by PeterisP 1870 days ago
SWIFT is essentially a system for structured authenticated bank-to-bank messages in which pretty much every worldwide financial institution participates - in some ways a glorified email (though with structured fields), but with sufficient security assurances that if you get a message claiming to be from the First Bank of Nigeria (FBNINGLA) "pls do XYZ with USD 100 million kthxbye" then you would actually consider it to be sufficient authorization to execute that request. You still might wait until actually getting that money from them though before passing it on, counterparty risk is a thing, but you can assume that it's actually from them and whoever is sending has the authority to act on their behalf for huge amounts of money.

If Russian institutions can't participate, it means a disconnection for the majority of international financial communications, preventing Russian banks from directly interfacing with all the thousands of banks worldwide - they will have to establish a bilateral communications protocol with some specific partners/correspondent banks (perhaps they have something arranged already) and have someone else handle the international transactions on their behalf. That's not totally devastating, but a pain in the butt, extra expenses, extra delays and extra risk for all those transactions.

1 comments

>you can assume that it's actually from them and whoever is sending has the authority to act on their behalf for huge amounts of money

Google "epic bangladesh swift fraud"...I believe they got away with over $80M.

Yes, that particular case was one of what I had in mind as one of many valid examples, it's the largest one but there are many others.

The receiving institution(s) could safely assume that the message is actually from Bangladesh Bank and whoever was sending them has the authority to act on their behalf even if it was not true. If Bangladesh Bank allowed hackers to send messages in their name, they are still fully responsible for their content, the recipient does not necessarily have to verify anything (for a counterexample, consider the legal risks involved with not verifying who has the authority to sign for a large international contract) unless a specific bilateral contract specifies that - like in the Bangladesh 80M case, there's no blame or risk placed on the message recipient/executor (Federal Reserve Bank of New York), they had the right to assume that the orders were from Bangladesh Bank, and all the losses from that case were solely on the Bangladesh Bank. In all the major cases there have been lawsuits or threats of them - because why not try - but the general precedent is that those lawsuits fail and the recipient is reasonably safe to make that assumption.

In a similar manner, if the SWIFT infrastructure itself was hacked and fraudulent messages inserted (this has not ever happened AFAIK), you still can assume that the messages are valid, and that in that case the liability (insured!) for any losses would be on SWIFT.