SWIFT Customer Security Programme – An Independent Attestation for SWIFT Users in Financial Services

19.04.2021 – Beginning mid-2021, all SWIFT users will be required to have an independent attestation of their compliance with the updated version of the Customer Security Controls Framework (CSCF v2021) based on SWIFT’s Independent Assessment Framework (IAF). Mazars’ experience in cybersecurity and SWIFT requirements guarantees the efficient completion of these attestations.

SWIFT and the Customer Security Programme (CSP)

The SWIFT (Society for Worldwide Interbank Financial Telecommunication) payment network is currently the de facto sole means of carrying out legally secured cross-border payment transactions. All SWIFT users – i.e., banks, insurance, and asset management firms with a BIC (Bank Identifier Code) connected to the international payment network SWIFT – must attest to their level of compliance with a set of mandatory controls as described in the Customer Security Controls Framework (CSCF) as part of the Customer Security Programme (CSP).

As of 2021, the Independent Assessment Framework (IAF) replaces the annual self-attestation, making a Community Standard Assessment (CSA) mandatory. The CSA specifies an attestation of applicable controls of the CSCF by an independent assessor. This can either be done by an external third party or an internal, independent function maintaining the appropriate competencies and certifications.

Non-compliance with CSCF’s cybersecurity requirements as well as non-compliance with the annual obligation of self-attestation and independent attestation is reported by SWIFT to local supervisory authorities or other SWIFT users.

The Customer Security Controls Framework

The framework contains – dependent on the user’s SWIFT Architecture Type – defined mandatory and advisory cybersecurity controls in the following areas:

Independent Attestation

SWIFT sets requirements in terms of independence, cybersecurity experience, and relevant certifications which usually represent a high bar for internal assessors. SWIFT users opting for an external assessment must ensure that it is performed by an independent external organisation. It is mandatory that the assessor has existing cybersecurity assessment experience and that individual assessors have the relevant security industry certification(s).

At Mazars, our auditors:

  • have ample experience in performing assessments and reviews of CSCF compliance in banking and insurance environments
  • have sufficient training and expertise in SWIFT and SWIFT security – including the SWIFT security control framework and detailed mandatory and advisory controls
  • have extensive financial service experience serving clients in cybersecurity and IT audit and advisory projects
  • hold recognised industry qualifications such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), ISO 27001 Lead Auditor, etc.

We will provide you with a detailed Gap Analysis between the SWIFT CSCF requirements and your current control level, and provide recommendations for improvement, if necessary.

Our assessment consists of independent testing and can be performed for audit clients on the basis of ISAE 3000 (International Standard on Assurance Engagements 3000, «Assurance Engagements other than audits or reviews of historical financial information», Type I). Most importantly, this service does not conflict with the statutory audit in terms of independence.
