usd AG Offers Assessment according to SWIFT Customer Security Controls Framework (CSCF)

8. July 2021

SWIFT has become an integral part of international payment traffic. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a global member-owned cooperative that provides secure financial messaging services to its community of 11,000 banks and financial institutions.

SWIFT Customer Security Programme

In response to the cyber attack on the Bangladesh Bank in 2016, SWIFT developed the Customer Security Programme (CSP). The requirements of the CSP are intended to strengthen the security of the global banking system and actively support customers in the fight against cyber attacks. In addition, the CSP aims to improve the exchange of information within the community and boost endpoint security.

SWIFT Customer Security Controls Framework

Based on these security requirements, SWIFT developed a set of control guidelines that all companies connected to the network must comply with: the Customer Security Controls Framework (CSCF).

The CSCF consists of mandatory and advisory controls. The ever-increasing requirements for security in the financial sector lead to a continuous adaptation of the CSCF to the current situation. The CSCF has evolved to include 22 mandatory and nine advisory controls against which customers need to attest.

What are the requirements for SWIFT members?

According to the CSCF, SWIFT members are required to provide annual confirmation of their compliance with all mandatory controls to SWIFT. In the past, banks and financial institutions could provide this proof through a "user initiated assessment" in form of a self-assessment.

For quality assurance reasons, however, an important change was made in 2020 with regard to this proof of compliance: According to the Independent Assessment Framework (IAF), all members will be required to provide evidence through an independent assessment in the future. This can be performed by external auditors as well as by internally independent persons with appropriate expertise (e.g. internal auditors).

How we support you with your assessment

"At usd, we combine many years of auditing experience in the payment industry with extensive know-how in regulatory projects in the financial sector. This means that we have the best qualifications to support our customers in SWIFT audits as well. I am therefore glad that we are now officially listed as a partner in SWIFT's CSP Assessment Providers Directory.*" announces Anna Magdalena-Kohl, Team Lead Sales Security Audits & PCI.

Our tips for a good preparation towards the assessment:

  1. Determine the desired type of assessment at an early stage: by an external auditor or through internal auditing.
  2. If an external auditor has been chosen, start looking for a suitable partner in time and involve him or her in the preparation at an early stage.
  3. Prepare yourself sufficiently for the assessment. In an independent assessment, whether by an internal audit or an external auditor, stricter requirements will usually be placed on processes and documentation than with self-certification. A gap analysis or a short workshop to compare the implemented processes and the CSCP controls can be a good start.

You need support in preparing or would like us to lead the assessment? Contact us, we will be happy to help.

*SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory and SWIFT customers are not required to use providers listed in the directory

Also interesting:

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Bafin Publishes 9th Amendment to MaRisk

Bafin Publishes 9th Amendment to MaRisk

On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: Following the consultation phase, the German Federal Financial Supervisory Authority (Bafin) published the 9th amendment to its Minimum Requirements...

usd AG Listed as EPI Partner for Mobile Security Evaluations

usd AG Listed as EPI Partner for Mobile Security Evaluations

The popularity of mobile payments is growing, and with it, the demand for verified security. usd AG is expanding its activities in the EPI environment and will also conduct Mobile Security Evaluations in the future. This places us among the few EPI-listed Security...

Categories

Categories