
SWIFT Customer Security Programme (CSP) - Compliance Guide for Financial Institutions

A complete guide to the SWIFT Customer Security Programme — mandatory controls, the CSCF framework, community standard controls, the annual attestation process, and how to achieve and maintain CSP compliance as a SWIFT correspondent.


SWIFT Customer Security Programme: Mandatory Controls for Every SWIFT Correspondent

In February 2016 attackers compromised Bangladesh Bank's SWIFT-connected systems and used the bank's own messaging interface to send fraudulent payment instructions, stealing $81 million of the roughly $951 million they attempted to move. In response SWIFT launched the Customer Security Programme (CSP) to raise the security baseline of every institution connected to the network. Compliance with the CSP, including the annual attestation, is mandatory for all SWIFT users, not only correspondent banks. Non-compliance creates counterparty risk: correspondents can see a user's attestation status and may restrict or terminate the relationship on the strength of it.


The Customer Security Controls Framework (CSCF)

The Customer Security Controls Framework (CSCF) defines the mandatory and advisory security controls against which SWIFT users attest. The framework is organised around three objectives and seven principles; each principle groups one or more numbered controls:

Objective 1 — Secure your environment:

  • Restrict internet access and protect critical systems from the general IT environment
  • Reduce attack surface and vulnerabilities
  • Physically secure the environment

Objective 2 — Know and limit access:

  • Prevent compromise of credentials
  • Manage identities and segregate privileges

Objective 3 — Detect and respond:

  • Detect anomalous activity to systems or transaction records
  • Plan for incident response and information sharing

The CSCF is updated annually to address the evolving threat landscape. Organisations must re-assess their compliance against the current CSCF each year and update their attestation accordingly.

Mandatory vs. Advisory Controls

The CSCF distinguishes between Mandatory controls (must be implemented by all users) and Advisory controls (best practice recommendations that will be reviewed for potential future mandation):

Key mandatory controls include:

  • Restrict internet access (SWIFT-related components must not have direct internet connectivity)
  • Separate SWIFT-related systems from the general IT environment
  • Reduce the attack surface of SWIFT-related systems (patch management, hardening)
  • Prevent compromise of credentials (password policies, privileged access management)
  • Manage identities and segregate privileges
  • Detect anomalous activities in systems or transaction records (logging, monitoring, SWIFT payment control)

Advisory controls cover additional hardening measures, network segmentation best practices, enhanced authentication, penetration testing, and information sharing participation.

The Annual Attestation Process

Every SWIFT user must complete an annual attestation in the KYC Security Attestation (KYC-SA) application on swift.com:

  1. Self-assess against all mandatory controls (and, ideally, the advisory controls) of the CSCF version in force for that year
  2. Have the assessment independently verified: since 2021 the Independent Assessment Framework requires every attestation to be supported by an independent assessment, performed either by an internal function independent of the first line (second or third line of defence) or by an external assessor
  3. Submit the attestation in KYC-SA during the attestation window, which opens in July and closes on 31 December
  4. Counterparty visibility: correspondents can request access to your attestation and see your compliance level, so an open non-compliance is visible to the banks that route your payments

Non-compliance consequences: users that fail to attest, or that attest non-compliance with a mandatory control, face counterparty risk management actions from their correspondents, potentially including reduced credit lines, additional transaction monitoring, or termination of the correspondent relationship.

SWIFT also reserves the right to report users that do not attest, or that attest non-compliance, to their local supervisors, and it performs quality-assurance reviews on a sample of attestations.

Building a SWIFT CSP Compliance Program

Environment assessment: map every SWIFT-related component (messaging interfaces such as Alliance Access or Alliance Entry, communication interfaces such as Alliance Gateway, connectors, HSMs and operator PCs, Service Bureau or other third-party connections) together with the Secure Zone boundary and the general IT environment around it. Determine the architecture type (A1 to A4, or B for users with no local SWIFT footprint), because the architecture type decides which CSCF controls are in scope for the attestation.

Gap assessment against CSCF: For each mandatory and advisory control, assessing current implementation status and identifying gaps requiring remediation.

Secure Zone architecture: The SWIFT Secure Zone must be properly designed with appropriate network segmentation from the general IT environment. This architecture decision underpins compliance with multiple mandatory controls.
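Two of the expectations that a Secure Zone design must satisfy can be checked mechanically against the firewall rule set that implements it: no secure-zone host may reach the internet directly, and administrative access into the zone may only originate from a hardened jump host. The following is an added example, not code from the page or from SWIFT; the zone addresses, the jump host, the admin port list and the rule set are constructed assumptions for illustration.

```python
"""Added example (not from the page or from SWIFT): a static check of a
firewall rule set against two CSCF secure-zone expectations: no direct
internet connectivity, and administrative access only from a jump host.
All addresses and rules below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SECURE_ZONE = ipaddress.ip_network("10.50.0.0/24")   # assumed SWIFT secure zone
JUMP_HOSTS = {ipaddress.ip_address("10.10.1.5")}      # assumed PAM / jump host
INTERNAL = [ipaddress.ip_network(n) for n in          # RFC 1918 space = general IT
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389, 5985, 5986}                  # SSH, RDP, WinRM


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR
    dst: str              # CIDR
    port: Optional[int]   # None = any port
    action: str           # "allow" or "deny"


def is_external(net: ipaddress.IPv4Network) -> bool:
    """True if the destination reaches beyond RFC 1918 space (0.0.0.0/0 counts)."""
    return not any(net.subnet_of(n) for n in INTERNAL)


def from_jump_host(src: ipaddress.IPv4Network) -> bool:
    """Only a single-host source that is one of the jump hosts qualifies."""
    return src.num_addresses == 1 and src.network_address in JUMP_HOSTS


def is_default_deny(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.port is None
            and rule.src == "0.0.0.0/0" and rule.dst == "0.0.0.0/0")


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per rule that violates a secure-zone expectation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        # Principle 1: secure-zone hosts must not reach the internet directly.
        if src.overlaps(SECURE_ZONE) and is_external(dst):
            findings.append(f"{r.name}: secure zone {src} may reach external {dst}")
        # Admin sessions into the zone only from the jump host.
        if dst.overlaps(SECURE_ZONE) and r.port in ADMIN_PORTS and not from_jump_host(src):
            findings.append(f"{r.name}: admin port {r.port} into secure zone open from {src}")
    if not rules or not is_default_deny(rules[-1]):
        findings.append("rule set does not end with an explicit default deny")
    return findings


# Constructed rule set: two acceptable rules, two violations, default deny last.
RULES = [
    Rule("aa-to-sag", "10.50.0.0/24", "10.50.0.250/32", 443, "allow"),
    Rule("swift-web-egress", "10.50.0.0/24", "0.0.0.0/0", 443, "allow"),
    Rule("it-rdp-to-swift", "10.0.0.0/8", "10.50.0.0/24", 3389, "allow"),
    Rule("jump-ssh-to-swift", "10.10.1.5/32", "10.50.0.0/24", 22, "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

if __name__ == "__main__":
    for finding in audit(RULES):
        print("FINDING:", finding)
```

Run against the constructed rule set, `audit` reports the egress rule to `0.0.0.0/0` and the RDP rule open to the whole `10.0.0.0/8`, and it stays silent on the in-zone rule and the jump-host SSH rule. Export of a real rule base into the `Rule` shape is vendor-specific and is left out here; the point is that segmentation evidence for the attestation can be generated from the actual policy rather than from a diagram.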

Credential and access management: SWIFT CSP requires strong authentication for SWIFT interfaces, appropriate operator privilege management, and clear segregation of duties between initiators, authorisers, and administrators of SWIFT transactions.

Payment anomaly detection: detecting anomalous transactions before they are released is a CSCF control area in its own right (transaction business controls, control 2.9), separate from the logging and monitoring of the SWIFT systems themselves. SWIFT also offers a hosted Payment Controls service that screens outbound messages against rules the institution sets. Whatever tooling is used, the goal is to baseline normal payment behaviour (beneficiaries, currencies, amounts, release times) and hold back messages that deviate from it while they can still be stopped.
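A minimal version of that baseline-and-deviation check, run over outbound MT103 messages, looks like the following. This is an added example, not code from the page and not SWIFT's Payment Controls service; the messages, references, BICs and accounts are constructed for illustration, and the three checks (first payment to a beneficiary, amount far above the per-currency historical maximum, release outside business hours) are the kind of signals that would have stood out in the 2016 incident.

```python
"""Added example (not from the page or from SWIFT): baseline-and-deviation
checks over outbound MT103 messages. All messages, BICs and accounts
below are constructed and carry no real data."""
import re
from collections import defaultdict
from datetime import datetime, time
from decimal import Decimal

TAG = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")


def parse_mt103(text: str) -> dict:
    """Split the text block of an MT103 into {tag: value}; continuation
    lines (e.g. the name line under :59:) are appended to the open tag."""
    fields, current = {}, None
    for line in text.strip().splitlines():
        m = TAG.match(line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2)
        elif current is not None:
            fields[current] += "\n" + line
    return fields


def parse_32a(value: str):
    """:32A: is YYMMDD + ISO currency + amount with a comma decimal mark."""
    m = re.fullmatch(r"(\d{6})([A-Z]{3})(\d+,\d*)", value)
    if not m:
        raise ValueError(f"malformed :32A: {value!r}")
    return m.group(2), Decimal(m.group(3).replace(",", "."))


def beneficiary(fields: dict):
    """Payee identity: account-with-institution BIC plus the :59: account line."""
    return fields.get("57A", ""), fields["59"].splitlines()[0]


class PaymentAnomalyDetector:
    def __init__(self, history, hours=(time(8), time(18)), factor=3):
        self.hours, self.factor = hours, factor
        self.known = set()                      # beneficiaries paid before
        self.max_amount = defaultdict(Decimal)  # per-currency high-water mark
        for _sent_at, text in history:
            f = parse_mt103(text)
            ccy, amt = parse_32a(f["32A"])
            self.known.add(beneficiary(f))
            self.max_amount[ccy] = max(self.max_amount[ccy], amt)

    def score(self, sent_at: datetime, text: str) -> list:
        """Return the reasons a message should be held for review before release."""
        f = parse_mt103(text)
        ccy, amt = parse_32a(f["32A"])
        alerts = []
        if beneficiary(f) not in self.known:
            alerts.append("first payment to this beneficiary")
        ceiling = self.max_amount[ccy]
        if ceiling == 0:
            alerts.append(f"no prior payments in {ccy}")
        elif amt > self.factor * ceiling:
            alerts.append(f"amount {amt} {ccy} exceeds {self.factor}x historical maximum")
        start, end = self.hours
        if sent_at.weekday() >= 5 or not (start <= sent_at.time() < end):
            alerts.append("released outside business hours")
        return alerts


def mt103(ref, ymd, ccy, amount, bic, account, name):
    """Build the text block of a minimal constructed MT103 (only the tags used here)."""
    return f":20:{ref}\n:32A:{ymd}{ccy}{amount}\n:57A:{bic}\n:59:/{account}\n{name}\n:71A:SHA"


# Constructed history: two routine payments to one known supplier.
HISTORY = [
    (datetime(2024, 1, 31, 9, 15), mt103("FT24031000123", "240131", "USD", "1250000,00",
                                         "TESTUS33XXX", "9876543210", "EXAMPLE SUPPLIER INC")),
    (datetime(2024, 2, 2, 14, 5), mt103("FT24033000124", "240202", "USD", "980500,50",
                                        "TESTUS33XXX", "9876543210", "EXAMPLE SUPPLIER INC")),
]

# Constructed candidates: one routine message, one with the 2016-style profile
# (new beneficiary, outsized amount, released late on a Thursday night).
CANDIDATES = [
    (datetime(2024, 2, 7, 10, 30), mt103("FT24038000125", "240207", "USD", "1100000,00",
                                         "TESTUS33XXX", "9876543210", "EXAMPLE SUPPLIER INC")),
    (datetime(2024, 2, 8, 23, 40), mt103("FT24039000126", "240208", "USD", "20000000,00",
                                         "TESTPH2MXXX", "5551234567", "UNKNOWN FOUNDATION")),
]


def run_demo() -> dict:
    """Score each candidate against the history; returns {reference: alerts}."""
    det = PaymentAnomalyDetector(HISTORY)
    return {parse_mt103(t)["20"]: det.score(ts, t) for ts, t in CANDIDATES}


if __name__ == "__main__":
    for ref, alerts in run_demo().items():
        print(ref, "HOLD" if alerts else "RELEASE", alerts)
```

The routine message passes with no alerts; the second is held on all three checks. In production the history would come from the institution's own message archive and the hold would feed the authoriser's queue rather than a print statement, but the control logic (a baseline built from past traffic and a small set of explainable deviation rules) is what an assessor will ask to see evidenced.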

Why Organisations Choose Savadub

Deep GRC Expertise

Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.

Engineers, Not Just Consultants

We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.

Global and African Regulatory Coverage

We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.

Internal and External Audit Capability

We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.

End-to-End Engagement

From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.

Industries We Serve

Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage

Deliverables You Receive

Working with Savadub, every engagement delivers a concrete set of outputs:

  • Gap Assessment Report — prioritised findings with effort estimates and risk ratings
  • Compliance Roadmap — milestone-based plan from current state to certification or attestation
  • Risk Register — organisational risk register with treatment plans
  • Policy Pack — all required policies authored, reviewed, and approved
  • Technical Control Implementation Evidence — configurations, screenshots, and audit trails
  • Internal Audit Report — independent assessment of control effectiveness
  • Audit Evidence Repository — organised, auditor-ready evidence collection
  • Executive Summary Presentation — board and leadership-ready compliance status
  • Remediation Tracker — structured tracking of open findings and closure evidence
  • Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance

Get Started with Savadub

Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.

Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.

Contact us:

  • Email: grc@savadub.com
  • Phone: +234 816 734 2201
  • WhatsApp: +234 903 234 8435
  • Website: www.savadub.com
