SIC5 – Instant payment of banks (InfoGuard Cyber Security Blog)

SIC5 – What you need to know about banks’ “instant payments”

Electronic payment systems have simplified cashless payments enormously and the next evolution in payments is already underway: “instant payments” reduce settlement processes to a matter of seconds. In this blog post, you will find out what opportunities and risks the planned introduction of the Swiss National Bank’s new SIC5 standard for payment traffic entails and what this means for you as a financial services provider. 

The first instant-payments solutions already exist – and you’re probably using them, for instance Twint. Up to 5,000 Swiss francs can be transferred instantly from cell phone to cell phone. But what most users don’t realise is that the money is only superficially transferred in real time. The banks of the parties involved make advance payments in the background. The beneficiary’s bank credits the beneficiary with the amount until it finally receives the money from the ordering party’s bank a day or two later.

Instant payments – new opportunities and risks in payment traffic

Instant payments will make payment transactions even more convenient in the future. Combine these with the Internet of Things (IoT) and various automated payment processes are imaginable: cars pay lease instalments on their own or machines instantly settle repair bills. A key concept within such visions is the “request to pay”, the modern way of asking for payment. Alongside such opportunities, however, the new technology also entails risks – especially fraudulent payments. Initial experiences show us that fraud has increased in all countries that have already introduced instant payments.

For instant payments to work with larger amounts and across national borders, both national clearing systems and banks’ infrastructures need to evolve. Instant payments have been implemented in EU countries since 2019 via SEPA and the PSD2 financial directive. In Switzerland, too, the acceleration of payment traffic is getting underway. The Swiss National Bank (SNB) is currently developing the Swiss Interbank Clearing System (SIC) so that the processing of instant payments will be possible from August 2024. Instant payments and the associated SIC5 payment standard are mandatory.

SIC5 – Swiss National Bank’s instant payment

SIC5 from the SNB is a payment system that makes it possible to transfer funds in near real time between banks in Switzerland and Liechtenstein. It is relevant to the financial industry because it increases the speed and efficiency of payments and enables banks to respond more quickly and reliably to their customers’ needs. The introduction of SIC5 will be phased. From August 2024, the largest Swiss banks must be capable of processing instant payments, with the remaining banks to follow by 2026.

SIC5 can be considered a real “game changer” as it fundamentally alters the way payments are made in Switzerland. It allows businesses and consumers to make payments in real time instead of having to wait several days or even weeks for payments to be processed. Today’s standard for domestic payments is the payment request with next-day execution. In addition, same-day transfers are possible with express payments. Instant payments provide significantly more speed: delays due to holidays and weekends are eliminated because instant payments are executed anytime – 24 hours a day, 365 days a year. The target transaction time is ten seconds.

The system behind SIC5

But how does this system work? SIC5 uses existing interfaces, such as SWIFT, for the transmission of messages between the participating banks. However, the existing infrastructure must be equal to the new challenges arising from 24/7 operation. Significant operational investments are to be expected here.

The SNB is the primary supervisory authority for the SIC5 system. At the same time, there is some interdependence with international regulatory standards and best practices. The SNB therefore regularly reviews whether the SIC5 system complies with the requirements of EU regulations in order to enable and ensure interoperability and the use of SIC5 in Europe.

Changes to the IT landscape and processes due to instant payments

As far as banks are concerned, the implementation of instant payments involves considerable effort. After all, financial institutions sometimes have to make extensive and complex changes to infrastructure, applications and core banking systems, as well as internal processes, in order to offer instant payments (IP) to customers. On the one hand, new functional requirements for IP have to be implemented, for example in the form of the connection to SIC5 with the associated communication protocol (including security framework, message types, and changes to the risk and compliance screening processes). On the other, the underlying systems on the banking side have to meet stricter non-functional requirements, as transactions are processed within a very short time and 24/7/365 availability has to be ensured.

These fundamental requirements will result in changes affecting a majority of systems in a financial institution’s IT landscape, as well as changes to operational processes that impact multiple business units. Most of the functions that need to be customised for IP are relevant for both outgoing and incoming payment processing. For example, both cases require the same level of support for the SIC5 protocol and the required real-time postings and risk and compliance checks.

Thus, SIC5 has far-reaching implications for architecture, processes, technologies and also (cyber-security) controls, as it fundamentally changes the way payments are processed. We have summarised the most important points for you:

Rapid processing

  • Implementation of new communication protocols to enable real-time payments.
  • Set-up and establishment of contingency procedures to respond quickly to outages and disruptions (e.g. zero downtime, 365/24/7 operation).

High performance

  • Use of systems and databases with high availability and performance to ensure that payments can be consistently processed in real time (e.g. 24/7 execution, a higher number (frequency) of payments, payment sizes).

Risk and liquidity management

  • Review of accounts from which payments originate to ensure adequate coverage.
  • Review of banks’ liquidity to ensure that they are in a position to make payments.
  • Adjustment of risk management systems and processes to ensure that banks are able to adequately manage risks.
  • Implementation of mechanisms for detecting and responding to security threats.
  • Introduction of blockchain technology to increase transparency and security.
  • Introduction of machine-learning technology to automate security processes and detect threats.

Compliance

  • Verification of the authenticity of payment instructions to ensure that they originate from a trusted source.
  • Monitoring and review of compliance with regulatory requirements for SIC v5 IP (e.g. SNB).

Technological modifications

  • Introduction of two-factor authentication to ensure security of online payments.
  • Implementation of security protocols such as TLS/SSL to protect data transmission and ensure the authenticity of payment instructions.
  • Guaranteeing availability and performance.
  • Introduction of appropriate interfaces such as APIs (application programming interface) to enable interoperability with other systems and services.

Because the customisations required for a smooth implementation of IP capability render this a complex undertaking, it quickly becomes clear that a project of this magnitude involves a significant throughput. A rapid analysis is needed to be IP-ready by 2024. Given the number and complexity of changes – technical, organisational and procedural – an overview of the interventions aimed at IP-readiness is needed immediately. Assuming SIC5 availability and an IP go-live in 2024, there is an immediate need to act, and it makes sense to take important decisions now so that the start of such a transformation project can be scheduled in time.

Act in time for your SIC5-readiness

Based on the recommendations on endpoint security for large-value payment systems issued by the Bank for International Settlements (BIS), the SNB has developed new requirements that apply to all SIC participants.

The “Endpoint Security in the SIC System” – Version 2024 (1.00 dated 5 October 2022) framework defines a set of binding, i.e. mandatory and partly recommended, security measures for the participants in the SIC network. These serve to establish basic end-to-end protection. Recommended measures are based on best practices and should be considered when possible. Compliance must be verified annually by an independent body as part of a “self-attestation”. This can be either an internal control body (e.g. internal audit; risk or compliance manager) or a qualified external service provider (e.g. InfoGuard).

InfoGuard provides support in the various phases – from consulting, planning and design, through continuous development and optimisation, to protection and review of the SIC infrastructure (technical, organisational and process-related). In addition, we offer a dedicated “SIC Assessment” to check compliance with the measures defined in the framework. This can be done on its own or, given the close relationship with SWIFT compliance, in combination with a SWIFT CSCF Assessment.

SIC5 is coming – don’t wait until 2024! 

IP for banks will soon also become a reality in Switzerland, and developments in other countries show that customers will quickly accept and demand this as the “new normal”. For banks, SIC5 readiness means a comprehensive transformation to their IT landscapes and processes. It is therefore important to decide promptly on a strategy for the introduction of IP and to actively use the design space to clean up the structures and technical “legacy”. Partners like InfoGuard can actively support you in this process – we look forward to your inquiry.

About the author / Reinhold Zurfluh

InfoGuard AG - Reinhold Zurfluh, Head of Marketing, member of the management staff
