SWIFT has updated its Customer Security Controls Framework, and firms have until December to complete their attestation against it. Paul Olukoya and Anthony Lulu look at key elements of the update, and what firms need to do now.

Every year, SWIFT issues an update to its Customer Security Controls Framework (CSCF) which may impact how your payments operations and technology is structured. This affects all organisations who use SWIFT.

SWIFT created the Customer Security Programme (CSP) to promote cyber security within the SWIFT-user community and create collaboration across the industry to counter against the cyber threat. At the heart of the CSP is the Customer Security Controls Framework (CSCF), a common set of mandatory and advisory security controls revised annually, which help users secure their local environments and, in turn, the SWIFT community at large.

SWIFT customers must ensure that your security measures are aligned with those outlined in the CSCF and annually attest your level of compliance. To further enhance the integrity, consistency, and accuracy of attestations, SWIFT mandates that, at minimum, all mandatory controls of the attestation are independently assessed.

This month, the Customer Security Controls Framework (CSCF) v2023 was made available to SWIFT users in the KYC Security Attestation (KYC-SA) application. All customers are required to attest against this version by a deadline of 31 December 2023.

What are the changes to the CSCF?

SWIFT has published CSCF v2023 via the KYC Security Attestation (KYC-SA) application, with further changes due later this month. All customers must attest against this version by 31 December 2023. So far, SWIFT hasn’t made big changes to the CSCF, but there are some key amendments. 

Control 1.5 (covering customer environment protection) is now mandatory. This control focuses on the customer connector and expects separation between the operational (or production) environment where the customer connector resides and the wider or general IT environment.

Further minor clarifications or changes have been made to the CSCF framework to improve the usability and comprehension and help users implement the framework as intended.

  • MX equivalent representation of identified MT messages
  • Middleware is used more generically in a product agnostic form
  • It's repeated that the security protection of the back-office systems is strongly recommended – with the APIs rise, it will become even more crucial
  • Control 2.2 (Security Updates) aligns the vulnerability remediation timeframes to common standard for security patching
  • Control 2.9 (Transaction Business Controls) asks, as optional enhancement, to combine several types of controls
  • Control 4.2 (Multi-Factor Authentication) also proposes to consider NIST SP 800-63B AAL2 for authentication factors selection/usage and remote-wipes in case of device theft/loss
  • Control 6.1 (Malware Protection) specifically mentions, as optional enhancement, to consider all the general operator PCs, not only the Windows OS based ones To ensure compliance, you should review these updates and check if your current systems align to the new requirements


Meeting compliance early

Getting an early start is essential to make sure you continue to meet SWIFT messaging standards and can maintain a robust network infrastructure. It will require significant resources with both cyber and security expertise. If you’re slow off the mark to implement changes, you could run out of time to implement changes, complete the SWIFT attestation itself, and gain an independent review by the end of the year. As such, you could face end of year change freezes and greater competition for internal change windows from your IT department in the final flurry of firms racing to achieve compliance. It’s also important to think about resourcing, recognising that many integral individuals could be out of office during the holiday season.

Avoiding operational issues

There are also operational issues to think about and delaying CSCF adoption can affect long-term planning. If you don’t assess or prioritise your SWIFT implementation, you’re more likely to install the wrong security controls for your architecture type. This could be a costly mistake, and you could spend a lot of time and resources to address the issue before the deadline. Prompt CSCF adoption will keep you on track and give you enough time to address any problems as they arise.

What to do now

SWIFT has an obligation to protect its customers and make sure all firms across its network meet the same security standards. As such, it has the right to report firms to their regulators, generally due to one of the following:

  • not having a valid SWIFT attestation
  • non-compliance with mandatory controls
  • connecting to the SWIFT network through a non-compliant service provider
  • not completing a SWIFT-mandated external assessment.

Regulatory intervention for any of the above could have long-term financial and reputational implications. Getting started on the CSCF process will keep your security protocols up to date and help you meet the December deadline.

For more help or information, contact Paul Olukoya.

Get the latest insights, events and guidance for financial services professionals, straight to your inbox.