New Customer Security Controls Policy published

31 July 2019

Updated policy includes changes to self-attestation and independent assessments

SWIFT has updated the Customer Security Controls Policy document, which sets out SWIFT's policy with regard to the Customer Security Controls Framework (CSCF): a set of security controls which provide a security baseline for SWIFT users, as part of its Customer Security Programme (CSP). Self-attesting compliance with these controls is an essential step for customers to take towards securing their systems.

The refreshed policy includes the following changes:

  • Annual self-attestation, between July and December
  • As from CSCF v2019, self-attestations submitted between July and December will be valid until the end of the following year (replacing the current 12-month validity rule)
  • As from mid-2020, an independent assessment (either internal or external) will be required as outlined in the recently published Independent Assessment Framework
  • Policy and CSCF updates will follow an annual joint update cycle
  • Elements specific to the usage of the KYC-SA application have been moved to the KYC-SA user guide

You can access the new Customer Security Controls Policy here (SWIFT login ID required).

CSCF v2019 on KYC-SA

As a reminder, the KYC Security Attestation (KYC-SA) application for the CSCF v2019 has been available since early July and users can start to attest their level of compliance against this baseline. The deadline for attesting is 31 December 2019 and all SWIFT users must self-attest compliance with, at the minimum, the mandatory controls set out in SWIFT’s Customer Security Controls Framework v2019.

The CSCF v2019 is available in full here (SWIFT login ID required).
