The Shared Infrastructure Programme (SIP) is designed to establish and maintain a high level of security and resilience for Service Bureau operations.
The compliance assessment is based on a combination of self-attestation and SWIFT on-site inspections. On-site inspections are performed on a three-year cycle, and Service Bureaux with a higher risk profile are subject to more frequent on-site inspection. Risk-based parameters also determine the frequency of on-site inspections. In years when a Service Bureau is not inspected, it must self-attest.
SWIFT’s certification verifies compliance with the SIP requirements at the time of assessment. Service Bureaux are responsible for ensuring their continued compliance with the applicable SIP requirements at all times, and are obliged to notify incidents and events (for example, security incidents) that impact the provision of services to their customers.
In the event a Service Bureau is not compliant with the terms and conditions of the SIP, SWIFT is entitled to remove the Service Bureau from the programme. This process includes removal from the directory, notification of customers and formal termination of the programme for the Service Bureau.
The SIP does not provide absolute assurance about the operational security of the Service Bureaux and their customers, and does not free Service Bureaux or their customers from having to perform their own roles and responsibilities.
Subscription to the programme is subject to payment of an annual registration fee.
Evolution of the Shared Infrastructure Programme
The security framework was designed by a diverse group of SWIFT security experts and has been validated against leading industry standards and guidelines, such as the NIST (National Institute of Standards and Technology, US Department of Commerce) security framework. The NIST framework was designed to optimise computer, cyber and information security and privacy in critical infrastructures.
The first release of the SIP was defined in 2012 and was rolled out over a three-year project, which also saw a reduction in the number of Service Bureaux.
In early 2016, the programme was updated with additional controls in the areas of organisational and cyber security. Later that same year, an increased frequency of verification was announced and the definition of Service Bureaux was expanded to include all parties that provide indirect connectivity to SWIFT.
Since 2018, the SIP has included a harmonisation with SWIFT's Customer Security Programme (CSP), in order to align the security controls that SWIFT users need to implement with the controls the Service Bureaux put in place.
Publication of the Service Bureaux
SWIFT publishes the Terms and Conditions of the Shared Infrastructure Programme on its website.
Service Bureaux are bound by the SWIFT Terms and Conditions of the Shared Infrastructure Programme. The Provider Security Controls Framework is an integral part of the SIP Terms and Conditions.
Certified Service Bureaux are listed on swift.com, with their geographic location, as well as the version of the SIP against which they have been assessed at a specific moment in time.
Apart from the certification status, SWIFT does not provide individual details or reports on individual Service Bureaux.
Service Bureaux operate under their own brand name. Their use of any SWIFT logo is subject to the SWIFT Trademark Guidelines.
Service Bureaux do not represent SWIFT and are not part of SWIFT’s area of control. They act as providers, in the same way as system integrators, software vendors and consultants.
Roles and Responsibilities
The use of a Service Bureau, or any subsequent change of a Service Bureau, is at customers’ own risk. Checks performed by SWIFT to verify compliance of a Service Bureau with the SIP should never be seen as a substitute for customers’ own checks and due diligence. SWIFT encourages all customers considering using a Service Bureau to undertake all due diligence that they believe is necessary before choosing an appropriate Service Bureau. SWIFT disclaims any liability for the acts, faults, or omissions of a Service Bureau.
A customer that uses a Service Bureau must ensure that the scope of rights granted to the Service Bureau in respect of SWIFT services and products does not exceed those contracted for with SWIFT. In addition, a customer that decides to use a Service Bureau must ensure that its selected Service Bureau is bound by no less stringent obligations than those incumbent upon the customer under its contractual arrangements with SWIFT.
Service Bureaux are responsible for ensuring their continued and effective compliance with the applicable SIP requirements at all times and, more generally, the security of their operations. They are also obliged to notify their customers and SWIFT of incidents and events (for example, security incidents) that impact the provision of their services.