Every year, SWIFT issues an update to its Customer Security Controls Framework (CSCF), which may impact how your payments operations and technology are structured. This affects all organisations that use SWIFT.
SWIFT created the Customer Security Programme (CSP) to promote cyber security within the SWIFT-user community and create collaboration across the industry to counter the cyber threat. At the heart of the CSP is the Customer Security Controls Framework (CSCF), a common set of mandatory and advisory security controls, revised annually, which help users secure their local environments and, in turn, the SWIFT community at large.
As a SWIFT customer, you must ensure that your security measures are aligned with those outlined in the CSCF and annually attest to your level of compliance. To further enhance the integrity, consistency, and accuracy of attestations, SWIFT mandates that, at minimum, all mandatory controls of the attestation are independently assessed.
This month, SWIFT made the Customer Security Controls Framework (CSCF) v2023 available to users in the KYC Security Attestation (KYC-SA) application, with further changes due later this month. All customers are required to attest against this version by a deadline of 31 December 2023. So far, SWIFT hasn’t made big changes to the CSCF, but there are some key amendments.
Control 1.5 (covering customer environment protection) is now mandatory. This control focuses on the customer connector and expects separation between the operational (or production) environment where the customer connector resides and the wider or general IT environment.
Further minor clarifications or changes have been made to the CSCF to improve usability and comprehension and help users implement the framework as intended.
Getting an early start is essential to make sure you continue to meet SWIFT messaging standards and can maintain a robust network infrastructure. It will require significant resources with both cyber and security expertise. If you’re slow off the mark, you could run out of time to implement changes, complete the SWIFT attestation itself, and gain an independent review by the end of the year. You could also face end-of-year change freezes and greater competition for internal change windows from your IT department in the final flurry of firms racing to achieve compliance. It’s also important to think about resourcing, recognising that many integral individuals could be out of office during the holiday season.
There are also operational issues to think about, and delaying CSCF adoption can affect long-term planning. If you don’t assess or prioritise your SWIFT implementation, you’re more likely to install the wrong security controls for your architecture type. This could be a costly mistake, and you could spend a lot of time and resources addressing the issue before the deadline. Prompt CSCF adoption will keep you on track and give you enough time to address any problems as they arise.
SWIFT has an obligation to protect its customers and make sure all firms across its network meet the same security standards. As such, it has the right to report firms to their regulators, generally due to one of the following:
Regulatory intervention for any of the above could have long-term financial and reputational implications. Getting started on the CSCF process will keep your security protocols up to date and help you meet the December deadline.
For more help or information, contact Paul Olukoya.