Summary: Pursuant to a congressional request, GAO assessed security measures for national and international electronic funds transfer systems, focusing on: (1) four Federal Reserve banks' security measures for the Federal Reserve Communications System (Fedwire); (2) the New York Clearing House Association's protective measures for its Clearing House Interbank Payments System (CHIPS); and (3) the Society for Worldwide Interbank Financial Telecommunication S.C.'s (SWIFT) security measures for its telecommunications system.
GAO found that risk assessments of the systems identified problems and concerns involving: (1) Fedwire's unauthorized or excessive access to sensitive software or data, inadequate physical security provisions, lack of backup power supplies, lack of software review procedures, lack of a requirement to conduct periodic external security reviews, and incomplete use of recommended telecommunications security controls; (2) the CHIPS quality control group's performance of incompatible duties that should be performed by different units to reduce risks, lack of an independent internal audit function, and lack of complete external audit coverage; and (3) the SWIFT system's internal audit independence, potential computer capacity problems, and system development problems with a planned replacement system. GAO also found that systems oversight was uneven, with: (1) the Federal Reserve Board not requiring periodic external security reviews of Fedwire; (2) regulatory agencies reviewing CHIPS operations on an invitational basis, since the New York Clearing House Association did not recognize their oversight authority; and (3) regulatory agencies not examining or overseeing the SWIFT system, since they were uncertain as to whether they had oversight authority.