The SWIFT Customer Security Programme (CSP) is a mandatory control framework for any company that uses SWIFT. It came about as a result of the significant threat that cyber-attacks and breaches have posed to payments institutions and the global financial community as a whole. The purpose of SWIFT CSP is to improve cybersecurity by offering mandatory security standards and discretionary controls designed to prevent fraudulent activity and keep SWIFT transactions and payments secure. It is backed by the financial services regulatory bodies, and its controls are aligned with international security standards such as the NIST Cybersecurity Framework, ISO 27001:2013 and PCI DSS.
All SWIFT members are affected. Among the financial institutions obliged to comply with the Customer Security Programme (CSP) are:
Firstly, any company that participates in SWIFT must annually attest compliance with the SWIFT Security Control Framework, which contains mandatory and advisory controls. Secondly, these companies must now have this annual attestation independently assessed before 31 December 2021.
The SWIFT CSP assessment must be completed independently. This means either by a third line of defence (such as an audit department) or by an external party, in order to verify that the information provided complies with the standards and that the company itself is compliant with the SWIFT CSP Control Framework. However, as these independent assessments must be conducted by appropriately qualified individuals, internal audit teams do not necessarily qualify.
The deadline for the first assessment is 31 December 2021. SWIFT requires customers to obtain an independent assessment at least every two years, or whenever there is a significant change to the platform. The SWIFT portal opens for the 2021 CSP attestation on 1 July 2021.
An independent SWIFT CSP audit is a legal requirement under the terms and conditions of the SWIFT agreement. Additionally, any SWIFT participant company that has not submitted its independent assessment by 31 December 2021 will be considered non-compliant by the local regulator. Non-compliance typically results in the regulator requesting additional reporting, and it can trigger non-compliance in other schemes such as CHAPS. Non-compliance is also visible to counterparties in the SWIFT KYC tool.