SWIFT CSP
SWIFT Customer Security Programme — Customer Security Controls Framework
Standard Introduction
The SWIFT Customer Security Programme (CSP) is a mandatory security initiative for all organizations connected to the SWIFT financial messaging network. Launched in May 2016 following the $81 million Bangladesh Bank cyber heist, the CSP defines baseline security requirements through the Customer Security Controls Framework (CSCF). All 11,000+ SWIFT-connected institutions must attest their compliance annually.
The CSCF v2025 comprises 25 mandatory and 7 advisory security controls organized around three objectives: secure your environment, know and limit access, and detect and respond. SWIFT updates the framework annually, progressively elevating advisory controls to mandatory status. Organizations must undergo independent assessment and submit attestation results by December 31 each year. Non-compliant institutions are reported to regulators and may face disconnection from the SWIFT network.
Mandatory for SWIFT Users
All 11,000+ organizations connected to the SWIFT network must attest compliance with mandatory controls annually by December 31, with independent assessment required.
25 Mandatory Controls
The CSCF v2025 defines 25 mandatory and 7 advisory security controls covering environment protection, access management, detection, and response capabilities.
Annual Framework Updates
SWIFT publishes an updated CSCF each July, effective the following year, progressively elevating advisory controls to mandatory status based on evolving threats.
CSCF Control Objectives
- Restrict internet access and protect critical systems
- Reduce attack surface and vulnerabilities
- Physically secure the environment
- Prevent compromise of credentials
- Manage identities and segregate privileges
- Detect anomalous activity on systems and transactions
- Plan for incident response and information sharing
- Protect outsourced critical activities
Who Needs to Comply?
All organizations connected to the SWIFT network — banks, financial institutions, securities firms, market infrastructures, corporates with direct SWIFT access, and their service bureaus and third-party providers.
Key Requirements
Secure Environment
Restrict internet access from the SWIFT infrastructure, segment the SWIFT secure zone from general IT, and reduce the attack surface of SWIFT-connected components.
Access Management
Implement strong (multi-factor) authentication for operator access to SWIFT systems. Apply least-privilege and segregation-of-duties principles to all user accounts.
Detect and Respond
Implement security monitoring to detect anomalous behavior on SWIFT infrastructure. Establish incident response plans and share threat information with SWIFT ISAC.
Independent Assessment
Undergo independent assessment of compliance against mandatory controls by an internal or external assessor. Submit annual attestation through the KYC Security Attestation application.
Back Office Data Flow Security
Protect the confidentiality, integrity, and authenticity of data flows between the SWIFT infrastructure and back-office systems. Control 2.4A becomes mandatory in 2026.
Penalties & Enforcement
Non-compliant organizations are reported to local regulators and counterparts. SWIFT can restrict or disconnect non-attesting institutions from the network. Counterpart banks may refuse to transact with non-compliant institutions, effectively cutting off access to global interbank messaging.