Electronic Funds Transfer

Oversight of Critical Banking Systems Should Be Strengthened

GAO ID: IMTEC-90-14, January 4, 1990

Pursuant to a congressional request, GAO assessed security measures for national and international electronic funds transfer systems, focusing on: (1) four Federal Reserve banks' security measures for the Federal Reserve Communications System (Fedwire); (2) the New York Clearing House Association's protective measures for its Clearing House Interbank Payments System (CHIPS); and (3) the Society for Worldwide Interbank Financial Telecommunication S.C.'s (SWIFT) security measures for its telecommunications system.

GAO found that risk assessments of the systems identified problems and concerns involving: (1) for Fedwire, unauthorized or excessive access to sensitive software or data, inadequate physical security provisions, lack of backup power supplies, lack of software review procedures, lack of a requirement to conduct periodic external security reviews, and incomplete use of recommended telecommunications security controls; (2) for CHIPS, the quality control group's performance of incompatible duties that should be performed by different units to reduce risks, lack of an independent internal audit function, and lack of complete external audit coverage; and (3) for SWIFT, internal audit independence, potential computer capacity problems, and system development problems with a planned replacement system. GAO also found that systems oversight was uneven, with: (1) the Federal Reserve Board not requiring periodic external security reviews of Fedwire; (2) regulatory agencies reviewing CHIPS operations on an invitational basis, since the New York Clearing House Association did not recognize their oversight authority; and (3) regulatory agencies not examining or overseeing the SWIFT system, since they were uncertain as to whether they had oversight authority.

Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.