We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / SWIFT CSCF
SWIFT · Global

SWIFT CSP / CSCF

SWIFT’s Customer Security Controls Framework for institutions on the SWIFT network.

Introduction: The SWIFT Customer Security Programme

The SWIFT Customer Security Programme (CSP) is a global initiative introduced by SWIFT (the Society for Worldwide Interbank Financial Telecommunication) to reinforce the security of the financial messaging ecosystem and its interconnected user community. At the heart of the CSP sits the Customer Security Controls Framework (CSCF), a mandatory set of security controls that every SWIFT user must implement and against which they must attest annually. The CSCF was created in the aftermath of a series of high-profile payment fraud attacks in which criminals compromised the local infrastructure of SWIFT users, fraudulently injected payment messages and moved funds across the network. Crucially, the SWIFT network and core messaging services themselves were not breached in those incidents; rather, the attackers exploited weaknesses in the users' own local environments. The CSCF is therefore a shared-responsibility framework: SWIFT secures its central infrastructure, and each user is accountable for securing the local systems they operate to connect to and transact over SWIFT.

This guide is written for chief information security officers, heads of payments and operations, internal auditors, and the risk and compliance teams of banks, financial market infrastructures, corporates and service bureaux that use SWIFT. It provides an auditor-grade walkthrough of the framework: what it is, who it binds, how it is structured, and a master assessment checklist that enumerates every objective, principle and control, together with the evidence an assessor should expect to see. The intent is to help an organisation prepare rigorously for its Community-Standard Assessment (CSA) and its annual attestation on the SWIFT Know Your Customer Security Attestation (KYC-SA) application.

Copyright and licensing note
The SWIFT Customer Security Controls Framework, the Customer Security Programme and all associated control descriptions, control identifiers and guidance are the intellectual property of SWIFT SC and are published under SWIFT's own terms. This guide is an original, independent interpretation written for educational and readiness purposes. It paraphrases concepts and does not reproduce SWIFT's copyrighted control text. Always work from the current official CSCF publication (a new version is issued each year, effective the following July) and the SWIFT Knowledge Base for the authoritative, binding wording. Control identifiers and numbering are cited for orientation and may change between annual releases.

What is the SWIFT Customer Security Controls Framework (CSCF)

The CSCF is a structured catalogue of security controls that a SWIFT user must implement across the local infrastructure that supports its connection to SWIFT. Controls are grouped under a small number of high-level security objectives, and each objective decomposes into principles, which in turn are realised by individual controls bearing unique identifiers (for example, 1.1, 2.4A, 5.1). Each control is designated either mandatory or advisory. Mandatory controls set the security baseline that all in-scope users must achieve; advisory controls represent good practice that SWIFT strongly recommends and periodically promotes to mandatory in later framework versions.

The framework is deliberately technology-agnostic and outcome-focused. Rather than prescribing a single product, each control states a risk-reduction goal (for example, restrict internet access, protect privileged accounts, detect anomalous activity) and lists implementation guidance and, importantly, an in-scope component definition describing which parts of the user's estate the control applies to. A distinctive feature is the CSCF's use of architecture types: the framework recognises that different users connect to SWIFT in different ways, and it maps each control to the components relevant to a user's specific architecture. This means two organisations may implement the same control very differently depending on whether they run a full local SWIFT stack, use a service bureau, or connect through a cloud-hosted messaging interface.

Compliance is demonstrated through an annual attestation cycle. Each year SWIFT users must self-attest their level of compliance against the mandatory (and optionally advisory) controls of the current CSCF version, and, critically, that attestation must be independently assessed. Since 2021 SWIFT has required either an independent internal assessment (by a team independent of the first line, such as internal audit or a second-line risk function) or an independent external assessment. The attestation is recorded in KYC-SA, where counterparties can be granted permission to view it, creating peer pressure and counterparty risk management around good security hygiene.

Who must comply with SWIFT CSCF

Every entity that holds a SWIFT BIC and connects to the SWIFT network to send or receive financial messages is subject to the CSP and must attest against the CSCF. The framework applies regardless of size, geography or transaction volume. The specific controls that bind a given user depend on that user's connectivity architecture, which SWIFT classifies into architecture types.

User category / architectureDescriptionCSCF applicability
Architecture A1 (full stack)User owns and operates the messaging interface, communication interface and a connector, plus the SWIFT-related applications, on its own premises or private cloud.Broadest scope; the full set of applicable mandatory and advisory controls, including those covering local messaging and communication interfaces.
Architecture A2 (partial stack)User owns and operates a messaging interface but the communication interface is operated by a service provider or hosted externally.Most controls apply; boundary controls shift according to which components the user directly operates.
Architecture A3 (connector)User operates only a connector (such as SWIFT's connectivity software) to a messaging/communication interface hosted by a service provider.Reduced local footprint; controls focus on the connector, the operator workstation and the data exchange layer.
Architecture A4 (connector to service provider)User relies on a service provider for the interface and connects via a thin connector or software.Fewer infrastructure controls; strong focus on operator security and secure connectivity to the provider.
Architecture B (no local user footprint)User has no SWIFT-specific local infrastructure; it accesses SWIFT services entirely through a GUI or API at a service bureau or SWIFT-hosted service (for example via a browser).Smallest scope, concentrated on operator workstations, credential protection, access control and the endpoint used to reach the service.
Service bureaux and shared connectivity providersThird parties that host SWIFT connectivity on behalf of multiple customers.Must comply with the CSCF for the infrastructure they operate and are subject to SWIFT's Shared Infrastructure Programme obligations.
Corporates, banks, FMIs, brokersAll BIC-holding users regardless of institution type.All must attest annually; architecture type determines the applicable control set.
Determine your architecture type first
Before any assessment, correctly classifying your architecture type (A1, A2, A3, A4 or B) is the single most consequential scoping decision. It determines which controls are in scope, which components each control applies to, and the effort involved. Misclassification is one of the most common causes of a flawed attestation.

Structure of the SWIFT CSCF

The CSCF is organised as a three-tier hierarchy: a small number of overarching security objectives, each objective containing several principles, and each principle realised by one or more numbered controls. The objectives are frequently summarised by the mantra 'Secure your environment, Know and limit access, Detect and respond'. The current framework spans three objectives, eight principles and roughly thirty-two controls (the exact count varies by version as advisory controls are promoted to mandatory). The table below sets out the objective and principle structure.

ObjectivePrincipleFocus of the controls under this principle
1. Secure your environment1. Restrict Internet Access & Protect Critical Systems from General IT EnvironmentSegregation of the SWIFT-related infrastructure from the general enterprise network and the internet; secure zone definition.
1. Secure your environment2. Reduce Attack Surface and VulnerabilitiesInternal data flow security, hardening, back-office data flow protection, external transmission, operator session integrity, vulnerability scanning, transaction business controls, and secure application/interface configuration.
1. Secure your environment3. Physically Secure the EnvironmentPhysical protection of the equipment and locations hosting SWIFT-related systems and sensitive materials.
2. Know and limit access4. Prevent Compromise of CredentialsPassword strength, protection against credential theft, and multi-factor authentication for interactive access.
2. Know and limit access5. Manage Identities and Segregate PrivilegesLogical access control on a least-privilege and need-to-know basis, token/credential management, physical and logical password storage, and segregation of duties.
3. Detect and respond6. Detect Anomalous Activity to Systems or Transaction RecordsMalware protection, software integrity, database integrity, logging and monitoring, and intrusion detection.
3. Detect and respond7. Plan for Incident Response and Information SharingCyber incident response planning, security training and awareness, and, in newer versions, penetration testing and scenario risk assessment.

Each control record in the official framework carries a rich set of attributes that an assessor must read carefully: the control identifier, the control title, whether it is mandatory or advisory, a control statement (the outcome to be achieved), the risk drivers it mitigates, the in-scope components by architecture type, implementation guidance, and, from recent versions, a set of quality-assurance sub-elements that an independent assessor uses to conclude on the control's design and operating effectiveness.

Master assessment checklist

This is the core section of the guide. It enumerates every principle and its constituent controls. For each principle there is a table stating, control by control, what an assessor should verify and the typical evidence that substantiates compliance. Control identifiers follow the CSCF convention; where a control has both a mandatory and an advisory variant, the advisory is denoted with a trailing 'A'. Confirm the exact wording and applicability against the current framework version and your architecture type.

Principle 1 — Restrict Internet Access & Protect Critical Systems from General IT Environment

What to verifyTypical evidence
1.1 SWIFT Environment Protection — a segregated secure zone isolates SWIFT-related components from the general enterprise IT environment and the internet, with controlled ingress and egress.Network architecture and data-flow diagrams, firewall rulesets and change records, VLAN/subnet definitions, jump-server configuration, penetration-test evidence confirming isolation.
1.2 Operating System Privileged Account Control — privileged OS-level accounts on in-scope systems are restricted, controlled and monitored.Account inventories, sudoers/administrator group membership exports, privileged-access-management (PAM) session logs, approval workflows for elevation.
1.3 Virtualisation or Cloud Platform Protection — where SWIFT components run on a virtualisation or cloud platform, the hypervisor/management plane is secured to the same standard as the guests.Hypervisor hardening baselines, cloud tenancy and IAM configuration, management-plane access logs, evidence that the platform is within the secure zone or equivalently controlled.
1.4A Restriction of Internet Access (advisory) — outbound and inbound internet connectivity from the secure zone is restricted to what is strictly required.Proxy and firewall egress rules, allow-lists, evidence that general browsing/email is not possible from in-scope systems, web-filtering configuration.
1.5A Customer Environment Protection (advisory, connector architectures) — a secure zone protects the connector and related components in A3/A4 architectures.Segmentation diagrams for the connector, firewall rules around the connector host, evidence of isolation from general IT.

Principle 2 — Reduce Attack Surface and Vulnerabilities

What to verifyTypical evidence
2.1 Internal Data Flow Security — confidentiality, integrity and authenticity of data flows between local SWIFT-related applications and their link to the operator PC are protected.TLS/mutual-TLS configuration, cipher suites, certificate inventory, network-capture evidence showing encrypted internal flows.
2.2 Security Updates — a documented process keeps in-scope systems patched with vendor security updates in a timely, risk-based manner.Patch-management policy and SLAs, patch deployment reports, exception/risk-acceptance register for deferred patches, vendor advisories tracked.
2.3 System Hardening — in-scope systems are hardened by reducing services, applying secure configuration baselines and removing unnecessary components.Hardening standards (CIS/vendor benchmarks), configuration-compliance scan results, disabled-service inventories, baseline drift reports.
2.4A Back-Office Data Flow Security (advisory) — data flows between back-office/middleware and the SWIFT infrastructure are protected.Encryption/integrity controls on back-office connectors, interface configuration, data-flow diagrams to back-office systems.
2.5A External Transmission Data Protection (advisory) — sensitive SWIFT data transmitted outside the secure zone (for example to a backup site) is protected.Encryption of data in transit and backups, secure file-transfer configuration, key-management records.
2.6 Operator Session Confidentiality and Integrity — sessions between operator PCs and SWIFT applications are protected against interception and hijacking, including session timeouts.Session-encryption settings, idle-timeout and re-authentication policies, GUI/interface session configuration, screen-lock policy.
2.7 Vulnerability Scanning — in-scope components are scanned for vulnerabilities on a regular, risk-based cadence and findings are remediated.Vulnerability scan schedules and reports, remediation tickets and closure evidence, authenticated-scan configuration, trend reports.
2.8A Outsourced Critical Activity Protection (advisory) — where critical SWIFT-related activity is outsourced, the provider meets equivalent security controls.Outsourcing contracts with security clauses, provider CSCF attestation or independent assurance report, right-to-audit provisions.
2.9A Transaction Business Controls (advisory) — business controls restrict SWIFT transactions to expected counterparties, values, corridors and times to limit fraud impact.Payment-limit and corridor configuration, RMA (Relationship Management Application) settings, business-rule engine screenshots, four-eyes payment approval configuration.
2.10 Application Hardening — SWIFT-related applications and interfaces are configured securely, removing default and unnecessary functionality.Interface configuration baselines, disabled default accounts, secure parameter settings, application security review records.
2.11A RMA Business Controls (advisory) — Relationship Management Application authorisations are restricted to necessary correspondents and reviewed periodically.RMA authorisation register, periodic review evidence, removal records for obsolete relationships.

Principle 3 — Physically Secure the Environment

What to verifyTypical evidence
3.1 Physical Security — physical access to systems hosting SWIFT-related components, and to sensitive equipment and materials (HSMs, tokens, printouts), is restricted and monitored.Data-centre and equipment-room access logs, badge-access lists, CCTV coverage, HSM safe/vault records, visitor logs, clean-desk and secure-disposal evidence.

Principle 4 — Prevent Compromise of Credentials

What to verifyTypical evidence
4.1 Password Policy — passwords for in-scope accounts meet defined strength, complexity, length, history and rotation requirements.Password policy document, directory/interface password configuration, evidence of enforcement, disabled shared/default passwords.
4.2 Multi-Factor Authentication — multi-factor authentication is enforced for interactive access to in-scope systems and applications, including remote and administrative access.MFA configuration and enrolment reports, VPN/jump-host MFA logs, evidence that single-factor access is not possible, token/authenticator inventory.

Principle 5 — Manage Identities and Segregate Privileges

What to verifyTypical evidence
5.1 Logical Access Control — access to in-scope systems and applications is granted on least-privilege and need-to-know principles, with a joiner/mover/leaver process and periodic recertification.Role/entitlement matrices, access-request and approval records, quarterly access recertification evidence, leaver-revocation tickets, orphan-account reports.
5.2 Token Management — hardware and software tokens/authenticators are securely issued, stored, tracked, and revoked on separation.Token issuance and return register, secure storage evidence, PIN/activation controls, revocation records.
5.3A Personnel Vetting Process (advisory) — staff with access to the SWIFT environment are subject to background screening appropriate to their role.Background-check policy, completion records for in-scope staff, re-screening cadence for privileged roles.
5.4 Physical and Logical Password Storage — credentials, keys and secrets are stored securely, whether in a vault, secrets manager or physical safe.Secrets-management tooling configuration, encryption of credential stores, safe/vault logs for sealed-envelope passwords, break-glass procedures.

Principle 6 — Detect Anomalous Activity to Systems or Transaction Records

What to verifyTypical evidence
6.1 Malware Protection — anti-malware protection is deployed, current and monitored on in-scope systems.Endpoint-protection console reports, definition-update status, coverage reports across in-scope hosts, alert-handling records.
6.2 Software Integrity — the integrity of SWIFT-related application software and its critical files is verified against a trusted baseline.File-integrity-monitoring configuration and alerts, vendor integrity/checksum verification records, evidence of baseline comparison after updates.
6.3 Database Integrity — the integrity of records in SWIFT-related databases (message and reference data) is checked to detect unauthorised modification.Database integrity-check tooling output, tamper-detection alerts, reconciliation of message store integrity, DB audit configuration.
6.4 Logging and Monitoring — security-relevant events on in-scope systems are logged, retained, protected and monitored for anomalies.Log-source inventory, SIEM ingestion and retention configuration, use-case/alerting rules, monitoring runbooks, sample investigated alerts, log-tamper protection.
6.5A Intrusion Detection (advisory) — network and/or host intrusion detection covers the secure zone to identify malicious activity.IDS/IPS deployment and rule configuration, alert logs, tuning records, coverage map over the secure zone.

Principle 7 — Plan for Incident Response and Information Sharing

What to verifyTypical evidence
7.1 Cyber Incident Response Planning — a documented, tested cyber incident response plan covers SWIFT-related fraud and compromise scenarios, including notification of SWIFT and relevant parties.Incident response plan and playbooks, contact/escalation matrix including SWIFT, tabletop exercise reports, post-incident review records, evidence of SWIFT ISAC information sharing.
7.2 Security Training and Awareness — staff, including privileged and operator roles, receive role-appropriate security awareness and SWIFT-specific fraud training.Training curriculum and completion records, phishing-simulation results, role-specific SWIFT operator training evidence, awareness campaign materials.
7.3A Penetration Testing (advisory) — application, host and network penetration testing of the SWIFT environment is performed periodically by qualified testers.Penetration-test scope and reports, tester qualifications, remediation tracking, retest evidence.
7.4A Scenario-Based Risk Assessment (advisory) — cyber-attack scenarios against the SWIFT environment are analysed to identify and treat residual risks.Scenario-based risk assessment documentation, threat-modelling output, risk register entries and treatment plans.
Do not skip advisory controls in your assessment
Advisory controls are not optional to consider. SWIFT regularly promotes advisory controls to mandatory in subsequent framework versions. Assess and, where practical, implement them now to avoid a compliance scramble when they become mandatory, and to strengthen your genuine security posture. Attesting to advisory controls also signals maturity to counterparties viewing your KYC-SA record.

Scoping the assessment

Accurate scoping is foundational. The scope of a CSCF assessment is defined by the components that make up the user's SWIFT-related infrastructure and the flows that connect them. Getting this right prevents both under-scoping (leaving exploitable components unassessed) and over-scoping (wasting effort on out-of-scope systems).

  1. Confirm your architecture type (A1, A2, A3, A4 or B) based on which components you own and operate versus those hosted by a service provider.
  2. Inventory all in-scope components as defined by the CSCF for your architecture: messaging interfaces, communication interfaces, connectors, SWIFTNet Link/connectivity software, operator PCs, jump servers, HSMs, GUI/API access endpoints, and dedicated middleware.
  3. Map the secure zone boundary and every data flow crossing it, including back-office, monitoring, backup and administrative flows.
  4. Identify the general-purpose operator PCs used to access SWIFT-related applications; these are in scope even in Architecture B.
  5. Include supporting infrastructure that in-scope components depend on for security, such as authentication services, PAM, secrets management, logging/SIEM and time synchronisation, where they directly enforce a control.
  6. Document outsourced and third-party dependencies (service bureaux, cloud providers, managed operators) and how their controls are evidenced.
  7. Freeze the scope in a scope statement agreed with the independent assessor before fieldwork begins, and record any exclusions with justification.
Operator PCs are always in scope
Even in the lightest Architecture B deployment, the general-purpose PC used by an operator to access the SWIFT GUI or API is in scope for credential, session and endpoint controls. This is the most commonly under-scoped component and a frequent source of real-world compromise.

Implementation approach

A phased programme lets an organisation move from an unknown baseline to a defensible, independently assessed attestation. The following five phases each list core activities and the deliverables that mark completion.

Phase 1 — Scoping and architecture baseline

  • Activities: classify architecture type; inventory in-scope components; draw current-state network and data-flow diagrams; identify secure-zone boundaries; catalogue third-party dependencies.
  • Deliverables: approved scope statement, component inventory, architecture and data-flow diagrams, applicability matrix mapping each control to your architecture.

Phase 2 — Gap assessment

  • Activities: assess current design and operating effectiveness of every applicable mandatory and advisory control; collect preliminary evidence; interview control owners; identify gaps and root causes.
  • Deliverables: control-by-control gap register with risk ratings, evidence log, prioritised gap-remediation backlog.

Phase 3 — Remediation

  • Activities: implement secure-zone segmentation, MFA, PAM, hardening, logging/monitoring and business controls; update policies and procedures; assign control owners; embed change control.
  • Deliverables: remediated controls with configuration evidence, updated policy set, control-ownership RACI, remediation closure report.

Phase 4 — Independent assessment

  • Activities: engage an independent internal or external assessor; provide evidence; walk through each control's quality-assurance elements; resolve findings; conclude on design and operating effectiveness.
  • Deliverables: independent assessment report, findings and management responses, completed evidence pack aligned to each control.

Phase 5 — Attestation and continuous compliance

  • Activities: submit the attestation on the KYC-SA application; grant counterparty viewing permissions as appropriate; establish continuous monitoring and an annual re-attestation calendar; track framework version changes.
  • Deliverables: submitted KYC-SA attestation, counterparty sharing decisions, continuous-compliance runbook, annual re-attestation plan.

Capability and compliance scoring model

SWIFT does not publish a five-level maturity model in the manner of some frameworks; compliance is fundamentally binary at control level (compliant or not compliant, with an option to declare a control not applicable or to record an exception with a plan and target date). Nonetheless, a capability model is invaluable internally to plan improvement and to demonstrate direction of travel. The table below combines SWIFT's compliance states with a practical internal capability scale.

LevelLabelDescriptionAttestation implication
0Not implementedControl is absent or ad hoc; no design in place; significant exposure.Non-compliant; must be recorded with a remediation plan and target date.
1Partially implementedControl exists for some in-scope components or lacks consistent operation.Non-compliant or compliant-with-exception; requires action plan.
2Implemented (design)Control is designed and deployed across all in-scope components but operating evidence is thin.Borderline; independent assessor may challenge operating effectiveness.
3Operating effectivelyControl is designed and demonstrably operating across the full scope with retained evidence.Compliant; sustainable attestation.
4Managed and monitoredControl is continuously monitored, metrics are tracked, and deviations are detected and corrected.Compliant and resilient; low re-attestation effort.
5OptimisedControl is automated, integrated with broader security operations, and continuously improved.Compliant with strong assurance and minimal residual risk.

Alongside internal capability, record each control against SWIFT's own states: Compliant, Compliant with exception (with plan and date), Not Applicable (with justification), or Not Compliant. Advisory controls may also be marked as not attested, but assessing them is strongly recommended.

Assessment and audit approach

An independent assessment must be performed by parties independent of the first-line teams that operate the controls, whether that is an internal function such as internal audit or second-line risk, or an external firm with relevant cyber and assessment competencies. The assessor concludes on both the design and the operating effectiveness of each in-scope control.

  1. Plan and confirm scope: agree architecture type, in-scope components, control applicability and the assessment period with the assessor.
  2. Understand the environment: review architecture and data-flow diagrams, walk the secure-zone boundary, and confirm the component inventory is complete.
  3. Assess control design: for each control, evaluate whether the implemented mechanism would, if operating, achieve the control's stated outcome across all in-scope components.
  4. Assess operating effectiveness: inspect configurations, sample logs and records over the period, re-perform or observe key activities, and interview control owners.
  5. Evaluate the quality-assurance sub-elements: for controls that define them, confirm each sub-element is satisfied, as these drive the compliance conclusion.
  6. Test third-party reliance: examine service-provider attestations, independent assurance reports and contractual security obligations for outsourced components.
  7. Document findings: record any deficiencies, their risk, and management's remediation plans with owners and dates.
  8. Conclude per control: reach a compliant / compliant-with-exception / not-applicable / not-compliant conclusion for every in-scope control.
  9. Support attestation: enable the responsible officer to submit an accurate KYC-SA attestation, retaining the assessment report and evidence for SWIFT-mandated retention and possible SWIFT review.
  10. Establish continuous monitoring and schedule the annual re-assessment aligned to the new framework version's effective date.

Evidence request list

The following categorised evidence supports a robust assessment. Assessors should request current, dated artefacts covering the full assessment period rather than point-in-time screenshots alone.

  • Governance and policy: information security policy, SWIFT-specific security procedures, scope statement, control-ownership RACI, prior attestation and assessment reports.
  • Architecture and scope: network and data-flow diagrams, secure-zone definition, component inventory, architecture-type classification, third-party dependency register.
  • Network and segmentation: firewall rulesets and change records, proxy/egress configuration, VLAN/subnet maps, jump-server configuration, penetration-test isolation evidence.
  • Access control and identity: role/entitlement matrices, access-request and approval records, periodic recertification evidence, joiner/mover/leaver tickets, orphan-account reports, PAM logs.
  • Authentication and credentials: password policy and enforcement configuration, MFA enrolment and logs, token issuance/return register, secrets-management configuration, safe/vault logs.
  • System security: hardening baselines and compliance scans, patch-management reports and exception register, anti-malware coverage and update status, file-integrity monitoring output.
  • Data protection: internal and external data-flow encryption configuration, certificate inventory, backup encryption, key-management records.
  • Logging and monitoring: log-source inventory, SIEM retention and alerting configuration, sample investigated alerts, IDS/IPS configuration and logs, time-synchronisation evidence.
  • Business controls: RMA authorisation register and reviews, payment limits/corridors, four-eyes approval configuration, transaction-monitoring rules.
  • Physical security: data-centre and equipment-room access logs, CCTV coverage, HSM/token storage records, visitor logs, secure-disposal evidence.
  • Vulnerability and testing: vulnerability scan schedules/reports and remediation, penetration-test reports and retests, scenario-based risk assessments.
  • People and response: incident response plan and playbooks, tabletop and exercise reports, SWIFT notification contacts, security training curriculum and completion records, phishing-simulation results.
  • Third parties: service-bureau/cloud provider CSCF attestations or independent assurance reports, outsourcing contracts with security and right-to-audit clauses.

Roles and responsibilities

RolePrimary CSCF responsibilities
Board / Executive managementOwn accountability for the SWIFT relationship and cyber risk; approve the security programme and resourcing; oversee attestation outcomes.
Chief Information Security Officer (CISO)Own the CSCF control framework, drive remediation, define policy, and sponsor the annual assessment and attestation.
Head of Payments / SWIFT OperationsOwn the operational SWIFT environment, RMA and transaction business controls, and operator practices.
SWIFT infrastructure / IT teamImplement and operate technical controls: segmentation, hardening, patching, MFA, logging and interface configuration.
Identity and access management teamAdminister least-privilege access, recertification, token management and privileged-access controls for in-scope systems.
Security operations / SOCOperate logging, monitoring, malware and integrity detection, and lead incident response for SWIFT-related events.
Internal audit / second-line riskPerform or oversee the independent assessment where done internally; validate design and operating effectiveness independently of the first line.
External assessor / QSA-equivalentWhere engaged, conduct the independent external assessment and report on control effectiveness.
Responsible attesting officerReview the independent assessment and submit an accurate KYC-SA attestation on behalf of the entity.
Third-party / service providerImplement and evidence the CSCF controls for the infrastructure they operate on the user's behalf.

KPIs to track

  • Percentage of applicable mandatory controls assessed as compliant (target 100%).
  • Percentage of applicable advisory controls implemented and attested.
  • Number of controls in compliant-with-exception state and average age of open exceptions.
  • Mean time to remediate assessment findings, by risk rating.
  • Patch SLA adherence for in-scope systems (percentage patched within policy window).
  • MFA coverage across all interactive access paths to in-scope systems (target 100%).
  • Privileged-account access recertification completion rate and on-time percentage.
  • Vulnerability remediation timeliness for critical/high findings on in-scope components.
  • Log-source coverage and SIEM alert mean-time-to-detect and mean-time-to-respond for SWIFT-related use cases.
  • Security awareness and SWIFT operator training completion rates and phishing-simulation failure rate.
  • Incident response exercise cadence and number of SWIFT-relevant scenarios rehearsed per year.
  • Third-party attestation coverage: percentage of in-scope service providers with current CSCF evidence.
  • Attestation submitted on time each annual cycle and independently assessed (yes/no).

Readiness checklist

  • Architecture type (A1/A2/A3/A4/B) correctly classified and documented.
  • Complete in-scope component inventory and current data-flow diagrams produced.
  • Secure zone defined and SWIFT infrastructure segregated from general IT and the internet.
  • Privileged OS and application accounts controlled, monitored and minimised.
  • Systems hardened to a recognised baseline and patched within SLA.
  • Multi-factor authentication enforced for all interactive and administrative access.
  • Least-privilege access implemented with periodic recertification and prompt leaver revocation.
  • Tokens, credentials, keys and secrets stored and managed securely.
  • Anti-malware, software integrity and database integrity controls deployed and monitored.
  • Comprehensive logging and monitoring in place with retained, tamper-protected logs.
  • RMA and transaction business controls configured to limit fraud exposure.
  • Physical access to SWIFT systems and sensitive materials restricted and logged.
  • Cyber incident response plan tested and SWIFT notification path defined.
  • Security awareness and SWIFT operator training delivered and recorded.
  • Vulnerability scanning and (advisory) penetration testing performed and remediated.
  • Third-party/service-provider CSCF evidence obtained and reviewed.
  • Independent assessment completed for the current framework version.
  • KYC-SA attestation prepared, reviewed by the responsible officer, and scheduled for on-time submission.

Common gaps

  • Operator PCs treated as out of scope, leaving the most-targeted endpoints unprotected.
  • Weak or absent secure-zone segregation, with SWIFT systems reachable from the general enterprise network.
  • Incomplete MFA coverage, especially on jump servers, administrative and remote-access paths.
  • Privileged accounts unmanaged: shared credentials, no PAM, and no session monitoring.
  • Patch and hardening backlogs on interfaces and connectors, with unmanaged exceptions.
  • Insufficient logging and monitoring: key event sources missing, short retention, or no active alerting for SWIFT use cases.
  • RMA relationships never reviewed and transaction business controls not configured, so fraud impact is unbounded.
  • Third-party and service-bureau reliance not evidenced; no independent assurance obtained.
  • Attestation submitted without a genuinely independent assessment, or based on stale evidence.
  • Advisory controls ignored, causing scramble when they become mandatory in the next framework version.
  • Physical protection of HSMs, tokens and printed materials overlooked.
  • Incident response plan exists on paper but is never tested against SWIFT-specific fraud scenarios.

SWIFT CSCF mapped to other frameworks

The CSCF's controls align closely with established security standards, allowing an organisation to reuse existing control evidence. The table maps CSCF principles to comparable requirements in widely used frameworks. Mappings are indicative and should be validated against the specific control text of each framework.

CSCF principleISO/IEC 27001:2022 (Annex A)NIST CSF 2.0PCI DSS v4.0CIS Controls v8
1. Restrict internet access & protect critical systemsA.8.20-8.23 network/segregation, A.8.9 configurationPR.AA / PR.IR (network isolation)Req 1 network security controlsCIS 4 secure configuration, CIS 12 network management
2. Reduce attack surface and vulnerabilitiesA.8.8 vuln mgmt, A.8.9 config, A.8.25-8.28 secure developmentID.RA, PR.PS platform securityReq 6 secure systems, Req 11 testingCIS 7 continuous vuln mgmt, CIS 16 app security
3. Physically secure the environmentA.7 physical and environmental securityPR.AA physical accessReq 9 physical accessCIS 1 asset inventory (physical)
4. Prevent compromise of credentialsA.5.17 authentication information, A.8.5 secure authenticationPR.AA-01/02 identity & authenticationReq 8 identify and authenticateCIS 5 account management, CIS 6 access control
5. Manage identities and segregate privilegesA.5.15-5.18 access control, A.8.2 privileged accessPR.AA access managementReq 7 restrict access, Req 8CIS 5, CIS 6 access control management
6. Detect anomalous activityA.8.15-8.16 logging & monitoring, A.8.7 malwareDE.CM continuous monitoring, DE.AEReq 5 malware, Req 10 logging & monitoringCIS 8 audit logs, CIS 10 malware defences, CIS 13 monitoring
7. Plan for incident response & information sharingA.5.24-5.28 incident mgmt, A.6.3 awarenessRS respond, RC recoverReq 12.10 incident responseCIS 17 incident response, CIS 14 awareness

How CyberSigma helps

Partner with CyberSigma for SWIFT CSP readiness and independent assessment
CyberSigma provides end-to-end SWIFT CSCF support: architecture classification and scoping, a control-by-control gap assessment against the current framework version, hands-on remediation of segmentation, MFA, privileged access, hardening, logging and transaction business controls, and a rigorous independent assessment aligned to SWIFT's requirements so your responsible officer can attest with confidence on KYC-SA. As a CERT-In empanelled auditor and PCI QSA firm, we bring cross-framework expertise that lets you reuse ISO 27001, NIST CSF and PCI DSS evidence, minimise duplicate effort, and stay ahead of advisory-to-mandatory control changes. Engage CyberSigma to turn your annual SWIFT attestation from a compliance burden into demonstrable, resilient security assurance for you and your counterparties.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Is SWIFT CSCF mandatory?
Yes — all SWIFT users must attest compliance annually against the mandatory controls, supported by an independent assessment.
Does the CSCF change every year?
Yes — SWIFT updates the CSCF annually, sometimes moving advisory controls to mandatory, so assessments must use the current version.

Need help with SWIFT CSCF?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.