usd AG Offers Assessment according to SWIFT Customer Security Controls Framework (CSCF)

8 July 2021

SWIFT has become an integral part of international payment traffic. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a global member-owned cooperative that provides secure financial messaging services to its community of 11,000 banks and financial institutions.

SWIFT Customer Security Programme

In response to the cyber attack on the Bangladesh Bank in 2016, SWIFT developed the Customer Security Programme (CSP). The requirements of the CSP are intended to strengthen the security of the global banking system and actively support customers in the fight against cyber attacks. In addition, the CSP aims to improve the exchange of information within the community and boost endpoint security.

SWIFT Customer Security Controls Framework

Based on these security requirements, SWIFT developed a set of control guidelines that all companies connected to the network must comply with: the Customer Security Controls Framework (CSCF).

The CSCF consists of mandatory and advisory controls. Because security requirements in the financial sector keep rising, the CSCF is revised continually to reflect the current threat situation. The CSCF has evolved to include 22 mandatory and nine advisory controls against which customers need to attest.

What are the requirements for SWIFT members?

According to the CSCF, SWIFT members are required to confirm to SWIFT annually that they comply with all mandatory controls. In the past, banks and financial institutions could provide this proof through a "user initiated assessment" in the form of a self-assessment.

For quality assurance reasons, however, an important change to this proof of compliance was made in 2020: under the Independent Assessment Framework (IAF), all members will in future be required to provide evidence through an independent assessment. This can be performed by external auditors as well as by internally independent persons with appropriate expertise (e.g. internal auditors).

How we support you with your assessment

"At usd, we combine many years of auditing experience in the payment industry with extensive know-how in regulatory projects in the financial sector. This means that we have the best qualifications to support our customers in SWIFT audits as well. I am therefore glad that we are now officially listed as a partner in SWIFT's CSP Assessment Providers Directory.*" announces Anna Magdalena-Kohl, Team Lead Sales Security Audits & PCI.

Our tips for good preparation for the assessment:

  1. Decide at an early stage which type of assessment you want: by an external auditor or through internal audit.
  2. If you choose an external auditor, start looking for a suitable partner in good time and involve them in the preparation early on.
  3. Prepare thoroughly for the assessment. In an independent assessment, whether by internal audit or an external auditor, stricter requirements will usually be placed on processes and documentation than with self-certification. A gap analysis or a short workshop comparing the implemented processes with the CSCF controls can be a good start.

Do you need support with preparation, or would you like us to lead the assessment? Contact us; we will be happy to help.

*SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory, and SWIFT customers are not required to use providers listed in the directory.
