly through attackers authorising large monetary transactions on the SWIFT mainframes hosted in banks. In February of 2016, the Lazarus hacking group attempted to steal over $1 billion from the Bank of Bangladesh through fraudulent SWIFT transfers. Although some of the transactions were detected and cancelled, the hackers still managed to take around $81 million. Since then, there have been numerous attacks on SWIFT mainframes in banks, attempting to fraudulently divert funds. To date, no attack has been successfully carried out on SWIFT’s main architecture. Instead, attacks are focused on manipulating the SWIFT mainframe in each bank: the computer through which SWIFT messages are sent.

In the aftermath of the Bangladesh attack, SWIFT released a new Customer Security Programme (CSP) to advise banks on protecting their SWIFT-connected infrastructure. This is based on three overarching principles: secure your environment, know and limit access, and detect and respond. Although there have been several attacks on banks since its release, money is recovered in most cases, and fraudulent transactions are more likely to be detected on the way to being executed.

In response to the sanctions listed above, and US transaction monitoring, China, Russia, and Mexico have created alternative interbank messaging systems. Russia’s SPFS currently only operates nationally, and is designated as an emergency alternative to SWIFT due to limitations of the system. China’s CIPS system is more widespread, covering 47 countries, including Russia. However, its use has been limited to cross-border yuan transactions. Mexico’s SPEI system was introduced in 2004 by Banco de Mexico, the central bank. It can be used for both interbank and consumer payments, and was made to better serve Mexico’s banks.

Questions to consider

  • What are the potential consequences of the SWIFT monopoly on global financial transfers?
  • Who should be in charge of regulating SWIFT?
  • What are the potential economic consequences of being removed from the SWIFT network?
  • Should governments be held accountable for pressuring SWIFT into actions that may be unlawful in the countries they operate in?
  • Should SWIFT be allowed to block countries with poor digital security or pervasive corruption?

Further Reading List

SPEI – Principles for Financial Market Infrastructure Disclosure

SWIFT – Anatomy of a Cyberattack

SWIFT – Sanctions Statement

Bangladesh – 2016 Cyberattack

How SWIFT Works

SPFS – Russia’s Alternative Payment Network

Iran SWIFT Sanctions

SWIFT disconnects from Iran’s banks

European circumvention of US sanctions on Iran

Potential issues facing SWIFT

CIPS – China’s SWIFT Alternative