Bottomline SWIFT Customer Security Programme
From July 2021, all SWIFT users must carry out an independent assessment to ensure they are adhering to the CSP with the option of self-attestation no longer viable.
All SWIFT users are mandated to carry out an independent assessment when attesting. The Independent Assessment Framework (IAF) was introduced at the request of the global SWIFT community to reinforce and uphold the highest level of security of the global financial community.
The annual attestation can be made as early as July 1st and will be valid until the next annual attestation is required. Engaging early and being proactive will help provide peace of mind that you will comfortably meet the attestation deadline. In preparation for the new assessment methodology we encourage our clients to act now to avoid any delays in the instance that any remediation work needs to be done in order to comply with all mandatory controls of the CSP.
In the instance of non-compliance, SWIFT can inform other members within the community and have the right to report any non-conformities to the local authorities of the respective country of that member. Understandably, this could have detrimental effects on an organisation; potentially jeopardising daily business operations as well as reputational damage and trust.
Start planning for your attestation now to avoid any consequences.
In some instances, typical resolution periods can take multiple weeks to months. The CSP pre-attestation review will highlight any instances of non-conformance and you will be provided with a task list of any necessary remediation works required before the actual independent assessment is performed.
Our SWIFT certified auditors will be on hand to provide guidance and ensure you have the necessary measures in place to fully comply with the SWIFT CSP.
To fully support our customers, we have a long-standing SWIFT certified cyber risk audit partner that we have been working with for over four years to successfully deliver CSP assessments. This ensures that our customers fully understand their requirements and are able to complete the attestation to the highest standard.
All SWIFT users are mandated to carry out the independent assessment to support their CSP attestation. In the instance that an independent assessment is not completed, the SWIFT user will be considered non-compliant with the CSP.
The consequences of non-compliance are high and could result in detrimental effects to both an organisation’s business and their reputation.
Bottomline is able to provide peace of mind and assurance that your organisation will meet and exceed the requirements of the CSP with intimate knowledge of your SWIFT environment. We offer a competitive CSP compliance package to help customers with the independent assessment and to meet specific controls laid out in the Customer Security Control Framework (CSCF).
We also offer year-round guidance and advice regarding the CSP, ensuring our customers feel in control of their security and compliance needs.
The pre-attestation review will allow our SWIFT certi ied auditors to review and discuss your organisation’s current compliance status, before the actual independent assessment is performed. The auditors will then recommend enhancements and possible remediation works. The outputs of this will be outlined in both a summary presentation and a detailed task list with the relevant details.
We’ll be happy to share an example of the reports with you.
The CSP is constantly evolving, it is assessed annually, with new controls introduced and advisory controls promoted to mandatory to ensure the bar continues to be raised. The SWIFT CSP 2021 assessment comprises a maximum of 22 mandatory controls and 9 advisory controls within the CSCF v2021. In 2020, 2 advisory controls were promoted to mandatory and 2 new advisory controls were introduced, however due to COVID-19 these changes were not enforced until 2021. In 2021 1 control was promoted to mandatory. Organisations must attest to v2021 of the CSCF supported by an independent assessment.
One control that is often misunderstood is 6.4 – Logging and Monitoring. This is a mandatory control that requires the organisation to ensure they have monitoring and alerting capabilities in place to detect anomalous actions and operations within their local SWIFT environment.
In some instances, where organisations have not implemented sufficient measures, it can take from 3 to 6 months to resolve.
Another commonly misunderstood control is 7.2 – Security Training and Awareness. This control requires annual security training for all staff within an organisation. This control is very easily overlooked; however, it is critical that appropriate training is provided for all staff and must be evidenced to SWIFT in order to comply with the CSP.
The assessor will work closely with your organisation to review your existing processes, providing guidance and recommendations prior to the formal assessment, ensuring you feel in control and ready. The assessor will then perform the independent assessment, meeting with various individuals within your organisation to discuss your procedures and review your organisation’s compliance to the CSP, including sampling controls.
The assessor will then provide an official certification with appropriate evidence that can be uploaded to SWIFT as proof to support your attestation.
Our payment experts are here to help.
+61 2 8047 3700Chat with one of our payment experts. We'll recommend the right solution for you.
Tell us a bit about you and your business and we’ll get back to you with all the information you need.