The SWIFT Customer Security Programme (CSP) and its Customer Security Controls Framework (CSCF) define mandatory and advisory security controls for all institutions connected to the SWIFT network. The CSCF is updated annually, and members must self-attest compliance each year backed by an independent assessment.
Who must comply
- All SWIFT users — banks and financial institutions using SWIFT for messaging and payments.
- Service bureaus and providers within the SWIFT environment.
Security objectives and principles
| Objective | Principles |
|---|---|
| Secure your environment | Restrict internet access; segregate critical systems; reduce the attack surface and harden systems; physically secure the environment |
| Know and limit access | Prevent credential compromise; manage identities and segregate privileges |
| Detect and respond | Detect anomalous activity in systems and transaction records; plan incident response and information sharing |
Architecture types and scope
Your SWIFT infrastructure "architecture type" (e.g., A1–A4 or B) determines which controls apply. Correctly identifying the architecture type is the first step, as it defines the applicable mandatory controls.
The assessment and attestation cycle
- Determine the architecture type and scope.
- Assess against the current-year CSCF (independent assessment is required for attestation).
- Remediate gaps across the mandatory controls.
- Complete the independent assessment (internal independent function or external assessor).
- Submit the annual attestation via SWIFT KYC-SA.
Evidence checklist
- SWIFT architecture-type determination and scope.
- Segregation and hardening evidence for the SWIFT environment.
- Access-control, MFA and privileged-access evidence.
- Logging, monitoring and anomaly-detection evidence.
- Independent assessment report against the current CSCF.
- KYC-SA attestation submission.
How CyberSigma helps
We determine your architecture type, perform the independent CSCF assessment, help remediate the mandatory controls, and support your annual KYC-SA attestation.
Frequently asked questions
Is SWIFT CSCF mandatory?
Yes — all SWIFT users must attest compliance annually against the mandatory controls, supported by an independent assessment.
Does the CSCF change every year?
Yes — SWIFT updates the CSCF annually, sometimes moving advisory controls to mandatory, so assessments must use the current version.
Need help with SWIFT CSCF?
CERT-In empanelled, PCI QSA senior auditors can take you from first reading about the CSCF to a completed, compliant attestation with a scoped, guided programme.
