On 8 May 2018, the Committee on Payments and Market Infrastructures (CPMI) published a report, Reducing the risk of wholesale payments fraud related to endpoint security. The report sets out a strategy to encourage and help focus industry efforts to reduce the risk of wholesale payments fraud related to endpoint security.
The report discusses the wholesale payment ecosystem and endpoints, and the risk of wholesale payments fraud, stressing the need for a holistic approach and coordination (section 1). It then presents a strategy comprising seven elements (section 2). Finally, it discusses the CPMI’s plan to promote, support and monitor local and global progress in operationalising the strategy (section 3), with due recognition of the need for flexibility to reflect the uniqueness of each system and jurisdiction, including the legal, regulatory, operational and technological structures and constraints under which they may operate.
The seven elements of the strategy are:
- Identify and understand the range of risks;
- Establish endpoint security requirements;
- Promote adherence;
- Provide and use information and tools to improve prevention and detection;
- Respond in a timely way to potential fraud;
- Support ongoing education, awareness and information-sharing; and
- Learn, evolve and coordinate.
The strategy is relevant for a number of risk management topics that are covered by the 24 principles of the CPMI-IOSCO Principles for financial market infrastructures (PFMI), the expectations in Annex F of the PFMI (Oversight expectations applicable to critical service providers) and related guidance, including the CPMI-IOSCO Guidance on cyber resilience for financial market infrastructure, although it is not intended to replace or supersede them. However, since the scope of this strategy complements some of these principles and expectations, the strategy could be taken into account by wholesale payment systems and messaging networks as they consider their approaches for observing the principles and expectations, where applicable and appropriate. More generally, the strategy is designed to be taken into account by all relevant public and private sector stakeholders in reducing the risk of wholesale payments fraud, including operators of a wholesale payment system or a messaging network, their respective participants and the respective regulators, supervisors and overseers of these operators and participants.