Since its introduction in 2017, the Customer Security Controls Framework (CSCF) has aimed to strengthen the security of the SWIFT network. The aim is to reduce the risk of cyberattacks and minimize the impact of fraudulent transactions. To prevent potential vulnerabilities and security risks, the security of an organization's SWIFT infrastructure and SWIFT systems is thoroughly reviewed in an annual mandatory SWIFT assessment.
The current version of the framework, CSCFv2025, contains an important change. It affects SWIFT customers who are part of architecture type B and use a “customer client connector”. Together with Lea Wachter, Senior Consultant at usd AG and auditor for international security standards, we took a closer look at the changes:
Who Is Affected?
The change to the framework affects companies that are in architecture type B. Within this group, a distinction is made between two cases:
- If a company operates an application-to-application flow and uses a client connector to connect to a SWIFT service provider or directly to SWIFT, the current version of the framework has an impact on the architecture type and thus on the controls that must be met.
- If an organization only connects directly to its SWIFT service provider or to SWIFT via user-to-application flows (e.g. using a browser-based GUI) without application-to-application flows, this organization is not affected by the change.
Gradual Adjustment of the Scope of Application for All Types of Customer Connectors
To ensure that SWIFT connections continue to run smoothly, all customer client connectors are gradually being classified as customer connectors. This applies to all applications or systems that are connected to SWIFT directly or via a third-party provider. It is therefore no longer relevant whether the endpoint is a server or a client.
In the first step, it is advised to include customer client connectors in the scope. This includes endpoints such as API consumers, middleware or data transfer clients. With the upcoming CSCFv2026, the requirements for customer client connectors are to become mandatory. This means that companies that use a customer client connector and were previously subject to architecture type B will have to switch to architecture type A4.
The change of architecture type will result in the application of new controls for SWIFT assessments starting in June 2025:
- 1 new mandatory control:
| Control Number | Security Control |
|---|---|
| 1.5 | Customer Environment Protection |
- 4 new advisory controls:
| Control Number | Security Control |
|---|---|
| 2.5A | External Transmission Data Protection |
| 6.2 | Software Integrity |
| 6.3 | Database Integrity |
| 6.5A | Intrusion Detection |
- 3 previously advisory controls that will become mandatory in the future:
| Control Number | Security Control |
|---|---|
| 1.2 | Operating System Privileged Account Control |
| 1.3 | Virtualisation or Cloud Platform Protection |
| 2.7 | Vulnerability Scanning |
Controls that list the customer client connector as an “in-scope component” will also become relevant. These include:
- 15 mandatory controls:
| Control Number | Security Control |
|---|---|
| 1.2 | Operating System Privileged Account Control |
| 1.3 | Virtualisation or Cloud Platform Protection |
| 1.4 | Restriction of Internet Access |
| 1.5 | Customer Environment Protection |
| 2.2 | Security Updates |
| 2.3 | System Hardening |
| 2.6 | Operator Session Confidentiality and Integrity |
| 2.7 | Vulnerability Scanning |
| 3.1 | Physical Security |
| 4.1 | Password Policy |
| 4.2 | Multi-Factor Authentication |
| 5.1 | Logical Access Control |
| 5.4 | Password Repository Protection |
| 6.1 | Malware Protection |
| 6.4 | Logging and Monitoring |
- 2 advisory controls:
| Control Number | Security Control |
|---|---|
| 5.3A | Staff Screening Process |
| 7.3A | Penetration Testing |
It is important to note that for the 15 mandatory controls, only the system component "customer client connector" is to be considered “advisory” until the publication of CSCFv2026. All other in-scope components of the aforementioned controls are already “mandatory” and must therefore be fulfilled.
Do you have any questions or need support with your upcoming SWIFT assessment? Contact us, we will be happy to help.
