01 June 2018
The funds of some participants in the Interbank Electronic Payments System (SPEI) were recently affected by a series of unprecedented cyberattacks. The Mexican Central Bank (Banxico) revealed that approximately $15 million (Ps300 million) had been involved in diverse irregular transfers, subject to investigation. Customer funds were not affected, as only financial intermediaries' accounts seem to have been targeted.
The SPEI is Banxico's payment infrastructure, which allows its participants (ie, banks, brokers, popular financial societies and other regulated financial entities) to exchange money through electronic transfers in real time. The route of SPEI transfers can be summarised as follows:
The first cyberattack breaching the SPEI occurred on April 17 2018 and was followed by other attacks with the same modus operandi: cybercriminals diverted transfers ordered by SPEI participants to targeted accounts controlled by them and withdrew the funds in cash directly from bank branches. The cybercriminals had identified a flaw in the system that permitted receivers of SPEI transfers to withdraw cash almost immediately after receiving the transfer so that the money could not be traced.
Before these cyberattacks, Banxico had already implemented diverse measures to strengthen the SPEI's cybersecurity. Operational rules for the SPEI are set out in Banxico's Rules 14/2017, which include several security requirements for SPEI participants and Banxico. The mandatory requirements include:
These recent attacks show the importance of having systems in place which promptly identify system weaknesses and attacks so that operations are not disrupted or disruption is minimal. Further, it is equally important to have an effective communication system in place to address concerns from the public.
Lessons can be learned from all cyberattacks and these are no exception. Banxico immediately began to implement mitigation measures and has created a new cybersecurity division to avoid a similar situation in future.
Banxico also implemented a simple but effective measure to delay cash withdrawals of funds received through electronic transfers and thus allow more time for SPEI participants to verify transactions. Specifically, Banxico issued Rules 4/2018 and 5/2018, which provide that funds of Ps50,000 (approximately $2,500) or more that are transferred may be withdrawn in cash or cashier's checks only on the business day following the transfer.
Despite the existence of a specialised and well-drafted regulation for implementing cybersecurity means and methods to protect Banxico's payment system, neither the SPEI nor any other electronic system will ever be bulletproof. Ex ante regulation of technologies is nearly impossible since technological advances significantly outpace laws and regulations. Thus, these risks may be mitigated through constant dialogue between regulators and IT engineers.
For further information on this topic please contact Federico de Noriega or Rodrigo Mendez Solis at Hogan Lovells BSTL by telephone (+52 55 5091 0000) or email (firstname.lastname@example.org or email@example.com). The Hogan Lovells website can be accessed at www.hoganlovells.com.