Have questions about the changes coming in July 2024? Don't worry, Bottomline has got your back.

Why is SWIFT mandating an Independent review of the CSP (Customer Security Programme) attestation this year?

All SWIFT users are mandated to carry out an Independent Assessment when attesting. The Independent Assessment Framework (IAF) was introduced at the request of the global SWIFT community to reinforce and uphold the highest level of security of the global financial community.

What are the consequences of non-compliance?

In the instance of non-compliance, SWIFT can inform other members within the community and has the right to report any non-conformities to the local authorities of that member. Understandably, this could have detrimental effects on an organisation, potentially jeopardising daily business operations as well as damaging its reputation and the trust placed in it.

Start planning for your attestation now to avoid any consequences.

Our assessment is in December – why are you engaging with us now?

The annual attestation can be made as early as July 1st and will be valid until the next annual attestation is required. Engaging early and being proactive will help provide peace of mind that you will comfortably meet the attestation deadline. In preparation for the new assessment methodology, we encourage our clients to act now to avoid any delays in the instance that remediation work needs to be done in order to comply with all mandatory controls of the CSP.

How long does remedial action normally take prior to the Independent Assessment taking place?

Resolution periods vary and can range from weeks to months. The CSP pre-attestation review will highlight any instances of non-conformance, and you will be provided with a task list of any remediation works required before the actual Independent Assessment is performed.

Our SWIFT certified auditors will be on hand to provide guidance and ensure you have the necessary measures in place to fully comply with the SWIFT CSP.

How can Bottomline help with the pre-assessment?

In order to fully support our customers, we have a long-standing SWIFT certified cyber risk audit partner with whom we have worked for over 5 years to successfully deliver CSP assessments. This ensures that our customers fully understand their requirements and are able to complete the attestation to the highest standard.

What is the benefit of Bottomline doing the Independent Assessment vs. an accountancy firm or external consultant?

Bottomline is able to provide peace of mind and assurance that your organisation will meet and exceed the requirements of the CSP with intimate knowledge of your SWIFT environment. We offer a competitive CSP compliance package to help customers with the Independent Assessment and to meet specific controls laid out in the Customer Security Control Framework (CSCF).

We also offer year-round guidance and advice regarding the CSP, ensuring our customers feel in control of their security and compliance needs.

Can Bottomline provide us with a template of what the pre-attestation review outputs will look like?

The pre-attestation review will allow our SWIFT certified auditors to review and discuss your organisation’s current compliance status before the actual Independent Assessment is performed. The auditors will then recommend enhancements and possible remediation works. The outputs of this will be outlined in both a summary presentation and a detailed task list with the relevant details. We’ll be happy to share an example of the reports with you.

What happens if we don’t do the Independent Assessment this year?

All SWIFT users are mandated to carry out the Independent Assessment to support their CSP attestation. In the instance that an Independent Assessment is not completed, the SWIFT user will be considered non-compliant with the CSP.

The consequences of non-compliance are high and could result in detrimental effects to both an organisation’s business and their reputation.

What additional controls do we need to attest to this year and can Bottomline assist us in being compliant?

The CSP is constantly evolving: it is assessed annually, and advisory controls are promoted to mandatory to ensure the bar continues to be raised each year. The SWIFT CSP v2024 framework comprises a maximum of 25 mandatory controls and 7 advisory controls. The 2024 framework saw the promotion of one control from advisory to mandatory (control 2.8A – Outsourced Critical Activity Protection). Organisations must attest to the v2024 framework, supported by an Independent Assessment, by 31st December.

If an external assessor is chosen, what are your responsibilities as a client?

The assessor will work closely with your organisation to review your existing processes, providing guidance and recommendations prior to the formal assessment, ensuring you feel in control and ready. The assessor will then perform the Independent Assessment, meeting with various individuals within your organisation to discuss your procedures and review your organisation’s compliance to the CSP, including sampling controls.

The assessor will then provide an official certification with appropriate evidence that can be uploaded to SWIFT as proof to support your attestation.

Can Bottomline help me with my CSP attestation next year as well as this year?

Yes. We recommend multi-year contracts, and most customers have one. Clients that have signed for just one year will need to extend their agreement to cover next year's control framework too.

I’ve only got an agreement with Bottomline for this year; what do I need to do to ensure compliance for next year?

That’s fine, Bottomline can help you with your annual Independent Assessments going forward.

Just reach out to your account manager who will be able to assist.

If I do my Independent Assessment for this year by 31st December, do I have to do another Independent Assessment next year as well?

Yes, an Independent Assessment is required every year when submitting your attestation to SWIFT, so ensure you remain proactive and plan effectively for future assessments.

We chose to do the assessment internally but are concerned we won’t complete the assessment within the deadline, what should we do?

We would be more than happy to discuss your options with you and can help you with your Independent Assessment requirement.

Our SWIFT certified assessor partners, A Jolly Consulting, have the required expertise and knowledge to ensure that you can achieve the Independent Assessment deadlines.

What will happen if there are non-compliant items identified in the Independent Assessment where remediation will not be completed by the attestation deadline?

As in prior years, when attesting to the company's compliance there will be a drop-down where you will be able to indicate areas of non-compliance.

It is highly recommended that this is accompanied by the date by which the organisation will be compliant.

The independent reviewer can also note this within their report, on the basis that they have been provided with appropriate evidence.

What are the common failure areas?

The most common areas of non-compliance that we see across organisations relate to poor policy and documentation, which is often overlooked.

Organisations have documentation in place, but it is not adequately maintained or does not contain the specifics needed to meet the CSP requirements. Similarly, we often see organisations failing to adhere to the controls that focus on vulnerability scanning and penetration testing.

Does my ISO certificate, or similar, mean that I can certify as compliant?

Whilst the ISO certificate and audit ensure that the organisation has appropriate information security governance, they do not cover the specifics related to the SWIFT CSP.

As a consequence, a review of the SWIFT-specific components is still required.