
Since its inception in 2016, the Swift Customer Security Programme (CSP) has evolved its framework to facilitate safe, secure money movement throughout the global banking community. Designed to protect enrolled financial institutions in the Swift network, CSP guidelines are routinely updated in response to emerging trends in cybersecurity and fraud. Security analysts, however, have found knowledge gaps among Swift users tasked with updating security infrastructures and conducting required annual assessments and attestations.
Jon Anderson, manager at Schellman, sheds light on recent updates to Swift’s CSP and Independent Assessment Framework (IAF). Drawing from deep experience as a certified information systems security professional, certified information systems auditor, ISO 27001 lead auditor, payment card industry professional, payment card industry qualified security assessor, and 3DS assessor, he shares advice on how to stay current with Swift’s evolving CSP and IAF guidelines.
Appoint an in-house Swift resource
When assisting IT teams with CSP assessments, Anderson observes that banks frequently outsource critical security functions and are not always familiar with their firms’ security architecture or Swift applications in use. He recommends appointing an on-premises administrator who understands Swift products and the internal communications interfaces that support them to further enhance compliance and eliminate uncertainties.
Employ certified independent assessors
Anderson further notes that internal or external auditors who conduct independent assessments must have experience and at least one well-known cybersecurity certification, such as CISP, CISA, CISSP, or ISO/IEC 27001. “External and internal assessors must be CSP certified, listed in the Swift.com directory, and be able to assert independence from the organization,” he says.
Swift’s CSP-certified assessor programme is due to be completed in August 2024, Anderson states. Viewable on Swift’s KYC portal, the programme would indicate if participants used CSP-certified assessors and flag any non-certified assessors, he explains.
Implement multi-factor authentication
Citing multi-factor authentication as another challenging area, Anderson reminds Swift users that MFA combines two of three factor types: something they know, something they have, and something they are.
“Any combination of two of those three is fine, but I get confused responses and questions about how to combine these three factors,” he says. “When a knowledge factor is combined with a possession factor, the device used for the second factor cannot be the same as the device used to enter the first factor. For example, a bad actor could compromise your laptop if both factors were on it but would not likely have access to your phone.”
Require multiple approvals
“It’s critical to have two sets of eyes,” he adds, recalling an incident involving a banking entity in Hong Kong that was spoofed by an AI. Attackers impersonated the CEO, requesting payment on a Zoom video, and the person wired funds to criminals, which might not have happened if a second person had reviewed and approved the payment. That’s a good example of why this control needs to be there. “Multiple approvals can be facilitated systemically, through an application or on paper; it really doesn’t matter as long as the control is there.”
Follow best practices
Anderson notes that Swift created the Independent Assessment Framework to enhance security attestations’ integrity, consistency, and accuracy, highlighting the assessment process and its three primary assessment types.
“First, there is the self-assessment, which can be conducted internally by an organization’s first or second line of defence, but this process is not compliant,” he says. “Next is the community standard assessment, which is fully compliant and based on CSP guidelines. Finally, there’s the mandated external assessment, paid for by Swift, where assessors suddenly appear on site to perform a surprise assessment.”
Tick all boxes
Once approved to use the Swift network, Swift users must attest to their compliance on the KYC portal. He adds that the online form will query users about their respective areas of responsibility and compliance status in the customer security controls framework. Of the three available answers for each control line item, the best option is “I comply with this control,” he says. The second-best option is “I will comply with this control by this date,” detailing how the company will fix this. The third, regrettable option is “I do not comply.”
Swift users who choose “I will comply by” or “I do not comply” will be flagged as non-compliant on the portal for all counterparties to see, Anderson warns. “Swift users frequently miss these nuances,” he says. “But the good news is that users have until the 31st of December to attest and can begin assessments as early as July. Be thorough, remediate what you can, and mark everything ‘I comply’ by year end.”