The SWIFT Customer Security Controls Framework (CSCF) is a key global cybersecurity framework that provides recommended and mandatory security controls for banking institutions that use the SWIFT banking system. The framework is designed to help financial institutions improve their cyber resilience and ensure that participants within the SWIFT network adhere to a stringent set of security compliance standards.
What is the SWIFT system?
The SWIFT banking system, commonly known as SWIFT, was developed by the Society for Worldwide Interbank Financial Telecommunication as a global messaging network for banks and financial institutions to securely transmit information and instructions through a standardized system of codes. Established in 1973, SWIFT facilitates international transactions by providing a reliable, secure, and standardized way for financial institutions to communicate.
SWIFT is a member-owned cooperative that serves over 11,000 financial institutions in more than 200 countries, making it the largest payment network in the world. The SWIFT network handles millions of financial transactions every day, ensuring that money moves smoothly and securely across borders.
Overview of SWIFT CSCF
Because the financial services industry is one of the most targeted sectors in the world, SWIFT launched the SWIFT Customer Security Controls Framework (CSCF) in 2016 to help banking organizations around the world strengthen their cyber defenses. The framework is updated annually to account for changing threat landscapes and environments.
The CSCF is an essential part of SWIFT’s Customer Security Programme (CSP), which was launched in 2017. SWIFT CSP aims to help SWIFT users build stronger cybersecurity programs, defend against cyber threats, and establish baseline security controls for financial organizations. The CSCF provides a set of mandatory and advisory security controls that all users of the SWIFT network must implement.
Key objectives of SWIFT CSCF
As of 2024, SWIFT CSCF v2024 is centered around three main objectives, which are broken down into seven overall principles:
1. Secure your environment
- Restrict Internet Access and Protect Critical Systems from General IT Environment
- Reduce Attack Surface and Vulnerabilities
- Physically Secure the Environment
2. Know and limit access
- Prevent Compromise of Credentials
- Manage Identities and Segregate Privileges
3. Detect and respond
- Detect Anomalous Activity to Systems or Transaction Records
- Plan for Incident Response and Information Sharing
SWIFT CSCF Security Controls
SWIFT CSCF v2024 outlines 32 security controls, which include 25 mandatory controls and 7 advisory controls that cover a wide range of security measures. These controls are designed to protect the confidentiality, integrity, and availability of financial transactions.
These security controls include:
Note: Controls whose number carries an “A” suffix (for example, 2.4A) are advisory controls; all others are mandatory.
1. Restrict Internet Access and Protect Critical Systems from General IT Environment
- 1.1 SWIFT Environment Protection
- 1.2 Operating System Privileged Account Control
- 1.3 Virtualisation or Cloud Platform Protection
- 1.4 Restriction of Internet Access
- 1.5 Customer Environment Protection
2. Reduce Attack Surface and Vulnerabilities
- 2.1 Internal Data Flow Security
- 2.2 Security Updates
- 2.3 System Hardening
- 2.4A Back Office Data Flow Security
- 2.5A External Transmission Data Protection
- 2.6 Operator Session Confidentiality and Integrity
- 2.7 Vulnerability Scanning
- 2.8 Outsourced Critical Activity Protection
- 2.9 Transaction Business Controls
- 2.10 Application Hardening
- 2.11A RMA Business Controls
3. Physically Secure the Environment
- 3.1 Physical Security
4. Prevent Compromise of Credentials
- 4.1 Password Policy
- 4.2 Multi-Factor Authentication
5. Manage Identities and Segregate Privileges
- 5.1 Logical Access Control
- 5.2 Token Management
- 5.3A Staff Screening Process
- 5.4 Password Repository Protection
6. Detect Anomalous Activity to Systems or Transaction Records
- 6.1 Malware Protection
- 6.2 Software Integrity
- 6.3 Database Integrity
- 6.4 Logging and Monitoring
- 6.5A Intrusion Detection
7. Plan for Incident Response and Information Sharing
- 7.1 Cyber Incident Response Planning
- 7.2 Security Training and Awareness
- 7.3A Penetration Testing
- 7.4A Scenario-based Risk Assessment
SWIFT security attestations
To ensure compliance with the CSCF, SWIFT requires all users to submit an annual security attestation. This attestation involves a self-assessment against the mandatory controls outlined in the CSCF. The results are then shared with SWIFT and can be accessed by other SWIFT users, promoting transparency and accountability within the community. Each year, all SWIFT users must complete the re-attestation process between July and December using the KYC-Security Attestation application (KYC-SA).
The attestation process has several purposes:
- Verification: It verifies that financial institutions have implemented the necessary controls to secure their SWIFT environment.
- Awareness: It raises awareness within institutions about their security posture and areas that may require improvement.
- Benchmarking: It allows institutions to benchmark their security controls against industry standards and peers.
Additionally, all SWIFT members must have their attestation independently assessed, by either an internal or an external assessor, under the Independent Assessment Framework (IAF) as part of the attestation process. The assessment ensures that each institution's attestation is accurate and that the mandatory controls are actually in place. Failure to conduct the independent assessment is itself considered non-compliance with SWIFT CSCF.
Institutions can choose to use an external party to conduct their SWIFT CSP Assessment. Compliance solutions like UpGuard can help financial organizations meet their compliance standards and adhere to mandatory frameworks like SWIFT CSCF.
How to comply with SWIFT CSCF
Complying with the SWIFT CSCF involves several key steps:
- Understand the controls: Financial institutions must thoroughly understand the mandatory and advisory controls outlined in the CSCF.
- Conduct a gap analysis: Assess the current security posture against the CSCF controls to identify any gaps or areas for improvement.
- Implement the controls: Develop and execute a plan to implement the necessary controls, addressing any identified gaps.
- Continuous monitoring and review: Regularly monitor and review the implemented controls to ensure they remain effective and up-to-date against evolving threats.
- Annual attestation: Complete the annual security attestation, documenting compliance with the mandatory controls and identifying any deviations.
Penalties for non-compliance with SWIFT CSCF
SWIFT members are considered non-compliant if they fall into any of the following categories:
- Failure to submit a valid attestation, or an existing attestation that has expired
- Failure to comply with the mandatory controls
- Connected through a non-compliant service provider
- Failure to complete a SWIFT-mandated independent assessment
Non-compliance with the SWIFT CSCF can result in several significant penalties and consequences, impacting a financial institution's operations and reputation:
- Increased risk of cyber attacks: Institutions that do not comply with CSCF controls are more vulnerable to cyber attacks, which can lead to financial losses, data breaches, and operational disruptions.
- Reputational damage: Failure to comply with SWIFT CSCF can affect an institution's reputation within the financial community. Other institutions may be reluctant to engage in transactions with a non-compliant entity.
- Restricted access to the SWIFT network: SWIFT may impose restrictions or limitations on a non-compliant institution's access to the SWIFT network, hindering its ability to conduct international transactions and communicate securely with other financial entities.
- Financial penalties: Non-compliance can result in financial penalties from regulatory bodies or SWIFT itself. These penalties can be substantial and impact the institution's financial health.
- Report to local authorities: Regulatory bodies and SWIFT may report non-compliant institutions to local authorities for further investigation. This can lead to more frequent audits and reviews to determine if the institution is in violation of other regulatory laws. As a result, the institution may incur additional operational costs or monetary fines to deal with compliance issues.