Key takeaways
The Swift network plays a critical role in facilitating payments worldwide and enabling trust and security across the global financial ecosystem. This makes it a prime target for sophisticated cyber and fraud threat actors, requiring increased due diligence to protect payment networks and customers.
That’s why it’s more critical than ever for Swift-connected organizations to ensure they’re compliant with Swift’s Customer Security Programme (CSP).1 Because Swift CSP compliance isn’t just a checkbox—it’s a vital, evolving trust signal that helps sustain a secure global financial ecosystem. And non-compliance can pose serious risks to organizations and the global financial ecosystem.
The attestation period for Swift’s 2026 CSP opens July 1, 2026. The current Customer Security Controls Framework (CSCF v2026) at the core of the CSP comprises 26 mandatory and 6 advisory controls across all architecture types.
Security expectations are expanding beyond the “Swift Secure Zone” (a segmented zone separating Swift-related systems from the wider enterprise environment) to encompass a broader ecosystem that supports Swift payment processing. Changes include the “customer client connector,” a new mandatory component across architecture types connecting out to the Swift network, and mandated security controls for end-to-end data flows across back-office integration points.
For organizations with mature security and governance practices for the Swift CSP, this year’s changes should be manageable. For others—particularly those with complex legacy environments, outsourced dependencies, or incomplete visibility into end-to-end Swift data flows—the changes may increase the risk of non-compliance and late remediation.
Due to the increasing scope of CSCF control objectives, the challenge for many organizations isn’t understanding control intent; it’s proving implementation and operational effectiveness, and maintaining compliance against a shifting environment, consistently and annually. As such, it’s critical that Swift users maintain visibility into ongoing changes to the CSP and CSCF and understand the risks and consequences of non-compliance.
1. Reduced trust and damaged reputation and relationships
Swift users increasingly treat CSP compliance as a standard onboarding and security tool. When an organization submits its Swift CSP security attestation via Swift’s KYC–Security Attestation portal, counterparties can view its presence and publication status. They can also request access to the organization’s attestation details from Swift.
If an organization is non-compliant in a given year, it can reduce trust among peers, negatively impact existing Swift relationships, and even result in reputational damage. Organizations may come under more scrutiny during onboarding, incur heightened due diligence, and experience delays in expanding services.
2. Increased risk of Swift-mandated external independent assessment and related disruption
Every year, Swift randomly selects a subset of users to undergo a mandated external independent assessment of their submitted security attestations. If Swift deems an organization to be at high risk of an incident—for example, being non-compliant with the CSP—that organization faces a higher risk of being selected for such an assessment.
At a minimum, Swift-mandated external independent assessments must cover all applicable mandatory security controls for the organization’s Swift architecture type and be completed by December 31 of the year of the initial request. An organization selected for mandatory external independent assessment may face more intensive assurance expectations and more demanding remediation execution due to tighter timelines and increased pressure from Swift.
Completing the mandatory external independent assessment on time will disrupt the organization’s ongoing business activities and strategic priorities. Organizations may also face higher costs to close any newly identified gaps—on top of costs spent to implement previously identified remediations—under increased deadline pressure.
3. Increased regulatory and Swift community scrutiny
Organizations that regularly fail to attest to their CSP compliance—or regularly attest to their non-compliance—risk increased scrutiny from local regulators and the broader Swift community.
Regulators are increasing pressure on financial institutions within their jurisdictions to protect their payment infrastructure and customers against rapidly evolving, increasingly sophisticated cyber and fraud threats. Regulators are increasingly interested in monitoring Swift CSP compliance within their jurisdictions due to Swift’s prevalence and visibility across international payment networks.
As well, Swift reserves the right to report to local supervisory authorities (e.g., Canada’s Office of the Superintendent of Financial Institutions or the US Federal Reserve Board) any users that lack a valid attestation, fail to submit an attestation, or are non-compliant with the applicable mandatory controls for their architecture type.
Many organizations face challenges with maintaining their Swift CSP compliance each year. Even previously compliant organizations often find new gaps against Swift’s control objectives—typically due to changes in their infrastructure and security control requirements year-over-year. In 2025, for example, Deloitte completed more than 200 independent Swift CSP assessments. Our initial assessment of mandatory controls found that 80% of large financial institutions globally weren’t compliant with any assessed controls. After identified remediations were implemented and reassessed, this dropped to 10%.
To mitigate the risk of non-compliance, Deloitte helps organizations treat Swift CSP compliance as a managed capability, not a seasonal exercise. As a Swift CSP Certified Assessor, we have extensive global experience supporting and conducting Swift CSP assessments for local and international entities, with over 300 external independent assessments performed at both public and private sector organizations.
Our local Deloitte professionals, supported by our global Center of Excellence, help our clients develop their Swift CSP compliance roadmaps year-over-year. We provide advisory support to prioritize and validate remediation activities on our clients’ Swift environments, and we help our clients ensure they stay aligned with global best practices for maintaining Swift CSP compliance.
As the Swift CSP continues to evolve, organizations that start their assessments early are best positioned to reduce their compliance risk, avoid late-cycle business disruptions, and maintain positive reputations within their peer networks and regulatory frameworks.