SWIFT CSP
SWIFT Customer Security Programme — Customer Security Controls Framework
Standard Introduction
The SWIFT Customer Security Programme (CSP) is a mandatory security initiative for all organizations connected to the SWIFT financial messaging network. Launched in May 2016 following the $81 million Bangladesh Bank cyber heist, the CSP defines baseline security requirements through the Customer Security Controls Framework (CSCF). All 11,000+ SWIFT-connected institutions must attest their compliance annually.
The CSCF v2025 comprises 25 mandatory and 7 advisory security controls organized around three objectives: secure your environment, know and limit access, and detect and respond. SWIFT updates the framework annually, progressively elevating advisory controls to mandatory status. Organizations must undergo independent assessment and submit attestation results by December 31 each year. Non-compliant institutions are reported to regulators and may face disconnection from the SWIFT network.
Mandatory for SWIFT Users
All 11,000+ organizations connected to the SWIFT network must attest compliance with mandatory controls annually by December 31, with independent assessment required.
25 Mandatory Controls
The CSCF v2025 defines 25 mandatory and 7 advisory security controls covering environment protection, access management, detection, and response capabilities.
Annual Framework Updates
SWIFT publishes an updated CSCF each July, effective the following year, progressively elevating advisory controls to mandatory status based on evolving threats.
list_alt CSCF Control Objectives
- Restrict internet access and protect critical systems
- Reduce attack surface and vulnerabilities
- Physically secure the environment
- Prevent compromise of credentials
- Manage identities and segregate privileges
- Detect anomalous activity on systems and transactions
- Plan for incident response and information sharing
- Outsourced critical activity protection
Who Needs to Comply?
All organizations connected to the SWIFT network — banks, financial institutions, securities firms, market infrastructures, corporates with direct SWIFT access, and their service bureaus and third-party providers.
Key Requirements
Secure Environment
Restrict internet access from the SWIFT infrastructure, segment the SWIFT secure zone from general IT, and reduce the attack surface of SWIFT-connected components.
Access Management
Implement strong authentication (multi-factor) for operator access to SWIFT systems. Apply least-privilege and segregation of duties principles for all user accounts.
Detect and Respond
Implement security monitoring to detect anomalous behavior on SWIFT infrastructure. Establish incident response plans and share threat information with SWIFT ISAC.
Independent Assessment
Undergo independent assessment of compliance against mandatory controls by an internal or external assessor. Submit annual attestation through the KYC Security Attestation application.
Back Office Data Flow Security
Protect the confidentiality, integrity, and authenticity of data flows between the SWIFT infrastructure and back-office systems. Control 2.4A becomes mandatory in 2026.
Implementation Roadmap
Prepare architecture type and scope
Identify the Swift architecture type, connected components, service bureaus, back-office integrations, operators, and third parties in scope. Review the current CSCF and determine which mandatory and advisory controls apply to the environment.
Gap analysis against CSCF controls
Assess secure zone segmentation, internet restrictions, access control, MFA, credential protection, vulnerability management, logging, transaction monitoring, incident response, and outsourced activity controls against the applicable CSCF control set.
Implement controls and assessment evidence
Remediate control gaps, update Swift secure-zone architecture, harden operator workstations, protect back-office flows, collect evidence, and prepare for independent assessment. Confirm remediation for controls that become mandatory in the next attestation cycle.
Attest, monitor & maintain compliance
Complete independent assessment and submit the annual KYC Security Attestation before the deadline. Monitor Swift infrastructure, review user access, test incident response, and track annual CSCF updates so new mandatory controls are implemented early.
Compliance Checklist
checklist Scope & architecture
checklist Access, hardening & monitoring
checklist Assessment & attestation
SWIFT CSP vs ISO 27001 vs PCI DSS
SWIFT CSP protects financial messaging environments, while ISO 27001 and PCI DSS cover different assurance needs.
| Aspect | SWIFT CSP | ISO 27001 | PCI DSS |
|---|---|---|---|
| Primary scope | Swift user environment and messaging security | Information security management system | Cardholder data environment |
| Assessment output | Annual KYC Security Attestation | Accredited certificate | ROC, SAQ, or attestation of compliance |
| Control model | Mandatory and advisory CSCF controls by architecture type | Risk-based ISMS controls | Detailed payment-card security requirements |
| Main audience | Swift, counterparties, regulators, and financial institutions | Customers and certification stakeholders | Payment brands, acquirers, and merchants/service providers |
Common Misconceptions
Swift secures everything once an institution connects to the network.
Swift secures its network, but each user must secure its own local environment, operators, credentials, integrations, and back-office data flows.
Advisory controls can be ignored.
Advisory controls are important risk signals and may become mandatory in future versions. Mature programs track them early.
Attestation is only a compliance form.
Attestation is backed by independent assessment and is visible to counterparties, so unsupported claims can affect trust and business relationships.
Penalties & Enforcement
Non-compliant organizations are reported to local regulators and counterparts. SWIFT can restrict or disconnect non-attesting institutions from the network. Counterpart banks may refuse to transact with non-compliant institutions, effectively cutting off access to global interbank messaging.
Frequently Asked Questions
Who must comply with SWIFT CSP?
expand_more
All organizations connected to the Swift network must comply with applicable mandatory Customer Security Controls Framework controls and submit an annual security attestation. This includes banks, securities firms, market infrastructures, corporates, and service bureaus.
What is the CSCF?
expand_more
The Customer Security Controls Framework is Swift’s control framework for user environments. It defines mandatory and advisory controls covering secure architecture, access management, vulnerability management, monitoring, incident response, and outsourced activity protection.
What is annual attestation?
expand_more
Swift users must attest their compliance status through the KYC Security Attestation application each year. The attestation is visible to counterparties and may also be shared with supervisors depending on local expectations.
Is independent assessment required?
expand_more
Yes. Swift requires independent assessment of CSCF compliance, performed by an external assessor or an independent internal function that meets Swift’s criteria. The assessment supports the annual attestation.
What happens if a user is non-compliant?
expand_more
Non-compliance can be visible to counterparties and regulators. Swift may report non-attesting users, and counterparties may restrict relationships with institutions that cannot demonstrate control compliance.
What are mandatory and advisory controls?
expand_more
Mandatory controls must be implemented by applicable users for successful attestation. Advisory controls reflect important security practices and may become mandatory in future CSCF versions as threats and Swift expectations evolve.
How often does the CSCF change?
expand_more
Swift typically publishes updated CSCF requirements annually, with changes becoming effective in a later attestation cycle. Organizations should review new versions early so upcoming mandatory controls can be budgeted and implemented.
How does SWIFT CSP relate to ISO 27001?
expand_more
ISO 27001 can support governance and many security controls, but SWIFT CSP is specific to Swift user environments, architecture types, mandatory controls, attestation, and counterparty transparency.
Official Documentation
SWIFT CSP Document Centre
External Link • swift.com • CSCF & Program Documents
SWIFT Security Controls
External Link • swift.com • Control Requirements
SWIFT CSP Portal
External Link • swift.com • Attestation & Resources