Securing Financial Transactions with SWIFT CSCF Control 2.9


The control ensures that outbound transaction activity aligns with normal business practice and mitigates the risk of fraudulent transactions.

Financial institutions face growing cybersecurity threats as they operate in a rapidly evolving digital landscape, which makes effective controls over sensitive transactions essential. One of the critical controls in the SWIFT Customer Security Controls Framework (CSCF) v2024 is Control 2.9: Transaction Business Controls. The control is mandatory for all architecture types (A1 to A4 and B) and focuses on the integrity and authenticity of financial transactions, so that institutions not only prevent unauthorized activity but also actively monitor for and mitigate potential risks.

What Does Control 2.9 Seek to Achieve?

Control 2.9 aims to detect and prevent unauthorized or suspicious activity in SWIFT-connected systems. It requires institutions to implement transaction detection, prevention or validation controls, or a combination of them, tailored to their specific transaction profile. While the control focuses primarily on outbound transactions, the same measures can be applied to inbound transactions and to other sensitive transaction types.

Control 2.9 requires institutions to define parameters around transaction activity so that abnormal behaviour can be prevented, detected and validated. The controls apply to the key SWIFT-connected components: the graphical user interface (GUI), the messaging interface, the communication interface, and the SWIFT and customer connectors. By defining what "normal" business activity looks like, an institution establishes the boundaries against which unusual patterns, which may signal unauthorized activity, can be spotted and addressed.

Core Implementation Elements of Control 2.9

Control 2.9 describes five implementation methods for achieving its objective. Each detects or prevents unusual transaction activity against the institution's defined "normal" business pattern. Let's look at each in turn.

1. Restricting Transactions Outside Business Hours

By restricting transaction activity to business hours, institutions reduce the risk of unauthorized transactions being submitted during off-peak times, when fewer staff are watching. Organizations can set a single set of business hours or apply different windows per department or region to fit their schedules. This approach may not suit operations that run 24/7, where alternative monitoring or real-time transaction validation is needed instead.

Best Practices:

  • Restrict submission and approval of SWIFT transactions outside defined hours.
  • Keep FIN sessions open only during business hours (for instance, with automated session logout at end of day).
  • Monitor all transactions closely during business hours, since suspicious transactions can be disguised within regular traffic.

2. Setting Limits on Transaction Amounts

Defining transaction limits based on “normal” amounts can help identify and flag high-risk transactions, which may indicate fraud.

Best Practices:

  • Tailor transaction limits to regional, currency or transactional needs, setting global, region-specific or correspondent-specific thresholds in line with the functionality offered by the SWIFT interface, application or service in use.
  • Hold transactions that exceed the defined limits for offline validation by authorized personnel (in line with the segregation-of-duties principle of Control 5.1).
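Methods 1 and 2 are both preventive gates applied before a payment is released, so they are naturally implemented together. The following is an added example, not code from the article or from any SWIFT interface: a pre-release check that converts the interface's UTC timestamp to the institution's local business hours, applies a correspondent-specific limit before falling back to the currency-wide one, fails closed when no limit is configured, and enforces a four-eyes rule for held payments. The payments, BICs, limits, timezone (assumed to be Nepal Time) and business-hours policy are all constructed for illustration.

```python
"""Preventive transaction controls for CSCF Control 2.9 methods 1 and 2.

Added example, not code from the article or from any SWIFT interface.
Payments, limits, BICs and the business-hours policy are constructed; a
real deployment would take them from the messaging interface's
configuration and the back-office payment feed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone
from decimal import Decimal

LOCAL_TZ = timezone(timedelta(hours=5, minutes=45))  # institution's local zone (assumed NPT)
UTC = timezone.utc


@dataclass(frozen=True)
class Payment:
    ref: str             # sender's reference (field :20: of the outgoing MT 103)
    submitted: datetime  # timezone-aware timestamp from the interface (here UTC)
    currency: str
    amount: Decimal
    receiver: str        # receiver BIC, i.e. the correspondent
    operator: str        # user who submitted the instruction


@dataclass(frozen=True)
class Policy:
    open_at: time = time(8, 0)
    close_at: time = time(18, 0)
    working_days: frozenset = frozenset({0, 1, 2, 3, 4})  # Monday..Friday
    # currency -> ceiling, and (receiver BIC, currency) -> tighter ceiling
    global_limit: dict = field(default_factory=dict)
    receiver_limit: dict = field(default_factory=dict)


def check_payment(p: Payment, policy: Policy, tz=LOCAL_TZ) -> list[str]:
    """Return the reasons to hold the payment for offline validation.
    An empty list means release. Method 1 (business hours) and method 2
    (amount limits) are both applied."""
    reasons = []
    local = p.submitted.astimezone(tz)
    in_hours = (local.weekday() in policy.working_days
                and policy.open_at <= local.time() < policy.close_at)
    if not in_hours:
        reasons.append(f"submitted outside business hours ({local:%a %H:%M})")
    # Correspondent-specific limit wins over the currency-wide limit.
    limit = policy.receiver_limit.get((p.receiver, p.currency),
                                      policy.global_limit.get(p.currency))
    if limit is None:
        reasons.append(f"no limit configured for {p.currency}; failing closed")
    elif p.amount > limit:
        reasons.append(f"{p.amount} {p.currency} exceeds limit {limit} for {p.receiver}")
    return reasons


def can_validate(p: Payment, validator: str) -> bool:
    """Four-eyes rule for held payments: the submitter may not validate
    their own instruction (segregation of duties, cf. Control 5.1)."""
    return validator != p.operator


def triage(payments, policy: Policy, tz=LOCAL_TZ):
    """Split a batch into (released refs, {held ref: reasons})."""
    released, held = [], {}
    for p in payments:
        reasons = check_payment(p, policy, tz)
        if reasons:
            held[p.ref] = reasons
        else:
            released.append(p.ref)
    return released, held


# Constructed policy and batch. 2024-03-15 is a Friday; 04:45 UTC is 10:30 NPT.
POLICY = Policy(
    global_limit={"USD": Decimal("500000"), "EUR": Decimal("500000")},
    receiver_limit={("CORRUS33XXX", "USD"): Decimal("200000")},
)
SAMPLE = [
    Payment("PAY001", datetime(2024, 3, 15, 4, 45, tzinfo=UTC), "USD", Decimal("150000"), "CORRUS33XXX", "alice"),
    Payment("PAY002", datetime(2024, 3, 15, 17, 25, tzinfo=UTC), "USD", Decimal("50000"), "CORRUS33XXX", "alice"),
    Payment("PAY003", datetime(2024, 3, 15, 5, 15, tzinfo=UTC), "USD", Decimal("350000"), "CORRUS33XXX", "bob"),
    Payment("PAY004", datetime(2024, 3, 15, 5, 15, tzinfo=UTC), "GBP", Decimal("1000"), "CORRGB2LXXX", "bob"),
]

if __name__ == "__main__":
    released, held = triage(SAMPLE, POLICY)
    print("released:", released)
    for ref, reasons in held.items():
        print("held", ref, "->", "; ".join(reasons))
```

Note the fail-closed branch: a currency with no configured limit is held rather than released, because a missing threshold is exactly the gap an attacker would route a payment through. PAY002 is held only for its submission time (23:10 local), PAY003 for breaching the correspondent-specific ceiling even though it is under the currency-wide one.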

3. Routine End-of-Day and Intra-Day Reconciliation

Reconciliation at regular intervals ensures that all transactions are accurately recorded, helping identify discrepancies between the institution’s records and SWIFT network activity.

Best Practices:

  • Use debit and credit confirmation messages (MT 900 and MT 910, or their MX equivalent camt.054) to check that every booked transaction is matched by a confirmation from the correspondent, and that no confirmation arrives for a payment the back office never instructed. This supports intra-day Nostro reconciliation.
  • Reconcile accounting records against end-of-day statement messages (MT 940, MT 950 or MX camt.053), or via online queries, for end-of-day Nostro reconciliation.
  • Perform regular reconciliation of exchanged daily and potentially intra-day messages between the back office and the SWIFT network to ensure consistency across all systems.

4. Centralized Monitoring for Anomalies in Transaction Behavior

This method allows institutions to detect unusual patterns in transaction activity, such as unexpected beneficiaries, currencies, or transaction volumes.

Best Practices:

  • Monitor session and sequence numbers to confirm that the numbering is contiguous, with no unexpected gaps; a gap can indicate messages exchanged outside the normal flow, i.e. unauthorized access.
  • Flag unusual transactions such as unusually high amounts or unfamiliar sender/recipient pairs, based on criteria defined by the institution.
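The reconciliation in method 3 and the sequence-number check in method 4 share the same raw material: the messages actually exchanged over FIN, compared against what the back office believes happened. The following is an added example, not code from the article or from SWIFT, that parses the text block of constructed MT 900 debit confirmations, matches each to a back-office ledger entry by its related reference (:21:) and amount (:32A:), and separately reports gaps in a run of sequence numbers. The messages, ledger entries and BICs are constructed; only the MT field layout follows the standard.

```python
"""Post-event and detective checks for CSCF Control 2.9 methods 3 and 4:
matching MT 900 debit confirmations against back-office records, and
checking FIN sequence numbers for gaps.

Added example, not code from the article or from SWIFT. The messages,
ledger entries and BICs are constructed; only the MT text-block layout
(:20:, :21:, :25:, :32A:) follows the standard.
"""
import re
from decimal import Decimal

# Constructed MT 900 confirmations as received from the correspondent.
# Blocks 1 and 2 are illustrative; the parser only reads block 4.
CONFIRMATIONS = [
    "{1:F01BANKNPKAAXXX0000000000}{2:O9000800240315CORRUS33AXXX00000000002403150800N}{4:\n"
    ":20:CONF001\n:21:PAY001\n:25:12345678\n:32A:240315USD250000,00\n-}",
    "{1:F01BANKNPKAAXXX0000000000}{2:O9000805240315CORRDEFFAXXX00000000002403150805N}{4:\n"
    ":20:CONF002\n:21:PAY002\n:25:98765432\n:32A:240315EUR995000,00\n-}",  # ten times the booked amount
    "{1:F01BANKNPKAAXXX0000000000}{2:O9000810240315CORRUS33AXXX00000000002403150810N}{4:\n"
    ":20:CONF004\n:21:PAY004\n:25:12345678\n:32A:240315USD480000,00\n-}",  # no such payment in the back office
]
# Back-office record of the outbound payments the institution believes it sent.
LEDGER = [
    {"ref": "PAY001", "currency": "USD", "amount": Decimal("250000.00")},
    {"ref": "PAY002", "currency": "EUR", "amount": Decimal("99500.00")},
    {"ref": "PAY003", "currency": "USD", "amount": Decimal("12000.00")},  # not yet confirmed
]

FIELD_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")


def parse_block4(msg: str) -> dict:
    """Return {tag: value} for the text block (block 4) of an MT message.
    Lines without a leading ':tag:' continue the previous field."""
    start = msg.index("{4:") + 3
    end = msg.index("\n-}", start)
    fields, tag = {}, None
    for line in msg[start:end].strip("\n").splitlines():
        m = FIELD_RE.match(line)
        if m:
            tag, value = m.groups()
            fields[tag] = value
        elif tag is not None:
            fields[tag] += "\n" + line
    return fields


def parse_32a(value: str):
    """Split a :32A: value (YYMMDD + currency + amount with comma decimal)
    into (date, currency, Decimal amount)."""
    m = re.fullmatch(r"(\d{6})([A-Z]{3})(\d+,\d*)", value)
    if not m:
        raise ValueError(f"malformed 32A field: {value!r}")
    date, ccy, amount = m.groups()
    return date, ccy, Decimal(amount.replace(",", "."))


def reconcile(ledger, confirmations):
    """Match every confirmation to a ledger entry by related reference (:21:).
    A confirmation with no ledger entry is the case Control 2.9 is most
    concerned with: the account was debited for a payment the institution
    never instructed. Amounts in 'mismatch' are returned as strings."""
    by_ref = {e["ref"]: e for e in ledger}
    result = {"matched": [], "mismatch": [], "unexpected": [], "unconfirmed": []}
    seen = set()
    for raw in confirmations:
        f = parse_block4(raw)
        ref = f.get("21", "")
        _, ccy, amount = parse_32a(f["32A"])
        entry = by_ref.get(ref)
        if entry is None:
            result["unexpected"].append(ref)
        elif (entry["currency"], entry["amount"]) != (ccy, amount):
            result["mismatch"].append((ref, ccy, str(amount)))
        else:
            result["matched"].append(ref)
        seen.add(ref)
    result["unconfirmed"] = [e["ref"] for e in ledger if e["ref"] not in seen]
    return result


def sequence_gaps(numbers):
    """Return the numbers missing between the lowest and highest seen, e.g.
    for the output sequence numbers of one FIN session."""
    present = set(numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


if __name__ == "__main__":
    for kind, refs in reconcile(LEDGER, CONFIRMATIONS).items():
        print(f"{kind:12s}{refs}")
    print("sequence gaps:", sequence_gaps([1001, 1002, 1004, 1005]))  # constructed OSNs
```

Of the four buckets, "unexpected" (PAY004) deserves the fastest escalation: the correspondent has debited the Nostro for an instruction that does not exist in the back office, which is the signature of a payment injected between the back office and the SWIFT interface. "mismatch" (PAY002, confirmed at ten times the booked amount) points at tampering with an instruction in transit, while "unconfirmed" (PAY003) is normally just timing and only matters once the end-of-day statement also lacks it.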

5. Independent Verification from Secondary Sources

Cross-referencing transaction data with secondary sources ensures data integrity and authenticates transaction legitimacy.

Best Practices:

  • Use third-party reports or secondary sources to cross-check transaction data.
  • Verify with both senders and recipients to confirm that the transaction details are correct, particularly for high-value or suspicious transactions.

Additional Measures

  • Restrict login attempts to operational hours specific to user roles, ensuring only authorized personnel can access systems at the appropriate times.
  • Implement controls to ensure that inbound transactions are within normal business limits and to prevent unexpected surges or irregularities.
  • Apply similar controls to other critical financial transactions, not just payments, to ensure comprehensive security across all areas.
  • Combine different control measures to strengthen security: methods 1 and 2 as preventive controls, method 4 as an online detective control, and methods 3 and 5 as post-event validation controls.

Control 2.9 serves as an essential layer of security for financial institutions, providing a framework to prevent unauthorized transactions and detect anomalies. By setting transaction limits based on "normal" business activity and combining real-time and post-event controls, institutions can greatly reduce their exposure to fraudulent transactions. In doing so, they also reinforce operational security, meet their compliance obligations and foster customer trust.

Prajeeta Parajuli

About Biz Serve IT

Biz Serve IT, Nepal’s top cybersecurity firm, is all about helping businesses boost their cyber defenses with our SWIFT CSP Assessments and a solid lineup of cybersecurity services. With over a decade of experience in Governance, Risk, and Compliance (GRC), we handle everything from ISO 27001 Certification and Security Audits to Vulnerability Assessment and Penetration Testing (VAPT). We’re here to make cybersecurity straightforward and effective, so you can focus on what you do best while we help keep your data safe and secure.