Bottomline SWIFT Customer Security Programme
Since July 2021, all SWIFT users have been required to support their CSP attestation with an independent assessment; self-attestation on its own is no longer an option.
All SWIFT users are mandated to carry out an Independent Assessment when attesting. The Independent Assessment Framework (IAF) was introduced at the request of the global SWIFT community to reinforce the security of the financial community as a whole.
Where a user is non-compliant, SWIFT can inform other members of the community and reserves the right to report non-conformities to that member's local authorities. This can have detrimental effects on an organisation, potentially disrupting daily business operations and damaging reputation and trust.
Start planning for your attestation now to avoid any consequences
The annual attestation can be submitted from 1 July and remains valid until the following year's attestation is due. Engaging early and being proactive gives you confidence that you will comfortably meet the attestation deadline. In preparation for the assessment methodology, we encourage our clients to act now so that any remediation work needed to comply with all mandatory controls of the CSP does not delay the attestation.
Typical resolution periods can range from weeks to months. The CSP pre-attestation review will highlight any instances of non-conformance, and you will be provided with a task list of the remediation work required before the actual Independent Assessment is performed.
Our SWIFT certified auditors will be on hand to provide guidance and ensure you have the necessary measures in place to fully comply with the SWIFT CSP.
To fully support our customers we have a long-standing SWIFT certified cyber risk audit partner with whom we have worked for over five years to deliver CSP assessments. This ensures that our customers fully understand their requirements and can complete the attestation to the highest standard.
Bottomline can provide assurance that your organisation will meet and exceed the requirements of the CSP, drawing on detailed knowledge of your SWIFT environment. We offer a competitive CSP compliance package to help customers with the Independent Assessment and with meeting the specific controls laid out in the Customer Security Controls Framework (CSCF).
We also offer year-round guidance and advice regarding the CSP, ensuring our customers feel in control of their security and compliance needs.
The pre-attestation review will allow our SWIFT certified auditors to review and discuss your organisation’s current compliance status before the actual Independent Assessment is performed. The auditors will then recommend enhancements and possible remediation works. The outputs of this will be outlined in both a summary presentation and a detailed task list with the relevant details. We’ll be happy to share an example of the reports with you.
All SWIFT users are mandated to carry out the Independent Assessment to support their CSP attestation. In the instance that an Independent Assessment is not completed, the SWIFT user will be considered non-compliant with the CSP.
The consequences of non-compliance are high and could result in detrimental effects to both an organisation’s business and their reputation.
The CSP evolves continually: the framework is revised annually, with new controls introduced and advisory controls promoted to mandatory so that the bar keeps rising. The SWIFT CSP v2022 framework comprises 23 mandatory controls and 9 advisory controls. The 2022 framework promoted one control from advisory to mandatory (control 2.9 - Transaction Business Controls) and introduced a new advisory control (control 1.5 - Customer Environment Protection). Organisations must attest to the v2022 framework, supported by an Independent Assessment, by 31 December.
Bottomline can provide guidance and assurance to help your organisation adhere to the CSP requirements. Remediation work takes time, so we urge you to get in touch now to discuss your compliance status and gain confidence that you will successfully attest to the CSP.
One control that is often misunderstood is 6.4 - Logging and Monitoring. This mandatory control requires the organisation to have monitoring and alerting capabilities in place to detect anomalous actions and operations within its local SWIFT environment.
Where organisations have not implemented sufficient measures, remediation can take from three to six months.
Another commonly misunderstood control is 7.2 - Security Training and Awareness. This control requires annual security awareness training for all staff within the organisation. It is easily overlooked; however, appropriate training must be provided to all staff and must be evidenced during the Independent Assessment in order to comply with the CSP.
The assessor will work closely with your organisation to review your existing processes, providing guidance and recommendations prior to the formal assessment, ensuring you feel in control and ready. The assessor will then perform the Independent Assessment, meeting with various individuals within your organisation to discuss your procedures and review your organisation’s compliance to the CSP, including sampling controls.
The assessor will then provide a formal assessment report with supporting evidence that can be uploaded to SWIFT in support of your attestation.
Yes, we do recommend multi-year contracts and most customers have them. Clients that have signed for just one year will need to extend their agreement to cover next year's control framework as well.
That’s fine, Bottomline can help you with your annual Independent Assessments going forward.
Just reach out to your account manager who will be able to assist.
Yes, an Independent Assessment is required each year when submitting your attestation to SWIFT, so remain proactive and plan effectively for future assessments.
We would be more than happy to discuss your options with you and can help you with your Independent Assessment requirement.
Our SWIFT certified assessor partners, A Jolly Consulting, have the required expertise and knowledge to ensure that you can achieve the Independent Assessment deadlines.
As in prior years, when attesting to the company's compliance there will be a drop-down in which you can indicate areas of non-compliance.
It is highly recommended that this is accompanied by the date by which the organisation will be compliant.
The independent assessor can also note this in their report, provided they have been given appropriate evidence.
The most common areas of non-compliance that we see across organisations tend to relate to poor policy and documentation which is often overlooked.
Organisations have documentation in place, but it is not adequately maintained or lacks the specifics needed to meet the CSP requirements. Similarly, we often see organisations failing to adhere to the controls that cover vulnerability scanning and penetration testing.
Whilst an ISO certificate and audit demonstrate that the organisation has appropriate information security governance in place, they do not cover the specifics of the SWIFT CSP.
As a consequence, a review of the SWIFT-specific components is still required.