Delivering Swift Community Standard Assessments

DON'T MISS THE DEADLINE!

  • 00Days
  • 00Hours
  • 00Minutes
  • 00Seconds
SWIFT CSP

About SWIFT CSP

The SWIFT Customer Security Programme (CSP) is a is a mandatory control framework for any companies that use SWIFT. It came about as a result of the significant threat that cyber-attacks and breaches have posed to payments institutions and the global financial community as a whole. The purpose of SWIFT CSP is to improve cybersecurity by offering mandatory security standards and discretionary controls designed to prevent fraudulent activity and keep SWIFT transactions and payments secure. It is backed by the financial service regulatory bodies and controls are aligned with international security standards such as NIST Cybersecurity Framework, ISO 27001:2013 and PCI DSS.

Is your company affected by SWIFT CSP?

All SWIFT members are affected. Among the financial institutions obliged to comply to the Customer Security Programme (CSP) are:

 

  • Banks
  • Brokerage institutes and trading houses
  • Securities dealers
  • Asset management companies
  • Clearing houses
  • Depositories
  • Exchanges
  • Corporate business houses
  • Treasury market participants and service providers
  • Foreign exchange and money brokers
What are your obligations?

Firstly, any company that participates in SWIFT must annually attest compliance to the SWIFT Security Control Framework which contains mandatory and advisory controls. Secondly, these companies must now have this annual attestation independently assessed. Independent assessment requirement is in force since 31 December 2021.

Who can conduct the independent assessment?

The SWIFT CSP assessment must be completed independently. This means either by a third line of defence (such as an audit department), or externally through an independent assessor. SWIFT has published a list of the service providers, follow the link below:

CSP Assessment providers directory

 

SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory and SWIFT customers are not required to use providers listed in the directory.

 

What is the deadline and how regularly must assessments be conducted?

The deadline for the assessment is the 31st of December each year, this is an annually recurring activity. SWIFT attestation is required to be supported by independent assessment in order to be compliant of your obligation. An independent assessment can be relied upon for 2 years this is subject to: which CSCF version the assessment was performed against;  control conclusion was supporting and can be relieved upon;  control has not been updated ; same design and implementation and environment.  Please contact us for further details. The SWIFT portal opens for submission on 1st July.

What are the consequences of non-compliance?

An independent SWIFT CSP assessment is a legal requirement according to the terms and conditions of the SWIFT agreement. Additionally, any SWIFT participant company that has not submitted their independent assessment by 31 December will be considered non-compliant by the local regulator. Non-compliance typically results in the regulator requesting additional reporting and can trigger non-compliance in other scheme’s such as CHAPS. Non-compliance is also visible to counterparties in the SWIFT KYC tool.