Fighting cybercriminals with the updated SWIFT CSP

in Regulatory/Compliance, Technology, 23.10.2019

In recent years, sophisticated cybercriminals have managed to compromise several banks’ computer networks, learn their payment processes, and gain access to the relevant IT credentials—ultimately being able to send fraudulent payment instructions over the SWIFT financial messaging network.

The worst case so far was in 2016, when thieves successfully stole over US$81 million from a South Asian central bank. More banks have unfortunately fallen victim to similar attacks since then, including one alleged case in an EU member state in 2019.

This challenging cyber threat landscape has led SWIFT to launch the Customer Security Programme (CSP) which intends to help its user community increase its cyber defences by implementing specific security requirements.

In Luxembourg, the local supervisory bodies have recommended to members of the local association of SWIFT users to seriously consider the adoption of the CSP and its framework to protect their SWIFT systems.

What are the requirements?

The security requirements to be implemented are set forth in the SWIFT Customer Security Controls Framework (CSCF), which specifies detailed implementation guidelines. At a high level, the requirements can be described as follows:


It should be noted the CSCF has been recently updated for the second year in a row (“v2020” published in July 2019). In particular, these regular updates seek to raise the bar by making certain advisory controls mandatory: two controls were made mandatory following last year’s update, and there are two more this year.

What must a user do to comply?

SWIFT users should perform an annual assessment of their security environment against the CSCF requirements (unless material changes occur). As from 2020, significant changes will take place and the users will be required to perform one of the following types of assessment:

Graph 2

Indeed, as from mid-2020, it will no longer be possible to resort to self-assessment or advice, and all users will be obligated to perform independent assessments. The objective is to increase the accuracy and consistency of assessments.

Once the assessment has been completed, SWIFT users need to report their compliance status to SWIFT via the KYC Registry Security Attestation Application in order to provide transparency.

What if a user does not comply?

Failure to submit self-attestation is visible to all counterparties
Details of a user’s compliance with individual CSCF controls are by default restricted from that user’s counterparties in the KYC Registry Security Attestation Application, unless specific access is granted by the user. However, the presence or absence of a submission is visible to the counterparties.

SWIFT can report a user’s non-compliance to local supervisory bodies
Since the beginning of 2018, SWIFT has been able to report a user’s (or its service provider’s) late or missing submission from the first self-attestation to supervisory bodies. For Luxembourg banks, these are the CSSF, the Central Bank of Luxembourg, and/or the European Central Bank.

Since 2019, SWIFT has also been able to report a user’s failure to fully comply with the CSCF mandatory security controls to local supervisory bodies. Therefore, it is imperative for any issues identified in an assessment to be addressed quickly.

SWIFT can report a user’s non-compliance to messaging counterparties
For those without a direct supervisory body (e.g. a large corporate with a treasury department), SWIFT can report the user’s (or its service provider’s) non-compliance status to their messaging counterparties instead.

What does this mean for users now?

The ongoing programme developments made by SWIFT, the upcoming obligation to perform independent assessments, the recommendations of local supervisory bodies, and the seriousness of incidents involving payment systems, suggest that executive management should ensure that initiatives are in place. These initiatives must be proportionate to their organization’s risk appetite in order to identify control gaps in local SWIFT environments and establish plans to implement or reinforce the controls.

Need a hand?

KPMG can help in a number of ways, including internal assessment support, external assessment, and remediation services. Please visit our website or contact me to find out more.

Next up on the KPMG Blog

Leave a Reply

This blog is pre-moderated which means that all comments are reviewed by a moderator before they appear. KPMG reserves the right not to publish any comments made.