With the January deadline for self-attestation to the SWIFT Customer Security Programme (CSP) in the rear view mirror, members of the Swift community find themselves at various levels of compliance. On the whole, many organisations have viewed these new regulations as an opportunity to raise their game around security, understanding the rationale SWIFT have put behind this programme. There is still a lot of progress to be made however in order to ensure that the end of December 2018 compliance deadline is met. Here’s a look at the three stages of compliance so you can figure out where you stand and what you need to do next.
Status, Green: We have attested and are compliant
Congratulations – you’re part of the 89% of the global SWIFT community that have attested on time! Don’t let this make you overly confident, however. Now is not the time to let your guard down. Meeting the first phase of SWIFT’s CSP is an excellent step in the right direction, but take this opportunity to consider the real detail of your compliance standards by asking some important questions; have you evidenced how you meet current controls? How well positioned are they to meet other directives? How well do they fit into your broader security programme objectives? The CSP provides a great step to analyse how secure your processes and technology are around SWIFT. Now is also a good time to consider your other payment types.
Status, Yellow: We have attested and will be compliant
The good news is that you’re part of the majority of the global SWIFT community that have attested on time. The bad news, however, is that you aren’t yet compliant. Not to worry. What’s important now is that you become compliant over the course of 2018 so that your status, which is visible by SWIFT members who ask for your status, can be updated as soon as possible. As you work to address your compliance status, keep in mind that prerequisites for SWIFT CSP around multi-factor authentication and transaction monitoring are also a requirement in other forthcoming regulations that address data security, such as the General Data Protection Regulation on data protection and privacy for all individuals within the European Union. This is also a good opportunity to consider a more holistic approach to your security strategy, particularly as it relates to proactive behaviour monitoring, encryption and verification. Talk to your solution provider for their guidance on how to make sure your payments are always secure, regardless of new regulation standards.
Status, Red: We have not attested
If you fall within this category then you’re part of the 11% minority, with your negative attestation status visible to the rest of the SWIFT community. Community embarrassment aside, part of the benefit of following the Customer Security Programme is that you come to understand any security weaknesses within your payment processes. Taking an ostrich approach and burying your head in the sand about potential vulnerabilities is never a good idea. It’s imperative that you complete the attestation process so you have insight into the overall security of your organization. If you don’t know already, your first step should be to understand everything you can about what the CSP requires. Then, talk with trusted vendors who can help you. They should be able to provide you with the support you need to help you meet the 16 mandatory and 11 advisory controls.
Keep in mind that one of the central protections of the CSP is payment monitoring. The best way to meet this requirement (and future proof your organization against ongoing threats) is to proactively monitor the usage of payment applications in real-time, stopping fraudulent transactions before they happen. Although SWIFT’s CSP is not government legislation, it is an acknowledgement of the severity of security threats today. It’s inevitable that more payment communities and organisations will introduce similar guidelines. Many technology vendors are adopting a “security as standard” approach to the solutions they provide. The time has come for your organization to match this commitment and demonstrate your duty of care to secure business payments and protect not only your reputation, but also your customer data and relationships.