In September 2016, responding to the increasing threat of wholesale payment fraud, the Committee on Payments and Market Infrastructures (CPMI) announced the establishment of a task force (TF) to look into the security of wholesale payments that involve banks, financial market infrastructures and other financial institutions.
The CPMI has now published a discussion paper on reducing the risk of wholesale payments fraud relating to endpoint security. The strategy’s aim is to encourage and help focus industry efforts to reduce the risk of wholesale payments fraud and in doing so, support financial stability. The strategy is composed of the following seven elements:
- identifying and understanding the range of risks. The operator and participants of a payment system and those of a messaging network should identify and understand the risks related to endpoint security that they face individually and collectively, including risks related to the potential loss of confidence in the integrity of the payment system or messaging network itself;
- establishing endpoint requirements. The operator of a payment system or a messaging network should establish clear endpoint security requirements for its participants as part of its participation requirements;
- promoting adherence. Based upon the understanding of risks and the endpoint requirements of a payment system or a messaging network, the operator and participants of the payment system or messaging network should establish processes as necessary to help ensure adherence to their respective endpoint security requirements;
- providing and using information and tools to improve prevention and detection. To the extent reasonably possible, the operator and participants of a payment system or a messaging network should support the provision and use of information and tools that would enhance their and each other’s respective capabilities to prevent and detect in a timely manner attempted wholesale payments fraud;
- responding in a timely way to potential fraud. The operator and participants of a payment system or a messaging network should adopt procedures and practices, and deploy sufficient resources, to respond to actual or suspected fraud in a timely manner;
- supporting ongoing education, awareness and information-sharing. The operator and participants of a payment system or a messaging network should collaborate to identify and promote the adoption of procedures and practices, and the deployment of sufficient resources, that would support ongoing education, awareness and, to the extent appropriate and legally permissible, information-sharing about evolving endpoint security risks and risk controls; and
- learning, evolving and coordinating. The operator and participants of a payment system or a messaging network should monitor evolving endpoint security risks and risk controls, and review and update their endpoint security requirements, procedures, practices and resources accordingly.
The elements are designed to work holistically to address all areas relevant to preventing, detecting, responding to and communicating about fraud. They describe what should be done at a high level, recognising the need for flexibility when approaching each element. Such flexibility would allow payment systems and messaging networks to adopt and operationalise the elements in accordance with their unique architecture and processes, while taking into account the changes to their risk environment and the evolution of risk management technologies and tools.
The CPMI is also seeking input that would assist in developing the prospective guidance for taking forward the strategy and also welcomes suggestions on how progress in reducing the risk of wholesale payments fraud could be monitored and measured.
The deadline for comments on the discussion paper is 28 November 2017.
View CPMI discussion paper on reducing risk of wholesale payments fraud relating to endpoint security, 28 September 2017
