SWIFT misuse: Why RBI's missive to Indian banks matters

RBI has set April 30th as the deadline for banks to link their CBS with SWIFT. Here are five cases of SWIFT misuse that led to a cybersecurity nightmare, which could have been avoided.


In January last year, RBI had advised banks to be extra cautious with banking technology being misused – either by external or internal parties.

The banking tech in focus is - The Society for Worldwide Interbank Financial Telecommunication or SWIFT. The electronics payments messaging system is used for worldwide financial transactions. While it does not actually ‘transfer’ money itself, it is a secure network that BFSI players use to communicate and transmit instructions to each other.

The SWIFT network carries approximately 30 million messages each day. While the network uses techniques like encryption, the vulnerabilities lie at endpoints. That is why it is extremely important that financial institutions should adhere to the latest and best security practices when it comes to SWIFT infrastructure within their institutions and also at other endpoints.

In the wake of the massive USD 2 billion PNB scam, RBI has mandated banks to link their core banking solutions (CBS) with SWIFT by 30th April 2018. And this is not the first time RBI has given banks this slap on the wrist. The central bank had cautioned Indian banks against misuse of SWIFT since 2016.

Here are five instances of SWIFT misuse that created havoc for the BFSI industry.

PNB scam: At the heart of the Nirav Modi-PNB saga, lies SWIFT misuse by the officials of the state-run lender. It is alleged that PNB officials issued letters of undertaking (LoUs) to Nirav Modi and associates without formally recording it in CBS, the banking software that contains records of all transactions. And as SWIFT was not linked to the bank’s CBS, the scam went undetected for years. 

City Union Bank of India: In February 2018, India’s City Union Bank admitted to being a victim of a cyber attack. Cybercriminals hacked into the bank’s systems and transferred USD 2 million using the SWIFT platform. City Union Bank CEO N Kamakoti said in a statement to Reuters that the conspiracy involved international cybercriminals and multiple countries. The bank is currently working with Indian authorities and SWIFT officials to investigate the hack further.

Central Bank of Bangladesh: In February 2016, all hell broke loose for the Bangladesh Bank. USD 81 million was stolen from the bank through SWIFT network. Hackers used SWIFT credentials of banking officials to send money transfer requests to Federal Reserve Bank of New York. The request was to transfer millions of funds to accounts in other countries. The hackers would have stolen more, but a printing error led to the discovery of the cyber-attack. Experts believe North Korean hacking group Lazarus was behind this hack.  

Russian Bank: According to a report published in Reuters, hackers exploited the SWIFT platform to steal close to USD 6 million from Russian central bank in 2017. While SWIFT and the Russian bank have not revealed more details, this was not the first cyber-attack to hit a Russian bank. In December 2017, Russian state bank Globex, fell victim to a hacking move, which tried to steal 55 million rubles via SWIFT network.

Taiwan's Far Eastern International: According to reports published by Taiwan’s local media in October 2017, hackers had stolen USD 60 million from the Far Eastern Bank. The bank and Taiwan’s financial regulator launched an investigation into the hack, which revealed loopholes in the bank’s security system. Consequently, Taiwan’s financial regulator imposed a fine of USD 8 million on the bank.