Published: 28 November 2017
ESBG-WSBI is delighted to be given the opportunity to comment on this CPMI Discussion Note. Wholesale payment systems play an essential role in the implementation of monetary policy, in the support of financial markets and large-value commercial transactions, and in the settlement of a wide range of ancillary systems. The nominal size of the transactions, together with the reputation of the participants, makes wholesale payment systems an attractive target for attacks and fraud. These are unfortunately bound to increase at first, as stakeholders come to terms with the challenges of an increasingly digitised society. ESBG-WSBI therefore welcomes the CPMI's initiative to propose a strategy to reduce the risk of wholesale payments fraud related to endpoint security (referred to in the Discussion Note as "wholesale payments fraud").
From ESBG-WSBI's perspective, the September 2017 Discussion Note calls for the following remarks (acknowledging upfront that some of the recommendations in the Discussion Note may inevitably apply not only to endpoint security as such, but also to payment system security in general).
Definition of "endpoint"
The Discussion Note proposes that "an endpoint in the wholesale payment ecosystem is defined to be a point in place and time at which payment instruction information is exchanged between two parties in the ecosystem, such as between a payment system and a messaging network, between a messaging network and a participant in the network, or between a payment system and a participant in the system". This definition may prove insufficient for at least two reasons:
The reference to a point of payment instruction information exchange could wrongly suggest that such exchanges are the only vector for wholesale payment fraud. Reference should also be made to the points at which parties and devices are identified and authenticated, since a compromised credential or device can produce a perfectly well-formed instruction.
In a digitised world, and in particular with the transition to Open Banking, participants' customers will also become vectors of wholesale payment fraud; hence the interfaces between participants' customers and payment system participants should be covered by the above definition.
ESBG-WSBI concurs with the tenor of section 3. However, the statement that "operators of payment systems and messaging networks alone cannot verify and control every aspect of endpoint security, and need to rely on those who control the endpoints or are closer to them to ensure that appropriate controls are in place and operating effectively" could be read as exempting operators, participants and authorities ex ante from responsibility for potential mishaps, merely because of the complexity of payment systems. ESBG-WSBI would recommend taking a more ambitious stance, which can be effectively supported by policy, supervision and auditing, all of which are increasingly facilitated by advances in technology.
The risks related to endpoint security should indeed be identified and understood by operators and participants. A granular approach to the identification of such risks is recommended, i.e. differentiating between roles (originating participant, beneficiary participant, intermediary sender or intermediary receiver), since the exposure and the controls available differ for each. The risks identified should be formally reviewed at least annually to ensure that the latest threat developments (both actual and potential) are taken into consideration.
Indeed, both payment system and messaging network operators, and the participants in those systems and networks, should identify and establish their security requirements as needed. In so doing, payment system and messaging network operators should communicate these requirements (and any updates to them) to their participants in a timely manner. Whilst the recommendation of "alerting the broader payments network community to evolving fraud threats" is wholly supported, the attention of the CPMI is drawn to the fact that such sharing of information between industry members may not be permitted in all jurisdictions, a situation which needs to be remedied urgently.
Payment system and messaging network operators should also devise, communicate and implement procedures and means to check compliance with these requirements, as well as measures to remedy imperfect compliance. Participants in such systems should devise, communicate and implement their own relevant requirements, and the related procedures and means to check compliance, with respect to their interfaces with their own customers and counterparties.
An increasing range of technology tools is becoming available and usable for the prevention and detection of wholesale payment fraud. Whilst the CPMI paper should remain technology-neutral, it should encourage payment system and messaging network operators, and their participants, to continuously assess, test and, where relevant, implement the more advanced means that become available.
Payment system and messaging network operators, and their participants, should define target timeframes for responding to actual or suspected fraud, which would help to determine the resources set aside for this purpose (noting that in some jurisdictions such timeframes are set by the supervisory authorities).
Where appropriate, these actions should be extended by payment system and messaging network participants to their own customers and counterparties. With respect to information sharing, the remark made under Element 2 applies.
Operationalising the strategy
ESBG-WSBI welcomes that guidance will be formulated on the basis of these seven elements. It is recommended that the guidance proposals incorporate relevant work already done by national or regional supervisors (with a view to promoting harmonisation), be the subject of a market consultation, and then be regularly assessed in light of experience and threat developments, and revised where required.