Independent Assessment Framework v2023 1.0
The purpose of this document is to provide Swift users and assessors with a comprehensive
overview of the independent assessment process and obligations.
Customer Security Programme Confidentiality: Restricted Page: 2 of 38
Date: 30 June 2023
Table of Contents
1 Preface 4
2 Assessment overview 6
3 Assessment Details 13
5 Testing Methodologies 20
5.3 Controls implemented in systems that are not in scope of the CSP 21
6 Assessment Resources 22
8 Special Cases 27
10 Glossary of Acronyms 35
Legal Notices 38
1 Preface
About this document
This document provides a framework for undertaking assessments against the Swift
Customer Security Controls Framework (CSCF). It is intended to support Swift users
and their assessors in carrying out their respective responsibilities.
Background
Swift created the Customer Security Programme (CSP) to promote cyber security in the
Swift user community and to drive industry-wide collaboration in the fight against cyber
threats. Users are responsible for the security of their infrastructure, and to support this,
the CSP has been designed to help combat end-point security threats and cyber fraud.
At the heart of the CSP programme is the Customer Security Controls Framework
(CSCF), a common set of security controls revised annually. The security controls help
users to secure their local environments and, in turn the Swift community overall.
Intended audience
This document is targeting the following audience:
• Swift users who need to perform an independent assessment to confirm their
level of compliance against the CSCF in force
• Internal/external assessors selected by the Swift users to assist them in the
Independent Assessment process
• Third-party organisations (called Outsourcing Agents) engaged by the Swift
user, to whom the user delegates the hosting, installation, operation, and/or
maintenance of components involved in its Swift connectivity, or which provide
a Swift-related application, and which are subject to the CSP requirement to
provide comfort on the controls applicable to the outsourced components
Significant changes
The following table summarises the most significant changes (ordered by section
number) to the content of this document compared to the previous version. The table
does not include editorial changes that Swift makes to improve the usability and
comprehension of the document.
Section 4.1 (Assessment vs Audit approach): more precise comparison between the two
review approaches.
Swift-defined terms
In the context of Swift documentation, certain terms have a specific meaning. These
terms are called Swift-defined terms (for example, customer, user, or Swift services and
products). The definitions of Swift-defined terms appear in the Swift Glossary.
The CSCF Appendix D: “Glossary of Terms” also provides a definition of key terms
involved in the CSP.
2 Assessment Overview
2.1 Assessment Purpose
To further enhance the integrity, consistency, and accuracy of attestations, and as
requested by the Swift Board and supported by Swift’s Oversight, Swift mandates
that, at minimum, all mandatory controls of the attestation are independently
assessed.
Independent assessor(s) are required to confirm that, for the CSCF controls under
review, the control objective is met, the in-scope components are covered, and the risk
drivers are addressed. At a minimum, the mandatory controls must be independently
assessed. Implementation of advisory controls is recommended but optional; however,
they must also be independently assessed when they are included in the
attestation.
The result of the assessment and related compliance level must be reflected in the
Know-Your-Customer Security Attestation (KYC-SA) application by the submission of an
annual attestation. Each attestation must be supported by assessment report(s) and
confirmation letter(s) (see “7.1 Assessment Report and Completion Letter” for more
info).
The illustration below depicts a high-level summary of the different steps in the
assessment process, which are described in more detail further in this document:
Types of assessment
Although still present in the KYC-SA application, a self-assessment, as its name
indicates, is not independent and is therefore considered ‘not compliant’ when submitting an
attestation in KYC-SA. As a result, the non-compliance status will be visible in real time
to the user’s counterparties (once their access request has been processed), and supervised [1]
users will (a) appear in real time as “not compliant” in a dedicated application called
Know-Your-Customer for Supervisors (KYS), and (b) be reported in a bi-annual PDF
[1] Users under the supervision of an institution’s supervisor. Supervision is the act of monitoring the financial performance
and operations of an institution to ensure that it operates safely and soundly and follows rules and regulations.
Supervision of institutions is conducted by governmental regulators in order to prevent institutional failures.
As per the CSP Policy, a Swift user is obliged to have a published KYC-SA attestation to
activate a new BIC on the Swift network (that is, an attestation submitted against the
currently active CSCF; not all controls need to be compliant).
To allow faster activation of a new BIC, a user can temporarily submit an attestation
supported by a self-assessment even if not yet fully compliant (the user might be unable
to conduct an independent (internal or external) assessment before BIC activation). This
option should be used on a temporary basis only, and an independent assessment
should be conducted as soon as practical.
The lead assessors (whether internal or external) must possess recent and relevant
experience in the assessment of cyber-related security controls supported by adequate
qualifications (see chapter “2.5 Assessor Qualifications”).
For specific cases like a user Group-Hub, Service Bureaux (SB), Lite2 Business
Application Providers (L2BA), Outsourcing agents, please refer to Chapter 8: Special
Cases.
Mixed assessment
Users can combine internal and external independent assessments; this corresponds to
a mixed assessment; for example, an independent assessor such as risk, compliance, or
internal audit validates some controls, whilst another external independent assessor
validates the others. A mixed assessment is acceptable if all applicable controls are
reviewed by at least one of the involved independent assessors.
For the selected BICs, follow-up and execution of the mandatory external assessment is
essential to ensure strong security practices across the Swift ecosystem. Not
undertaking the mandatory external assessment represents a breach of the CSCP and
Swift reserves the right to report this breach to the relevant supervisor(s) and/or
counterparties of the selected BICs.
Selection
Every year, Swift aims to select a relevant cross-section of users to undertake mandated
external independent assessments. This process follows Swift’s main quality assurance
(QA) process [2].
The identified users’ BICs are selected at random; however, additional criteria can be
applied in the selection, including:
• User segments where analysis indicates they may be at high risk of an incident.
• Indication of an incident (re-)occurring for a specific user.
Process
When selected for the sample, Swift notifies the user via the CISO contact designated in
their last KYC-SA attestation. If the selected user believes that there are legitimate
reasons why a mandated assessment should not be undertaken, then this should be
promptly communicated to Swift by email to [email protected], detailing the
specific circumstances.
Swift requires selected users to appoint a third-party (external) assessor and requests
the use of standardised templates (or that the same content is used, as
described in chapter “6.2 Assessment Templates and Form”) to undertake this external
assessment. Users have the free choice to select their external assessor, provided it
meets the assessor’s required criteria. The use of independent internal parties, including
the internal audit function, is not permitted for Swift-Mandated External Assessments.
Users can also make use of an assessor they are already engaged with for other internal
purposes. Users are required to inform Swift of the company they select for external
assessment services using a standardised notification template (provided by Swift).
[2] The Customer Security Programme (CSP) Quality Assurance (QA) process is designed to provide both quantitative insight
and qualitative evidence of the operations around user attestations and counterparty data consultation.
Users must finally notify Swift of the completion of the external assessment (by
contacting [email protected]) and submit or update their KYC-SA attestation
accordingly. Upon request, users must provide the Word-based completion letter
(translated into English as appropriate) to Swift.
Scope
Swift-Mandated External Assessments must cover at least all mandatory controls
applicable to the user’s architecture type as defined in the version of the CSCF that
must be met by the end of the year in which the assessment is conducted. If the selected
BIC connects through a group hub, the mandated assessment is limited to the local
footprint of the BIC mentioned in the request; the group hub itself is in this case out of
scope. If the selected BIC is the group hub itself, then the Swift-Mandated External
Assessment applies to the group hub infrastructure.
Timeline
Swift aims to inform BICs selected for a Swift-Mandated External assessment in the first
quarter of the year for completion by 31 December of the same year. Unless specified
differently, the Swift-Mandated External Assessment must be conducted by the end of
the year of the initial request.
KYC-SA Alignment
If the outcome of the assessment highlights a different compliance status than the one
indicated in the user’s latest KYC-SA attestation, then, in line with existing CSP policy, a
new attestation should be submitted within three months of the issuance of the Swift-
Mandated Assessment report.
Independence is the freedom from conditions that threaten the ability of the assessment
activity to carry out responsibilities in an unbiased manner… Threats to independence
must be managed at the individual assessor, engagement, functional, and organisational
levels.
When an internal department (for example Internal Audit, Risk team, or Compliance
Department) is engaged to execute an independent assessment, users are advised to
take steps to ensure that those involved in the assessment execute their duties in an
objective way, free from undue influence (including but not limited to independent
reporting lines between assessors and controls owners).
• PCI Qualified Security Assessor (QSA) - the PCI Security Standards Council
maintains a list of Qualified Security Assessors QSAs that can be found here
(for reference only)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• ISO 27001 Lead Auditor
• System Administration, Networking, and Security Institute (SANS) GIAC
(Global Information Assurance Certification)
• Other professional certifications, from the local market and in local
language, are permissible if they provide the same level of robustness.
In all cases, Swift expects a close oversight, monitoring and accountability from the lead
assessor on the activities performed by the other individual members of the assessment
team.
Swift does not endorse or accredit any specific assessor; users remain ultimately
responsible for selecting the assessor suitable to their needs and meeting the required
standards and certifications fitting their purposes. Swift does, however, publish on the
swift.com website [4] a directory of CSP Assessment Providers (a list of companies
that offer services to assist in performing independent assessments). This list is not
exhaustive; Swift users are permitted to select an assessor who is not on this list. When
selecting an assessor (whether from the directory or not), it is strongly recommended
that users challenge the assessor’s Swift and CSP/CSCF knowledge and curriculum.
Companies listed on the assessment providers directory have been required to follow a
CSP curriculum to acquire or maintain their knowledge and understanding of Swift and
the CSP programme. Their presence in the directory reflects a successful completion of
the CSP curriculum by these assessors. Swift users that engage with a listed
[3] Lead assessors are persons who are responsible for managing the assessment team in an organisation. They supervise the
preparation of the plan, usually conduct meetings, and are the persons who provide the assessment
conclusions and report.
[4] Organisations present in multiple countries are displayed under a unique name not referring to a specific location.
Note that external assessors may outsource some assessment activities to third parties
provided the latter fulfil the independence, expertise, skills, and credentials criteria as
outlined in this section, in full transparency to the user engaging with this external
assessor. The external assessor however remains fully accountable for activities
performed by the outsourced third party towards the user.
[5] At least one item of each in-scope component category in each assessed environment (example: messaging interfaces,
communication interfaces, jump servers, general-purpose operator PCs, network components) must be assessed to confirm
compliance with a control. However, if the population of a category is composed of a high quantity of items, sampling
can be used to obtain reasonable comfort, as described in the High-Level Test Plan Guidelines document.
3 Assessment Details
3.1 Assessment Scope and Timing
Scope
Independent assessments must at least cover all mandatory controls as set out in the
CSCF version of the applicable year, and in line with the Swift user’s architecture type and
infrastructure. It is however suggested to perform the assessment using the latest
published CSCF version in order to benefit from the latest clarifications. Non-compliance with an
advisory control will not lead to a non-compliant attestation.
The assessment should first confirm the appropriate architecture type and encompass
all production, disaster recovery (DR), and/or backup environments (as applicable) that
host any of the in-scope systems, operators, and devices. This could lead to different
architecture types for each environment; each of them must be fully compliant (the most
encompassing architecture type must be specified in the attestation in KYC-SA).
The assessment must include all components of the user’s Swift-related infrastructure as
documented in the in-scope components section of each control definition in the
CSCF.
Users must accurately define the assessment scope with their assessor during the
provider procurement process. This helps prevent later misunderstandings and substantially
mitigates the risks associated with over- or under-scoping the assessment
exercise.
Timing
Users engaging with an external assessor should allocate appropriate time to prepare
for and contract with the appropriate external party to conduct the assessment. This
phase includes budgetary considerations (as appropriate) to support the selection and
procurement of an external assessor. Appropriate planning should take place within the
organisation to ensure assessors can undertake their work ahead of the KYC-SA
attestation deadline.
Users should securely retain evidence supporting the assessment conclusions for 5
years (with a minimum of 2 attestation cycles for potential further reliance). There is no
requirement to proactively provide any supporting evidence to Swift.
Re-assessment
Ideally, remediation should be validated before the submission of the attestation to avoid
any declaration of non-compliance. If the remediation and its validation are not
performed before the submission of the attestation in the KYC-SA application, then
control(s) with open deviation(s) must be marked with either the option (i) “I do not
comply” or (ii) “I will comply by <a given date>”, the latter with the best estimated
compliance date. In the latter case, a new attestation must also be submitted once the
deviations have been remediated and validated by an assessor.
If the target date for control compliance cannot be met, then a revised date must be
selected, and the control will still be considered as not compliant.
• If all four conditions above are satisfied for a control, then the
compliance conclusion from the previous assessment for this control can
be relied on; however, this does not prevent the assessor from confirming
the continued validity of the previous conclusion with, for example,
limited testing of the control, as appropriate.
• If at least one of the four conditions above is not met, then this control
cannot be relied on and must be added to the current assessment scope.
• All controls, when the previous assessment or report cannot be relied
on, as per step 1 above, or
• All controls that did not satisfy all four reusability
conditions described above under step 2. Control conclusions that
relied on a previous assessment must be marked as such in the
assessment report.
The diagram below illustrates, per control, the potential reliance options. The timeline is
for illustration purposes and can differ for every user.
In case of shared interface(s) offered by a group hub, please refer to section “8.1 User
Group Hub” for more details on assessment specificities.
• The scope, components, and risks covered by the report must be carefully
reviewed to ensure that they are identical to the CSCF control definitions it will support. If
not, complementary assessment work might be required; and
• The period covered by the assessment/audit must not be older than 18 months at the time the
attestation is submitted; and
• The company or department that issued the report must be qualified to perform the
related assessment/audit, and fully independent from the entity being assessed as per
section “2.4 Assessor Independence”
Sampling
• Assessment: Sampling may not be necessary, or may be limited in comparison with an audit; a sample of one item could be sufficient to obtain comfort on the adequate implementation of a control.
• Audit: Recognised, qualified and documented sampling must be used to obtain an assurance conclusion. Sample size depends on the period covered, the size of the population, and the level of confidence required. (When possible, Data Analytics is used to test the full population.)
Process
• Assessment: An assessment follows the assessment methodology described in this document and in the Independent Assessment Process Guidelines.
• Audit: An audit strictly follows recognised international methodology and audit standards, with defined standardised deliverables (example: IIA’s International Professional Practices Framework – IPPF).
Duration
• Assessment: An assessment typically takes limited resources and time.
• Audit: For the same scope, an audit typically consumes more resources and time than an assessment.
Remediation
• Assessment: An assessment provides a list of exceptions; recommendations can be proposed, but there is no obligation of formalised follow-up of the remediation by the assessors.
• Audit: An audit provides a list of detailed exceptions and proposed recommendations; a formalised follow-up of the closure of the open observations must be performed by the auditors according to a strict timeline.
• Noted exception(s) do not materially impact the control’s ability to mitigate the
risk, or alternative controls compensate for the noted deviations.
The Control Statement of each control described in the CSCF is a suggested way to fulfil
the control objective and the Implementation Guidelines are common methods for
meeting the objective. Even if the guidelines can be a good way to start an assessment,
they should never be considered as an ‘audit checklist’ because each user’s
implementation can vary.
5 Testing Methodologies
Swift does not provide a pre-packaged test methodology for use in the assessment
process. Assessors are solely responsible for determining the approach to designing test
cases and conducting assessment activities in line with industry best practices. For
general guidance, potential testing methodologies are outlined below.
Examples of assessment methods include, but are not limited to, the following approaches:
Inquiry
Conducting interviews with relevant personnel can provide insights into awareness of
controls and the organisation’s actual processes and procedures, which can contribute
to overall levels of comfort.
Observation
Comfort gathered through the direct observation of the existence of specific controls.
Inspection
Comfort gathered through the inspection of documents and records. Among the most
basic methods of assessing control implementation is a review of applicable user
documents such as policies, standards, processes, procedures, and run books. Review
of documentation is a relatively easy method of collecting assessment information
because it has little impact on normal business operations. However, the degree of
comfort achievable by this method is limited, as it does not necessarily provide insight
into actual system settings, network configurations, personnel actions, or other
potentially relevant practices.
Re-performance
Hands-on system re-performance and sample evidence collection can provide further
levels of comfort. This method is best employed in the case of technical controls where
direct insight into system settings and configuration is beneficial. Evidence collected via
system testing often takes the form of screenshots and/or data extracts from applicable
systems and infrastructure components.
• For technical and organisational controls, assessors could rely on the review of
documentation: screenshots (for example, network diagrams), system extracts,
procedures complemented with remote staff interviews.
• For physical controls, assessors could combine a review of documentation (for
example, maps or schemas) with interviews and images or video recordings.
6 Assessment Resources
This chapter describes which resources provided by Swift can be leveraged to prepare
the assessment and to support the review phase.
External assessors registered [6] with Swift have direct access to training and assessment
materials. Annex A lists resources available on swift.com which can constitute
a curriculum for assessors engaged by users.
If a user opts for an external assessor that is not registered with Swift, then it is the
user’s responsibility to provide the assessor with the necessary assessment supporting
material in accordance with all applicable terms and conditions. As a minimum, these
resources are as follows:
Users of Swift products and their assessors are strongly encouraged to read and apply
the relevant security guidance documents and verify their implementation in their local
Swift set up.
Users of vendor (that is, non-Swift) products should reach out to their vendor for security
guidelines; otherwise, industry best security practices must be applied.
[6] The assessors appearing in the directory of CSP assessment providers are registered under the Swift Partner Programme.
• A ‘Notification of External Assessor Selection’, which the Swift user must use to
confirm its assessor selection to Swift
Swift will send those documents to users selected for a Swift Mandated Assessment.
The user can find the most up-to-date assessment materials online through the
swift.com portal. Swift recommends that users and assessors use the latest versions of
the forms and templates available to the Swift community.
Assessors can fill in the Excel assessment templates using their native language;
however, the Word-based completion letter must be completed in English or duly
translated, since Swift may request a copy.
See also Annex A for additional training material and a comprehensive curriculum that
Swift recommends assessors with whom users engage to follow.
Every attestation and the compliance level of each applicable control (mandatory and advisory)
must be supported by one or multiple reports, even if reliance on a previous
assessment is applied.
Documentation Storage
At the conclusion of assessment proceedings, users are advised to obtain all
assessment-related materials from their assessors (for example, evidence, working
papers).
Users are expected to ensure that the documents supporting the assessment are safely
maintained for the duration that the assessment supports their attestation (therefore for a
minimum of 2 attestation cycles, 5 years being recommended).
Users and assessors are encouraged to implement robust controls to limit access to
assessment materials in line with legal and regulatory requirements and applicable
confidentiality agreements.
It is recommended that users duly track the resolution of non-compliance with their
assessors and, once addressed, submit a new attestation in the KYC-SA application
(see section “3.3 Control Remediation” for more information).
For all assessment types, users must take the following into account when planning the
timing of the assessment and the associated attestation in the KYC-SA application:
• The supporting independent assessment and report must comply with the
quality criteria outlined in this document.
• Users must complete a KYC-SA attestation consistent with the final assessment
report; that means that conclusions on the compliance of each individual control
must be accurately reflected in the KYC-SA attestation. It is typically the role of
the CISO or an equivalent senior level of IT management to approve the
attestation for review and publication by Swift.
o Note: The independent assessor (internal or external) or the service
bureau/L2BA serving the user (as appropriate) is allowed to draft the
attestation and submit the filled attestation for approval to the CISO.
This possibility and its conditions are described further in “9 Delegation of
the Submitter and Assessor Roles”
• Users should submit their attestation in a timely manner after the assessment
has been concluded (ideally within 30 days of the date of the final assessment
report). As a corollary, attestations must not be submitted before the completion
of the assessment.
• The final report date supporting the attestation should ideally be, at the earliest,
within the year of the assessment exercise (for example, the submission of an
attestation against the CSCF v2023 must be supported by a report produced in
2023 at the earliest and validating at least the CSCF v2023 version or above).
• To reach compliance, users must attest within the attestation window from early
July to 31 December of that year. Users, and not their assessors, are always
responsible to approve the attestation.
Data relevant to the assessment and assessor (including the name and contact details
(optional) of the assessor, the assessment end dates, and the effort required to conduct
the assessment (in man-days, optional)) must be provided in the KYC-SA application
when the attestation is submitted.
8 Special Cases
This section provides details on specific Swift connectivity set-ups that involve third parties
and that are subject to specific assessment and attestation requirements.
• A Swift user group hub offers a shared connectivity to its organisation through
a communication interface (and usually a messaging interface) that it owns.
• A non-Swift user Group Hub (previously called Internal Service Bureau) is a
non-Swift user organisation connecting affiliated Swift users within its corporate
group. A corporate group in this context means that:
o All connected users and the group hub belong to the same corporate
group based on the current criteria for Swift traffic aggregation and as
defined in the Price List for Swift Messaging and Solutions, or
o Connected users which include two or more Swift shareholders being
(together) majority shareholders of and exercising (together) effective
control over the group hub, and any other connected user belonging to
the same corporate group as that of any such shareholder based on the
then current criteria for Swift traffic aggregation (as defined in the Price
List for Swift Messaging and Solutions)
The CSP Policy states ‘In case of users connecting through a non-Swift user group hub
that is not registered under the Shared Infrastructure Programme, the user heading the
traffic aggregation hierarchy or, as the case may be, one of the connected shareholding
users must in principle submit a distinct attestation for the Partner Identifier Code (PIC)
of the group hub. In the absence of an attestation being submitted for a non-Swift user
group hub, all users connected through that group hub must attest with architecture
type A1.’
User Group Hub and connected users’ attestation and independent assessment
In terms of KYC-SA attestation and independent assessment, the following rules apply to
user group hubs and their connected users:
• All connected users to the group hub (i) are architecture type A2, A3, A4 or B
as appropriate, (ii) refer in their attestation to the PIC/BIC as group Hub and (iii)
must assess and attest for their local footprint only.
If no connected user attests for the PIC of the non-Swift group hub, then no attestation is
provided for the group hub PIC and all connected users need to attest as A1 and
perform an independent assessment covering both their local footprint and the group hub
PIC components. Stakeholders should agree to perform an independent assessment on
the PIC infrastructure; such an independent assessment can be re-used by all stakeholders.
For additional examples of architecture involving a service provider, please refer to the
Swift Customer Security Controls Framework or to the decision tree examples section
(see 1.2 “Related Documents”).
The figure below shows the scope of the CSP for the Swift user using a service provider
offering connectivity:
Therefore, those dedicated users and related privileges must be reviewed as part of the
CSP assessment of the Swift user (mainly to ensure adequate segregation of duties), as
depicted in the below diagram:
Attestation of users serviced by a Service Bureau with a regular BIC code but not a PIC code
There are service providers that are also Swift users with their own BIC. They are also
subject to the CSP for such BIC. They have a Swift infrastructure (typically a messaging
and communication interface) which is, at the same time, shared with other non-owner
third-party BICs. In terms of KYC-SA attestation and independent assessment:
• The owner BIC attests as A1 in KYC-SA. For the purpose of its independent
assessment, this owner BIC can rely on the service provider inspection results
(provided those satisfy the reliance conditions described in this document) for
the overlapping part of the CSP controls. It will however need to complement
the service provider coverage with an assessment covering the non-overlapping
part, such as general-purpose operator PCs or end users. The owner BIC must
refer in its attestation to both the service provider inspection and to this
independent assessment of the non-overlapping part. Note on the
inspection: the inspection report is available to the service bureau/L2BA
provider as it is delivered at completion of the inspection; there is no need for
any formal approval from the SIP auditors to rely on the final SIP report. Details
regarding the components typically reviewed as part of the SIP Programme are
available in KB article 5024785.
• The non-owner BICs (i) attest as A2, A3, A4 or B as appropriate, (ii) refer to the
owner BIC as service bureau and (iii) conduct an independent assessment
covering their local footprint only.
Under specific conditions, users can leverage the conclusions from an audit inspection
of their service provider to confirm their compliance with the CSCF controls applicable to
them. When the conditions described below are met, only a recent audit report (from
the current year or the year before) can be relied on. The Service Bureau or L2BA
Self-Assessment can never be leveraged (only an audit).
• This audit must have been performed on the controls that are part of the current
or the previous PSCF version of the year the CSP attestation applies. For
example, to support control(s) compliance conclusion for an assessment against
the CSCF v2023, the control compliance conclusion from the service provider
audit inspection must have been performed on either the PSCF v2023 or v2022,
but not any other earlier PSCF version.
• The user must confirm that those CSP controls covered by the service provider
inspection are adequately covered and assessed compliant as described in this
document (meaning that the control objective is met, all in-scope components
covered, mitigating the related risks).
own Swift infrastructure must obtain reasonable comfort from such third parties
(referred to as outsourcing agents) that the outsourced activities or externally hosted
components are protected in line with the relevant CSCF security controls.
Users are still responsible and accountable for the assessment of all their in-scope
components for the comprehensive implementation (as if it was not outsourced).
Users can terminate their ‘Receiving-only’ profile by submitting the relevant e-form on
swift.com. The termination request is subject to the user having a published KYC-SA
attestation. At the same time, their KYC-SA attestation must again be supported by an
independent assessment. Furthermore, they will no longer be flagged as Receiving-only
users in the KYC-SA application and their counterparties will be notified of the change.
Service Providers (such as service bureaus and L2BA providers) may also (i) support their
users in the attestation submission process or (ii) act as an independent assessor.
Those Service Providers have a close relationship with their users, and their
involvement in the attestation and independent assessment processes can help improve
the overall accuracy and timeliness of their users’ attestations.
• The delegation of this role to the Service Provider or the independent assessor
is duly documented and formally agreed between both parties, and
• The delegation covers at a minimum: timings, the protocol for exchanging
attestation information, confidentiality, and the respective parties’ roles, responsibilities
and liabilities.
The delegating user must set up and apply the 4-eyes principle in KYC-SA. This set-up
is designed to always hold the accountability for the attestation with the delegating Swift
user.
7 A Submitter can create, edit and submit the attestation for approval to the Approver, who releases the attestation to Swift for publication.
Delegating users must ensure that the selection and engagement of their assessor
complies with all applicable laws and regulations and, without forming any adverse
opinion regarding the general application of the previously mentioned text, does not give
rise to any violation of competition law. An example of such a risk would be using as
independent assessor a competitor of the appointed third-party Service Provider (service
bureau, L2BA or other).
Practicalities
• The Service Provider must (i) be a registered Service Provider with a Partner
Identifier Code (PIC) or “soldto”, (ii) have a swift.com account and (iii) have a
swift.com profile for each BIC for which it wants to be delegated the KYC-SA
Submitter role.
o For an external independent assessor, a dedicated swift.com user
account must be created under the sold-to of the Swift user
• The swift.com email address can be the same, but the Service Provider must
create a different user profile for each BIC. Useful links:
o Registration User Guide
o Identity Management: Request another profile
• The user’s swift.com administrator must approve the request from the Service
Provider or the independent assessor for the creation of a swift.com account
(profile) linked to the user’s BIC
• The user’s KYC-SA administrator must give the KYC-SA Submitter role to the
Service Provider’s or the independent assessor’s swift.com account
• When logging in to the KYC-SA application, the Service Provider or independent
assessor must select the correct swift.com profile (for example, if a Service
Provider or the independent assessor has 10 users for different Swift users, it
will have at least 10 different swift.com profiles to select from when logging in)
As an example:
o The Service Provider creates an e-mail account for its staff in charge of
submission, such as kyc_submitter@service_provider.com
o On swift.com, the individual creates a swift.com account and links
kyc_submitter@service_provider.com with each BIC for which they will
submit an attestation
o In KYC-SA, the KYC-SA administrator of each BIC assigns the KYC-SA
submitter role to the related swift.com profile
(kyc_submitter@service_provider.com) of the Service Provider
o When connecting to swift.com, the account
kyc_submitter@service_provider.com selects the entity (BIC) for which
the attestation is submitted
• A Service Provider can apply to become a listed CSP assessor by following the
Partner Programme process
• Swift will consequently conduct certain due diligence activities before publishing
(with potential refusal) the Service Provider in the directory of CSP assessment
providers on swift.com (subject to the formal registration and fees as per the
Partner programme and Cyber Security Service Provider terms of use)
10 Glossary of Acronyms
Term / Acronym Definition
AICPA American Institute of Certified Public Accountants
BC Business Connect
BIC Business Identifier Code
CA Chartered Accountant
CISA Certified Information Systems Auditor
CISM Certified Information Security Manager
CISSP Certified Information Systems Security Professional
CPA Certified Public Accountant
CSCF Customer Security Controls Framework
CSCP Customer Security Controls Policy
CSP Customer Security Programme
GIAC Global Information Assurance Certification
HSM Hardware Security Module
IIA Institute of Internal Auditors
IPPF International Professional Practices Framework
ISO International Organization for Standardization
ISP Internet Service Provider
KYC-SA Know Your Customer – Security Attestation
KYS Know Your Customer for Supervisor
L2BA Lite2 Business Application
PCI DSS Payment Card Industry Data Security Standard
PIC Partner Identifier Code
QSA Qualified Security Assessor
SB Service Bureau
SIP Shared Infrastructure Provider
SOC System and Organisation Controls
SNL SwiftNet Link
Documentation
SwiftSmart modules
CSP Trainings
Note: translated versions are sometimes available; those are provided on a best effort
basis and out of courtesy; only the English version is the official version.
The diagram below gives guidance on the order in which the key documents should be
read (it is not an exhaustive list):
Legal Notices
Copyright
Swift © 2023. All rights reserved.
Restricted Distribution
This publication contains Swift or third party confidential information. Do not disclose this
publication outside your organisation without Swift’s prior written consent. You may however share
this publication on a need-to-know basis with third parties that support you in connection with the
Swift Customer Security Programme initiatives provided (i) you inform the recipient of the
confidential nature of the information and (ii) you ensure that it is bound by no less stringent
obligations of confidentiality.
Disclaimer
The information in this publication may change from time to time. You must always refer to the
latest available version.
Translations
The English version of Swift documentation is the only official and binding version.
Trademarks
Swift is the trade name of S.W.I.F.T. SC. The following are registered trademarks of Swift: 3SKey,
Innotribe, MyStandards, Sibos, Swift, SwiftNet, Swift Institute, the Standards Forum logo, the Swift
logo, Swift gpi with logo, the Swift gpi logo, and UETR. Other product, service, or company names
in this publication are trade names, trademarks, or registered trademarks of their respective
owners.