9 Bank Interface Questions All Companies Need to Ask

In the post Corporate to Bank Connectivity – 10 Questions YOU Need To Ask I suggest some high-level questions to ask if you are considering an entirely new bank connectivity solution. The highlighted questions will help you get a bird's-eye view of your existing internal systems and banks. Depending on the size of your company, that can clearly be quite a major initiative. Much more frequently, though, you need to roll your sleeves up and get into the details of a particular bank interface: you just need to know how a particular payment to bank interface works. Perhaps there has been an internal review, or a security breach, or maybe there are known concerns with a particular process and you just want to get to the bottom of it. Within large and complex organisations it can be difficult to know where to start. I reckon the following bank interface questions will provide you with an excellent insight into any bank interface, whether it is happening in Tampa, Telford, Timbuktu or Tokyo …

The focus here is mainly corporate to bank interfaces, since these are normally the most complex. But there is no reason why the same questions should not be asked for a bank to corporate interface.

The best analogy to use is to think of your payment file (for example) as your luggage when you go on a business trip. Now imagine the airport is the bank, and from the moment you leave your home with your luggage you need to ensure nobody else tampers with its contents. The same is true of a payment file in a bank interface. So here goes…

For Each Bank Interface Understand:

The Source…

1. What is the source system? Where is it hosted..?

The Target…

2. Where is your file (e.g. SEPA payment file, SEPA direct debit, other..) being sent? Which bank is it being sent to, and what system is the target bank system?

The Journey from Source to Target…

3. How is the payment file sent from the source system to the target bank? Referring to the luggage comparison – understand the overall journey: is it a direct train, or is it via plane, train and automobile? Consider that the more legs there are on a particular journey, the greater the risk to your luggage…

The Journey Itinerary…

4. Ok, so now you understand the overall journey of the payment file from the source to its intended target. Now you need to ask, could the file have been modified along the way? Or to use the luggage metaphor, could someone on either the plane, train or car have opened up your luggage and inserted or taken something from it..?

Risk Reduction…

5. Are there any preventative measures and/or controls in place to prevent somebody from modifying the contents of your payment file? For example, is the payment file encrypted, or is there a hash check happening at the appropriate points? Does your luggage come with a security lock, or is it wrapped making it difficult to open and tamper with, or is your baggage completely unlocked?
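To make the "hash check at the appropriate points" in questions 3 to 5 concrete, here is an added example (not from the original post) that seals a payment file at the source and re-verifies it after every leg of the journey, reporting the first leg where the contents changed. It assumes a keyed hash (HMAC-SHA256) with a key shared between the source system and the final checkpoint; the leg names, key and file contents are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the key is provisioned outside the file's transport
# path, and the payload is a made-up stand-in for a SEPA payment file.
SHARED_KEY = b"constructed-demo-key-not-for-production"
PAYMENT_FILE = (b"<Document><CdtTrfTxInf><Amt>1500.00</Amt>"
                b"<IBAN>DE00EXAMPLE0001</IBAN></CdtTrfTxInf></Document>")


def seal(payload: bytes, key: bytes) -> str:
    """Compute the HMAC-SHA256 tag when the source system generates the file."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, tag: str, key: bytes) -> bool:
    """Recompute the tag at a checkpoint and compare in constant time."""
    return hmac.compare_digest(seal(payload, key), tag)


def trace_journey(payload: bytes, tag: str, key: bytes, legs):
    """Pass the file through each leg and verify it after every hop.

    `legs` is a list of (name, transform) pairs, where transform models what
    that hop does to the bytes. Returns the name of the first leg after which
    verification fails, or None if the file arrives intact.
    """
    for name, transform in legs:
        payload = transform(payload)
        if not verify(payload, tag, key):
            return name
    return None


def unchanged(data: bytes) -> bytes:
    return data


def altered_in_transit(data: bytes) -> bytes:
    # Models a modification on one leg: the beneficiary account is swapped.
    return data.replace(b"DE00EXAMPLE0001", b"DE00EXAMPLE9999")


# Hypothetical three-leg journeys from source system to bank.
CLEAN_JOURNEY = [("erp_export", unchanged), ("middleware", unchanged),
                 ("bank_gateway", unchanged)]
TAMPERED_JOURNEY = [("erp_export", unchanged), ("middleware", altered_in_transit),
                    ("bank_gateway", unchanged)]

if __name__ == "__main__":
    tag = seal(PAYMENT_FILE, SHARED_KEY)
    print("clean:", trace_journey(PAYMENT_FILE, tag, SHARED_KEY, CLEAN_JOURNEY))
    print("tampered:", trace_journey(PAYMENT_FILE, tag, SHARED_KEY, TAMPERED_JOURNEY))
```

A plain unkeyed hash stored next to the file only catches accidental corruption, because anyone able to change the file on a leg can also recompute the hash; the check is only as strong as the separation between the file's path and the key or reference digest.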

Security Checks…

6. Is the payment file being approved in the target system, i.e. the bank software? It is crucial to know that the approver(s) are checking the contents of the file at the target with some kind of reference (report) back to the original source system payment(s). Consider this – if 2 people (2 approvers in banking software) are checking your baggage and all of its contents at the final destination – does that mean you don’t necessarily need to lock your luggage? Is that an efficient process…?

Known risks…

7. Sometimes an audit or previous review of a particular bank interface may have already highlighted some concerns or risks – check whether there are any known risks and concerns. Going back to the luggage comparison, if a particular journey is prone to looters or pirates (is this going too far now?!?!) – highlight the risk…

Existing Documentation…

8. Is there any existing documentation available describing the bank interface? It may save you a lot of time, and highlight known issues and risks, and maybe even a proposed solution.

Support Contacts…

9. Understand who supports the bank interface. There may be multiple teams involved, and each should be able to help you piece together the end-to-end puzzle. Somebody, somewhere must know something… right….?


Bank Interface Summary

Of course this isn’t a complete and comprehensive list, but that is not the intention. The idea here is to get you started, so that you begin to build a picture of any given bank interface. Once you have understood that, you can start to delve into the details and investigate and pursue as required. Remember, think of your payment file as your luggage – you don’t want anyone to tamper with it, and you need to know that it is intact and complete from the moment it has been packed (file is generated) through to the final check-in at the airport (delivery to the bank). Any risks and potential weak spots should be exposed as you step through the above 9 questions.

I’d love to hear your thoughts and comments on this post below, particularly if you are a provider of bank interface software and solutions…
