What is SWIFT’s role in safeguarding payments?

SWIFT, a global financial services organisation, provides secure infrastructure for making cross-border payments. SWIFT has taken measures to strengthen and safeguard the payments landscape by integrating the SWIFT Customer Security Controls Framework (CSCF), which is updated annually and delivered through the SWIFT Customer Security Programme (CSP), into its compliance landscape.

The SWIFT CSCF is aligned with security frameworks such as NIST, ISO 27001 and PCI-DSS. It was introduced to ensure the SWIFT network was consistently reviewed for security and further enhanced to protect SWIFT workstations and user accounts in financial institutions’ corporate environments from fraudulent money transfers. Demonstrating compliance with the SWIFT CSP’s requirements is mandatory for all its participants, which include more than 11,500 customer institutions (banking, securities and corporate organisations) in over 200 countries.


The SWIFT CSP attestation

SWIFT introduced the CSCF in 2016. The CSP CSCF has three objectives and seven principles, covered across 32 controls. These 32 controls are split into mandatory and advisory categories: mandatory controls are designed to improve cybersecurity, and advisory controls are designed to implement industry best practices. The SWIFT CSCF is refreshed annually with enhanced controls to address emerging cyber threats. In the latest version of the SWIFT CSP CSCF (v2024), there are 25 mandatory and seven advisory controls.

SWIFT has also established an Independent Assessment Framework (IAF) under which all SWIFT participants with a live Business Identifier Code (BIC) are required to attest annually using the Know Your Customer – Self-Attestation (KYC-SA) portal. The attestation submissions in the portal bring transparency and enable SWIFT participants to evaluate their counterparties’ control compliance before on-boarding them or continuing business relationships with them.


Evolution and future position

In 2021, SWIFT introduced CSP Independent Assessments (CSPIAs), also known as the Community Standard Assessment (CSA), to support and validate that the annual self-attestations are meeting the SWIFT CSP’s objectives. CSPIAs can be carried out by the second or third line of defence (Internal Audit (IA)), as these functions are considered independent from the operation of SWIFT-related controls. However, the expectation is that the teams undertaking these assessments should have relevant cybersecurity expertise and industry certifications. If such options are not available, an external assessment agency can be used. To bring robustness into the attestation process, SWIFT has also established the ‘SWIFT-mandated assessment’, in which the assessment is performed by external agencies only.

It is worth noting that the SWIFT CSPIA is not a full audit but an assessment, with lighter testing requirements, conducted over a comparatively shorter timescale than a traditional audit. Its purpose is to verify that the controls are effectively implemented and that they meet the defined objectives as per the SWIFT CSCF. A risk-based approach is used to assess compliance, as opposed to an audit checklist.


Role of internal audit (IA) in CSPIA

As per the above, IA, as the third line of defence, can perform the SWIFT CSPIA if it has the right skills and knowledge. From 2024, SWIFT has introduced a certification process for external assessors, listed on the SWIFT CSP assessors’ directory, to bring in standardisation. The SWIFT SMART training portal has the relevant training material for preparing for the certification. Whilst this certification is not mandatory for IA, it can upskill the team and provide the knowledge and skills to assess the controls effectively. There are several key areas to consider while performing the assessment:

  • Applicability: Assess whether changes have been introduced to SWIFT in-scope components, to understand whether the previous year’s control assessment can be relied upon fully or partially. As per SWIFT’s IAF, if there are no changes to all or selected controls against the most recent CSCF version, the previous year’s control assessment can be re-used; however, this is permitted only once, so the following year those controls will need to be re-assessed.
  • Architecture type: Confirming the architecture type is a key step, in which the organisation’s SWIFT architecture needs to be analysed in depth to confirm the correct type. This is important because the entire independent assessment, including the number of controls, in-scope components, related test steps, gathering of evidence and submission to the portal, depends on this decision.
  • Assessment plan: Considering the applicable architecture type and related controls, an assessment plan needs to be drawn up, including governance arrangements, to ensure the tests are performed in time before the deadline of 31 December each year. Any major change in the SWIFT infrastructure or control environment during the year may greatly impact the scope, schedule and cost of performing the independent assessment.
  • Risk-based approach: Even though SWIFT has detailed the control requirements in the SWIFT CSCF, no two organisations will assess the risks and controls in their SWIFT environment in the same manner. In larger organisations with a complex technology landscape, the level of rigour in testing the effectiveness of controls may be higher than for some of the smaller participants. A calculated risk-based approach can help achieve the SWIFT CSP’s objectives and attestation requirements in an efficient manner.
  • Third-party dependencies or critical outsourced activities: In the case of architecture types ‘A4’ and ‘B’, a ‘service bureau’ is involved that provides SWIFT infrastructure to the SWIFT participant. In those cases, the independent assessment may have to derive comfort from the Shared Infrastructure Programme (SIP) report completed by the service bureau for the current assessment year.

More broadly, in all types of architecture there could be third-party providers involved, including cloud services. In the case of cloud infrastructure, all major cloud providers publish assurance reports that could be consumed while performing the tests. SWIFT has provided further guidance and clarification on this subject in the Outsourcing Agents Security Requirements Baseline document.

While many considerations are listed above, there could be many specific scenarios and situations that affect whether a control can be concluded to be compliant with SWIFT’s requirements, for example:

  • Large organisations managing an environment with multiple BICs across different entities
  • Introduction of a new BIC within an existing infrastructure
  • Change to infrastructure or application hosting SWIFT in-scope components

IA may need key subject matter expertise that could be augmented through co-sourcing arrangements with established external agencies. Also, the independent assessment shouldn’t be considered a one-off exercise. Instead, organisations need to use it as an opportunity to strengthen key controls that are shared with other mission-critical applications, products and services.

Disclaimer: The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.

It must be noted that SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory and SWIFT customers are not required to use providers listed in the directory.
