Shared Infrastructure Programme

The Shared Infrastructure Programme defines operational standards for third-party service bureaux offering SWIFT connectivity - ensuring quality, security and reliability.

SIP evolution

SWIFT’s Shared Infrastructure Programme (SIP) contains legal, financial and operational requirements which service bureaux are required to meet.

The SIP is designed to establish and maintain a high level of security and resilience for service bureau operations.

SWIFT regularly reviews and adapts the SIP to reflect market developments and the evolving threat environment. Earlier this year we announced that we would be expanding the scope of the SIP to other providers of shared connectivity to third parties and extending the SIP requirements – in particular those related to cyber-security considerations. The updated SIP will also include increased frequency of verification, risk-based tiering for the assurance approach and more ad-hoc remote checks.

From 2017, SIP inspections and certifications will be undertaken annually, and a combination of on-site inspections and remote data gathering will provide the basis for documenting service bureaux’ compliance with the programme. All service bureaux will be required to demonstrate their compliance with the full expanded scope during 2017, while, as of 2018, risk-based tiering for increased focus will come into force.

In response to the increasing scale and sophistication of cyber-attacks, the updated SIP will introduce more stringent cybersecurity management requirements involving specific intrusion detection systems and penetration testing. Service bureaux staff will also need to enrol in frequent security training and awareness sessions.

About the SIP

Under the SIP programme, SWIFT’s certification verifies service bureaux’ compliance with the SIP operational requirements at the time of certification. Service bureaux are responsible for ensuring their continued compliance with the applicable SIP requirements at all times, and are obliged to notify incidents and events (for example, security incidents) that impact the provision of their services to their customers.

In the event that a service bureau is not compliant with the terms and conditions of the SIP, SWIFT is entitled, as per a documented process, to remove the service bureau from the SIP.

The SIP does not provide absolute assurance about the security of the operations of the service bureaux and their customers, and does not free service bureaux and their customers from having to perform their own roles and responsibilities.

The SWIFT certification should never be seen as a substitute for customers’ own checks and due diligence, and SWIFT encourages all users considering engaging a service bureau to undertake all checks and due diligence that they believe necessary. Service bureaux and their customers are ultimately responsible for maintaining sound cyber practices at all times.