We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Cybersecurity blog

SWIFT CSP Compliance in India: Attestation Guide for Banks

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

SWIFT CSP Compliance in India: Attestation Guide for Banks

Most banks in India treat the SWIFT Customer Security Programme attestation like a tax return. Someone in the treasury back office logs into the KYC-SA portal in November, ticks the boxes green, uploads a two-year-old assessment report, and moves on. Nobody in the room has actually walked the payment operator's terminal or checked whether the jump server they swear exists is still switched on.

Then the 2016 Bangladesh Bank heist gets mentioned in an RBI inspection, and suddenly everyone remembers that SWIFT sits closer to real money than almost any other system in the bank. USD 81 million left Dhaka through fraudulent SWIFT messages. The attackers did not break SWIFT's network. They broke the local operating environment around it — the exact thing the CSP was built to force you to secure. If your attestation is a box-ticking exercise, you are attesting to a control set you have never verified. That is the gap this guide is about.

What the CSP actually is, in plain terms

The Customer Security Programme, or CSP, is SWIFT's mandatory security framework for every institution connected to its network. The heart of it is the Customer Security Controls Framework, the CSCF, which is published fresh every year (the CSCF v2024 and v2025 versions are what most Indian banks are assessing against right now). Each year you must submit an attestation against the current version through the KYC-Security Attestation portal, known as KYC-SA.

The framework groups controls under three objectives and seven principles: secure your environment, know and limit access, and detect and respond. Controls are split into mandatory and advisory. You must attest compliance against all mandatory controls that apply to your SWIFT architecture type. Advisory controls are strongly encouraged and, in practice, examiners increasingly expect them too.

Two things trip Indian banks up immediately. First, the attestation must be supported by an independent assessment — you cannot just self-declare any more. Second, your obligations depend entirely on your architecture type, and most banks mis-classify their own architecture.

Architecture types decide almost everything

Before you look at a single control, you have to know which architecture type you are. This determines how many controls apply and where your CSP scope starts and stops. Get this wrong and every downstream decision is wrong.

Architecture typeWhat it meansTypical Indian bank
A1You own the messaging interface and the SWIFT connector on your premisesLarge PSU and private banks running their own Alliance Access
A2You own the messaging interface; connector is at a service providerMid-size banks using a partial outsource
A3You use a SWIFT interface, but connectivity is via a service bureau or group hubBanks connecting through a shared group entity
A4You have no local SWIFT footprint; a service provider operates everythingSmall banks, some co-operative banks, some NBFCs
BYou connect through a business application at a service provider, no local SWIFT infrastructureFully outsourced institutions

The number of applicable mandatory controls climbs as you move from B towards A1. An A1 bank running its own Alliance Access and Alliance Gateway on-premises carries the fullest control burden — hardening, network segmentation, the general operator PC, back-office data flow security, the lot. A type B institution can offload most technical controls to its provider but still owns operator-side controls and must obtain the provider's own attestation.

The single most common error we see in the audit room: a bank declares itself A4 or B to shrink its scope, while a live Alliance Access instance is sitting in its own data centre. The moment an assessor sees that server, the architecture is A1 and half the attestation is now unsupported. Classify honestly, or the assessment collapses.

The independent assessment requirement — and who can sign it

Since the 2021 attestation cycle, SWIFT has required that your attestation be backed by an independent assessment. You get two routes. An internal independent assessment, performed by a function within your bank that is organisationally independent of the team that runs SWIFT (typically internal audit or a second-line risk function). Or an external independent assessment, performed by a qualified third-party cyber security firm.

For Indian banks the practical answer is usually external, for three reasons. RBI inspection teams give more weight to a named external assessor. Your internal audit function rarely has hands-on SWIFT hardening expertise. And a CERT-In empanelled auditor's report doubles up neatly with your other regulatory obligations. The assessor must be competent in the CSCF and independent of the assessed controls — a firm that also implemented your SWIFT hardening cannot then assess it.

  • The assessment must cover every mandatory control applicable to your architecture type, and any advisory controls you have chosen to attest.
  • Evidence must be sampled and tested, not merely inspected as a policy document — the assessor should see the actual configuration, not a screenshot from last year.
  • The assessor produces an assessment completion letter and a detailed findings report; you retain both for at least the current plus prior attestation cycle.
  • The assessment is valid for the CSCF version it was performed against — a v2024 assessment does not cover v2025 without a delta review.

The controls that actually fail Indian banks

On paper there are 30-odd controls. In the room, the same handful sink attestation after attestation. Here is where the evidence is thinnest for Indian banks specifically.

Control 1.1 — SWIFT environment protection

The mandate is a segregated SWIFT zone, separated from the general enterprise network. What we find instead is a flat network where the Alliance Access server can reach, and be reached from, the general LAN. There is a firewall, but its rule set has an any-any rule from three years ago that nobody dares touch. The control fails not because segmentation is absent but because the rule base was never reviewed against the actual data flows.

Control 1.2 and 5.1 — privileged account and operating system access

Least privilege on the SWIFT servers. In reality, the same domain admin account that patches the print server also administers the Alliance Gateway. Shared local accounts, no individual accountability, service accounts with interactive login rights. When we ask who logged into the messaging interface at 02:00 on a given night, the answer is a shared account name. That is an audit failure and, more importantly, a heist waiting to happen.

Control 2.1 — internal data flow security

The link between your back-office application and the SWIFT interface must be confidential and integrity-protected. Banks routinely run this over an internal network in clear text because it is inside the perimeter. The CSCF does not care that it is internal. Encrypt it or compensate and document the compensating control.

Control 6.1 to 6.4 — malware, integrity, logging

Anti-malware, software integrity, database integrity, and centralised logging on the SWIFT-related components. The gap here is almost always logging. Logs exist on the server but never leave it, so an attacker who owns the box owns the evidence too. The control requires logs captured to a system the SWIFT operator cannot tamper with — usually your SIEM. If your SIEM is not ingesting Alliance Access and Gateway logs, 6.4 is not met.

Control 2.4A — back office data flow, and 1.4A — internet access restriction

The advisory-turned-expected controls. Restricting outbound internet from the general operator PC is where a lot of banks quietly fail. The operator's PC that accesses SWIFT also browses the web and reads email. That machine is your single richest attack surface, and the CSCF explicitly wants it isolated.

ControlWhat it demandsCommon India-side failure
1.1Segregated SWIFT zoneFlat network, stale any-any firewall rule
1.2 / 5.1Least-privilege privileged accessShared admin accounts, no individual accountability
2.1Encrypted internal data flowClear-text back-office to interface link
2.3System hardeningDefault OS build, unpatched interface servers
4.1Password policy / MFAStatic passwords, MFA missing on operator login
6.4Centralised loggingLogs stay on the local box, never reach the SIEM
7.1 / 7.3AIncident response and pen testingNo SWIFT-specific IR playbook, no scoped pen test

What actually happens during an assessment

Let me walk you through a real shape of engagement, anonymised. A mid-size private sector bank in Mumbai, architecture A1, calls us six weeks before its attestation deadline because internal audit flagged that last year's self-attestation had no supporting evidence.

Day one, we ask for the network diagram showing the SWIFT zone. The diagram they hand over is the target state from a 2022 project. The live environment is different: a second Alliance Access instance was spun up for a DR test and never decommissioned. It is on the general LAN, patched to nobody's schedule, and it can send live messages. That single finding reclassifies their risk overnight and becomes the top remediation item.

Day three, we sit with the payment operator and ask her to log in. She uses a shared operator ID. There is no MFA. Control 4.1 fails on the spot. We pull the Gateway logs; they exist locally but the SIEM has no feed. Control 6.4 fails. By the end of week one we have a findings register with eleven items, four of them mandatory-control failures that block a clean attestation.

The bank cannot honestly attest full compliance yet, so it attests with the failures declared and a documented remediation plan with dates — which is permitted and far safer than a green tick that an RBI inspection later punctures. Over the next four weeks they decommission the rogue server, enforce individual operator accounts with MFA, and pipe SWIFT logs into the SIEM. The re-test closes the mandatory gaps. The attestation goes in supported and defensible.

How CSP sits alongside your RBI and Indian obligations

CSP is a SWIFT requirement, not an RBI one — but in India the two are inseparable in practice. The RBI's cyber security framework for banks (the June 2016 circular and the graded SOC/security operations expectations that followed) covers the same ground: network segmentation, privileged access, logging, incident response. A well-run CSP assessment feeds directly into your RBI compliance evidence and your CERT-In obligations.

RequirementOwnerHow CSP overlaps
SWIFT CSP attestationSWIFT, annualPrimary — the CSCF assessment itself
RBI cyber security frameworkRBI, ongoing inspectionSegmentation, PIM, logging, IR overlap heavily
CERT-In directions (6-hour incident reporting)CERT-InA SWIFT incident is a reportable cyber incident
RBI IT and cyber risk auditInternal / RBICSP findings feed the IT audit evidence base
DPDP Act obligationsData FiduciaryOperator PII and transaction data handling

One consequence worth stating plainly: under the CERT-In directions of 2022, a SWIFT-related security incident is a reportable cyber incident and must be reported within six hours of detection. If your CSP incident-response control (7.1) has no SWIFT-specific playbook that names the six-hour CERT-In clock, you have a control that looks compliant on paper and fails the moment it is needed.

Cost and timeline — the honest numbers

Banks ask us for a number before they ask for anything else, so here it is, with the caveat that architecture type and estate size swing it heavily.

ItemTypical range (INR)Notes
External CSP independent assessment (A4 / B)3.5 to 7 lakhSmaller scope, provider attestation reliance
External CSP independent assessment (A1 / A2)8 to 18 lakhFull mandatory control set, on-prem estate
Remediation (segmentation, PIM, MFA, SIEM feeds)10 lakh to 1 crore+Depends entirely on current maturity
Annual re-assessment (delta)40 to 60 percent of first-year feeLower once controls are stable

On timeline, plan a first full assessment across six to ten weeks: scoping and architecture validation, evidence collection, control testing, findings and re-test, then completion letter. Do not start six weeks before the KYC-SA deadline — that is the mistake almost every bank makes, and it forces you either to attest with open gaps or to rush the evidence.

Your fix-it checklist before you touch KYC-SA

  • Validate your architecture type against the live environment, not the design document — physically confirm where every SWIFT interface and connector actually runs.
  • Hunt for rogue and forgotten instances — DR copies, test servers, decommissioned-on-paper machines that still send messages.
  • Confirm the SWIFT zone is genuinely segregated and re-baseline the firewall rules against real data flows, killing any any-any rule.
  • Enforce individual named accounts with MFA for every operator and administrator touching the interface; abolish shared IDs.
  • Confirm anti-malware, hardening, and software integrity on every SWIFT-related component, and check patch currency of the interface servers.
  • Verify Alliance Access and Gateway logs are shipping to a SIEM the operator cannot tamper with, and that alerts actually fire.
  • Encrypt the back-office to interface data flow, or document a real compensating control — not just a note that it is internal.
  • Write a SWIFT-specific incident response playbook that names the CERT-In six-hour reporting clock and the payment operations escalation path.
  • Engage an independent, competent assessor who did not implement your controls, and give them eight to ten weeks, not six days.
  • Retain the completion letter and findings report, and attest with any residual gaps declared alongside a dated remediation plan.

The point you came here for

The CSP was written in the shadow of a real heist where the attackers never touched SWIFT's own network — they walked in through a poorly secured local environment and a payment operator's trust. Your attestation is only worth the evidence underneath it. A green tick with nothing behind it is not compliance; it is a liability you have signed your name to, and an RBI inspection or a genuine incident will find the hollow space fast.

Treat the attestation as the by-product of a control set you have actually verified, not the goal. Walk the terminal. Pull the logs. Find the rogue server. If you would value a second set of hands from people who have sat on the wrong side of these findings, CyberSigma's CERT-In empanelled auditors and PCI QSAs do SWIFT CSP assessments hands-on, and we would rather find your rogue server than let an examiner find it for you.

FAQs

Is the SWIFT CSP attestation mandatory in India?

Yes. Every institution connected to the SWIFT network must attest annually against the current Customer Security Controls Framework through the KYC-SA portal, and since 2021 that attestation must be supported by an independent assessment. It is a SWIFT requirement, but Indian regulators including RBI increasingly expect to see it during inspections.

Can we do the independent assessment internally instead of hiring a firm?

You can, if the assessing function is genuinely independent of the team that operates SWIFT, typically internal audit or a second-line risk function with real CSCF competence. In practice most Indian banks use an external CERT-In empanelled assessor because RBI inspection teams give the external report more weight and internal audit rarely has hands-on SWIFT hardening expertise.

How do we know which architecture type we are?

It depends on where your SWIFT messaging interface and connector physically run. If you operate your own Alliance Access on-premises you are almost certainly A1. If a service provider runs everything and you have no local SWIFT footprint you may be A4 or B. Validate this against the live environment, because mis-classifying to reduce scope is the most common and most damaging error we see.

What happens if we attest but cannot meet every mandatory control?

You attest with the non-compliant controls declared and a documented remediation plan with target dates. This is permitted and far safer than declaring full compliance you cannot support. A false green tick exposes you if an RBI inspection or a real incident later reveals the gap, which can carry regulatory and reputational consequences well beyond the control itself.

How does CSP relate to CERT-In incident reporting?

A SWIFT-related security incident is a reportable cyber incident under the CERT-In directions of 2022 and must be reported within six hours of detection. Your CSP incident-response control should include a SWIFT-specific playbook that names this six-hour clock and the payment operations escalation path, otherwise the control looks compliant but fails when you actually need it.

How long does a first CSP assessment take and what does it cost?

Plan six to ten weeks for a first full assessment covering scoping, architecture validation, evidence collection, control testing, re-test and the completion letter. External assessment fees typically run 3.5 to 7 lakh for A4 or B architectures and 8 to 18 lakh for A1 or A2, with remediation costs separate and driven entirely by your current control maturity.

Naveen Kumar

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.

Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Leave A Comment

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205