Submit your self-attestation, keep up-to-date with the attestation status of others, and share your own attestation data with your counterparties
It is straightforward to self-attest
The KYC-SA makes it straightforward to meet the requirement for self-attestation as outlined in the Customer Security Controls Policy. No additional software or hardware is required to access the browser-based application, which uses a two-step verification process.
Once your self-attestation data has been prepared and submitted, SWIFT will publish the submission. The presence of the self-attestation and its validity will be visible to all KYC-SA users, but the data contents will not be shared without the owner’s explicit permission.
Users may edit and re-submit their data at any time and self-attestation data must be updated at least every 12 months, dependent on the expiry date of the attestation.
Full details of the self-attestation data requirements and workflows – including requirements for organisations connecting through a service provider – are described in the Customer Security Controls Policy.
Sharing data in order to improve security awareness and practice
You can search the KYC-SA by BIC, legal entity identifier or other user name keywords to identify the published self-attestation of another SWIFT user, and the validity period for the information. However, you can only view the attestation data content if the attesting user agrees to your request to share the data. Available data that may be shared, subject to approval includes, contact information; the type of assessment performed; whether the user complies with the mandatory controls (and advisory controls where included).
You can also grant or refuse access requests from counterparties to view your own attestation data via the application. By sharing data, and checking the compliance status of your counterparties, you can help to foster security awareness and improve security practice within your own organisation and across the industry.
KYC-SA – R3.0 – making consultation of data easier
Release 3.0 introduces a number of enhancements such as a view on your messaging counterparties, bulk access request and auto-grant functionalities, new reports on counterparties self-attestation status and controls details, as well as other usability improvements.
Details can be found in the KYC-SA release letter.
What must I do, and when?
Self-attestation is a requirement for all SWIFT users for each of their live 8-character BICs, irrespective of whether connecting directly or through a service provider. Self-attestations must be updated at least every 12 months and within a maximum of one month if relevant data becomes inaccurate.
Self-attesting your level of compliance with the advisory controls as set out in the Customer Security Controls Framework is optional but strongly encouraged.
- By 31 December 2017: All users must have self-attested their status against the mandatory security controls.
- From 1 January 2018: SWIFT reports those who have not self-attested against the mandatory controls to their local supervisors.
- By 31 December 2018: All SWIFT users must re-attest and confirm full compliance with the mandatory security controls V1 (2018), dependent on the expiry date of the attestation.
- From 1 January 2019: SWIFT reserves the right to report users who have failed to self-attest full compliance with all mandatory security controls (or who connect through a non-compliant service provider) to their local supervisors.
- By 31 December 2019: All users must re-attest and confirm compliance with the mandatory security controls V2019. The CSCF V2019 can now be consulted but will only become effective in the KYC-SA, the online repository for customer attestations, in July 2019. All SWIFT users must attest against the mandatory controls of this new version by the end of 2019