Keeping compliant with the SWIFT CSP 2022

Control 2.9 - Here's what you need to know

In response to the increasing and complex nature of fraud and financial crime attacks across our community, SWIFT launched the Customer Security Programme (CSP) in 2016. This programme was introduced to protect organisations and the entire SWIFT ecosystem from internal and external bad actors. The SWIFT CSP is updated annually to align with the evolving threats, and this year is no different. control 2.9 has been promoted from advisory to mandatory to mitigate the global increased risk of payment fraud.

SWIFT CSP in a nutshell

In response to the increasing and complex nature of fraud and financial crime attacks across our community, SWIFT launched the Customer Security Programme (CSP) in 2016. This programme was introduced to protect organisations and the entire SWIFT ecosystem from internal and external bad actors. The SWIFT CSP is updated annually to align with the evolving threats, and this year is no different.

What’s new for 2022?

The SWIFT Customer Security Control Framework (CSCF) v2022 comprises 32 controls, of which 23 are mandatory and 9 are advisory. Notably, there is one new advisory control (1.5A Customer Environment protection) and one control has been promoted from advisory to mandatory (2.9 Transaction Business controls).

With the global losses of payment fraud tripling from $9.84 billion in 2011 to $32.39 in 2020, and forecast to exceed $40 billion by 2027, control 2.9 is needed to mitigate the increased risk of payment fraud.

However, with all the noise and speculation surrounding control 2.9, we’re here to clarify what it entails and why it’s important to you and your organisation.

A deep dive into the new mandatory control 2.9

In a bid to protect the SWIFT network, all users must now implement effective detection, prevention, and validation solutions to ensure that their transactions occur within the bounds of normal business activities.

This is a significant change for the entire financial services community as it addresses the seriousness of the threat landscape and provides a solution for organisations to stay one step ahead of fraudsters. This is especially important as fraudsters are increasingly using machine learning (ML) to camouflage their fraudulent schemes under the guise of normal business activity.

SWIFT’s definition of Control 2.9 ‘ensure outbound transaction activity within the expected bounds of normal business’

But what is ‘normal’ business?

This is a difficult question to define, but what’s certain is that there isn’t a simple or blanket answer. Instead, defining normal business must be done on an organisation-by-organisation basis.

Here’s how can we help

Our Secure Payments CSP solution is designed to understand your business by monitoring user activities to build a clear and complete picture of normal behaviour. In addition to using machine learning and rule-based analysis to provide real-time alerts of suspicious payments made on the SWIFT network.

Secure Payments CSP ensures transactions are conducted within the expected bounds and limits. You can...

• Use machine learning, business rules and behaviour profiling to monitor transaction and user activity.
• Identify threats in real-time to review and stop suspicious transactions before they leave your business.
• Monitor, alert and stop anomalous actions on the SWIFT network. • learns and adapts to emerging threats.
• Comply with the existing mandatory control 6.4