Like many financial services organizations around the world, Crédit Mutuel Arkéa is a member of a cooperative known as SWIFT, which is the secure way of transmitting financial messages relating to securities, treasury and trade.
In 2020, SWIFT introduced additional mandatory and advisory security controls. At the same time, its standards were raised as they increasingly reflected Payment Card Industry (PCI) Data Security Standard requirements. Assessments based on the SWIFT assurance framework needed to be completed by 2021.
The process of auditing myriad security controls can be both time- and labor-intensive, and the outbreak of the COVID-19 pandemic only added to the workload that Crédit Mutuel Arkéa would face.
“Regulation is getting stronger and stronger everywhere in the world,” said Gildas Guillerm, the firm’s head of development and relations department. “We decided to look at the regulations as an opportunity to innovate and enhance the value we offer to B2B partners and our internal stakeholders.”
To validate that it had successfully aligned its controls based on the SWIFT assurance framework, Crédit Mutuel Arkéa turned to Verizon, which acted as an independent auditor.
This included working closely with the Crédit Mutuel Arkéa team to analyze the scope, effectiveness and maturity level of its controls based on the SWIFT assurance framework. It also required collecting data and conducting interviews.
The auditing process Verizon offers as part of its Payment Security Programs services helps organizations like Crédit Mutuel Arkéa identify security controls that aren’t fully documented, as well as any potential vulnerabilities or key risk areas where they might have to make improvements.
“This kind of assessment is very strict. If you can validate every point, you are compliant. If not, you’re not compliant,” said Jacques Bodilis, Crédit Mutuel Arkéa’s head of the IT risks and projects department within the operations and technologies division. “The result is 0% or 100%. It’s not a sure thing that a company succeeds. If they are found noncompliant, they have to start back at square one and undergo infrastructure upgrades.”
Crédit Mutuel Arkéa not only avoided that fate but enjoyed a positive customer experience that included:
Adaptability amid unexpected constraints
It’s important to have a close relationship with your auditor and regularly meet to discuss the status of an assessment, Bodilis said. However, the pandemic threatened to make that far more difficult than usual. “Normally, some of these status meetings are done face to face. Naturally, this was impossible due to the pandemic and all meetings took place virtually,” he said. “Thanks to Verizon, this all worked very well, and the assessment was not delayed.”
A timely, six-month process
An independent assessment such as the one SWIFT requires can take up to 6 months to complete. The amount of time is based on the breadth and depth of the audit, as well as how data is stored and all the access requirements involved.
With its experience in providing similar audits for Crédit Mutuel Arkéa around payment card industry (PCI) security standards, however, Verizon was able to get the work done in less than six months.
“Verizon has made it possible to go faster, to help in transversality and to make internal discussions much more fluid,” Guillerm said.
Knowledge transfer to benefit the entire team
“Verizon has helped us improve our security maturity level by going in-depth during evidence collection and review,” Bodilis said.
Verizon also helped educate a wide range of Crédit Mutuel Arkéa stakeholders on the process, from senior consultants and project managers to those who were new to the SWIFT assurance framework.
“The methodology applied by Verizon, based on an extensive collaboration, has been of value and brought our teams up to speed on SWIFT CSP compliance,” he said.