Since 2017, the Customer Security Controls Framework (CSCF) has been helping organizations to effectively secure their SWIFT infrastructure. The aim is to reduce cyber risks and to detect and stop fraudulent transactions at an early stage.
SWIFT users must demonstrate annually that they meet the CSCF requirements. The basis for this is an independent SWIFT assessment. This confirms that the organization's SWIFT infrastructure and connected systems are effectively and reliably protected against potential threats and vulnerabilities.
With the latest update to the framework, CSCFv2026, SWIFT has introduced key changes and significant improvements. Together with our colleague Najim Quraishi, Managing Security Consultant at usd AG and auditor for international security standards, we provide you with an overview of the most important new features. Knowing these now gives you an advantage – both in the upcoming SWIFT assessment according to CSCFv2025 and in the subsequent transition phase until your next SWIFT assessment in 2026.

What changes does CSCFv2026 introduce?
CSCFv2026 builds incrementally on the previous version. As announced in CSCFv2025, control 2.4 “Back Office Data Flow Security” is now mandatory in CSCFv2026.
This means that the customer client connector (e.g., API users, middleware, or file transfer clients) is classified as a mandatory component for several controls. Every endpoint that is indirectly connected to SWIFT via shared resources from service providers is now considered a customer connector, regardless of whether it is server- or client-based.
This may cause institutions that were previously certified according to architecture type B to be reclassified as type A4 if customer connectors are used. Details on the implications and reclassification can be found in our previous article “SWIFT CSCFv2025: Current Version of the Framework Brings Changes for Architecture Type B”.
The following controls list the Customer Connector as an in-scope component and are classified as mandatory with the introduction of CSCFv2026:

| Control Number | Security Control |
|---|---|
| 1.2 | Operating System Privileged Account Control |
| 1.3 | Virtualisation or Cloud Platform Protection |
| 1.4 | Restriction of Internet Access |
| 2.2 | Security Updates |
| 2.3 | System Hardening |
| 2.6 | Operator Session Confidentiality and Integrity |
| 2.7 | Vulnerability Scanning |
| 3.1 | Physical Security |
| 4.1 | Password Policy |
| 4.2 | Multi-Factor Authentication |
| 5.1 | Logical Access Control |
| 5.4 | Password Repository Protection |
| 6.1 | Malware Protection |
| 6.4 | Logging and Monitoring |

Alliance Connect instances are also among the components that fall within the scope of the framework.
Why should you start thinking about CSCFv2026 now?
Your current SWIFT assessment is carried out in accordance with CSCFv2025. Nevertheless, we recommend that you familiarize yourself with the changes in the new CSCFv2026 and take them into account. Why? By making use of the transition phase, you can plan with certainty and avoid any last-minute surprises.
Our tip: Conduct a gap analysis according to CSCFv2026 in parallel to your current assessment. This will allow you to identify at an early stage whether your architecture is affected and whether a reclassification to architecture type A4 is necessary. This gives you the opportunity to implement major adjustments strategically and without time pressure.
Do you have any questions or need support with your upcoming SWIFT assessment? Contact us, we will be happy to help.



