Shared Infrastructure Programme
The Shared Infrastructure Programme defines operational standards for third-party service bureaux offering SWIFT connectivity - ensuring quality, security and reliability.
The SIP is designed to establish and maintain a high level of security and resilience for service bureau operations.
To verify their compliance, Service Bureaux will have to self-attest on a yearly basis and remote checks on basic security controls will be performed. Additionally, risk based parameters will determine the frequency by which on-site inspections and possible unannounced additional tests will be performed by SWIFT.
SWIFT’s certification verifies compliance with the SIP requirements at the time of assessment. Service Bureaux are responsible for ensuring their continued compliance with the applicable SIP requirements at all times, and are obliged to notify incidents and events (for example, security incidents) that impact the provision of their services to their customers.
In the event a service bureau is not compliant with the terms and conditions of the SIP, SWIFT is entitled to remove the service bureau from the SIP. This process includes removal from the directory, notification of customers and formal termination of the programme for the Service Bureau.
The SIP does not provide absolute assurance about the security of the operations of the service bureaux and their customers, and does not free service bureaux and their customers from having to perform their own roles and responsibilities.
Subscription to the programme is subject to payment of an annual registration fee.
Evolution of the Shared Infrastructure Programme
The security framework was designed by a diverse group of SWIFT security experts and has been validated against leading industry standards/guidelines such as the security framework of NIST (National Institute of Standard in Technology – US Department of Commerce). The NIST framework was designed to optimise computer/cyber/information security and privacy in critical infrastructures.
The first release of the SIP was defined in 2012 and was rolled out over a 3year project, which also saw a reduction in the number of Service Bureaux.
In early 2016, the programme was updated with additional controls in the areas of organisational and cyber security. Later that same year, an increased frequency of verification was announced and the definition of Service Bureaux was expanded to include all parties that provide indirect connectivity to SWIFT.
For 2018, the next release of the SIP will include a harmonization with SWIFTs Customer Security Programme (CSP), in order to align the security controls that SWIFT Users need to implement with the controls that the Service Bureaux put in place.
Publication of the Service Bureaux
SWIFT publishes the Terms and Conditions of the Shared Infrastructure Programme on its website.
Service Bureaux are bound with the SWIFT Terms and Conditions of the Shared Infrastructure Programme
Certified Service Bureaux are listed on swift.com, with their geographic location, as well as the version of the SIP against which they have been assessed at a specific moment in time.
Apart from the certification status, SWIFT does not provide individual details or reports on individual Service Bureaux.
Service Bureaux operate under their own brand name. Their use of any SWIFT logo is subject to the SWIFT Trademark Guidelines.
Service Bureaux do not represent SWIFT and they are not part of SWIFT’s area of control. They do not represent SWIFT in any matter but act as a provider as would system integrators, software vendors and consultants.
Roles and Responsibilities
Use of a service bureau, or any subsequent change of service bureau, is at customers’ own responsibility and risk. The checks performed by SWIFT to verify compliance of a service bureau with the SIP should never be seen as a substitute for customers’ own checks and due diligence. SWIFT encourages all customers considering using a service bureau to undertake all due diligence that they believe is necessary before choosing an appropriate service bureau. SWIFT disclaims any liability for the acts, faults, or omissions of a service bureau.
A customer that uses a service bureau must ensure that the scope of rights granted to the service bureau in respect of SWIFT services and products does not exceed those contracted for with SWIFT. In addition, a customer that decides to use a service bureau must ensure that its selected service bureau is bound by no less stringent obligations than those incumbent upon the customer under its contractual arrangements with SWIFT.
Service Bureaux are responsible for ensuring their continued and effective compliance with the applicable SIP requirements at all times and, more generally, the security of their operations. They are also obliged to notify their customers and SWIFT of incidents and events (for example, security incidents) that impact the provision of their services.