Key Security Features of SWIFT Financial Messaging


Slide 1: Key Security features of SWIFT financial messaging and what it means for auditing an institution's SWIFT operations
Daniel De Weyer
SWIFT Senior Relationship Manager
ISACA Hong Kong
13 November 2007
ISACA 2007

Slide 2: Agenda
1. Who is SWIFT
2. Connecting to SWIFT: access models, interfaces and resiliency
3. Security environment
4. The FIN service: message security and monitoring
5. Summary elements in the scope of a SWIFT operations audit

Slide 3: Who is SWIFT?
• A co-operative organisation serving the financial services industry
• A provider of highly secure financial messaging services
• The financial standardisation body
• Standards, platform, community

Slide 4: SWIFTNet - Single window access to the financial world
[Figure. Labels: Market infrastructures; SWIFTNet FIN; Single window access to MIs; Enabling the community; 'Serving you to serve your customer'; SWIFTSolutions; Extended client reach; Harnessing business process modelling]

www.swift.com © S.W.I.F.T. SCRL 2002


Slide 5: Agenda (as on Slide 2)

Slide 6: Multi Vendor architecture overview
[Figure: connectivity from the customer premises to the SIPN backbone. Columns: Customer premises, Local loops, Access networks, Backbone. Customer A and Customer B each connect through a VPN box (M-CPE) or a Modem box (TA) over dial-up, across the access networks of Network Partner 1, 2 and 3 and their POP / Backbone Access Points, into the SIPN Network Backbone and the OPCs.]

Slide 7: MV-SIPN the co-existence of network partners
[Figure: network partners; labels include Orange Business Services (ex Equant)]

Slide 8: Direct Connectivity
[Figure: connectivity options plotted by COST against FUNCTIONALITY: Dual-P; Multi-Line (Single-P's); Dual-I; Dual-I DSL; Dual-I ISP (Dial-up)]


Slide 9: SWIFT Platform Overview
[Figure: four layers, from left to right: Application & Desktop Layer, Messaging Layer, Communication Layer, Network Layer & SWIFTNet Services. Labels: MT-MX Browser App; SWIFTAlliance Access / Entry; WebServer; SWIFTAlliance Gateway; MT-MX-FpML; Financial Application; Automation; FpML; SA-Workstation (MT); SA-Webstation; SAG; Financial application; Service specific interface; E-mail client; SWIFTNet Mail; E-mail server; VPN box; SWIFTNet.]

Slide 10: SWIFTAlliance Gateway
Ex: Highly resilient config.
Legend: Primary route(s); Secondary route; Cold-Backup route.
[Figure: Site 1 and Site 2. Each site has FIN, CLS and SAB interfaces (Site 1 also SAM), an Interface gateway, MQ and RA connections, RMA, a SWIFTAlliance Gateway (SAG 1 / SAG 2; Browse, FileAct, InterAct & SAG admin.), a DMZ and a Dual-P connection to SWIFTNet.]

Slide 11: Integration into SWIFTAlliance Gateway
[Figure: user applications connect to the SWIFTAlliance Gateway through RAHA, WSHA, RAHA, MQHA, FTA and FTI. Labels: SNL API (InterAct & FileAct); SOAP over SNL API; TDA over HTTPs; IBM MQ API; SAG API; FTI command line; FileAct managed by SAG for a SWIFTNet unaware application (labelled "New 6.0").]

Slide 12: SWIFTAlliance Access / Workstation
[Figure]


Slide 13: Integration into SWIFTAlliance Access
[Figure: user applications connect to SWIFTAlliance Access through CAS ADK APIs, AFT ADK APIs, MQSA (IBM MQ APIs), CASmf (self-made CASmf APIs) and CAS text; InterAct / FileAct request and reply between client and server.]

Slide 14: SWIFTAlliance WebStation
• Browser-based SWIFTNet Interface
– includes SNL running in browser
– includes SWIFTNet administrative GUIs
• Focus on person-to-application communications
• Only client role (cannot be called by a Requestor)

Slide 15: SWIFTAlliance WebStation
• Supports two types of solutions
– Browsing solution
– Service specific workstation: additional software must be installed locally for GUI functionality
[Figure: InterAct / FileAct request and reply between client and server]

Slide 16: SWIFTAlliance WebStation
• Two ways to install SWIFTAlliance WebStation:
– (1) Directly connected to the network
– (2) Connected to the network via SWIFTAlliance Gateway.
[Figure: (1) WebStation connected directly to the SIPN over https; (2) WebStation connected via SAG / SNL; InterAct and FileAct request / reply between client and server]


Slide 17: SWIFTAlliance WebStation GUI
Functional Overview: PKI Management; Managing SAG; File Transfer; Browser

Slide 18: SWIFTAlliance Messenger
• Browser based message entry facility for both "MX" and "MT" messages
• Verification [MT], and authorisation of messages in line with the SAA 4-eyes principle configuration
• Querying recent and archived messages
• Validates the input messages before submitting them, and assists the user in correcting errors
• On line help facility
• Message printing facility
• Offers functionality to create and share re-usable templates
• Can be customized to corporate look and feel

Slide 19: SWIFTAlliance Messenger - Welcome screen
[Screenshot]

Slide 20: Agenda (as on Slide 2)


Slide 21: SWIFTNet messaging services
• SWIFTNet FIN
– Messages with MT standards and rules
– Store-and-forward
– Feature-rich
• SWIFTNet InterAct
– Messages and query-and-response
– MX standards (XML-based) and rules
– Store-and-forward and real-time
• SWIFTNet FileAct
– File transfer for data intensive applications
– Standards and rules
– Store-and-forward and real-time
• SWIFTNet Browse
– Secure browsing
– Complements InterAct, FileAct, and FIN

Slide 22: BKE process flow
[Figure: message exchange between the Initiator's SCR and the Responder's SCR, each in dialogue with its SWIFT Interface:
– MT960 BKE initiation (Initiator to Responder). Responder checks: NOK returns MT964 BKE error message; OK processes BK and generates the request.
– MT961 BKE initiation response (Responder to Initiator). Initiator checks (OK / NOK) and processes BK.
– MT962 Key Service Message (Initiator to Responder). Responder processes BK and generates the response.
– MT963 BKE Key Ack (Receipt-Response). Initiator verifies MAC; if OK, updates the BK file.
– MT965 BKE Key error message (Receipt-Request); process BK.]

Checks at Initiator's SCR:
– validates responder's CV,
– determines the value of its public key,
– creates a new Bilateral key (by using responder's public key),
– signs the result using initiator's Secret key.

Checks at responder's SCR:
– determine value of new key,
– verify signature of initiator's enciphered key (via public key of initiator),
– decipher enciphered key (via public key of initiator),
– new (enciphered) bilateral key is returned to interface and stored on disk.

Slide 23: BKE compared to RMA
BKE                      | RMA
-------------------------|------------------------------
Bilateral                | Unilateral
Renewal                  | Permanent
Manual key possible      | No manual key possible
FIN                      | InterAct store-and-forward
BIC4/6/8                 | BIC8 only
No granularity           | Granularity
BKE for T&T              | RMA optional for T&T
Previous/Current/Future  | Current only
Pre-agreements           | No pre-agreements
Weekly distribution      | Daily/Real-time distribution

Slide 24: New relationship management in 2008
[Figure: CUST A and CUST B, each with a CBT and an HSM, exchanging FIN traffic.]
FIN access control security: PKI
FIN user-to-user security: PKI
Relationship management: BKE → RMA


Slide 25: Relationship Management Application (RMA)
• Managing correspondents in a many-to-many world
– RMA as mechanism to control WHO can send you traffic
• Managing the correspondent's business
– RMA as mechanism to control WHAT a correspondent can send to you
Objective: preventing unwanted traffic

Slide 26: Agenda (as on Slide 2)

Slide 27: Types of messages
• User to user messages
• System messages
• Service messages

Slide 28: Categories of messages
0 System messages
1 Customer transfers & cheques
2 Financial institutions transfers
3 Foreign exchange, money markets & derivatives
4 Collections & cash letters
5 Securities markets
6 Precious metals & syndications
7 Documentary credits & guarantees
8 Travellers cheques
9 Cash management & customer status


Slide 29: Common group message types
n90 Advice of charges, interest and other adjustments
n91 Request for payment of charges, interest or other expenses
n92 Request for cancellation
n95 Queries
n96 Answers
n98 Proprietary message
n99 Free format

Slide 30: Flow & acknowledgements
[Figure: Sender → Input → SWIFT → Output → Receiver. On the input side the Sender receives ACK/NAK; on the output side the Receiver returns UAK/UNK.]

Slide 31: What does a SWIFT message look like?
[Figure: Order Form → Screen → SWIFT Network → Printout. "Please pay .... to ... from ... on ..... at ... for ..."]

Slide 32: Structure (example printout)
--------------------Instance Type and Transmission------------------
Notification (Transmission) of Original sent to SWIFT (ACK)
Network Delivery Status : Network Ack
Priority/Delivery : Normal
Message Input Reference : 1705 021115KWHKHKHHAXXX0135007653
------------------------------Message Header------------------------
Swift Input : FIN 103 Single Customer Credit Transfer
Sender : KWHKHKHHXXX
Citic Ka Wah Bank
Hong Kong
Receiver : BNPAFRPPXXX
BNP-PARIBAS SA
(FORMELY BANQUE NATIONALE DE PARIS S.A.)
Paris, France
MUR : MC12
------------------------------Message Text--------------------------
20:Sender's Reference
PAY/09
23B:Bank Operation Code
CRED
32A:Value Date, Currency and Interbank Settled Amount
Date : 18 November 2002
Currency : EUR (EURO)
Amount : #65000,#
50K:Ordering Customer
/123001043212
MR LEE
10 QUEENSWAY
HK-HONG KONG
57A:Account with Institution - BIC
BNPAFRPPCAN
BNP-PARIBAS SA (FORMELY BANQUE NATIONALE DE PARIS S.A.)
CANNES FR
59:Beneficiary Customer
/12345543210100001M02211
MR DUPONT
6 RUE LAFAYETTE
FR-CANNES
70:Remittance Information
/INV/52
71A:Details of Charges
SHA
------------------------------Message Trailer----------------------
{MAC:098446CF}
{CHK:45946964876B}


Slides 33 to 38: An example of the header of a payment message: MT 103
[Screenshots]

Slide 39: Delivery monitoring options
[Figure: KWHKHKHH sends an MT 103 / MT 541 with delivery option U3 to BNPAFRPP. Labels: ACK, UAK, MT010, MT011; times 10 AM / 3 AM, 10.15 / 03.15, 15.00 / 08.00]

Slide 40: An example of the header of a payment message: MT 103
[Screenshot]


Slides 41 and 42: An example of the header of a payment message: MT 103
[Screenshots]

Slide 43: An example of the text of a payment message: MT 103
[Screenshot]

Slide 44: Format MT 103
MT 103 Single Customer Credit Transfer
M/O  Tag  Field Name                                    Content/Options
M    20   Sender's Reference                            16x
- - ->
O    13C  Time Indication                               /8c/4!n1!x4!n
---
M    23B  Bank Operation Code                           4!c
- - ->
O    23E  Instruction Code                              4!c[/30x]
---
O    26T  Transaction Type Code                         3!a
M    32A  Value Date/Currency/Interbank Settled Amount  6!n3!a15d
O    33B  Currency/Instructed Amount                    3!a15d
O    36   Exchange Rate                                 12d
M    50a  Ordering Customer                             A or K
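As an added example (not from the presentation), the following Python turns the Content/Options notation of the table above (n digits, a letters, c alphanumerics, x SWIFT character set, d decimals; '!' fixed length; '[...]' optional; anything else literal) into a regular expression and checks field values such as those printed on Slide 46 against it. The character classes are a simplified reading of the notation assumed here, not taken from the slides.

```python
import re

# Character classes for the SWIFT format letters (assumed, simplified: 'd' is checked as
# digits plus the decimal comma only; the full standard also constrains the comma's position).
CHARSETS = {"n": "0-9", "a": "A-Z", "c": "A-Z0-9", "d": "0-9,",
            "x": r"A-Za-z0-9/\-?:().,'+ "}

def format_to_regex(fmt):
    """Translate a SWIFT field format such as '6!n3!a15d' or '4!c[/30x]' into a regex.
    nn!t = exactly nn characters of set t; nnt = 1 to nn characters;
    [...] = optional sub-sequence; anything else is a literal (e.g. the '/' in '/8c/')."""
    out, i = "", 0
    while i < len(fmt):
        m = re.match(r"(\d+)(!?)([nacxd])", fmt[i:])
        if m:
            length, fixed, letter = m.groups()
            count = length if fixed else "1,%s" % length
            out += "[%s]{%s}" % (CHARSETS[letter], count)
            i += m.end()
        elif fmt[i] == "[":
            close = fmt.index("]", i)
            out += "(?:%s)?" % format_to_regex(fmt[i + 1:close])
            i = close + 1
        else:
            out += re.escape(fmt[i])
            i += 1
    return out

def validate_field(fmt, value):
    """True when the whole value matches the format notation."""
    return re.fullmatch(format_to_regex(fmt), value) is not None

# Tag formats taken from the Slide 44 table.
MT103_FORMATS = {"20": "16x", "23B": "4!c", "32A": "6!n3!a15d"}

def check_fields(fields, formats=MT103_FORMATS):
    """Return {tag: bool} for every field whose tag has a known format."""
    return {tag: validate_field(formats[tag], val)
            for tag, val in fields.items() if tag in formats}
```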


Slide 45: Input message - SWIFT network block structure
Headers:
1. Basic Header Block
2. Application Header Block
3. User Header Block
Text:
4. Text Block
Trailers:
5. Trailer Block

Slide 46: Input payments message - SWIFT network block structure
{1:F01KWHKHKHHAXXX0135007653}
{2:I103BNPAFRPPXXXXU3003}
{3:{108:MC12}}
{4:
:20:PAY09
:23B:CRED
:32A:021118EUR65000,
:50K:/123001043212
MR LEE
10 QUEENSWAY
HK-HONG KONG
:57A:BNPAFRPPCAN
:59:/12345543210100001M02211
MR DUPONT
6 RUE LAFAYETTE
FR-CANNES
:70:/INV/52
:71A:SHA
-}
{5:{MAC:DB347698}
{CHK:76543BA90123}}

Slide 47: Example of printout (original sent to SWIFT)
--------------------Instance Type and Transmission------------------
Notification (Transmission) of Original sent to SWIFT (ACK)
Network Delivery Status : Network Ack
Priority : Urgent
Message Input Reference : 1705 021115KWHKHKHHAXXX0135007653
------------------------------Message Header------------------------
Swift Input : FIN 103 Single Customer Credit Transfer
Sender : KWHKHKHHXXX
Citic Ka Wah Bank
Hong Kong
Receiver : BNPAFRPPXXX
BNP-PARIBAS SA
(FORMELY BANQUE NATIONALE DE PARIS S.A.)
Paris, France
MUR : MC12
------------------------------Message Text--------------------------
20:Sender's Reference
PAY/09
23B:Bank Operation Code
CRED
32A:Value Date,Currency and Interbank Settlement Amount
Date : 18 November 2002
Currency : EUR (EURO)
Amount : #65000,#
50K:Ordering Customer
/123001043212
MR LEE
10 QUEENSWAY
HK-HONG KONG
57A:Account with Institution - BIC
BNPAFRPPCAN
BNP-PARIBAS SA (FORMELY BANQUE NATIONALE DE PARIS S.A.)
CANNES FR
59:Beneficiary Customer
/12345543210100001M02211
MR DUPONT
6 RUE LAFAYETTE
FR-CANNES
70:Remittance Information
/INV/52
71A:Details of Charges
SHA
------------------------------Message Trailer----------------------
{MAC:098446CF}
{CHK:45946964876B}

Slide 48: Example of printout (original received from SWIFT)
--------------------Instance Type and Transmission------------------
Original received from SWIFT Network
Priority/Delivery : Urgent/Non-Deliv Warning & Deliv Notif
Message Output Reference : 0806 021115BNPAFRPPAXXX0987012098
Correspondent Input Reference : 1705 021115KWHKHKHHAXXX0135007653
------------------------------Message Header------------------------
Swift Input : FIN 103 Single Customer Credit Transfer
Sender : KWHKHKHHXXX
Citic Ka Wah Bank
Hong Kong
Receiver : BNPAFRPPXXX
BNP-PARIBAS SA
(FORMELY BANQUE NATIONALE DE PARIS S.A.)
Paris, France
MUR : MC12
------------------------------Message Text--------------------------
(fields 20 to 71A identical to Slide 47)
------------------------------Message Trailer----------------------
{MAC:098446CF}
{CHK:45946964876B}


Slide 49: Message referencing
• Sender's Reference (16x)
• MUR (16x)
• MIR
• MOR

Slide 50: Message referencing
Sender's Reference (field 20)
MUR : Message User Reference

Slide 51: Message referencing
MIR : Message Input Reference
041115 KWHKHKHHAXXX 0135 007653
Input date | Sender's address | Session number | ISN

Slide 52: Message referencing
MOR : Message Output Reference
041115 BNPAFRPPAXXX 0987 012098
Output date | Receiver's address | Session number | OSN
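As an added example (not part of the presentation), the following Python splits the Slide 46 message into its five blocks, decodes the basic and application headers, collects the text fields and trailers, and rebuilds the Message Input Reference of Slide 51 from block 1. The field layout of block 2 is assumed from the FIN standard rather than taken from the slides; the sample message is constructed from Slide 46 with its MAC/CHK values copied, not computed.

```python
import re
# Sample message constructed from Slide 46 (MAC/CHK values copied, not computed).
SAMPLE = ("{1:F01KWHKHKHHAXXX0135007653}{2:I103BNPAFRPPXXXXU3003}{3:{108:MC12}}"
          "{4:\n:20:PAY09\n:23B:CRED\n:32A:021118EUR65000,\n:50K:/123001043212\n"
          "MR LEE\n10 QUEENSWAY\nHK-HONG KONG\n:57A:BNPAFRPPCAN\n:59:/12345543210100001M02211\n"
          "MR DUPONT\n6 RUE LAFAYETTE\nFR-CANNES\n:70:/INV/52\n:71A:SHA\n-}{5:{MAC:DB347698}{CHK:76543BA90123}}")

def split_blocks(msg):
    """Return {block_id: body} for the top-level {n:...} blocks (nested braces are counted)."""
    blocks, depth, start = {}, 0, 0
    for i, ch in enumerate(msg):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks[msg[start + 1]] = msg[start + 3:i]  # drop the "{n:" prefix
    return blocks

def parse_basic_header(b1):
    """Block 1: application id, service id, sender LT address, session number, ISN."""
    m = re.fullmatch(r"([A-Z])(\d{2})([A-Z0-9]{12})(\d{4})(\d{6})", b1)
    return dict(zip(("app_id", "service_id", "lt_address", "session", "isn"), m.groups()))

def parse_app_header(b2):
    """Block 2, input form: MT type, receiver, priority, delivery monitoring, obsolescence (layout assumed from the FIN standard)."""
    m = re.fullmatch(r"I(\d{3})([A-Z0-9]{12})([SUN])(\d?)(\d{3})?", b2)
    return dict(zip(("mt", "receiver", "priority", "delivery_monitoring", "obsolescence"), m.groups()))

def parse_text_fields(b4):
    """Block 4: ':tag:value' lines; untagged lines continue the previous field."""
    fields = []
    for line in b4.strip().rstrip("-").strip().split("\n"):
        if re.match(r":\d{2}[A-Z]?:", line):
            _, tag, value = line.split(":", 2)
            fields.append([tag, value])
        else:
            fields[-1][1] += "\n" + line
    return dict(fields)

def parse_trailers(b5):
    """Blocks 3 and 5 are sets of {TAG:value} pairs, e.g. {MAC:...}{CHK:...}."""
    return dict(re.findall(r"\{(\w+):([^}]*)\}", b5))

def message_input_reference(b1, input_date):
    """MIR = input date + sender's address + session number + ISN (Slide 51)."""
    h = parse_basic_header(b1)
    return input_date + h["lt_address"] + h["session"] + h["isn"]
```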


Slide 53: Agenda (as on Slide 2)

Slide 54: Summary elements of a SWIFT audit
• Check SWIFT system configuration for links, back-up, contingency
• Reports on contingency and BCP tests
• Physical access procedures to SWIFT room
• Release management
• Match HR lists to operators in SWIFT interface
• Check operator permission lists with SWIFT Security Officers
• BKE refresh procedures
• Check procedures for delivery monitoring
• Archiving procedures
• MIS statistics of average number of messages IN/OUT, average value

Slide 55: SWIFT Education programmes
SWIFT Audit Guidelines: a 2 day training programme for Auditors
For training schedule see: www.swift.com

Slide 56: Thank you