The funds of some participants in the Interbank Electronic Payments System (SPEI) were recently affected by a series of unprecedented cyberattacks. The Mexican Central Bank (Banxico) revealed that approximately $15 million (Ps300 million) had been involved in diverse irregular transfers, subject to investigation. Customer funds were not affected, as only financial intermediaries' accounts seem to have been targeted.
The SPEI is Banxico's payment infrastructure, which allows its participants (ie, banks, brokers, popular financial societies and other regulated financial entities) to exchange money through electronic transfers in real time. The route of SPEI transfers can be summarised as follows:
- A bank account holder generates an electronic instruction of payment to the relevant SPEI participant (the transferor).
- The transferor validates the instruction's diverse security elements.
- The transferor prepares the payment instruction given by its client, including additional security elements, and sends it to the SPEI.
- Banxico verifies the participants' e-signatures and initiates the process to pay the transferee.
- Involved participants are informed about the transfer's success. The transferee then places the funds in the end customer's account and informs Banxico of the relevant information to generate proof of the electronic payment.
The first cyberattack breaching the SPEI occurred on April 17 2018 and was followed by other attacks with the same modus operandi: cybercriminals diverted transfers ordered by SPEI participants to targeted accounts controlled by them and withdrew the funds in cash directly from bank branches. The cybercriminals had identified a flaw in the system that permitted receivers of SPEI transfers to withdraw cash almost immediately after receiving the transfer so that the money could not be traced.
Measures already in place
Before these cyberattacks, Banxico had already implemented diverse measures to strengthen the SPEI's cybersecurity. Operational rules for the SPEI are set out in Banxico's Rules 14/2017, which include several security requirements for SPEI participants and Banxico. The mandatory requirements include:
- assessing protocol communications;
- implementing means for detecting viruses or malicious codes;
- performing periodic updates;
- collecting and preserving evidence;
- evaluating and auditing technological infrastructure; and
- monitoring, auditing and tracking access and activities carried out by users of computer services.
These recent attacks show the importance of having systems in place which promptly identify system weaknesses and attacks so that operations are not disrupted or disruption is minimal. Further, it is equally important to have an effective communication system in place to address concerns from the public.
Lessons can be learned from all cyberattacks and these are no exception. Banxico immediately began to implement mitigation measures and has created a new cybersecurity division to avoid a similar situation in future.
Banxico also implemented a simple but effective measure to delay cash withdrawals of funds received through electronic transfers and thus allow more time for SPEI participants to verify transactions. Specifically, Banxico issued Rules 4/2018 and 5/2018, which provide that funds of Ps$50,000 (approximately $2,500) or more that are transferred may be withdrawn in cash or cashier's checks only on the business day following the transfer.
Despite the existence of a specialised and well-drafted regulation for implementing cybersecurity means and methods to protect Banxico's payment system, neither the SPEI nor any other electronic system will ever be bulletproof. Ex ante regulation of technologies is nearly impossible since technological advances significantly outpace laws and regulations. Thus, these risks may be mitigated through constant dialogue between regulators and IT engineers.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.