Bottomline SWIFT Access Service
Bottomline SWIFT Access Service is a fully accredited SWIFT service bureau, that helps organisations gain visibility and control of their global cashscape.
Why is SWIFT mandating an Independent review of the CSP (Customer Security Programme) attestation this year?
All SWIFT users are mandated to carry out an Independent Assessment when attesting. The Independent Assessment Framework (IAF) was introduced at the request of the global SWIFT community to reinforce and uphold the highest level of security of the global financial community.
What are the consequences of non-compliance?
In the instance of non-compliance, SWIFT can inform other members within the community and have the right to report any non-conformities to the local authorities of that member. Understandably, this could have detrimental effects on an organisation; potentially jeopardising daily business operations as well as reputational damage and trust.
Start planning for your attestation now to avoid any consequences
Our assessment is in December – why are you engaging with us now?
The annual attestation can be made as early as July 1st and will be valid until the annual attestation is required. Engaging early and being proactive will help provide peace of mind that you will comfortably meet the attestation deadline. In preparation for the new assessment methodology we encourage our clients to act now to avoid any delays in the instance that any remediation work needs to be done in order to comply with all mandatory controls of the CSP
How long does remedial action normally take prior to the Independent Assessment taking place?
In some instances, typical resolution periods can range from weeks to months. The CSP pre-attestation review will highlight any instances of non-conformance and you will be provided with a task list of any necessary remediation works required before the actual Independent Assessment is performed.
Our SWIFT certified auditors will be on hand to provide guidance and ensure you have the necessary measures in place to fully comply with the SWIFT CSP.
How can Bottomline help with the pre-assesement?
In order to fully support our customers we have a long-standing SWIFT certified cyber risk audit partner with whom we have been working together for over 5 years to successfully deliver CSP assessments. This ensures that our customers fully understand their requirements and are able to complete the attestation to the highest standard.
What is the benefit of Bottomline doing the Independent Assessment vs. an accountancy firm or external consultant?
Bottomline is able to provide peace of mind and assurance that your organisation will meet and exceed the requirements of the CSP with intimate knowledge of your SWIFT environment. We offer a competitive CSP compliance package to help customers with the Independent Assessment and to meet specific controls laid out in the Customer Security Control Framework (CSCF).
We also offer year-round guidance and advice regarding the CSP, ensuring our customers feel in control of their security and compliance needs.
Can Bottomline provide us with a template of what the pre-attestation review outputs will look like?
The pre-attestation review will allow our SWIFT certified auditors to review and discuss your organisation’s current compliance status before the actual Independent Assessment is performed. The auditors will then recommend enhancements and possible remediation works. The outputs of this will be outlined in both a summary presentation and a detailed task list with the relevant details. We’ll be happy to share an example of the reports with you.
What happens if we don’t do the Independent Assessment this year?
All SWIFT users are mandated to carry out the Independent Assessment to support their CSP attestation. In the instance that an Independent Assessment is not completed, the SWIFT user will be considered non-compliant with the CSP.
The consequences of non-compliance are high and could result in detrimental effects to both an organisation’s business and their reputation.
What additional controls do we need to attest to this year and can Bottomline assist us in being compliant?
The CSP is constantly evolving, it is assessed annually, with new controls introduced and advisory controls promoted to mandatory to ensure the bar continues to be raised. The SWIFT CSP v2022 framework comprises of a maximum of 23 mandatory controls and 9 advisory controls. The 2022 framework saw the promotion of one control from advisory to mandatory (control 2.9 - Transaction Business Controls) and the introduction of a new advisory control (control 1.5 Customer Environment Protection). Organisations must attest to the v2022 framework supported by an Independent Assessment by 31st December.
Bottomline can provide guidance and assurance with helping your organisation adhere to the CSP requirements. Remediation work can take time so we urge you to get in touch now to discuss you compliance status, providing peace of mind that you will successfully attest to the CSP.
Which controls are most misunderstood in attesting which leads to potential non-compliance with the mandatory requirements?
One control that is often misunderstood is 6.4 – Logging and Monitoring. This is a mandatory control that requires the organisation to ensure they have monitoring and alerting capabilities in place to detect anomalous actions and operations within their local SWIFT environment.
In some instances, where organisations have not implemented sufficient measures, it can take from 3 to 6 months to resolve.
Another commonly misunderstood control is 7.2 – Security Training and Awareness. This control requires annual security training for all staff within an organisation. This control is very easily overlooked; however, it is critical that appropriate training is provided for all staff and must be evidenced to SWIFT in order to comply with the CSP.
If an external assessor is chosen what are the responsibilities for you as a client?
The assessor will work closely with your organisation to review your existing processes, providing guidance and recommendations prior to the formal assessment, ensuring you feel in control and ready. The assessor will then perform the Independent Assessment, meeting with various individuals within your organisation to discuss your procedures and review your organisation’s compliance to the CSP, including sampling controls.
The assessor will then provide an official certification with appropriate evidence that can be uploaded to SWIFT as proof to support your attestation.
Can Bottomline help me with my CSP attestation next year as well as this year?
Yes, we do recommend multi-year contracts and most customers have this. However, for clients that have signed for just one year, they will need to extend their agreement to support next year’s control framework too.
I’ve only got an agreement with Bottomline for this year, what do i need to do to ensure compliance for next year?
That’s fine, Bottomline can help you with your annual Independent Assessments going forward.
Just reach out to your account manager who will be able to assist.
If I do my Independent Assessment for this year by 31st December, do I have to do another Independent Assessment next year as well?
Yes, an Independent Assessment is required when submitting you attestation to SWIFT on an annual basis. So ensure you remain proactive and plan effectively for future assessments.
We chose to do the assessment internally but are concerned we won’t complete the assessment within the deadline, what should we do?
We would be more than happy to discuss your options with you and can help you with your Independent Assessment requirement.
Our SWIFT certified assessor partners, A Jolly Consulting, have the required expertise and knowledge to ensure that you can achieve the Independent Assessment deadlines.
What will happen if there are noncompliant items identified in the Independent Assessment where remediation will not be completed by the attestation deadline?
As per prior years, when attesting to the companies compliance, there will be a drop down where you will be able to indicate areas of non-compliance.
It is highly recommended that this should be accompanied with a date of when the organisationwill be compliant.
The independent review can also note this within their report on the basis that they have been provided with appropriate evidence
What are the common failure areas?
The most common areas of non-compliance that we see across organisations tend to relate to poor policy and documentation which is often overlooked.
Organisations have documentation in place but it is not adequately maintained or doesn’t contain the specifics to meet the CSP requirements. Similarly, we often seen organisations failing to adhere to the controls that focus around vulnerability scanning and penetration testing.
Does my ISO certificate, or similar, mean that I can certify as compliant?
Whilst the ISO certificate and audit ensures that the organisation has appropriate Information Security governance, it does not cover the specifics related to the SWIFT CSP.
As a consequence, a review of the SWIFT specific components are required.
We have used Bottomline and AJC to meet new CSP Independent Assessment deadline and the service has been very efficient. It has given us peace of mind that the CSP attestation deadline is met and that our payment infrastructure is safe, secure and compliant.
-Cambodia Asia Bank
In the final part of transition from open banking to open finance, Marcus Hughes, Bottomline's Head of Strategic Business Development talks about the impact and benefits of Open Banking across businesses of different sizes.
Our payment experts are here to help.+61 2 9068 9438
Chat with one of our payment experts. We'll recommend the right solution for you.
Tell us a bit about you and your business and we’ll get back to you with all the information you need.