Standard Overview
The SWIFT Customer Security Programme (CSP) is a security initiative that every institution connected to the SWIFT financial messaging network must comply with. The programme was launched in May 2016 in response to the USD 81 million cyber-theft from the central bank of Bangladesh. The CSP defines baseline security requirements through the Customer Security Controls Framework (CSCF), and all 11,000+ SWIFT-connected institutions must attest their compliance every year.
CSCF v2025 contains 25 mandatory and 7 advisory security controls, organized around three objectives: secure your environment, know and limit access, and detect and respond. SWIFT updates the framework annually, progressively promoting advisory controls to mandatory status. Institutions must undergo an independent assessment and submit their attestation by 31 December each year. Non-compliant institutions are reported to regulators and may face disconnection from the SWIFT network.
Mandatory for SWIFT Users
All 11,000+ organizations connected to the SWIFT network must attest compliance with mandatory controls annually by December 31, with independent assessment required.
25 Mandatory Controls
The CSCF v2025 defines 25 mandatory and 7 advisory security controls covering environment protection, access management, detection, and response capabilities.
Annual Framework Updates
SWIFT publishes an updated CSCF each July, effective the following year, progressively elevating advisory controls to mandatory status based on evolving threats.
CSCF Control Objectives
- Restrict internet access and protect critical systems
- Reduce attack surface and vulnerabilities
- Physically secure the environment
- Prevent compromise of credentials
- Manage identities and segregate privileges
- Detect anomalous activity on systems and transactions
- Plan for incident response and information sharing
- Outsourced critical activity protection
Who Needs to Comply?
All organizations connected to the SWIFT network — banks, financial institutions, securities firms, market infrastructures, corporates with direct SWIFT access, and their service bureaus and third-party providers.
Key Requirements
Secure Environment
Restrict internet access from the SWIFT infrastructure, segment the SWIFT secure zone from general IT, and reduce the attack surface of SWIFT-connected components.
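One way to check a firewall policy against the two segmentation requirements above, as an added example that is not part of the original page or of any SWIFT tooling: every allow rule is tested for internet egress from the secure zone and for ingress into the zone from anything other than an approved back-office peer. The secure-zone CIDR, the back-office peer addresses and the sample policy are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical addressing, constructed for this example.
SECURE_ZONE = ipaddress.ip_network("10.50.0.0/24")
BACK_OFFICE_PEERS = [
    ipaddress.ip_network("10.20.1.10/32"),
    ipaddress.ip_network("10.20.1.11/32"),
]
# RFC 1918 space; anything outside it is treated as internet-reachable.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: str     # CIDR
    dst: str     # CIDR
    port: str    # "any" or a port number


# Constructed sample policy, not taken from any real deployment.
SAMPLE_POLICY = [
    Rule("sz-to-swift-gw", "allow", "10.50.0.0/24", "10.50.0.5/32", "any"),
    Rule("bo-to-sz-sftp", "allow", "10.20.1.10/32", "10.50.0.0/24", "22"),
    Rule("sz-dns-out", "allow", "10.50.0.0/24", "0.0.0.0/0", "53"),        # internet egress
    Rule("corp-rdp-to-sz", "allow", "10.0.0.0/8", "10.50.0.0/24", "3389"),  # broad ingress
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]


def is_internal(net):
    """True only if the whole network sits inside RFC 1918 space."""
    return any(net.subnet_of(r) for r in INTERNAL_RANGES)


def find_violations(policy, secure_zone=SECURE_ZONE, peers=BACK_OFFICE_PEERS):
    """Return (rule name, reason) pairs for allow rules that break segmentation."""
    findings = []
    for r in policy:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        # Egress: any source that covers the secure zone must not reach
        # destinations outside internal address space.
        if src.overlaps(secure_zone) and not is_internal(dst):
            findings.append((r.name, "internet egress from secure zone"))
        # Ingress: traffic into the zone must originate inside the zone or
        # from an explicitly approved back-office peer. A source broader than
        # the zone (e.g. 10.0.0.0/8) is not "inside" it.
        if dst.overlaps(secure_zone) and not src.subnet_of(secure_zone):
            if not any(src.subnet_of(p) for p in peers):
                findings.append((r.name, "ingress to secure zone from unapproved source"))
    return findings


if __name__ == "__main__":
    for name, reason in find_violations(SAMPLE_POLICY):
        print(f"{name}: {reason}")
```

The check deliberately treats 0.0.0.0/0 and any other non-RFC 1918 destination as internet egress rather than relying on the `is_private` property of `ipaddress` networks, whose behaviour for an all-zero prefix differs between Python versions.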
Access Management
Implement strong authentication (multi-factor) for operator access to SWIFT systems. Apply least-privilege and segregation of duties principles for all user accounts.
Detect and Respond
Implement security monitoring to detect anomalous behavior on SWIFT infrastructure. Establish incident response plans and share threat information with SWIFT ISAC.
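The monitoring requirement above, as an added example that is not part of the original page and does not reflect any SWIFT product: a small detector run over constructed operator audit log lines. It flags successful logins without MFA, logins from outside the secure zone, payment messages released outside an assumed operating window, and payments by a user with no preceding operator login in the log. The log format, the secure-zone CIDR and the operating hours are all assumptions for the example.

```python
import ipaddress
from datetime import datetime

SECURE_ZONE = ipaddress.ip_network("10.50.0.0/24")  # assumed
OPERATING_HOURS = range(7, 19)                      # 07:00-18:59 UTC, assumed

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG = [
    "2024-03-12T08:02:11Z event=login user=ops.alice src=10.50.0.21 mfa=yes result=success",
    "2024-03-12T08:05:40Z event=payment user=ops.alice ref=TX1001 amount=150000 ccy=EUR",
    "2024-03-12T21:47:03Z event=login user=ops.bob src=10.50.0.22 mfa=no result=success",
    "2024-03-12T21:49:15Z event=payment user=ops.bob ref=TX1002 amount=4800000 ccy=USD",
    "2024-03-13T03:10:55Z event=login user=svc.backup src=172.16.8.9 mfa=yes result=success",
    "2024-03-13T09:30:00Z event=payment user=ops.carol ref=TX1003 amount=20000 ccy=GBP",
]


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed UTC timestamp."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def analyse(lines, secure_zone=SECURE_ZONE, hours=OPERATING_HOURS):
    """Return (subject, reason) alerts in log order."""
    alerts = []
    logged_in = set()  # users with a successful login seen so far
    for rec in map(parse_line, lines):
        if rec["event"] == "login" and rec.get("result") == "success":
            if rec.get("mfa") != "yes":
                alerts.append((rec["user"], "login without MFA"))
            if ipaddress.ip_address(rec["src"]) not in secure_zone:
                alerts.append((rec["user"], "login from outside secure zone"))
            logged_in.add(rec["user"])
        elif rec["event"] == "payment":
            if rec["ts"].hour not in hours:
                alerts.append((rec["ref"], "payment outside operating window"))
            if rec["user"] not in logged_in:
                alerts.append((rec["ref"], "payment with no preceding operator login"))
    return alerts


if __name__ == "__main__":
    for subject, reason in analyse(SAMPLE_LOG):
        print(f"ALERT {subject}: {reason}")
```

In a real deployment the login state would be keyed by session and expire, and the operating window would come from the institution's release schedule; the point here is that the transaction check is correlated with the authentication events rather than evaluated on its own.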
Independent Assessment
Undergo independent assessment of compliance against mandatory controls by an internal or external assessor. Submit annual attestation through the KYC Security Attestation application.
Back Office Data Flow Security
Protect the confidentiality, integrity, and authenticity of data flows between the SWIFT infrastructure and back-office systems. Control 2.4A becomes mandatory in 2026.
Penalties & Enforcement
Non-compliant organizations are reported to local regulators and counterparts. SWIFT can restrict or disconnect non-attesting institutions from the network. Counterpart banks may refuse to transact with non-compliant institutions, effectively cutting off access to global interbank messaging.