Banxico Reinforces Security Rules to Operate in the SPEI

 Banco de Mexico (Banxico) published on Friday new measures to be implemented by financial institutions that use the Interbank Electronic Payment System (SPEI) to reinforce policies and controls on transfers of funds; this after the theft of some 300 million pesos that suffered five institutions because of a cyber attack. In a statement, the central institute stressed that it has determined to establish additional obligations to the participants of the SPEI such as improving response schemes for possible risks and having a full identification of operations, particularly when dealing with transfers to companies that may allow the exit of resources from the financial sector towards virtual assets.

As well as having protocols and procedures that document the measures and actions to be taken in the event that cybersecurity risks materialize in its technological infrastructure, in its electronic channels and in the technological infrastructure provided by third parties that could affect the operation of the financial institution in the SPEI.

Participants must establish and implement tests of trust and integrity to their personnel, as well as to third parties that provide information and communication technology services, that have access to information and systems relevant to their operation with the SPEI,” said the Banxico.

In addition, financial institutions must designate an information security officer responsible for the design, implementation and verification of cybersecurity risk prevention policies, as well as the implementation of corrective measures before the materialization of these risks that could affect the operation of the institution in the SPEI.

Banxico pointed out that in addition to these circulars, requirements were established to strengthen the elements of security in the provision of funds transfer services to those customers or companies that offer the exchange or purchase of virtual assets. Among these are: identify those accounts belonging to this type of clients in order to be able to implement additional validations prior to the accreditation of funds from funds transfers through the SPEI.

He added that those participants in the SPEI that carry accounts on behalf of the clients indicated must pay the corresponding resources to the money transfer orders they receive, on the business day following their reception, until they have the authorization of the Bank of Mexico, as administrator of SPEI, to carry out in different terms, additional validations that have as purpose to ensure the legitimacy of said orders.

In addition, they must refrain from making available to this type of client the resources corresponding to the transfer orders they receive, on the same day they are received, in those cases in which the Bank of Mexico issues warnings of possible attacks on the technology infrastructure of the Bank system.

The accounts that SPEI participants bring to this type of company must be open money deposit accounts open only to those financial institutions authorized to offer them (credit institutions, popular financial corporations, community financial societies and savings and loan cooperatives). loan), he added.

He pointed out that they must also refrain from providing accounts to these companies with the purpose that these are, in turn, assigned to clients for the transfer of resources destined to the purchase of virtual assets.