verified_user
Standardful
Homechevron_rightStandardschevron_rightSWIFT CSP
ActiveInternational Standardupdate Standard Updated: Jul 2024fact_check Fact checked: Jun 28, 2026

SWIFT CSP

SWIFT Customer Security Programme — Customer Security Controls Framework

apartmentPublishing Organization:Society for Worldwide Interbank Financial Telecommunication (SWIFT)

Standard Introduction

The SWIFT Customer Security Programme (CSP) is a mandatory security initiative for all organizations connected to the SWIFT financial messaging network. Launched in May 2016 following the $81 million Bangladesh Bank cyber heist, the CSP defines baseline security requirements through the Customer Security Controls Framework (CSCF). All 11,000+ SWIFT-connected institutions must attest their compliance annually.

The CSCF v2025 comprises 25 mandatory and 7 advisory security controls organized around three objectives: secure your environment, know and limit access, and detect and respond. SWIFT updates the framework annually, progressively elevating advisory controls to mandatory status. Organizations must undergo independent assessment and submit attestation results by December 31 each year. Non-compliant institutions are reported to regulators and may face disconnection from the SWIFT network.

account_balance

Mandatory for SWIFT Users

All 11,000+ organizations connected to the SWIFT network must attest compliance with mandatory controls annually by December 31, with independent assessment required.

security

25 Mandatory Controls

The CSCF v2025 defines 25 mandatory and 7 advisory security controls covering environment protection, access management, detection, and response capabilities.

update

Annual Framework Updates

SWIFT publishes an updated CSCF each July, effective the following year, progressively elevating advisory controls to mandatory status based on evolving threats.

list_alt CSCF Control Objectives

  • Restrict internet access and protect critical systems
  • Reduce attack surface and vulnerabilities
  • Physically secure the environment
  • Prevent compromise of credentials
  • Manage identities and segregate privileges
  • Detect anomalous activity on systems and transactions
  • Plan for incident response and information sharing
  • Outsourced critical activity protection

Who Needs to Comply?

groups

All organizations connected to the SWIFT network — banks, financial institutions, securities firms, market infrastructures, corporates with direct SWIFT access, and their service bureaus and third-party providers.

Key Requirements

1

Secure Environment

Restrict internet access from the SWIFT infrastructure, segment the SWIFT secure zone from general IT, and reduce the attack surface of SWIFT-connected components.

2

Access Management

Implement strong authentication (multi-factor) for operator access to SWIFT systems. Apply least-privilege and segregation of duties principles for all user accounts.

3

Detect and Respond

Implement security monitoring to detect anomalous behavior on SWIFT infrastructure. Establish incident response plans and share threat information with SWIFT ISAC.

4

Independent Assessment

Undergo independent assessment of compliance against mandatory controls by an internal or external assessor. Submit annual attestation through the KYC Security Attestation application.

5

Back Office Data Flow Security

Protect the confidentiality, integrity, and authenticity of data flows between the SWIFT infrastructure and back-office systems. Control 2.4A becomes mandatory in 2026.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare architecture type and scope

Identify the Swift architecture type, connected components, service bureaus, back-office integrations, operators, and third parties in scope. Review the current CSCF and determine which mandatory and advisory controls apply to the environment.

2
Phase 2schedule Duration: 4-8 weeks

Gap analysis against CSCF controls

Assess secure zone segmentation, internet restrictions, access control, MFA, credential protection, vulnerability management, logging, transaction monitoring, incident response, and outsourced activity controls against the applicable CSCF control set.

3
Phase 3schedule Duration: 8-16 weeks

Implement controls and assessment evidence

Remediate control gaps, update Swift secure-zone architecture, harden operator workstations, protect back-office flows, collect evidence, and prepare for independent assessment. Confirm remediation for controls that become mandatory in the next attestation cycle.

4
Phase 4schedule Duration: Annual cycle

Attest, monitor & maintain compliance

Complete independent assessment and submit the annual KYC Security Attestation before the deadline. Monitor Swift infrastructure, review user access, test incident response, and track annual CSCF updates so new mandatory controls are implemented early.

Compliance Checklist

0 / 12

checklist Scope & architecture

checklist Access, hardening & monitoring

checklist Assessment & attestation

SWIFT CSP vs ISO 27001 vs PCI DSS

SWIFT CSP protects financial messaging environments, while ISO 27001 and PCI DSS cover different assurance needs.

AspectSWIFT CSPISO 27001PCI DSS
Primary scopeSwift user environment and messaging securityInformation security management systemCardholder data environment
Assessment outputAnnual KYC Security AttestationAccredited certificateROC, SAQ, or attestation of compliance
Control modelMandatory and advisory CSCF controls by architecture typeRisk-based ISMS controlsDetailed payment-card security requirements
Main audienceSwift, counterparties, regulators, and financial institutionsCustomers and certification stakeholdersPayment brands, acquirers, and merchants/service providers

Common Misconceptions

cancel
Myth

Swift secures everything once an institution connects to the network.

check_circle
Reality

Swift secures its network, but each user must secure its own local environment, operators, credentials, integrations, and back-office data flows.

cancel
Myth

Advisory controls can be ignored.

check_circle
Reality

Advisory controls are important risk signals and may become mandatory in future versions. Mature programs track them early.

cancel
Myth

Attestation is only a compliance form.

check_circle
Reality

Attestation is backed by independent assessment and is visible to counterparties, so unsupported claims can affect trust and business relationships.

Penalties & Enforcement

warning

Non-compliant organizations are reported to local regulators and counterparts. SWIFT can restrict or disconnect non-attesting institutions from the network. Counterpart banks may refuse to transact with non-compliant institutions, effectively cutting off access to global interbank messaging.

Frequently Asked Questions

Who must comply with SWIFT CSP?

expand_more

All organizations connected to the Swift network must comply with applicable mandatory Customer Security Controls Framework controls and submit an annual security attestation. This includes banks, securities firms, market infrastructures, corporates, and service bureaus.

What is the CSCF?

expand_more

The Customer Security Controls Framework is Swift’s control framework for user environments. It defines mandatory and advisory controls covering secure architecture, access management, vulnerability management, monitoring, incident response, and outsourced activity protection.

What is annual attestation?

expand_more

Swift users must attest their compliance status through the KYC Security Attestation application each year. The attestation is visible to counterparties and may also be shared with supervisors depending on local expectations.

Is independent assessment required?

expand_more

Yes. Swift requires independent assessment of CSCF compliance, performed by an external assessor or an independent internal function that meets Swift’s criteria. The assessment supports the annual attestation.

What happens if a user is non-compliant?

expand_more

Non-compliance can be visible to counterparties and regulators. Swift may report non-attesting users, and counterparties may restrict relationships with institutions that cannot demonstrate control compliance.

What are mandatory and advisory controls?

expand_more

Mandatory controls must be implemented by applicable users for successful attestation. Advisory controls reflect important security practices and may become mandatory in future CSCF versions as threats and Swift expectations evolve.

How often does the CSCF change?

expand_more

Swift typically publishes updated CSCF requirements annually, with changes becoming effective in a later attestation cycle. Organizations should review new versions early so upcoming mandatory controls can be budgeted and implemented.

How does SWIFT CSP relate to ISO 27001?

expand_more

ISO 27001 can support governance and many security controls, but SWIFT CSP is specific to Swift user environments, architecture types, mandatory controls, attestation, and counterparty transparency.

Official Documentation

View All

Implementation Timeline

warning
Feb 2016
Bangladesh Bank cyber heist ($81M) exposes SWIFT infrastructure vulnerabilities
rocket_launch
May 2016
SWIFT launches Customer Security Programme in response to attacks
description
Apr 2017
First CSCF published with 16 mandatory and 11 advisory controls
verified_user
2019
Independent assessment requirement introduced; mandatory controls expanded to 19
security
2024
CSCF v2024 with 25 mandatory and 7 advisory controls; Control 2.8 becomes mandatory
update
Jul 2024
CSCF v2025 published; Control 2.4A (Back Office Data Flow Security) mandatory from 2026

Related Categories