Payment flow security at Royal FloraHolland

With a complex landscape consisting of two SAP systems and several banks, the choice was made to implement SWIFT’s Alliance Lite 2 functionality.

This new standardized approach to bank connectivity has enabled Royal FloraHolland to connect with new banks, and in addition, the embedded payment approval workflow within AL2 provides the opportunity for Royal FloraHolland to carry out a final control before releasing payment and collection files to their partner banks. Unfortunately, this final control process was highly dependent on manual activities, where files were retrieved from folders within SAP environments and subsequently uploaded into AL2. Despite these payment and collection files being authorized after being uploaded into AL2, the fact that they are downloaded to a user’s personal desktop has always been a risk from an audit and control perspective. Royal FloraHolland wanted to mitigate the risk of human error and remove the vulnerability of the files in transit.

Considerations
After carrying out a short assessment of available solutions on the market, ranging from payment hub providers to full blown SWIFT Service Bureaus, Royal FloraHolland decided to explore options towards developing a solution in house. This was motivated by the fact that Royal FloraHolland had already invested in a generic bank connectivity solution. Their requirements were simple; namely that payment and collection files must be transferred to AL2 in a secure manner without any human intervention. In this context, the minimum security requirements must not allow following:

• Files to be manipulated in the transit between SAP and AL2
• The injection of files from sources other than the (production) SAP system

Solution
SWIFT Autoclient is a SWIFT solution that allows clients to automatically upload/download files to/from AL2. Royal FloraHolland was already using Autoclient to automatically download their bank statements from AL2, however they were not currently leveraging on the automatic file upload capabilities offered by Autoclient. When using the upload functionality, there are a few things that should be considered.

Firstly, it is important to consider the vulnerability of files in transit. Autoclient uploads files automatically to SWIFT AL2 once they are placed in the configured source directory. To avoid the risk of processing files that have either been manipulated or have originated from a non-trusted source system, Autoclient offers the option to secure files using LAU (Local Authentication). This method ensures a secure transfer of (payment) files between backend applications and Autoclient by calculating an electronic signature over the file. This signature is then transferred together with the file to Autoclient and verified. Only files that have been successfully verified will be transferred into AL2. This method requires a symmetric key infrastructure, whereby the secret key used to calculate the electronic signature is the same key used to verify the signature, meaning there is a requirement to maintain the secret key in both the source (SAP) application and in Autoclient. Since this deviates from SAP standard functionality, a bespoke development was required, alongside the additional logic to calculate the LAU signature.

Secondly, the routing of outgoing payment files needs to be managed. When uploading payment files to AL2 there is a requirement to transfer the relevant parameters for FileAct traffic. Normally, this can be achieved by using the Autoclient configuration options, however, when using LAU, SWIFT recommends its customers to provide the FileAct parameters together with a payment file. To fulfil this requirement a transaction was built in SAP to maintain these parameters. A clear advantage of this transaction is that the connection to new partner banks can now be managed fully via configuration in the SAP systems. There is no immediate requirement for further updates in Autoclient or AL2 as the parameter files supplied already contain all required routing information.

A third hurdle to overcome is the approval workflow within AL2. By default, AL2 will deliver files that are uploaded via Autoclient directly to partner banks. Any verification and authorization steps in AL2 will be bypassed. Royal FloraHolland wanted an additional authentication workflow to be active in AL2, which included files uploaded via Autoclient. As this requirement deviates from the standard functionality offered by AL2, a change request was raised to SWIFT, who developed and implemented this logic.

Implementation
The new solution was developed such that there was no impact on the existing file transfer process. This allowed Royal FloraHolland to perform a dry run in the production system using a limited number of payments, to ensure that the new solution is working as designed.

Conclusion
Royal FloraHolland is now running their payments and collections in an automated way. Not only has this reduced the workload burden for the AP department but has increased confidence that payments arriving in AL2 are from a trusted source.