Are you ready to comply with SWIFT’s new Customer Security Programme requirements?

New requirements and changes come into force in July 2022. Compliance is expected by December 2022, in line with SWIFT’s expectation for organisations to support self-attestation through independent assessments.

SWIFT’s updated Customer Security Controls Framework (CSCF) v2022, released in July 2021, comes into force this summer, with new mandatory and advisory controls together with other changes added to SWIFT’s growing control framework. Participants in the SWIFT ecosystem are expected to comply with the new CSCF between July and December 2022.

As implemented last year, CSCF self-attestation exercises must be supported by an independent assessment. Such independent assessments are usually conducted by functions independent from the first line of defence within an organisation (e.g., internal audit, risk, and compliance functions), provided that such functions have the requisite competencies, or are outsourced to specialised external advisors.

In this article, we look at the most significant changes that were made to the CSCF and how they impact your controls review and overarching cybersecurity maturity.

Some context on the SWIFT Customer Security Programme

The SWIFT Customer Security Programme (CSP) was created to raise the bar of cybersecurity for participants in the SWIFT ecosystem and the wider financial services industry, following a series of sophisticated cyber attacks on SWIFT users. The CSP establishes a common set of security controls known as the Customer Security Controls Framework (CSCF), which is designed to foster a more secure financial ecosystem and ensure secure local environments for customers.

SWIFT CSP Independent Assessment in 2022

The SWIFT CSCF has gradually evolved over the span of a few years, from a coverage of 27 controls in 2017 to 32 controls in 2022. Typically, new framework releases allow for an 18-month window for participants in the SWIFT ecosystem to comply with the requirements. This means that the new version (i.e., v2022) of the CSCF, which was released in July 2021, should be complied with between July and December 2022.


Changes introduced in the SWIFT CSCF 2022

SWIFT’s CSCF v2022 introduces a number of new requirements, namely:

1. New ‘mandatory’ control

2.9 Transaction Business Controls

This set of controls, which focuses on detecting and preventing fraudulent outbound transaction activities, has become mandatory in CSCF v2022. The new requirements steer businesses to ensure SWIFT transactions are limited to those that support business-as-usual activities, and to restrict SWIFT transactions outside of customer-defined amount limits.


2. New ‘advisory’ control

1.5A Customer Environment Protection

This new control, which focuses mainly on the A4 architecture type, aims to strengthen the security of file transfer solutions or middleware systems, called customer connectors, used for SWIFT communication, by ensuring such communication takes place within customer secure zones. This is a new advisory control that will become mandatory in the CSCF v2023.


3. Significant ‘mandatory’ scope increase for A4 architecture

The customer connector is now a mandatory component for the A4 architecture type. A significant number of controls (i.e., 1.2, 1.3, 1.4, 2.2, 2.3, 2.6, 2.7, 3.1, 4.1, 4.2, 5.1, 5.4, 6.1, and 6.4) need to be assessed for the customer connector at application level and for the underlying operating system and virtual platform to ensure fulfilment of the relevant controls’ objectives.


4. Other scope changes added as ‘mandatory’

1.2 Operating System Privileged Account Control

The scope of this control has been increased to restrict access to administrator-level operating system accounts defined in dedicated operator PCs and network devices, protecting the secure zone for all architectures.


5. Other scope changes added as ‘advisory’

1.2 Operating System Privileged Account Control

The scope of this control has been increased to restrict access to administrator-level operating system accounts defined in general-purpose operator PCs for all architectures.

6.2 Software Integrity and 6.3 Database Integrity

The scope of these controls has been increased to ensure software and database integrity.


6. Consistency updates, clarifications, and other changes

Several updates, clarifications, and other changes were introduced to controls, including 1.2 Operating System Privileged Account Control, 2.1 Internal Data Flow Security, 2.6 Operator Session Confidentiality and Integrity, 4.2 Multi-Factor Authentication, 5.1 Logical Access Control, 5.4 Physical and Logical Password Storage, and 7.2 Security Training and Awareness.

How can we help?

SWIFT CSP independent assessment

Deloitte have created a tailor-made methodology based on the extensive experience we have with this type of assessment. The methodology and our experience can support your organisation to be compliant with SWIFT CSP requirements and ensure that your staff will need to invest only the minimum necessary time.

Support on building SWIFT infrastructure or changes to existing infrastructure

We can support your organisation in efforts to build SWIFT infrastructure from scratch or support you in changing your existing SWIFT infrastructure. Our centre of excellence has extensive experience in advising clients with SWIFT infrastructure. Based on the hundreds of infrastructures we have had a chance to work with, we are very well-positioned to support you in making the right decisions regarding your infrastructure and how to best fulfil the SWIFT CSP requirements.

Moving the SWIFT infrastructure to cloud

Cloud computing is another trend in relation to SWIFT infrastructure. We have extensive experience in advising our clients on moving their SWIFT infrastructure to the cloud and utilising its benefits to the fullest extent possible.
