Securing Your Bank Connectivity
December 14th, 2016
Tom Hunt | Director of Treasury Services | AFP
Bob Stark | Vice President, Strategy | Kyriba
© 2016 Kyriba Corp. All rights reserved. PROPRIETARY & CONFIDENTIAL.
Today’s speakers
Tom Hunt
Director of Treasury Services
AFP
thunt@afponline.org
Bob Stark
VP Strategy
Kyriba Corporation
bob@kyriba.com
@treasurybob
Securing Your Bank Connectivity
Today’s Discussion Points
1) Impact of fraud on bank connectivity
2) Payment connectivity
3) Bank statement reporting
4) Future of connectivity: opportunities for greater security?
5) Questions and answers
Fraud Prevention: Before Bangladesh Compromise
(Diagram: six areas of treasury fraud exposure, each with the questions to ask about it.)
Areas: Fraud Detection; Payments; Access to Treasury Technology; Supplier Account Verification; Investments & Trading; Bank Account Mgmt
Questions:
– Do I have visibility into every payment?
– Are my controls consistent for every bank, every region, every person?
– Do I review my ACKs?
– How many bids before a trade?
– Can Settlement Instructions be modified?
– How many layers of protection exist after your password?
– Are there controls to prevent unauthorized change to supplier payment info?
– Do I know my account signers? Who can change them? Does my bank have the same list?
– Do I use payment watchlists?
– Do I have a control center to view all transactions and modifications?
Fraud & Cybercrime in Treasury
Fraud Prevention: After Bangladesh Compromise
(Diagram: the same six areas and questions as on the previous slide, with a seventh area added.)
Connectivity: Can connectivity be compromised?
Can My Connectivity Be Compromised?
Yes, connectivity workflows can be at risk
Steps can be taken to minimize likelihood of attack
What we learned from the Bangladesh issue and similar events:
1) Separation of duties is critical
2) UserID and password alone are insufficient
3) Preventing payments fraud is more than just protecting initiation/transmission
Bank Reporting Connectivity Workflow
(Diagram: encrypted messages and files sent directly to Kyriba; prior day (PD) and current day (CD) reporting flows on to the TMS or ERP.)
Prior Day and Current Day Reporting formats: • BAI2 • MT940 • XML CAMT • Regional formats
Payment Connectivity workflow summary
(Diagram: numbered steps between the TMS or ERP, the HUB, the SWIFT Network and the banks.)
1) Approved payments sent to Banks
2) Secure payments sent from HUB to SWIFT Network
3) Ack Levels transmitted to HUB
4) Ack/Nack notification provided to TMS/ERP
Payment Connectivity Risk Exposures
1) Access to software used for payment initiation, approval and transmission (e.g. TMS, ERP, bank portal)
2) Separation of duties and approval limits within payments software
3) Transmission to bank connectivity channel
4) The Bank Connectivity Channel
5) Payment Confirmations and Acknowledgements
6) Reconciliation of Payment Transactions
7) Workflow Changes within Payments Systems
Understanding Connectivity Risks
1) Access to software used for payment initiation, approval and transmission
• UserID/Password alone should not grant access to the system
• Best practice is a combination of password controls:
– Password timeouts, resets, history, alphanumeric requirements
– Virtual Keypad
– Multi-factor authentication (hard or soft token)
– IP Filtering
– Single Sign-On w/ internal IT environment
2) Separation of duties and approval limits within payments software
• Separation of duties is an obvious win
• The issue is when separation of duties is inconsistent across different:
– Payment types
– Geographies
– Systems (e.g. TMS vs. ERP)
• Initiation and Approval Limits: consistency is key, or exceptions will be exploited
• Mandate review of attached documentation that supports payments
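The consistency point above is easiest to see as one policy evaluated the same way for every payment. The following is an added example, not code from the deck or from Kyriba: a single approval policy (tiers, the four-eyes rule and the supporting-documentation check) applied to payment requests regardless of payment type, region or source system, so that no payment type or system becomes the exception an attacker looks for. The tier amounts, user names and payment references are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical approval tiers (constructed values): (upper amount, distinct approvers needed).
# One table for wire and ACH, every region, TMS and ERP alike.
APPROVAL_TIERS = [
    (Decimal("10000"), 1),
    (Decimal("100000"), 2),
]
MAX_APPROVERS = 3  # required above the last tier


def required_approvers(amount: Decimal) -> int:
    """Number of distinct approvers the policy demands for this amount."""
    for limit, needed in APPROVAL_TIERS:
        if amount <= limit:
            return needed
    return MAX_APPROVERS


@dataclass
class PaymentRequest:
    ref: str
    amount: Decimal
    initiator: str
    approvers: list
    payment_type: str   # e.g. "wire" or "ach"; the policy deliberately ignores it
    source_system: str  # e.g. "TMS" or "ERP"; the policy deliberately ignores it
    attachments: int = 0


def sod_findings(req: PaymentRequest) -> list:
    """Return the control violations for one request (empty list means it passes)."""
    findings = []
    distinct = set(req.approvers)
    if req.initiator in distinct:
        findings.append("initiator is also an approver")
    if len(distinct) < len(req.approvers):
        findings.append("same approver counted twice")
    needed = required_approvers(req.amount)
    if len(distinct) < needed:
        findings.append(f"needs {needed} distinct approver(s), has {len(distinct)}")
    if req.attachments == 0:
        findings.append("no supporting documentation attached")
    return findings


# Constructed sample requests spanning payment types and systems.
SAMPLE_REQUESTS = [
    PaymentRequest("PAY-2001", Decimal("5000"), "alice", ["alice"], "wire", "TMS", 1),
    PaymentRequest("PAY-2002", Decimal("50000"), "bob", ["carol"], "ach", "ERP", 1),
    PaymentRequest("PAY-2003", Decimal("250000"), "bob", ["carol", "dave", "dave"], "wire", "ERP", 0),
    PaymentRequest("PAY-2004", Decimal("500"), "erin", ["frank"], "ach", "TMS", 1),
]


def review_all(requests=SAMPLE_REQUESTS) -> dict:
    """Map each reference to its findings; only references with findings are returned."""
    return {r.ref: f for r in requests if (f := sod_findings(r))}


if __name__ == "__main__":
    for ref, findings in review_all().items():
        print(ref, findings)
```

Because the policy never reads `payment_type` or `source_system`, a low-value ACH routed through the ERP gets exactly the same scrutiny as a wire from the TMS; that uniformity is the control the slide is asking for.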
3) Transmission to Bank Connectivity Channel
• Securing access to the connectivity channel means:
1) If multiple systems are used, files must be secured while travelling between systems
2) Whether one or many systems, implement good authentication protocols to ensure authorized access
3) Where available, apply digital signatures (e.g. SWIFT 3SKey) to authenticate exported payment files
4) Review un-editable payments vs. sanctions lists (e.g. OFAC)
4) The Bank Connectivity Channel
• Multiple channels to automatically connect to bank:
– Host-to-Host Connections
– Domestic/Regional Networks
– MT Concentrator Service (i.e. Shared BIC)
– SWIFT Alliance Lite2 (hosted by SWIFT / integrated to TMS)
– SWIFTNet Service Bureau
– SWIFT Alliance Access (hosted by corporate)
• Ensure safeguards of hosted connectivity and service bureaus meet your organization’s information security policy
– Review of SOC1/SOC2 Audits
– Penetration Testing
– Data Security (e.g. encryption at rest, use of firewalls and application tiers, who has access to the data)
– Business Continuity
5) Payment Confirmation and Acknowledgements
• Up to 4 levels of acknowledgment (5 if you count CAMT 054)
• Acknowledgements can be viewed in message format or integrated into a payment dashboard
• Monitor each stage of workflow and reconcile against payment log
6) Reconciliation of Payment Transactions
• In addition to reviewing payment acknowledgements, reconcile the outgoing payments intra-day against the expected payment transactions:
1) Payments generated within the TMS/ERP create the expected cash flows for outgoing payments
2) Intraday reporting from the bank provides the actual transactions
3) Use the standard forecast/actual reconciliation to identify variances
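Points 5 and 6 describe two checks that belong together: walk the acknowledgement chain for each payment, and reconcile what the TMS/ERP generated against what the bank's intraday report actually debited. The following is an added example, not code from the deck or from Kyriba. The four acknowledgement stage names, the payment references, beneficiaries and amounts are constructed; the intraday actuals are assumed to have already been parsed out of the bank report into (reference, beneficiary, amount) tuples.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Hypothetical names for the four acknowledgement levels in the
# TMS -> HUB -> SWIFT Network -> bank flow; the deck counts up to four.
ACK_LEVELS = ("hub_received", "network_ack", "bank_received", "bank_accepted")


@dataclass
class Payment:
    ref: str
    beneficiary: str
    amount: Decimal
    acks: dict = field(default_factory=dict)  # level -> "ACK" or "NACK"


def ack_status(p: Payment) -> tuple:
    """Walk the ack chain in order and stop at the first missing or negative ack."""
    for level in ACK_LEVELS:
        result = p.acks.get(level)
        if result is None:
            return "pending", level
        if result == "NACK":
            return "rejected", level
    return "complete", ACK_LEVELS[-1]


def reconcile(expected: list, actuals: list) -> dict:
    """Forecast/actual reconciliation of outgoing payments, matched by reference.

    expected: Payment objects generated by the TMS/ERP (the forecast).
    actuals:  (ref, beneficiary, amount) tuples from the bank intraday report.
    A bank debit with no TMS/ERP record is the finding that matters most:
    it is a payment that never passed through the controlled workflow.
    """
    by_ref = {p.ref: p for p in expected}
    seen = set()
    report = {"matched": [], "missing": [], "unexpected": [], "variance": []}
    for ref, bene, amt in actuals:
        p = by_ref.get(ref)
        if p is None:
            report["unexpected"].append((ref, bene, amt))
            continue
        seen.add(ref)
        if p.amount != amt or p.beneficiary != bene:
            report["variance"].append((ref, (p.beneficiary, p.amount), (bene, amt)))
        else:
            report["matched"].append(ref)
    # Expected but not executed: attach the ack status so the reason is visible.
    for ref, p in by_ref.items():
        if ref not in seen:
            report["missing"].append((ref, ack_status(p)))
    return report


# Constructed sample data: three TMS payments and three bank debits.
SAMPLE_EXPECTED = [
    Payment("PAY-1001", "ACME SUPPLY", Decimal("12500.00"),
            {"hub_received": "ACK", "network_ack": "ACK",
             "bank_received": "ACK", "bank_accepted": "ACK"}),
    Payment("PAY-1002", "GLOBEX", Decimal("980.50"),
            {"hub_received": "ACK", "network_ack": "ACK", "bank_received": "NACK"}),
    Payment("PAY-1003", "INITECH", Decimal("4200.00"),
            {"hub_received": "ACK"}),
]
SAMPLE_ACTUALS = [
    ("PAY-1001", "ACME SUPPLY", Decimal("12500.00")),
    ("PAY-1003", "INITECH", Decimal("42000.00")),    # amount differs from the TMS record
    ("PAY-9999", "UNKNOWN LTD", Decimal("7000.00")),  # no TMS record at all
]


def run_sample() -> dict:
    return reconcile(SAMPLE_EXPECTED, SAMPLE_ACTUALS)


if __name__ == "__main__":
    for key, items in run_sample().items():
        print(key, items)
```

Run intra-day, the `unexpected` and `variance` buckets are the alerts that justify stopping a payment before it clears; the `missing` bucket, carrying the ack level at which a payment stalled, is the reconciliation against the payment log that point 5 asks for.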
7) Workflow changes within payments systems
• It is important to monitor changes to the payments workflow (e.g. approvals, limits, users, uploaded payment files, sent payment files)
• Often an integrated dashboard within the ERP/TMS will track any control changes and present them in a summarized view
Future of Bank Connectivity
Instant Payments
Movement towards quicker payments (instant payments in Europe, same day ACH domestically, SWIFT GPII)
Increases need to stop unauthorized payments before they start
More difficult to claw back a payment after it has cleared
Global Payment Innovation Initiative
Initiative by SWIFT; takes effect 2017
Offers same day cross border settlement
Also offers greater transparency of payments – equivalent of a global tracking number (like online shopping & shipping)
Transparency allows better audit of where payment went
Blockchain/Distributed Ledger
Much talk about Blockchain and security advantages
Distributed Ledger Technology (DLT) still years from mainstream adoption for payments
‘Complete anonymity’ will need to be addressed to offer improvements in security and reduced threat of unauthorized payments
Concluding Remarks
The connectivity channel (e.g. SWIFT) is not the problem; it is securing access to and from the channel that presents the most risk
Securing connectivity starts with understanding exposure points in the connectivity workflow (e.g. payment initiation)
Cloud connectivity offers good advantages if offered as a single system (rather than patchwork of multiple solutions)
Further reading
AFP TIP Guide ‘Putting Your Connectivity on Lockdown’
Questions?
Tom Hunt thunt@afponline.org
Bob Stark bob@kyriba.com
@treasurybob
Thanks for attending
facebook.com/kyribacorp
twitter.com/kyribacorp
linkedin.com/company/kyriba-corporation
youtube.com/kyribacorp
slideshare.com/kyriba
kyriba.com/blog