SWIFT Customer Security Program

Compliance deadline: 31 December 2022

In response to cybersecurity challenges, SWIFT has established a complex set of rules and requirements comprising 23 mandatory and 9 recommended controls for SWIFT users.

Resilience to cyber-attacks

In order to standardize the management of cyber security and operational risks, SWIFT has introduced the Customer Security Program (CSP), a framework that helps SWIFT users to establish and maintain an information security control environment for their SWIFT system. It covers control areas similar to those of well-known information security frameworks (e.g. ISO 27001, NIST CSF), but also includes controls related to key-links, back-office encryption or even employee due diligence.

Starting in 2021, self-audit will no longer be sufficient for demonstrating compliance with the requirements. Instead, an independent audit will be necessary to confirm that the necessary controls have been properly designed and implemented.


What is an independent investigation?

There are two main types of independent audits:

  1. By an external, independent party - compliance can be verified by an independent, external party with appropriate information security experience and expertise, e.g. CISA qualification.
  2. An independent internal audit - compliance with SWIFT controls can be verified by the SWIFT user's second or third line of defense, e.g. the compliance department or internal audit team, if they have the appropriate information security expertise and are truly independent in terms of organization.

A risk assessment report of the independent review should be produced, listing the areas of controls that do not meet SWIFT CSP requirements and management's intended action in this regard.


What happens if I do not carry out the independent review?

If the independent review is not conducted and submitted to SWIFT by the end of 2022, SWIFT will report the noncompliance to the regulatory authority, the MNB in Hungary.


How can Deloitte help?

At Deloitte, we are committed to supporting our clients through the independent review process. This includes identifying and summarizing any deficiencies, making recommendations for remediation, and verifying improvements. We also provide guidance on industry best practices and offer practical implementation suggestions while upholding the principles of independence. By entrusting us with the internal audit process, our clients can be assured of a thorough and efficient review.


Want to know more about our program?

For more information, please download our SWIFT Customer Security Program leaflet.

SWIFT Customer Security Program 2022 Leaflet

Get in touch with our experts

Zoltán Szöllősi



Zoltán is a Partner responsible for leading the IT Risk & Control and Internal Audit service line at Deloitte Hungary. He has been performing and managing audit and advisory projects for over 19 years...

Balázs Agárdy



Balázs Agárdy is a Manager in the Deloitte Hungary IT Risk Advisory practice. He has more than 6 years of Big4 experience in information security and IT audit. His area of expertise includes security review...