The SWIFT CSP independent assessment and the role of internal audit

What is SWIFT’s role in safeguarding payments?

SWIFT, a global financial services organisation, provides secure infrastructure for making cross-border payments. SWIFT has taken measures to strengthen and safeguard the payments landscape by integrating the SWIFT attestation framework, referred to as SWIFT Customer Security Programme (CSP), into its compliance landscape.

The SWIFT CSP is aligned with security frameworks such as NIST, ISO 27001 and PCI DSS. It was introduced to protect the SWIFT network from criminals who target SWIFT workstations and user accounts within financial institutions’ corporate environments in order to initiate fraudulent money transfers. Demonstrating compliance with the SWIFT CSP’s requirements is mandatory for all its participants, which include more than 11,000 banking and securities organisations, market infrastructures and corporate customers (including non-financial services companies) in over 200 countries.

SWIFT CSP attestation

SWIFT introduced the SWIFT CSP Customer Security Controls Framework (CSCF) in 2016. The CSP CSCF has three objectives and seven principles, covered across 32 controls. These 32 controls are split into mandatory and advisory categories: mandatory controls are designed to improve cyber security, and advisory controls are designed to implement industry best practices. The SWIFT CSCF is generally refreshed every year with enhanced controls to address emerging cyber threats. In the latest version of the SWIFT CSP CSCF (v2023), there are 24 mandatory and eight advisory controls.

SWIFT has also established an Independent Assessment Framework (IAF) under which all SWIFT participants with a live Business Identifier Code (BIC) are required to attest annually using the Know Your Customer – Self-Attestation (KYC-SA) portal. The attestation submissions in the portal also enable SWIFT participants to review their counterparties’ control compliance before on-boarding them or continuing relationships with them.

Evolution and future position

Initially, SWIFT asked its participants to perform a self-assessment of their controls landscape against the SWIFT CSCF and submit it as a self-attestation. From 2021, SWIFT introduced CSP Independent Assessments (CSPIAs), also known as the Community Standard Assessment (CSA), to support and validate that the annual self-attestations are meeting the SWIFT CSP’s objectives. CSPIAs can be carried out by the second or third line of defence, as these are considered independent from the operation of SWIFT-related controls. However, the expectation is that the teams undertaking these assessments have relevant cyber security expertise and industry certifications. If such options are not available, an external assessment agency can be used. To bring robustness into the attestation process, SWIFT has established the ‘SWIFT-mandated assessment’, under which it selects some participants at random every year and requires their assessments to be performed by external agencies only.

It is worth noting that the SWIFT CSPIA is not a full audit: it has lighter testing requirements and is conducted over a comparatively shorter timescale than a traditional audit. Its purpose is to verify that the controls are effectively implemented and that they are meeting the objectives defined in the SWIFT CSCF. A risk-based approach is used to assess compliance, as opposed to an audit checklist.

Role of internal audit (IA) in CSPIA

As per the above, IA, as the third line of defence, can perform the SWIFT CSPIA if it has the right skills and knowledge. In 2024, SWIFT is planning to introduce a certification process for assessors. This will help IA upskill and be ready to assess the controls effectively. Training will be provided as part of the certification process, followed by an examination and a requirement for continuous learning.

As well as ensuring IA maintains the skill level required in this space, there are several key areas to consider while performing the assessment:

  • Applicability: Assess whether the independent assessment outcome from the previous year can be fully or partially relied upon. As per SWIFT’s IAF, if there are no changes to all or selected controls, then the self-attestation could be submitted based on the previous year’s assessment.
  • Architecture type: Confirming the architecture type is a key step; the organisation’s SWIFT architecture needs to be analysed in depth to confirm the correct type. This matters because the entire independent assessment, including the number of controls, the in-scope components, the related test steps, the gathering of evidence and the submission to the portal, depends on this decision.
  • Assessment plan: Considering the applicable architecture type and related controls, an assessment plan needs to be drawn up, including governance arrangements, to ensure the tests are completed before the deadline of 31 December each year. Any major change in the SWIFT infrastructure or control environment during the year may greatly affect the scope, schedule and cost of performing the independent assessment.
  • Risk-based approach: Even though SWIFT has detailed the control requirements in the SWIFT CSCF, no two organisations will assess the risks and controls in their SWIFT environment in the same manner. For larger organisations with a complex technology landscape, the level of rigour in testing the effectiveness of controls may be higher than for some of the smaller participants. A calculated risk-based approach can help achieve the SWIFT CSP’s objectives and attestation requirements in an efficient manner.
  • Third-party dependencies: For architecture types ‘A4’ and ‘B’, a ‘service bureau’ is involved that provides SWIFT infrastructure to the SWIFT participant. In those cases, the independent assessment may have to derive comfort from the service bureau’s Shared Infrastructure Programme (SIP) report completed for the current assessment year. More broadly, in all architecture types there could be third-party providers involved, including cloud services. For cloud infrastructure, all major providers (Microsoft, Amazon and Google) publish assurance reports that could be consumed while performing the tests.
  • Enhancements: Organisations need to keep an eye on key changes and enhancements introduced by SWIFT in the CSCF, the IAF and the KYC-SA portal. For example, in 2023 SWIFT simplified the compliance submission option, with an optional text field to be added per control.

While many considerations are listed above, there could be many specific scenarios and situations in which concluding that a control is compliant with SWIFT’s requirements is not straightforward. These may call for key subject matter expertise that could be augmented through co-source arrangements with established external agencies. Also, the independent assessment shouldn’t be considered a one-off exercise. Instead, organisations need to use it as an opportunity to strengthen key controls that are shared with other mission-critical applications, products and services.

Disclaimer: The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.

It must be noted that SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory and SWIFT customers are not required to use providers listed in the directory.
