Standard Overview
The SWIFT Customer Security Programme (CSP) is a mandatory security framework launched in 2017 by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to raise the security of the global financial messaging network. The programme requires every financial institution connected to the SWIFT network to implement the security controls of the Customer Security Controls Framework (CSCF) and to undergo an independent assessment and attestation each year. The CSCF comprises two categories of controls, mandatory and advisory, organised under seven objectives: "Restrict internet access and protect critical systems", "Reduce attack surface and vulnerabilities", "Physically secure the environment", "Prevent compromise of credentials", "Manage identities and segregate privileges", "Detect anomalous activity to systems or transaction records", and "Plan for incident response and information sharing".
SWIFT CSP is updated annually, and the control requirements become stricter with each release. The 2024 edition of the CSCF (v2024) contains 25 mandatory controls and 7 advisory controls. Since 2021, all SWIFT users must have their CSCF compliance assessed by an independent assessor (such as an external auditor or an internal audit department), and the results are submitted through SWIFT's KYC-Security Attestation application. Non-compliant institutions are reported to their counterparties and regulators. SWIFT CSP applies to more than 11,000 financial institutions in over 200 countries and territories, including banks, securities brokers, central banks and clearing houses. The framework is closely related to other security standards and frameworks such as NIST CSF, ISO 27001 and PCI DSS, and many of its control requirements can be mapped to those standards.
Mandatory for SWIFT Users
All 11,000+ organizations connected to the SWIFT network must attest compliance with mandatory controls annually by December 31, with independent assessment required.
25 Mandatory Controls
The CSCF v2025 defines 25 mandatory and 7 advisory security controls covering environment protection, access management, detection, and response capabilities.
Annual Framework Updates
SWIFT publishes an updated CSCF each July, effective the following year, progressively elevating advisory controls to mandatory status based on evolving threats.
CSCF Control Objectives
- Restrict internet access and protect critical systems
- Reduce attack surface and vulnerabilities
- Physically secure the environment
- Prevent compromise of credentials
- Manage identities and segregate privileges
- Detect anomalous activity on systems and transactions
- Plan for incident response and information sharing
- Outsourced critical activity protection
Who Needs to Comply?
All organizations connected to the SWIFT network — banks, financial institutions, securities firms, market infrastructures, corporates with direct SWIFT access, and their service bureaus and third-party providers.
Key Requirements
Secure Environment
Restrict internet access from the SWIFT infrastructure, segment the SWIFT secure zone from general IT, and reduce the attack surface of SWIFT-connected components.
Access Management
Implement strong authentication (multi-factor) for operator access to SWIFT systems. Apply least-privilege and segregation of duties principles for all user accounts.
Detect and Respond
Implement security monitoring to detect anomalous behavior on SWIFT infrastructure. Establish incident response plans and share threat information with SWIFT ISAC.
Independent Assessment
Undergo independent assessment of compliance against mandatory controls by an internal or external assessor. Submit annual attestation through the KYC Security Attestation application.
Back Office Data Flow Security
Protect the confidentiality, integrity, and authenticity of data flows between the SWIFT infrastructure and back-office systems. Control 2.4A becomes mandatory in 2026.
Penalties & Enforcement
Non-compliant organizations are reported to local regulators and counterparts. SWIFT can restrict or disconnect non-attesting institutions from the network. Counterpart banks may refuse to transact with non-compliant institutions, effectively cutting off access to global interbank messaging.