SWIFT has published an Independent Assessment Framework (IAF) to support its users and their independent assessors in carrying out their responsibilities as part of the Customer Security Programme (CSP).
The IAF defines how users need to verify that their self-attestations correspond with their actual level of security control implementation.
The introduction of independent assessments is a significant milestone for the CSP, which launched in 2016 and sets benchmark security practices critical to defending against, detecting and recovering from cybercrime. The assessments, introduced at the request of the entire SWIFT community through its Board and Overseers, further reinforce the security of the global banking system.
From July 2020, all SWIFT users will be obligated to carry out an independent assessment when self-attesting. These can be done through either:
• Internal assessment carried out by the company's second or third line of defence, such as the user's internal compliance, internal risk or internal audit departments (independent from the first-line-of-defence function submitting the attestation); or
• External assessment carried out by an independent external organisation with cyber security assessment experience, using individual assessors who hold relevant security industry certifications.
As a minimum, the ‘Community Standard Assessments’ must cover all mandatory controls in the latest version of the Customer Security Controls Framework (CSCF) that are applicable based on a user’s CSP architecture type and infrastructure. Users that have attested against advisory controls may also consider asking the assessor to include these in the evaluation.
As users begin to plan and budget, we advise that external assessors should be registered with SWIFT under the SWIFT Partner Programme to have direct access to training and other CSP related materials. To ensure a consistent approach to the assessment process, SWIFT provides users and assessors standardised Excel templates and forms.
From July 2020, a user's self-attestation cannot be submitted into the Know Your Customer – Security Attestation (KYC-SA) application unless the necessary details from the independent assessment are submitted with it. All self-attestations from all users remain subject to the normal year-end deadline.
In addition to the IAF outlined above, SWIFT also reserves the right, for a small cross-section of users, to mandate that an external assessment be undertaken.