Electronic Funds Transfer:

Oversight of Critical Banking Systems Should Be Strengthened

IMTEC-90-14: Published: Jan 4, 1990. Publicly Released: Feb 21, 1990.


Contact:

Howard G. Rhile, Jr.
(202) 512-6418
contact@gao.gov

 


Pursuant to a congressional request, GAO assessed security measures for national and international electronic funds transfer systems, focusing on: (1) four Federal Reserve banks' security measures for the Federal Reserve Communications System (Fedwire); (2) the New York Clearing House Association's protective measures for its Clearing House Interbank Payments System (CHIPS); and (3) the Society for Worldwide Interbank Financial Telecommunication S.C.'s (SWIFT) security measures for its telecommunications system.

GAO found that risk assessments of the systems identified problems and concerns involving: (1) for Fedwire, unauthorized or excessive access to sensitive software or data, inadequate physical security provisions, lack of backup power supplies, lack of software review procedures, lack of a requirement to conduct periodic external security reviews, and incomplete use of recommended telecommunications security controls; (2) for CHIPS, the quality control group's performance of incompatible duties that should be performed by different units to reduce risks, lack of an independent internal audit function, and lack of complete external audit coverage; and (3) for SWIFT, internal audit independence, potential computer capacity problems, and system development problems with a planned replacement system. GAO also found that systems oversight was uneven, with: (1) the Federal Reserve Board not requiring periodic external security reviews of Fedwire; (2) regulatory agencies reviewing CHIPS operations on an invitational basis, since the New York Clearing House Association did not recognize their oversight authority; and (3) regulatory agencies not examining or overseeing the SWIFT system, since they were uncertain as to whether they had oversight authority.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: The Board has corrected 15 of the 17 weaknesses, does not agree with the remaining 2, and, therefore, will not take action on these recommendations. The Board has increased the emphasis of Fedwire security in its operational reviews, and each Reserve Bank's internal audit has performed a review of the system. GAO believes this recommendation should be closed.

    Recommendation: The Federal Reserve Board should: (1) ensure that Fedwire control weaknesses identified in this report have been satisfactorily corrected; (2) determine whether similar weaknesses exist at other Federal Reserve banks and correct those found; and (3) require annual external reviews of Fedwire to help ensure that the system maintains reliable and secure operations.

    Agency Affected: Federal Reserve System: Board of Governors

  2. Status: Closed - Implemented

    Comments: As part of a combined regulatory review of CHIPS operations in September 1990, FRS, OCC, and FDIC assessed actions taken by the New York Clearing House Association to implement the recommendations. According to an FRS official, the recommendations have been implemented.

    Recommendation: The Federal Reserve Board, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) should exercise their existing authorities to ensure the effectiveness of actions taken by the New York Clearing House Association to: (1) develop procedures for the separation of duties for testing, approving, and installing new computer programs; (2) establish and maintain a reporting structure that allows for an independent internal audit function; and (3) utilize external auditors on an annual basis to provide for more comprehensive audit coverage of CHIPS.

    Agency Affected: Department of the Treasury: Office of the Comptroller of the Currency

  3. Status: Closed - Implemented

    Comments: As part of a combined regulatory review of CHIPS operations in September 1990, FRS, OCC, and FDIC have assessed actions taken by the New York Clearing House Association to implement the recommendations. According to an FRS official, the recommendations have been implemented.

    Recommendation: The Federal Reserve Board, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) should exercise their existing authorities to ensure the effectiveness of actions taken by the New York Clearing House Association to: (1) develop procedures for the separation of duties for testing, approving, and installing new computer programs; (2) establish and maintain a reporting structure that allows for an independent internal audit function; and (3) utilize external auditors on an annual basis to provide for more comprehensive audit coverage of CHIPS.

    Agency Affected: Federal Deposit Insurance Corporation

  4. Status: Closed - Implemented

    Comments: As part of a combined regulatory review of CHIPS operations in September 1990, FRS, OCC, and FDIC assessed actions taken by the New York Clearing House Association to implement the recommendations. According to an FRS official, the recommendations have been implemented.

    Recommendation: The Federal Reserve Board, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) should exercise their existing authorities to ensure the effectiveness of actions taken by the New York Clearing House Association to: (1) develop procedures for the separation of duties for testing, approving, and installing new computer programs; (2) establish and maintain a reporting structure that allows for an independent internal audit function; and (3) utilize external auditors on an annual basis to provide for more comprehensive audit coverage of CHIPS.

    Agency Affected: Federal Reserve System: Board of Governors

  5. Status: Closed - Implemented

    Comments: The Board believes it is inappropriate for bank regulators to undertake the supervision of SWIFT when domestic banks primarily use SWIFT for telecommunication purposes. The Board will, however, continue to monitor banks' use of such systems and to consider whether further oversight action is appropriate. Because of these actions, GAO is closing this recommendation.

    Recommendation: The Federal Reserve Board should work with other central banks and bank supervisory authorities through, for example, the Bank for International Settlements, to ensure effective oversight and regulation of the SWIFT system and similar systems that serve the international banking community.

    Agency Affected: Federal Reserve System: Board of Governors

 
