After Russia’s invasion of Ukraine, a chorus of voices across the political spectrum demanded President Biden cut off Russia from the international SWIFT banking system. At first, Biden indicated our European allies aren’t ready to take that step. But EU countries relented, announcing SWIFT will expel certain Russian banks.
I worked with the SWIFT organization and systems when its member banks were under attack from North Korea’s Lazarus Group (aka Hidden Cobra). There are some key things people need to understand:
SWIFT is a private organization governed by its member banks. It operates under the laws of the EU and Belgium (where its HQ is located). While many US banks are members, the United States government has zero say in SWIFT operations.
Two US banks (Citi, PNC) sit on the SWIFT Board of Directors. One of the Board seats is held by a Russian bank (NCC). The board has 24 members, mostly European.
If SWIFT fully disconnects Russia, it will likely backfire, hurting Europe more than Russia. Many European companies do business with Russia and rely on SWIFT to receive payments, included loan repayments.
Russia prepared for this years ago. Since 2014 Russia has built its own bank messaging platform called SPFS as an alternative to SWIFT. Four hundred Russian banks and companies already use SPFS, as do some banks outside Russia.
We’ve seen this movie before, when Iran was cut off from SWIFT in 2012. Their economy took a temporary hit. But, like Russia, they quickly built their own electronic banking platform (SEPAM) as a workaround. If we disconnect Russia from SWIFT, it’s likely they would extend their SPFS network to pariah countries like Iran and North Korea.
SWIFT is the most secure international banking network, especially after the big investments it made in cybersecurity following the North Korean attacks. We need to keep SWIFT intact and strong. Pushing companies toward insecure alternatives isn’t desirable.
I abhor the Ukraine invasion. But keeping Russia as a whole in SWIFT, while surgically disconnecting Russian entities and individuals associated with Putin, is the right way to thread the needle.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.
Comments