Prevent Endpoint Payment Fraud

In today's highly connected digital environment, cyberattacks are a seemingly everyday occurrence that threatens everyone's financial security. But are banks and the financial institutions that participate in the clearing and settlement of large electronic value transfers, also known as wholesale payments, vulnerable to the same types of fraud as businesses and individuals?

The short and very expensive answer is yes. Here's what businesses need to know about endpoint payment fraud—what it is, how it works and what's being done to prevent it.

What is the wholesale payment system?

Every day, billions of dollars are transferred between banks and countries over wholesale payment systems. These systems are overseen and connected to central banks around the world to ensure smooth inter-bank and inter-country transactions. These large-value, time-critical payments are processed electronically and are used primarily for transfer services for US government and agency securities, real estate transactions, foreign exchange transactions and similar financial market transactions.

There are two steps in the wholesale payment process: clearing and settlement. Clearing is the sending and confirmation of the request between two financial institutions, while settlement is the actual transfer of funds from one financial firm to the other.

Some of these clearing and settlement systems include:

• Fedwire Funds Services
• Clearing House Interbank Payments System, or CHIPS
• National Settlement Services, or NSS
• The messaging system known as the Society for Worldwide Interbank Financial Telecommunication, or SWIFT

How does endpoint payment fraud happen?

An endpoint in the wholesale payment network is any step or instance when payment request, instructions and information is exchanged between the participants. These participants include the requesting banks and financial institutions, the receiving banks or financial institutions and the clearing and settlement systems relaying and fulfilling that request. It's at these points in the wholesale payment system that a cyberattacker can compromise that data and commit endpoint payment fraud.

For example, over a 10-day period in 2015, hackers were able to use Ecuador's Banco del Austro's secured SWIFT messaging system to transfer $12 million from the bank's Wells Fargo accounts to bank accounts around the world. And in 2016, hackers were able to use the Bank of Bangladesh's SWIFT messaging system to steal $81 million from the bank's Federal Reserve account and transfer the funds to casinos in the Philippines. Only $18 million was ever recovered.

This type of fraud can have huge consequences for not only the parties involved but also the entire international financial infrastructure. Wholesale payments are critical to organizations across the entire economy. Any vulnerability is a shared one, and a major attack could compromise resiliency and create disruption across the entire supply chain.

Opportunities and risks in innovation

New wholesale payment platforms—and the possibility of depository institutions transacting on them with tokenized forms of central bank digital currency, or wholesale CBDC—bring many benefits. Currently, 98% of the global economy's central banks are exploring CBDCs. The benefits include:

• Transacting tokenized forms of money and assets
• Enhancing the programmability of payments through the transfer of money using smart contracts
• Improving the efficiency of payment, clearing and settlement of cross-border transactions
• Preserving the role of central bank money

But these benefits also bring risks. One model currently under consideration is a shared ledger to facilitate digital asset transactions. There are many efficiencies of a shared ledger, but it could also allow central bank money to circulate on a platform not owned or operated by the central bank, which raises many legal, policy and operational questions.

Some perceived payment limitations exist because of current policies—many of which exist to protect consumer financial information and deter crime. While some payment issues can be improved with technological innovations, others may continue to exist to avoid compromising the safety of wholesale payments. As innovation happens quickly, the government and banks must responsibly weigh the benefits and risks before choosing which technology they may adopt.

Best practices for prevention and response

Not surprisingly, stakeholders throughout the wholesale payment system are taking steps to mitigate wholesale payment fraud. In 2016, SWIFT introduced its Customer Security Program with three components: information sharing, enhanced tools and a customer security controls framework.

Some progress has been made on defending institutions against fraud. The Federal Reserve has proposed a policy requiring real-time monitoring of all Fedwire payments and a cap on certain transactions. The Federal Financial Institution Examination Council put forth suggestions on securing wholesale payment systems, including using authentication and encryption technology.

The most robust effort, however, has been by led by the Committee on Payments and Market Infrastructures, or CMPI. In 2018, CMPI issued a final strategy report on reducing endpoint payment fraud containing seven elements for operators and participants of a wholesale payment system. These elements include establishing endpoint security requirements and using information and tools to improve prevention and detection.

The bottom line

The best way business owners can help protect themselves against fraud is by communicating with their banks. Ask your banks what type of wholesale payment systems they use, what they're doing to protect themselves from endpoint payment fraud and what precautions they're taking to protect their customers' funds.