Gottfried Leibbrandt, chief executive officer of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), shares how SWIFT has balanced its focus on compliance and the business of banking, while strengthening itself as a co-operative organisation amidst increasing threats in cyber security.
- Leibbrandt believes that the only way to solve existing challenges in cyber security is for the different stakeholders – banks, regulators, IT service providers, suppliers – to work as a community
- The whole focus of SWIFT is to offer community products that works in a co-operative space
- Blockchain is an exciting technology and SWIFT is looking for opportunities to embed it in their existing products and services
Here is the transcript of the video.
Emmanuel Daniel (ED): Gottfried Leibbrandt, it’s so good to see you again at yet another very successful looking Sibos here in Geneva. And you’ve been sort of transforming the organisation, and I’m trying to make sense of how everything that you have been doing in SWIFT is showing itself to the user here in Geneva. It seems to be a very strong focus on compliance and all the good things taking place in cyber security. And then on top of that, you know, there’s a shadow of building the culture around financial services.
Balancing focus on compliance and the business of banking as a “community”
We are in a realm where were dealing with the software aspects of the banking industry, and in order to build that part of the infrastructure, preparing it for the digital age as we think it will evolve. Is there such a thing as too much focus on compliance and regulation and all the control aspects, and too little focus on the business of banking?
Gottfried Leibbrandt (GL): What we are doing reflects the needs of our customers. Our customers’ businesses, a lot of which is transaction and correspondent banking, face an interesting set of challenges. Financial crime compliance is not going to go away, for instance. On top of that, on the business side, they are facing low interest rates and challenges from fintech and cyber security – amongst other things.
We are helping them face those challenges. At the same time, correspondent banking is a unique asset. It needs to be kept running. If correspondent banking has a glitch anywhere, people notice. So of course we continue to focus heavily on the basics of our business – on ensuring operational excellence, and we always will. Our core mission is paramount. Then there is compliance. Several years ago, we started to help the banks on financial crime compliance, an effort that has now reached a mature state. Here at Sibos., for instance we have all the compliance officers of the major banks engaging with us On the product side, we are also progressing well: we have 500 customers on Sanctions Screening, and close to 3,000 on our KYC Registry.
Cyber security, is a similar challenge as I mentioned; recent events have been a wakeup call to the industry. We have really put a lot of effort on customers’ cyber challenges, together with our banks and we are showcasing these efforts here at Sibos. I see this cyber security initiative going in the same direction as our compliance initiative. We have a large number of CISOs here this year for the first time. I hope it’s the first of many, as I would really like to see SWIFT play the same sort of role in cyber security, as we are playing in financial crime compliance,
ED: Could it be that given what needs to be built to make the banking industry, or the financial services industry resilient in a cyber world that Sibos should have focused a lot more on the community aspect of cyber security, the collaboration, the global collaboration that should be taking shape, so that information is shared more widely? And it’s a role that perhaps would have been something natural for SWIFT more than any other organisation.
Because I’ve noticed that a lot of the issues discussed at Sibos this year had a very strong product level focus, at a technical level a domestic internal focus, rather than the community element.
GL: The community element is key. Our diagnosis of the security situation, is that the only way to solve this, is as a community. It has to involve SWIFT, customers, regulators, the suppliers to the industry; the IT services providers, and so on. This is exactly who we’re involving in the Customer Security Programme that we are rolling out. For instance, through our information sharing initiative, we aim to make sure that banks share all the details of security breaches with us. We then make this information available to other banks in anonymised form, so that they can take action and protect themselves.
Then there is our assurance framework. This is a set of guidelines and a set of security mandatory controls – that customers have to comply with. We will make the results transparent to their counterparts, so they know who they’re doing business with, so they know what their counterparts comply with, and so they can adapt their controls accordingly. We are also looking at pattern recognition at the sending and at the receiving bank, so that checks can be put in place along the chain. So the Customer Security Programme that we’re rolling out is exactly that, it’s a community initiative that requires effort from the whole community.
ED: But it only takes a life of its own if the community uses it.
GL: Absolutely.
A big part of what we need is communication and education, which came out here again at Sibos. Take the 10,000 banks on the SWIFT network – a lot of which are going to have to have a close look at their own security – and at a far broader level than their SWIFT environments, by the way. So a lot of the CSP will depend on community outreach, on our going to customers, gathering them together and educating them: this is what you need to do; this is how you do it; this is how you deal with your correspondent.
Strengthening SWIFT as a co-operative platform
ED: How much of SWIFT is a co-operative and how much of SWIFT is a product community? Given the way in which your own staff are incentivised today, and in fact driven to make certain aspects work, or certain business lines work. You have got your compliance solutions and so on, Sanction Screening, which seems to be working very well. So as a product it works well, but SWIFT has this responsibility as a community platform.
GL: Absolutely we have a responsibility to our community – we are a co-operative at the end of the day. We really always make a conscious choice that the products we develop are community products and that we do, we do is in the co-operative space. We have to act in areas in which banks are better off doing things together. The KYC Registry is a perfect example. The Registry is something that only works if there’s a network effect, if people put in their data, and other banks are able to access it.
Of course, we have to undertake a commercial effort to get our products and services to customers, but that’s inevitable – our products and services will only give value to the community if there’s a critical mass of people adopting them. Our whole focus is on the community.
ED: How much of the community aspect is moving away from you? Agendas that are not necessarily SWIFT driven, and other platforms are becoming, you know, the natural place, especially for regulator driven initiatives, like the FSB and so on, claim the role of creating that global surveillance mechanism that needs to be put in place.
Gottfried: And we of course welcome that – we are not regulators. This can only be done with and by regulators. Additionally, of our interesting challenges is that we operate in 200 countries. How do you engage regulators in 200 countries? Even the FSB is just the G20 if I’m not mistaken, the CPMI includes 30 countries; how we all engage across those 200 countries is going to be an interesting challenge.
ED: Are you an active participant in those dialogues? Are you rolling this out?
Gottfried: We engage with our overseers and we engage with regulators around the world. Absolutely we are engaging with them as roll out this programme. All of this has to be understood though in the proper context: the regulators have their responsibility, and are in charge.
ED: When you woke up one morning and the Bangladesh fraud opened up, I’m not sure whether it came to you in the form of a call at 2:00 in the morning, but what first struck you, and how did that whole learning evolve in you, in terms of what you thought that you were dealing with, and what you thought that you need to put in place as you went along?
GL: First of all, I don’t think it was sudden; the information came out slowly. Better information sharing would have been good. As we got more information, we realised fairly quickly that this was a challenge for the community as a whole. We also realised that what happened to Bangladesh could well happen to other banks, and that facing up to this challenge would require an industry-wide effort. We then crafted that effort formalising the Customer Security Programme, which is what we’re focusing on now.
ED: The initial comments that you were quoted in the various newspapers focused a lot on the individual members. And perhaps a need to audit them in order to make sure that they were either compliant, or they had enough processes in place, and then at the entry level that you started to need to screen your members themselves. Is that still a focus or what do you need to do in all the multiple entry points that you have?
GL: I would need to go back to my original statements, but one of the things we realised was that this would require an effort by a lot of banks to improve their security. Banks’ security is of course something we don’t control. This has always been in the banks remit, and that’s where it belongs. But it’s exactly because of that we are now rolling out these mandatory controls, and finding ways to make sure banks actually stick with them. There’s pressure on these banks from us, from their counterparties, from their overseers, to really make sure that we, as a community, lift the security level.
ED: Going forward will there be banks or institutions that you would not admit as members if they don’t pass a certain audit in order to become participating members?
GL: That’s a process we’re now in as a community. We’re consulting on these controls for the next three months. Then, once the framework is fully in place, we will to rely on multiple mechanisms to make sure that customers adopt these controls, including the transparency measures I just mentioned. As we have always said, in terms of ultimate enforcement nothing is off the table, and as we continue we’ll see how that evolves.
Transforming SWIFT through technology and collaboration
ED: SWIFT2020, a lot seems to focus on compliance and regulation, rather than being part of the revolution that’s taking place on the internet and digital, and being part of the supply chain, the value processes that are evolving right now. Because if you look at the way in which banks are being disintermediated, non-banks are able to provide payment platforms, you know, information sharing and so on. Is SWIFT2020 adequate for what it’s supposed to achieve, or is that something that should be tweaked a little bit further?
GL: I think it is adequate, yes. And if you look at SWIFT2020 a lot of it is about innovation. We have real time payments and we have a big focus on market infrastructures in SWIFT2020. The MI space is a rapidly evolving field. – for instance we’re seeing the announcement of the convergence between Target 2 and T2S here at Sibos and we’re seeing a lot of MIs adopting ISO 20022. And in the real time payments area, where we are delivering on the AU NPP platform in Australia, we really aim to help the banks offer real time payments to their customers, enabling them to offer overlay services on top of that.
So I think innovation is very much embedded in our 2020 strategy. And I think that it is as relevant as ever. Innovation and Fintech are not going to go away. We are engaging with banks on innovation – but when we do that, we do it from a perspective of maximising the value of what’s already there. Don’t expect from us to come up with something completely new that rips out everything that is in place already. There’s a huge migration cost for banks if they go to new infrastructures. We seek to maximise the value of what they already have, incorporating innovative processes and technologies into the existing architecture, to make migrations as smooth as possible.
ED: But at the same time blockchain, which requires the kind of collaboration, which validates the transactions and real time payment, does that give an indication that SWIFT itself needs to evolve, and give up perhaps that 90% of your income from messaging? And is that a journey that you would bravely take?
GL: We’ll take any journey that is required bravely – SWIFT absolutely needs to evolve. The analogy that I made about the internet in the opening plenary is really relevant. I think it was about the year 2000 when people said the internet would disintermediate banks and would disintermediate SWIFT. We took that challenge and put the internet at the heart of our SWIFTNet offering TCPand PKI infrastructure. Essentially we took the whole internet technology and put it inside our offering.
Banks have done the same thing. Banks have put the internet at the core of their customer value propositions with mobile, e-banking and what have you. And I would see the same with blockchain. It’s an exciting technology and we very much see it as something we might put inside our offering, but it is not yet at a point where we see it replacing existing business models – at least in our area. The way I would see it is that we might put it inside what we already have to maximise existing models and to offer even better services.
ED: A number of the participants at Sibos are potentially your threat. They operate on an open platform. They operate in the open space. And on top of that they are far more engrained into the payment system, rather than just being a messaging in that regard. What do you think you need to do, either collaborate, or learn from them, or merge with over time, and in your own process of transforming SWIFT?
GL: I think that’s where a lot of the initiatives that we’re doing right now come in.
ED: Are you thinking about acquisitions maybe?
GL: We don’t disregard anything. We’ve made acquisitions in the past, and I’m sure we’ll continue to do so in the future. Again, the focus for us will always be on what helps the banks. They are our owners, and we are a co-operative: we are in this to help the banks make the most of the investments they already have. This is where a big initiative – the global payments initiative (GPI) – comes in.
The GPI is really a bold attempt we are making, together with the banks, to improve correspondent banking. We are doing this over the existing rails and using established market practices and relationships, by offering faster, more transparent, traceable payments.
ED: What are the numbers looking like on that front, a percentage growth relevant to the overall business involved?
Gottfried: We have 80 banks signed up for the GPI – that is, 80 of the biggest banks, banks that represent well over half of all the traffic that we have on our network. So I think we have more than enough critical mass in banks making these investments with us. Right now the gpi is in a pilot stage. We’re going to roll out the live initiative early next year which is when we’ll be looking at numbers and the adoption rate..
ED: So do you sleep with your phone next to, and what sort of calls you might be expecting?
Gottfried: Do I sleep with my phone? I try to not keep my phone too close to my head as I’m still paranoid about this radiation thing. Instead I sleep where I can hear the phone if it goes off. But at the end of the day I sleep well. What do I worry about? Cyber keeps me awake at night, Fintech keeps me awake at night, the global situation keeps me awake at night, and presidential debates keep me awake at night, as they did on Monday night at Sibos, but at the end of the day I try to get some sleep, even here at Sibos.