Skip to main content

SWIFT Customer Security Program

Banking information is some of the most important to keep safe. That's why recent high-profile cyber-attacks on customers using Society for Worldwide Interbank Financial Telecommunications (SWIFT) are so significant. Deloitte can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF), as well as address SWIFT dependencies.

Why Deloitte?

Deloitte’s cyber risk practice is widely acknowledged as a leading security consulting practice, and is eminently qualified to help your organization be secure, vigilant, and resilient in the face of evolving cyber threats.

Deloitte ranked #1 by Gartner in security consulting services for the sixth consecutive year

Gartner, the world's leading information technology research and advisory company, has positioned Deloitte first globally, based on revenue, in security consulting services for the sixth consecutive year in its report, Market Share: Security Consulting Services, Worldwide, 2017.

  • Deloitte’s leadership in the field of information security assures you of our ability to assign qualified, knowledgeable, and industry-respected personnel who have performed similar consulting assignments
  • Our experience in delivering similar mandates for local organizations brings industry specific experience. Our local industry resources and high experience of security technologies, constitute an invaluable set of resources for SWIFT CSP-related engagements. This enables us to use proven tools and methods to carry out comprehensive engagements
  • We are technology and solution agnostic and we only recommend a solution that makes sense for the business and provides value

We help clients establish controls and processes around their most sensitive assets, balancing the need to reduce risk, while also helping to enable productivity, business growth, and cost optimization objectives.

Learn more about our cyber risk services.

Moreover, Deloitte in Luxembourg, and globally through the Deloitte Touche Tohmatsu Limited network of member firms, are the number one providers of security risk management solutions.

* While Deloitte is prepared to assist you in connection with the SWIFT Customer Security Controls Framework, please note that Deloitte does not represent or speak for SWIFT; and the Customer Security Controls Framework is part of the contractual framework between SWIFT and its users.

In response to recent cyber-attacks, SWIFT issued baseline security requirements through its Customer Security Controls Framework. While the SWIFT network itself was not compromised in the attacks, in some cases hackers successfully breached the local operating environment established by SWIFT users.

To reduce the opportunities for cybercriminals to exploit weaknesses in SWIFT users' local environments in the future, SWIFT created the Customer Security Program (CSP). The CSP is a programme designed to help organisations using Swift to design, review and implement specific cyber security controls for their local environments.

The CSP focusses on three mutually reinforcing areas. Customers will first need to protect and secure their local environment (you), it is then about preventing and detecting fraud in your commercial relationships (your counterparts), and continuously sharing information and preparing to defend against future cyber threats (your community).


Securing your local SWIFT-related infrastructure and putting in place the right people, policies and practices, are critical to avoiding cyber related fraud.

Your counterparts

Companies do not operate in a vacuum and all SWIFT users are part of a broader ecosystem. Even with strong security measures in place, attackers are very sophisticated and you need to assume that you may be the target of cyber-attacks. That is why it is also vital to manage security risk in your interactions and relationships with counterparties

Your community

The financial industry is truly global, and so are the cyber challenges it faces. What happens to one company in one location can be replicated elsewhere in the world.

SWIFT has requested users to set up these cyber security controls by 31 December 2017, and to update their systems according to CSP requests on an annual basis. The CSP compliance will come through self-attestation. SWIFT has already announced updates to the Customer Security Controls Framework for attestation in 2021.

SWIFT encourages its users to implement and monitor these customer security controls as part of a broader cyber security risk management program which should be regularly evaluated and adjusted, based on leading industry practices, and changes to the individual users' security posture and infrastructure.
Moreover, from mid-2021, all users will be obligated to perform ‘Community Standard Assessments’. This means that all attestations submitted in 2021 under the CSCF v2021 also require an independent assessment. A user can do this in either of two ways:

  • External assessment, by an independent external organisation, which has existing cybersecurity assessment experience, and individual assessors who have relevant security industry certification(s). Deloitte can help you with the external assessment, or
  • Internal assessment, by a user’s second or third line of defense function (such as compliance, risk management or internal audit) or its functional equivalent [as appropriate], which is independent from the first line of defense function that submitted the attestation (such as the CISO office) or its functional equivalent [as appropriate]. As per external assessors, those undertaking the assessment work should possess recent and relevant experience in the assessment of cyber-related security controls.

Last, separate and distinct from the above two categories, SWIFT also reserves the right to seek independent external assurance to verify the veracity of their self-attestation, as outlined in the Customer Security Controls Policy (CSCP). These are called “SWIFT-Mandated assessments”.

SWIFT-Mandated assessments must cover all SWIFT mandatory controls applicable to the user’s architecture type as defined in the version of the CSCF applicable at the time the assessment is conducted, even if the assessment request relates to an attestation submitted under a prior version of the CSCF.

The SWIFT Customer Security Controls Framework is built up out of 3 objectives and 7 strategic security principles. The framework is applicable to four types of SWIFT user architectures, titled A1, A2, A3, A4 and B. SWIFT users must first identify which architecture applies to them before implementing the applicable controls.

Deloitte SWIFT Customer Security Program experience
Download the brochure

SWIFT CSP controls scope

The diagram below depicts the scope of the customer security controls framework.

The scope of the SWIFT security controls is limited to the local SWIFT infrastructure and operator PCs (also referred to as the “secure zone”) and the connection to and from the secure zone. This includes the connection between the secure zone (1) operators, and (2) the back office or middleware. Depending on your set-up and applicable architecture, the scope may vary in size.

We help clients to establish controls and processes around their most sensitive assets, balancing the need to reduce risk, while also helping to enable productivity, business growth, and cost optimization objectives.

SWIFT Systems and the SWIFT Customer Security Program
Download the brochure

More information on the CSP CSCF is available here.

SWIFT CSP Changes in 2021

What is the impact of the updates of the 2021 version of the CSCF on your financial organization

The SWIFT Customer Security Program was created to set the bar of cyber security for the financial services industry, following a series of cyber heists. In this article, we look at the most recent changes that were made to the Customer Security Control Framework (CSCF) in order to maintain an up-to-date cyber security maturity in the financial industry. You may have some questions around this. How do the 2021 changes to the CSCF affect your organization? What are the updates to the CSCF in 2021? When will we have to attest against the 2021 CSCF?
In this article we will have a more detailed look at what these changes are and how it affects your organization.

History of the Customer Security Controls Framework

The customer security Controls Framework (CSCF) has gradually evolved over the past years. In a few years’ time, the framework has emerged from including 27 controls in 2017, to 31 controls in 2021. Moreover, every year the number of mandatory controls increased. Typically, there is a period of 18 months to understand and implement future changes to the framework. More specifically, the new version of the CSCF was released in June 2020 and compliance is expected by December 2021. In addition, the CSCF change management process allows a phased approach: new mandatory controls or scope extensions are typically first introduced as advisory and only thereafter as mandatory.

Over time, more controls will transform to mandatory controls and will have to be implemented. Therefore, we advise you to already start testing your readiness of those controls. By doing this, there is the added value of improving the maturity of the controls before they actually become mandatory. This avoids non-compliance with the Customer Security Program in the future.

Changed to be taken into account for your organization:

1. Significant scope change

The scope of control 4.2 was significantly changed as multi-factor authentication is also to be presented when accessing, at least for transaction processing, a SWIFT related service, application or component operated by a service provider (such as a service bureau, an L2BA provider or intermediate actor). This means that authentication to any application used for SWIFT transaction processing, now requires multi-factor authentication.

2. New architecture types

One of the most significant changes of the updated version of the CSCF is the new architecture type: Type A4. The most important change here is that organizations that define themselves as an A4 type architecture, don't create a separate secure zone.

3. Advisory controls that are promoted to mandatory

Control 1.4 about the restriction of internet access has been promoted to a mandatory control for all infrastructure types. Direct access to the Internet raises exposure to internet-based attacks. Risk is even higher in case of human interactions (browsing, emails or other social network activities being permitted). Therefore, general purpose and dedicated operator PCs as well as systems within the secure zone have controlled direct internet access in line with business requirements.

4. Scope update and clarifications

The scope of 6 controls were extended with, for most cases, the (customer) connector. SWIFT has also clarified the definition of the ‘connector’: “Embed middleware/MQ servers and API end points when used to connect or transmit transactions to service providers or SWIFT Differentiate SWIFT related connectors (such as SIL, DirectLink, AutoCLient)”.
Additionally, an explicit reference was added to remote (externally hosted or operated) virtualisation platform to foster attention when engaging with a third party or moving to the cloud under requirement 1.3.

The SWIFT CSP controls

How confident are you in the effectiveness of your last self-declaration?

We propose that you begin your journey by performing a gap assessment to fully understand your current situation towards current and future (advisory controls may become mandatory) requirements and assessment framework. This could help you to better identify and plan your projects to ensure you’ll be compliant by the given date. Doing a gap assessment evaluating the design, implementation, and operating effectiveness of your control environment would also help to prevent your first independent assessment revealing unexpected non-compliant controls.