All SWIFT members are affected. Among the financial institutions obliged to comply to the Customer Security Programme (CSP) are:

• Banks
• Brokerage institutes and trading houses
• Securities dealers
• Asset management companies
• Clearing houses
• Depositories
• Exchanges
• Corporate business houses
• Treasury market participants and service providers
• Foreign exchange and money brokers

Firstly, any company that participates in SWIFT must annually attest compliance to the SWIFT Security Control Framework which contains mandatory and advisory controls. Secondly, these companies must now have this annual attestation independently assessed before 31 December 2021.

The SWIFT CSP assessment must be completed independently. This means either by a third line of defence (such as an audit department), or externally, in order to verify that the information provided complies to standards and that the company itself is compliant with the SWIFT CSP Control Framework. However, as these independent assessments must be conducted by appropriately qualified individuals, internal audit teams do not necessarily qualify.

The deadline for the first assessment is the 31^st December 2021. SWIFT requires customers to get an independent assessment at least every two years, or every time there is a significant change to the platform. The SWIFT portal opens for the 2021 CSP attestation on the 1 July 2021.

An independent SWIFT CSP audit is a legal requirement according to the terms and conditions of the SWIFT agreement. Additionally, any SWIFT participant company that has not submitted their independent assessment by 31 December 2021 will be considered non-compliant by the local regulator. Non-compliance typically results in the regulator requesting additional reporting and can trigger non-compliance in other scheme’s such as CHAPS. Non-compliance is also visible to counterparties in the SWIFT KYC tool.