SWIFT Customer Security Program

The Swift Customer Security Programme (CSP) initiative aims to strengthen the security of the global financial community.

Enhancing Global Financial Security

The Swift Customer Security Programme (CSP) initiative was launched by Swift in 2016 and aims to strengthen the security of the global financial community. As a Certified CSP Assessment Provider, BDO Malta recognises the importance of Swift's focus areas for v2025 and the forthcoming changes.

Evolution of the Swift CSP since 2016 

In an era where digitalisation has transformed the way financial institutions work, the security of financial data and transactions is more important than ever. Following a number of security breaches at financial institutions, Swift became concerned about the security of its users. It decided to create a set of security controls and to require all its users to attest their level of compliance with these controls transparently. The CSP is continually updated to address new threats and weaknesses in the ever-changing cybersecurity landscape.

[Figure: CSCF Evolution. Copyright SWIFT.]

Objectives, principles & controls

Swift has defined a set of security objectives, which are linked to seven principles and covered by the set of controls in the Customer Security Controls Framework (CSCF). The CSCF consists of 25 mandatory and 7 advisory controls, but not all controls are applicable to all architecture types: it depends on the extent to which an organisation is integrated with Swift systems.

Swift users are required to confirm their compliance with the mandatory security controls between 1 July and 31 December of each year – whether fully compliant or not!

Three Objectives and Seven Principles

SWIFT Controls

  • #1 Secure Your Environment
    1. Restrict Internet access & segregate critical systems from general IT environment
    2. Reduce attack surface & vulnerabilities
    3. Physically secure the environment

  • #2 Know and Limit Access
    4. Prevent compromise of credentials
    5. Manage identities and segregate privileges

  • #3 Detect and Respond
    6. Detect anomalous activity to system or transaction records
    7. Plan for incident response and information sharing

SWIFT Focus Areas

The Swift Customer Security Controls Framework (CSCF) v2025 focuses on stabilisation, strategic evolution, and preparation for future mandatory requirements. Here are the key focus areas and updates:

1. Framework Stabilisation

  • No new mandatory controls introduced in 2025.
  • Focus is on clarifications, scope refinements, and implementation guidance:
    • Clearer definitions (e.g., Swift connectivity providers, service providers).
    • Updated visuals and diagrams.
    • Enhanced guidance for cloud and virtual environments.

2. Back Office Security – Control 2.4A

  • Still advisory in 2025, but expected to become mandatory by 2026.
  • Focuses on securing data flows between Swift systems and back-office applications.
  • Organisations are encouraged to:
    • Identify “first hop” systems.
    • Conduct gap assessments.
    • Prioritise new flows first, then legacy flows.

3. Customer Client Connectors

  • A new advisory component introduced in 2025, covering:
    • API consumers
    • Middleware
    • File transfer clients
  • These will become mandatory in 2026, potentially requiring some users to reclassify their architecture type (e.g., from B to A4).

Attestation Timeline

  • Compliance attestation for CSCF v2025 must be completed between July 1 and December 31, 2025.

Want to know more?

Key Contacts

Ivan Spiteri

Director of Technology Advisory & Assurance

Iverna Mulliah

Technology Advisory & Assurance Assistant Manager