Overview
The SWIFT Customer Security Programme (CSP) and its Customer Security Controls Framework (CSCF) establish mandatory and advisory security controls for all organizations connected to the SWIFT network. Updated annually, the CSCF v2024 includes 25 mandatory and 7 advisory controls across three objectives: Secure Your Environment, Know and Limit Access, and Detect and Respond. Every SWIFT-connected institution must self-attest to compliance annually through the KYC-Security Attestation (KYC-SA) application, and independent assessments have been mandatory since 2021.
Architecture Types and Applicability
| Architecture | Description | Control Scope |
|---|---|---|
| A1 | User owns and operates SWIFT infrastructure on-premises | Full scope of mandatory controls applicable to the secure zone and operator PCs |
| A2 | User accesses SWIFT through a service provider (e.g., service bureau) but still has local components | Controls focus on the local environment and connections to the service provider |
| A3 | User accesses SWIFT entirely through a service provider's connector | Reduced control scope focused on back-office application security and general IT environment |
| A4 | User accesses SWIFT through a service provider without any local SWIFT footprint | Minimal set of controls focused on general cybersecurity practices |
| B | Customers using SWIFT through a third-party application managed by the third party (no direct SWIFT access) | Controls focus on securing the connection to the third-party application |
Three Security Objectives
Objective 1 (Secure Your Environment) focuses on restricting internet access, segregating the SWIFT environment from the general IT infrastructure, reducing the attack surface, and physically securing the environment. Key controls include restricting internet access in the secure zone, hardening operating systems and database platforms, and ensuring operator PCs are secured and dedicated. Objective 2 (Know and Limit Access) covers managing identities and credentials, implementing multi-factor authentication, and controlling operator access and privileges. Objective 3 (Detect and Respond) covers malware protection, log management, intrusion detection, and incident response planning.
Mandatory Controls Checklist
- Restrict internet access from the secure zone and protect it from the general IT environment
- Segregate the SWIFT infrastructure within a secured zone separate from the broader IT network
- Implement operating system and database hardening on all SWIFT-related components
- Secure operator PCs used to access SWIFT with endpoint protection and restricted configurations
- Manage identities and limit access based on the principle of least privilege
- Enforce strong password policies and credential management for all SWIFT-related accounts
- Implement multi-factor authentication for all interactive sessions to SWIFT infrastructure
- Deploy anti-malware solutions on all SWIFT-related systems with regular updates
- Ensure software integrity of SWIFT-related applications and verify against known good states
- Implement logging and monitoring on all systems within the SWIFT secure zone
- Develop and maintain an incident response plan specific to SWIFT-related scenarios
- Conduct security awareness training for all SWIFT operators and administrators
- Conduct vulnerability scanning and penetration testing of the SWIFT environment regularly
Independent Assessment Requirements
Since 2021, SWIFT requires all self-attestations to be supported by an independent assessment. The assessment can be performed by an internal audit function that is independent from the first and second lines of defense, an internal security team independent of the SWIFT operations team, or an external security assessment firm. The assessor must evaluate compliance against each applicable mandatory control and document findings. The assessment results are submitted through the KYC-SA application and are visible to your counterparties, creating transparency and accountability across the SWIFT community.
Attestation Timeline and Non-Compliance
The annual attestation cycle typically runs from July to December, with the attestation due by year-end. Organizations must attest against the current year's CSCF version. Late or missing attestations are flagged to counterparties and local regulators. SWIFT reports non-compliant institutions to their national regulators and supervisory bodies. Counterparties can view your attestation status and may restrict or decline transactions with non-compliant institutions. In practice, non-compliance can result in increased scrutiny from regulators and deterioration of correspondent banking relationships.
Frequently Asked Questions
How often is the CSCF updated?
SWIFT updates the CSCF annually, typically publishing the new version in the first half of the year with attestation against the updated version required by year-end. Changes generally include new mandatory controls (some previously advisory controls become mandatory), updated guidance, and alignment with emerging threats. Organizations should review changes early in the year to allow time for implementation.
What happens if we fail the independent assessment?
If the independent assessment identifies non-compliant controls, you must document a remediation plan and timeline. You can still submit your attestation reflecting the non-compliant status, but this is visible to your counterparties. SWIFT expects non-compliant institutions to remediate findings promptly and may escalate persistent non-compliance to regulators.
Can a service bureau attest on our behalf?
Service bureaus attest for the controls they are responsible for under their own architecture type. However, as the SWIFT user, you are still responsible for attesting to the controls applicable to your local environment and back-office applications. You cannot delegate your full attestation responsibility to a service bureau.
Which architecture type applies to our organization?
Your architecture type depends on how you connect to SWIFT. If you operate your own SWIFT infrastructure (Alliance Lite2, Access, or Gateway), you are typically A1. If you use a service bureau for connectivity but maintain local components, you are A2 or A3. If you access SWIFT entirely through a third party with no local SWIFT footprint, you are A4 or B.
How does CSCF relate to other compliance frameworks?
CSCF controls overlap significantly with ISO 27001, NIST CSF, and financial sector regulations like MAS TRM and RBI guidelines. Organizations already certified to ISO 27001 or compliant with NIST CSF will find that many CSCF mandatory controls are already addressed. However, CSCF has specific requirements around SWIFT secure zone segregation and operator PC hardening that are unique to the SWIFT environment.
