SWIFT Customer Security Programme Q&A's

What additional controls do we need to attest to this year and can Bottomline assist us in being compliant?

The CSP is constantly evolving, it is assessed annually, with advisory controls promoted to mandatory to ensure the bar continues to be raised annually. The SWIFT CSP v2024 framework comprises of a maximum of 25 mandatory controls and 7 advisory controls. The 2024 framework saw the promotion of one control from advisory to mandatory (control 2.8A – Outsourced Critical Activity Protection). Organisations must attest to the v2024 framework supported by an Independent Assessment by 31st December.

Does my ISO certificate, or similar, mean that I can certify as compliant?

Whilst the ISO certificate and audit ensures that the organisation has appropriate Information Security governance, it does not cover the specifics related to the SWIFT CSP.

As a consequence, a review of the SWIFT specific components are required.

What are the common failure areas?

The most common areas of non-compliance that we see across organisations tend to relate to poor policy and documentation which is often overlooked.

Organisations have documentation in place but it is not adequately maintained or doesn’t contain the specifics to meet the CSP requirements. Similarly, we often seen organisations failing to adhere to the controls that focus around vulnerability scanning and penetration testing.

What will happen if there are non-compliant items identified in the Independent Assessment where remediation will not be completed by the attestation deadline?

As per prior years, when attesting to the companies compliance, there will be a drop down where you will be able to indicate areas of non-compliance.

It is highly recommended that this should be accompanied with a date of when the organisationwill be compliant.

The independent review can also note this within their report on the basis that they have been provided with appropriate evidence

We chose to do the assessment internally but are concerned we won’t complete the assessment within the deadline, what should we do?

We would be more than happy to discuss your options with you and can help you with your Independent Assessment requirement.

Our SWIFT certified assessor partners, A Jolly Consulting, have the required expertise and knowledge to ensure that you can achieve the Independent Assessment deadlines.

If I do my Independent Assessment for this year by 31st December, do I have to do another Independent Assessment next year as well?

Yes, an Independent Assessment is required when submitting you attestation to SWIFT on an annual basis. So ensure you remain proactive and plan effectively for future assessments.

I’ve only got an agreement with Bottomline for this year, what do i need to do to ensure compliance for next year?

That’s fine, Bottomline can help you with your annual Independent Assessments going forward.

Just reach out to your account manager who will be able to assist.

Can Bottomline help me with my CSP attestation next year as well as this year?

Yes, we do recommend multi-year contracts and most customers have this. However, for clients that have signed for just one year, they will need to extend their agreement to support next year’s control framework too.

If an external assessor is chosen what are the responsibilities for you as a client?

The assessor will work closely with your organisation to review your existing processes, providing guidance and recommendations prior to the formal assessment, ensuring you feel in control and ready. The assessor will then perform the Independent Assessment, meeting with various individuals within your organisation to discuss your procedures and review your organisation’s compliance to the CSP, including sampling controls.

The assessor will then provide an official certification with appropriate evidence that can be uploaded to SWIFT as proof to support your attestation.

Why is SWIFT mandating an Independent review of the CSP (Customer Security Programme) attestation this year?

All SWIFT users are mandated to carry out an Independent Assessment when attesting. The Independent Assessment Framework (IAF) was introduced at the request of the global SWIFT community to reinforce and uphold the highest level of security of the global financial community.

What happens if we don’t do the Independent Assessment this year?

All SWIFT users are mandated to carry out the Independent Assessment to support their CSP attestation. In the instance that an Independent Assessment is not completed, the SWIFT user will be considered non-compliant with the CSP.

The consequences of non-compliance are high and could result in detrimental effects to both an organisation’s business and their reputation.

Can Bottomline provide us with a template of what the pre-attestation review outputs will look like?

The pre-attestation review will allow our SWIFT certified auditors to review and discuss your organisation’s current compliance status before the actual Independent Assessment is performed. The auditors will then recommend enhancements and possible remediation works. The outputs of this will be outlined in both a summary presentation and a detailed task list with the relevant details. We’ll be happy to share an example of the reports with you.

What is the benefit of Bottomline doing the Independent Assessment vs. an accountancy firm or external consultant?

Bottomline is able to provide peace of mind and assurance that your organisation will meet and exceed the requirements of the CSP with intimate knowledge of your SWIFT environment. We offer a competitive CSP compliance package to help customers with the Independent Assessment and to meet specific controls laid out in the Customer Security Control Framework (CSCF).

We also offer year-round guidance and advice regarding the CSP, ensuring our customers feel in control of their security and compliance needs.

How can Bottomline help with the pre-assesement?

In order to fully support our customers we have a long-standing SWIFT certified cyber risk audit partner with whom we have been working together for over 5 years to successfully deliver CSP assessments. This ensures that our customers fully understand their requirements and are able to complete the attestation to the highest standard.

How long does remedial action normally take prior to the Independent Assessment taking place?

In some instances, typical resolution periods can range from weeks to months. The CSP pre-attestation review will highlight any instances of non-conformance and you will be provided with a task list of any necessary remediation works required before the actual Independent Assessment is performed.

Our SWIFT certified auditors will be on hand to provide guidance and ensure you have the necessary measures in place to fully comply with the SWIFT CSP.

Our assessment is in December – why are you engaging with us now?

The annual attestation can be made as early as July 1st and will be valid until the annual attestation is required. Engaging early and being proactive will help provide peace of mind that you will comfortably meet the attestation deadline. In preparation for the new assessment methodology we encourage our clients to act now to avoid any delays in the instance that any remediation work needs to be done in order to comply with all mandatory controls of the CSP

What are the consequences of non-compliance?

In the instance of non-compliance, SWIFT can inform other members within the community and have the right to report any non-conformities to the local authorities of that member. Understandably, this could have detrimental effects on an organisation; potentially jeopardising daily business operations as well as reputational damage and trust.

Start planning for your attestation now to avoid any consequences