The group plans to devise a framework that will divvy up cybersecurity responsibilities between sending and receiving banks, as well as at payment infrastructure providers, the people said.
The guidelines are being put together by the Committee on Payments and Market Infrastructures, which was convened by the Bank for International Settlements to analyse cross-border payment and settlement networks in an effort to protect the banking system.
The effort comes as the financial messaging giant Swift and some of its member banks have attracted scrutiny in the wake of recent cyberattacks at customer sites. In February, cyberthieves made off with $ 81 million from the Bangladesh central bank’s account at the Federal Reserve Bank of New York.
The CPMI aims to set out a global framework for cybersecurity standards where one doesn’t exist. Its challenge is that guidelines from such international groups tend to have limited enforceability by law, because each jurisdiction involved can choose what policies to adopt.
Rep. Barry Loudermilk (R., Ga.)—chairman of the subcommittee on oversight for the US House Science, Space and Technology Committee, which is reviewing the Bangladesh Bank incident—said Federal Reserve explanations of how recent cyberattacks occurred “raise additional questions”.
“It is troubling to me that bad actors were able to successfully extract millions of dollars from the Federal Reserve banking system,” he said in a statement. “My subcommittee is working to find out how this happened and how to prevent it from happening again.”
Workers at the New York Fed don’t manually screen most central bank payment orders as they come in, and instead rely heavily on authentication by Swift, known formally as the Society for Worldwide Interbank Financial Telecommunication.
Internal Fed documents obtained under a Freedom of Information Act request by the Journal help explain how hackers were able to get the New York Fed to send millions of dollars out of the account it maintains for Bangladesh in February.
A template of an account agreement between the Fed’s Central Bank and International Account Services group and account holders shows the New York Fed will presume any order that arrives authenticated by Swift to be genuine and binding on account holders.
The New York Fed acted on five of 70 payment orders sent by the hackers before realising they might not be legitimate. By that time, most of the money sent had vanished.
In June, the New York Fed said there was no evidence its own systems were compromised and it had taken steps to help Bangladesh recover the money. The perpetrators in the Bangladesh case still haven’t been identified, and the Federal Bureau of Investigation is investigating the incident. Bangladeshi officials argue that the Fed never should have approved any of the payments and should have been quicker to recall them once it developed doubts.
This summer, Swift became subject to a new set of cyber rules also developed by the CPMI and the International Organization of Securities Commissions. Those rules, once implemented, will require Swift, as a critical service provider, and financial market infrastructure providers to prove they can resume operations within two hours of a disruption.
Natasha de Teran, a Swift spokeswoman, had no immediate comment on the CPMI work. Guy Bertels, a spokesman for the National Bank of Belgium, which is the lead overseer of Swift, declined to comment on its specific oversight actions on the company.
The Committee on Payments and Market Infrastructures’ chairman is Benoît Cœuré, an executive board member of the European Central Bank. He wasn’t immediately available to comment.
Write to Katy Burne at firstname.lastname@example.org
This article was first published by The Wall Street Journal