SWIFT · Global

SWIFT CSP / CSCF

SWIFT’s Customer Security Controls Framework for institutions on the SWIFT network.

The SWIFT Customer Security Programme (CSP) and its Customer Security Controls Framework (CSCF) define mandatory and advisory security controls for all institutions connected to the SWIFT network. The CSCF is updated annually, and members must self-attest compliance each year backed by an independent assessment.

Who must comply

  • All SWIFT users — banks and financial institutions using SWIFT for messaging and payments.
  • Service bureaus and providers within the SWIFT environment.

Security objectives and principles

Objective | Principles
Secure your environment | Restrict internet access; segregate critical systems; reduce the attack surface and harden systems; physically secure the environment
Know and limit access | Prevent credential compromise; manage identities and segregate privileges
Detect and respond | Detect anomalous activity in systems and transaction records; plan incident response and information sharing

Architecture types and scope

Your SWIFT infrastructure "architecture type" (e.g., A1–A4 or B) determines which controls apply. Correctly identifying the architecture type is the first step, as it defines the applicable mandatory controls.

The assessment and attestation cycle

  1. Determine the architecture type and scope.
  2. Assess against the current-year CSCF (independent assessment is required for attestation).
  3. Remediate gaps across the mandatory controls.
  4. Complete the independent assessment (internal independent function or external assessor).
  5. Submit the annual attestation via SWIFT KYC-SA.

Evidence checklist

  • SWIFT architecture-type determination and scope.
  • Segregation and hardening evidence for the SWIFT environment.
  • Access-control, MFA and privileged-access evidence.
  • Logging, monitoring and anomaly-detection evidence.
  • Independent assessment report against the current CSCF.
  • KYC-SA attestation submission.

How CyberSigma helps

We determine your architecture type, perform the independent CSCF assessment, help remediate the mandatory controls, and support your annual KYC-SA attestation.

Frequently asked questions

Is SWIFT CSCF mandatory?
Yes — all SWIFT users must attest compliance annually against the mandatory controls, supported by an independent assessment.

Does the CSCF change every year?
Yes — SWIFT updates the CSCF annually, sometimes moving advisory controls to mandatory, so assessments must use the current version.

Need help with SWIFT CSCF?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.