SWIFT audit: preparing your annual compliance assessment
Discover the new controls to apply and our experts' advice for succeeding in the 5 key steps of your annual SWIFT CSP assessment, with I-TRACING's SWIFT-certified assessors available in Europe, North America and Asia (China, Hong Kong, Malaysia).

What is the SWIFT CSP Security program?
Founded in 1973, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) is the global messaging network used by banks and financial institutions. It enables these organizations to carry out international payments and currently serves over 11,000 users worldwide.
SWIFT network: securing financial transactions globally
Every day, the SWIFT network processes millions of payment instructions, purchase orders, and other transactions, significantly speeding up financial transactions worldwide.
However, this widespread use also makes the SWIFT network a prime target for cybercriminals. In 2018, the North Korean hacking group Lazarus exploited the SWIFT network to steal over $80 million from the Bangladesh Bank. In the face of the cyber threats targeting financial institutions, the SWIFT Customer Security Program (CSP) requires network members to undergo an annual independent security audit to assess the security of their systems.
Purpose of the Customer Security Program (CSP) SWIFT
The SWIFT Customer Security Programme (CSP) helps financial institutions ensure their cyberdefenses are up to date and effective. This contributes to protecting the integrity of the financial network globally. In practice, users of SWIFT solutions and platforms compare the security measures they have implemented with those detailed in the Customer Security Controls Framework (CSCF). An independent assessor evaluates and certifies their level of compliance in a mandatory annual SWIFT audit.
What is a SWIFT audit?
Understanding the SWIFT Customer Security Controls Framework (CSCF)
One of the key factors for a successful mandatory annual SWIFT audit is preparation, particularly understanding the structure of the customer security control framework (CSCF).
The SWIFT CSP’s CSCF is built around three main objectives designed to prevent, monitor, and respond to cyberattacks. From these objectives come seven security principles, which serve as practical operational security recommendations:
Objective 1 – Secure your environment
- Restrict Internet access and protect critical systems from the general IT environment
- Reduce attack surface and vulnerabilities
- Physically secure the environment
Objective 2 – Know and limit access
- Prevent compromise of credentials
- Manage identities and segregate privileges
Objective 3 – Detect and respond to cyberattacks
- Detect anomalous activity to systems or transaction records
- Plan for incident response and information sharing
Adapting SWIFT CSP audit controls based on your deployment architecture
From the 7 security principles outlined above, a list of controls is drawn up each year. The total number of controls, both advisory and mandatory, also increases steadily. For the 2025 SWIFT audit exercise, the CSCF includes 32 controls, of which 25 are mandatory. These mandatory controls set a baseline security standard for the entire SWIFT community and must be implemented by all users within their local infrastructure. The advisory controls represent best practices recommended for all users.
The scope and evaluation criteria vary depending on the SWIFT service deployment architecture chosen by each financial institution:
- Architecture A1: you own the SWIFT communication interface (and, generally, the messaging interface too)
- Architecture A2: you only own the SWIFT messaging interface, but not the communication interface
- Architecture A3: you use a SWIFT connector in your environment to access the SWIFT services or an interface hosted by a service provider.
- Architecture A4: within your environment, you use a system running a software application to establish an external connection to an interface, application, or solution related to SWIFT hosted by a service provider.
- Architecture B: you do not use any specific SWIFT components in your environment. Instead, you access SWIFT services through an application or back-office system managed by a service provider.
How to prepare for your SWIFT audit
Getting ready ahead of your annual SWIFT assessment
- Implement the SWIFT CSCF’s security controls: The updated Customer Security Controls Framework (CSCF) is published every July 1st, six months before it comes into effect on January 1st of the following year. This gives you ample time to review and adapt your security measures to comply with the latest SWIFT CSCF controls.
- Conduct an internal SWIFT audit: Similar to a standard internal audit, this is carried out by your company’s Audit department and is independent from the external body that issues the official CSP SWIFT compliance certification. This internal review helps you identify your current compliance status against the 32 CSCF security controls well in advance.
Updates in the SWIFT CSCF
Discover what optional controls are becoming mandatory this year and details of the new controls added to the SWIFT CSCF v2025.
Preparing for the external auditor’s visit for your SWIFT assessment
Per the CSP SWIFT requirements, your annual assessment must be performed by an independent SWIFT-certified service provider who will conduct a compliance audit against the 32 controls listed in the SWIFT CSCF. To ensure a smooth and successful audit, and facilitate the auditor’s evaluation, you should prepare the following in advance:
- Complete SWIFT documentation: Make sure all documentation related to your SWIFT infrastructure is current and easy to access. This includes your SWIFT architecture diagrams, security policies, standard operating procedures, and system configurations.
- Inventory of SWIFT assets: Keep a detailed inventory of all assets falling within the SWIFT audit’s scope, including servers, software, and security devices in place.
- Staff training: Ensure that all personnel involved in using SWIFT are well-trained and fully aware of the current security policies and procedures. Proper training not only strengthens their ability to perform their roles securely but also prepares them to confidently respond to auditor questions during the evaluation. Well-prepared staff will provide clear, precise information, demonstrating your organization’s commitment to SWIFT security and compliance.
How does a SWIFT audit work?
The 5 key steps of your SWIFT audit
The SWIFT assessment process involves several important stages:
- Step 1: Defining the scope of the SWIFT Assessment
Based on your SWIFT documentation and inventory of SWIFT-related assets, the assessor will determine the scope of the evaluation to ensure adequate coverage for evidence gathering. This includes understanding the architecture, processes, and procedures of SWIFT users, as well as preparing a detailed work scope.
💡Our tip: To make the process smoother, have all relevant documentation ready in advance.
- Step 2: Reviewing the SWIFT user environment
At this stage, all necessary business and technical evidence will be collected to verify that controls are properly implemented. The auditor will interview both business and technical SWIFT users and develop a testing plan.
💡Our tip: Make sure the relevant stakeholders are available during this phase and fully aware of the controls they are responsible for.
- Step 3: Compliance Testing
After reviewing the evidence and carrying out the testing plan, the assessor will determine your level of compliance with the controls.
- Step 4: Evaluation Report
The auditor will provide you with a draft evaluation report, which you can review and discuss to ensure all data is accurate. The goal is to secure your formal approval and resolve any disagreements.
- Step 5: Post-Evaluation Activities
Finally, the assessor will deliver additional documentation and wrap up any post-assessment tasks, including issuing a completion letter. If agreed beforehand, the auditor can also assist you with preparing the annual SWIFT audit attestation in the KYC-SA application.
Updates and changes in the SWIFT CSCF v2025
None of the 2024 advisory controls or scope components will become mandatory in the 2025 controls currently in effect. However, please note the following key points:
- Control 2.4A, “Back Office Data Flow Security”, will gradually become mandatory. While it remains advisory in 2025, SWIFT recommends that you start preparing a prioritization plan for the identified data flows between the user’s secure zone and the back office. This plan should be based on your security posture and a risk-based approach.
- In 2026, this control will become mandatory for protecting bridge servers, flows between link servers themselves, and flows to the user’s secure zone. The same will apply to new direct flows between the user’s secure zone and the back office.
- Mandatory protection for legacy direct flows between the user’s secure zone and the back office is scheduled for 2028.
- All user endpoints that connect indirectly to SWIFT, whether servers or client devices, will progressively be classified as client connectors.
Starting in 2026, client connectors — such as terminals using APIs, middleware, or client file transfer software — will become mandatory components within the scope of several controls (1.2, 1.3, 1.4, 2.2, 2.3, 2.6, 2.7, 3.1, 4.1, 4.2, 5.1, 5.4, 6.1, 6.4).
For some users who previously attested to having a Type B architecture, this change will require them to attest to a Type A4 architecture (i.e., a higher level) when using a client connector.
As a reminder, SWIFT CSCF v2024 introduced the following changes:
- Control 2.3, “System Hardening”, now includes requirements for USB port protection.
- Due to the growing use of cloud service and hosting organizations — and even outsourcing of IT systems — control 2.8, “Outsourced Critical Activity Protection”, became mandatory in the SWIFT CSP audit.
- Control 2.9, “Transaction Business Controls”, now allows transaction controls to be performed outside the secure zone.
- Control 7.4, which covers risk assessment by scenario, permits the use of existing risk management processes.
Get your annual SWIFT audit with I-TRACING
How to choose your SWIFT CSP certified auditor?
All members of the SWIFT network are required to carry out an annual assessment by an independent provider. SWIFT members can choose a provider, such as I-TRACING, that is listed in SWIFT's directory of certified assessment providers.
Rely on I-TRACING for your annual SWIFT CSP audit
As every year, the SWIFT audit exercise starts on July 1st and runs until December 31st. Contact our SWIFT certified assessors to carry out your SWIFT audit before the end of the year. Thanks to our presence in Europe (France, Switzerland, United Kingdom), North America (Canada) and Asia (China, Hong Kong, Malaysia), I-TRACING can carry out your SWIFT audit anywhere in the world.
Since the SWIFT audit can be integrated into a more general audit, our I-TRACING experts also assist you in deploying best practices and cybersecurity solutions.
Let's talk!
Want us to run your SWIFT-certified evaluation? Please get in touch. We'll be glad to help you out.