SWIFT CSP Compliance in India: Attestation Guide for Banks
Most banks in India treat the SWIFT Customer Security Programme attestation like a tax return. Someone in the treasury back office logs into the KYC-SA portal in November, ticks the boxes green, uploads a two-year-old assessment report, and moves on. Nobody in the room has actually walked the payment operator's terminal or checked whether the jump server they swear exists is still switched on.
Then the 2016 Bangladesh Bank heist gets mentioned in an RBI inspection, and suddenly everyone remembers that SWIFT sits closer to real money than almost any other system in the bank. USD 81 million left Dhaka through fraudulent SWIFT messages. The attackers did not break SWIFT's network. They broke the local operating environment around it — the exact thing the CSP was built to force you to secure. If your attestation is a box-ticking exercise, you are attesting to a control set you have never verified. That is the gap this guide is about.
What the CSP actually is, in plain terms
The Customer Security Programme, or CSP, is SWIFT's mandatory security framework for every institution connected to its network. The heart of it is the Customer Security Controls Framework, the CSCF, which is published fresh every year (the CSCF v2024 and v2025 versions are what most Indian banks are assessing against right now). Each year you must submit an attestation against the current version through the KYC-Security Attestation portal, known as KYC-SA.
The framework groups controls under three objectives and seven principles: secure your environment, know and limit access, and detect and respond. Controls are split into mandatory and advisory. You must attest compliance against all mandatory controls that apply to your SWIFT architecture type. Advisory controls are strongly encouraged and, in practice, examiners increasingly expect them too.
Two things trip Indian banks up immediately. First, the attestation must be supported by an independent assessment — you cannot just self-declare any more. Second, your obligations depend entirely on your architecture type, and most banks mis-classify their own architecture.
Architecture types decide almost everything
Before you look at a single control, you have to know which architecture type you are. This determines how many controls apply and where your CSP scope starts and stops. Get this wrong and every downstream decision is wrong.
| Architecture type | What it means | Typical Indian bank |
|---|---|---|
| A1 | You own the messaging interface and the SWIFT connector on your premises | Large PSU and private banks running their own Alliance Access |
| A2 | You own the messaging interface; connector is at a service provider | Mid-size banks using a partial outsource |
| A3 | You use a SWIFT interface, but connectivity is via a service bureau or group hub | Banks connecting through a shared group entity |
| A4 | You have no local SWIFT footprint; a service provider operates everything | Small banks, some co-operative banks, some NBFCs |
| B | You connect through a business application at a service provider, no local SWIFT infrastructure | Fully outsourced institutions |
The number of applicable mandatory controls climbs as you move from B towards A1. An A1 bank running its own Alliance Access and Alliance Gateway on-premises carries the fullest control burden — hardening, network segmentation, the general operator PC, back-office data flow security, the lot. A type B institution can offload most technical controls to its provider but still owns operator-side controls and must obtain the provider's own attestation.
The single most common error we see in the audit room: a bank declares itself A4 or B to shrink its scope, while a live Alliance Access instance is sitting in its own data centre. The moment an assessor sees that server, the architecture is A1 and half the attestation is now unsupported. Classify honestly, or the assessment collapses.
The independent assessment requirement — and who can sign it
Since the 2021 attestation cycle, SWIFT has required that your attestation be backed by an independent assessment. You get two routes. An internal independent assessment, performed by a function within your bank that is organisationally independent of the team that runs SWIFT (typically internal audit or a second-line risk function). Or an external independent assessment, performed by a qualified third-party cyber security firm.
For Indian banks the practical answer is usually external, for three reasons. RBI inspection teams give more weight to a named external assessor. Your internal audit function rarely has hands-on SWIFT hardening expertise. And a CERT-In empanelled auditor's report doubles up neatly with your other regulatory obligations. The assessor must be competent in the CSCF and independent of the assessed controls — a firm that also implemented your SWIFT hardening cannot then assess it.
- The assessment must cover every mandatory control applicable to your architecture type, and any advisory controls you have chosen to attest.
- Evidence must be sampled and tested, not merely inspected as a policy document — the assessor should see the actual configuration, not a screenshot from last year.
- The assessor produces an assessment completion letter and a detailed findings report; you retain both for at least the current plus prior attestation cycle.
- The assessment is valid for the CSCF version it was performed against — a v2024 assessment does not cover v2025 without a delta review.
The controls that actually fail Indian banks
On paper there are 30-odd controls. In the room, the same handful sink attestation after attestation. Here is where the evidence is thinnest for Indian banks specifically.
Control 1.1 — SWIFT environment protection
The mandate is a segregated SWIFT zone, separated from the general enterprise network. What we find instead is a flat network where the Alliance Access server can reach, and be reached from, the general LAN. There is a firewall, but its rule set has an any-any rule from three years ago that nobody dares touch. The control fails not because segmentation is absent but because the rule base was never reviewed against the actual data flows.
Control 1.2 and 5.1 — privileged account and operating system access
Least privilege on the SWIFT servers. In reality, the same domain admin account that patches the print server also administers the Alliance Gateway. Shared local accounts, no individual accountability, service accounts with interactive login rights. When we ask who logged into the messaging interface at 02:00 on a given night, the answer is a shared account name. That is an audit failure and, more importantly, a heist waiting to happen.
Control 2.1 — internal data flow security
The link between your back-office application and the SWIFT interface must be confidential and integrity-protected. Banks routinely run this over an internal network in clear text because it is inside the perimeter. The CSCF does not care that it is internal. Encrypt it or compensate and document the compensating control.
Control 6.1 to 6.4 — malware, integrity, logging
Anti-malware, software integrity, database integrity, and centralised logging on the SWIFT-related components. The gap here is almost always logging. Logs exist on the server but never leave it, so an attacker who owns the box owns the evidence too. The control requires logs captured to a system the SWIFT operator cannot tamper with — usually your SIEM. If your SIEM is not ingesting Alliance Access and Gateway logs, 6.4 is not met.
Control 2.4A — back office data flow, and 1.4A — internet access restriction
The advisory-turned-expected controls. Restricting outbound internet from the general operator PC is where a lot of banks quietly fail. The operator's PC that accesses SWIFT also browses the web and reads email. That machine is your single richest attack surface, and the CSCF explicitly wants it isolated.
| Control | What it demands | Common India-side failure |
|---|---|---|
| 1.1 | Segregated SWIFT zone | Flat network, stale any-any firewall rule |
| 1.2 / 5.1 | Least-privilege privileged access | Shared admin accounts, no individual accountability |
| 2.1 | Encrypted internal data flow | Clear-text back-office to interface link |
| 2.3 | System hardening | Default OS build, unpatched interface servers |
| 4.1 | Password policy / MFA | Static passwords, MFA missing on operator login |
| 6.4 | Centralised logging | Logs stay on the local box, never reach the SIEM |
| 7.1 / 7.3A | Incident response and pen testing | No SWIFT-specific IR playbook, no scoped pen test |
What actually happens during an assessment
Let me walk you through a real shape of engagement, anonymised. A mid-size private sector bank in Mumbai, architecture A1, calls us six weeks before its attestation deadline because internal audit flagged that last year's self-attestation had no supporting evidence.
Day one, we ask for the network diagram showing the SWIFT zone. The diagram they hand over is the target state from a 2022 project. The live environment is different: a second Alliance Access instance was spun up for a DR test and never decommissioned. It is on the general LAN, patched to nobody's schedule, and it can send live messages. That single finding reclassifies their risk overnight and becomes the top remediation item.
Day three, we sit with the payment operator and ask her to log in. She uses a shared operator ID. There is no MFA. Control 4.1 fails on the spot. We pull the Gateway logs; they exist locally but the SIEM has no feed. Control 6.4 fails. By the end of week one we have a findings register with eleven items, four of them mandatory-control failures that block a clean attestation.
The bank cannot honestly attest full compliance yet, so it attests with the failures declared and a documented remediation plan with dates — which is permitted and far safer than a green tick that an RBI inspection later punctures. Over the next four weeks they decommission the rogue server, enforce individual operator accounts with MFA, and pipe SWIFT logs into the SIEM. The re-test closes the mandatory gaps. The attestation goes in supported and defensible.
How CSP sits alongside your RBI and Indian obligations
CSP is a SWIFT requirement, not an RBI one — but in India the two are inseparable in practice. The RBI's cyber security framework for banks (the June 2016 circular and the graded SOC/security operations expectations that followed) covers the same ground: network segmentation, privileged access, logging, incident response. A well-run CSP assessment feeds directly into your RBI compliance evidence and your CERT-In obligations.
| Requirement | Owner | How CSP overlaps |
|---|---|---|
| SWIFT CSP attestation | SWIFT, annual | Primary — the CSCF assessment itself |
| RBI cyber security framework | RBI, ongoing inspection | Segmentation, PIM, logging, IR overlap heavily |
| CERT-In directions (6-hour incident reporting) | CERT-In | A SWIFT incident is a reportable cyber incident |
| RBI IT and cyber risk audit | Internal / RBI | CSP findings feed the IT audit evidence base |
| DPDP Act obligations | Data Fiduciary | Operator PII and transaction data handling |
One consequence worth stating plainly: under the CERT-In directions of 2022, a SWIFT-related security incident is a reportable cyber incident and must be reported within six hours of detection. If your CSP incident-response control (7.1) has no SWIFT-specific playbook that names the six-hour CERT-In clock, you have a control that looks compliant on paper and fails the moment it is needed.
Cost and timeline — the honest numbers
Banks ask us for a number before they ask for anything else, so here it is, with the caveat that architecture type and estate size swing it heavily.
| Item | Typical range (INR) | Notes |
|---|---|---|
| External CSP independent assessment (A4 / B) | 3.5 to 7 lakh | Smaller scope, provider attestation reliance |
| External CSP independent assessment (A1 / A2) | 8 to 18 lakh | Full mandatory control set, on-prem estate |
| Remediation (segmentation, PIM, MFA, SIEM feeds) | 10 lakh to 1 crore+ | Depends entirely on current maturity |
| Annual re-assessment (delta) | 40 to 60 percent of first-year fee | Lower once controls are stable |
On timeline, plan a first full assessment across six to ten weeks: scoping and architecture validation, evidence collection, control testing, findings and re-test, then completion letter. Do not start six weeks before the KYC-SA deadline — that is the mistake almost every bank makes, and it forces you either to attest with open gaps or to rush the evidence.
Your fix-it checklist before you touch KYC-SA
- Validate your architecture type against the live environment, not the design document — physically confirm where every SWIFT interface and connector actually runs.
- Hunt for rogue and forgotten instances — DR copies, test servers, decommissioned-on-paper machines that still send messages.
- Confirm the SWIFT zone is genuinely segregated and re-baseline the firewall rules against real data flows, killing any any-any rule.
- Enforce individual named accounts with MFA for every operator and administrator touching the interface; abolish shared IDs.
- Confirm anti-malware, hardening, and software integrity on every SWIFT-related component, and check patch currency of the interface servers.
- Verify Alliance Access and Gateway logs are shipping to a SIEM the operator cannot tamper with, and that alerts actually fire.
- Encrypt the back-office to interface data flow, or document a real compensating control — not just a note that it is internal.
- Write a SWIFT-specific incident response playbook that names the CERT-In six-hour reporting clock and the payment operations escalation path.
- Engage an independent, competent assessor who did not implement your controls, and give them eight to ten weeks, not six days.
- Retain the completion letter and findings report, and attest with any residual gaps declared alongside a dated remediation plan.
The point you came here for
The CSP was written in the shadow of a real heist where the attackers never touched SWIFT's own network — they walked in through a poorly secured local environment and a payment operator's trust. Your attestation is only worth the evidence underneath it. A green tick with nothing behind it is not compliance; it is a liability you have signed your name to, and an RBI inspection or a genuine incident will find the hollow space fast.
Treat the attestation as the by-product of a control set you have actually verified, not the goal. Walk the terminal. Pull the logs. Find the rogue server. If you would value a second set of hands from people who have sat on the wrong side of these findings, CyberSigma's CERT-In empanelled auditors and PCI QSAs do SWIFT CSP assessments hands-on, and we would rather find your rogue server than let an examiner find it for you.
FAQs
Is the SWIFT CSP attestation mandatory in India?
Yes. Every institution connected to the SWIFT network must attest annually against the current Customer Security Controls Framework through the KYC-SA portal, and since 2021 that attestation must be supported by an independent assessment. It is a SWIFT requirement, but Indian regulators including RBI increasingly expect to see it during inspections.
Can we do the independent assessment internally instead of hiring a firm?
You can, if the assessing function is genuinely independent of the team that operates SWIFT, typically internal audit or a second-line risk function with real CSCF competence. In practice most Indian banks use an external CERT-In empanelled assessor because RBI inspection teams give the external report more weight and internal audit rarely has hands-on SWIFT hardening expertise.
How do we know which architecture type we are?
It depends on where your SWIFT messaging interface and connector physically run. If you operate your own Alliance Access on-premises you are almost certainly A1. If a service provider runs everything and you have no local SWIFT footprint you may be A4 or B. Validate this against the live environment, because mis-classifying to reduce scope is the most common and most damaging error we see.
What happens if we attest but cannot meet every mandatory control?
You attest with the non-compliant controls declared and a documented remediation plan with target dates. This is permitted and far safer than declaring full compliance you cannot support. A false green tick exposes you if an RBI inspection or a real incident later reveals the gap, which can carry regulatory and reputational consequences well beyond the control itself.
How does CSP relate to CERT-In incident reporting?
A SWIFT-related security incident is a reportable cyber incident under the CERT-In directions of 2022 and must be reported within six hours of detection. Your CSP incident-response control should include a SWIFT-specific playbook that names this six-hour clock and the payment operations escalation path, otherwise the control looks compliant but fails when you actually need it.
How long does a first CSP assessment take and what does it cost?
Plan six to ten weeks for a first full assessment covering scoping, architecture validation, evidence collection, control testing, re-test and the completion letter. External assessment fees typically run 3.5 to 7 lakh for A4 or B architectures and 8 to 18 lakh for A1 or A2, with remediation costs separate and driven entirely by your current control maturity.
Liked the post? Share on:





Leave A Comment