The SWIFT Customer Security Programme (CSP) is a mandatory control framework for any company that uses SWIFT. It came about as a result of the significant threat that cyber-attacks and breaches have posed to payments institutions and the global financial community as a whole. The purpose of SWIFT CSP is to improve cybersecurity by offering mandatory security standards and discretionary controls designed to prevent fraudulent activity and keep SWIFT transactions and payments secure. It is backed by the financial services regulatory bodies, and its controls are aligned with international security standards such as the NIST Cybersecurity Framework, ISO 27001:2013 and PCI DSS.
All SWIFT members are affected. Among the financial institutions obliged to comply with the Customer Security Programme (CSP) are:
Firstly, any company that participates in SWIFT must annually attest compliance with the SWIFT Security Control Framework, which contains mandatory and advisory controls. Secondly, these companies must now have this annual attestation independently assessed. The independent assessment requirement has been in force since 31 December 2021.
The SWIFT CSP assessment must be completed independently. This means either by a third line of defence (such as an audit department), or externally through an independent assessor. SWIFT has published a list of service providers; follow the link below:
CSP Assessment providers directory
SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory and SWIFT customers are not required to use providers listed in the directory.
The deadline for the assessment is the 31st of December each year; this is an annually recurring activity. The SWIFT attestation must be supported by an independent assessment in order to comply with your obligation. An independent assessment can be relied upon for 2 years, subject to: which CSCF version the assessment was performed against; the control conclusion was supporting and can be relied upon; the control has not been updated; the design, implementation and environment are the same. Please contact us for further details. The SWIFT portal opens for submission on 1st July.
An independent SWIFT CSP assessment is a legal requirement according to the terms and conditions of the SWIFT agreement. Additionally, any SWIFT participant company that has not submitted its independent assessment by 31 December will be considered non-compliant by the local regulator. Non-compliance typically results in the regulator requesting additional reporting and can trigger non-compliance in other schemes such as CHAPS. Non-compliance is also visible to counterparties in the SWIFT KYC tool.