Swift Customer Security Programme v2025

Enhancing Global Financial Security

The main goal of the Swift Customer Security Programme (CSP) initiative is to strengthen the security of the global financial community. For financial institutions, the CSP is becoming increasingly important in risk and compliance programmes, mainly because the initiative creates added value beyond mere compliance.

Curious to know what’s new with Swift and how BDO, one of the top firms listed in Swift’s Certified Assessors Directory, can help you?
 
Here’s all you need to know:
•    Changes in Swift’s CSCF v2025 
•    The value of Certified Assessors 
•    Global quality standards: BDO’s Swift CSP Center of Excellence 
•    What can BDO do for you?
 

Changes in Swift’s CSCF v2025



Architecture change from Type B to A4

Are you a Type B and using an API, middleware client or file transfer client to send payments? 

Swift now considers your risk to be higher than if you were using only a GUI to enter payments, and considers it similar to the risk of using a customer connector. These customer client connectors are therefore now treated equally, which requires you to attest as Type A4 instead of Type B.

This transition from Architecture Type B to A4 is significant for many organisations as it entails 8 new controls in scope (4 mandatory and 4 advisory). To allow for a transition period, these 8 controls are considered advisory for v2025 and any issues identified in those controls cannot lead to a non-compliant assessment.

In short: companies that solely use a graphical user interface (GUI) (point and click) to perform payments remain Type B. However, any company that has a technical link or any type of integration for payment messages between its back office and Swift will be reclassified as A4. Compliance with the controls newly in scope will have to be demonstrated as of v2026.

Back Office Data Flow Security becomes mandatory in v2026 (Control 2.4A)


As expected, the first phase of this flow will become mandatory in next year’s update. The control objective is to ensure the confidentiality, integrity, and authenticity of data exchanged between back-office first hops and on-premises or remote user’s Swift infrastructure components. 

In simpler terms, this control is about securing the communication between Swift and your back office by applying strong encryption algorithms. More implementation details can be found in the CSCF on page 50.



Certified Assessors

At BDO, quality is at the core of what we do. We are proud to be one of the firms with the most Certified Assessors worldwide. This shows our commitment to the Swift CSP program and to delivering the highest quality assessments, all while remaining pragmatic and risk-based.

The purpose of the Swift CSP Certified Assessor certification is to increase the expert knowledge of independent assessors. It also creates a standard in assessment methodologies worldwide. This program leads to higher quality assessments, as certified assessors have a better understanding of your Swift environment and the requirements of the CSCF. 

Find your nearest Certified Assessor here.

Why rely on a Swift certified assessor?

  • Recognised expertise: Assessors have to undergo rigorous training, submit other recognised certifications such as ISO 27001 Lead Auditor or CISA (proving that they are experienced and qualified), and pass the rigorous Swift exams. Furthermore, Swift CSP assessments are subject to inspections by Swift to ensure that the assessments performed by certified assessors are of the utmost quality.
  • Prioritising security: Swift CSP assessment providers and certified assessors are featured in a dedicated directory on swift.com, and the KYC-SA application indicates whether an assessment was conducted by a certified assessor. This distinction helps you to find experts who are compliant with Swift's stringent security standards.
  • Collaboration and knowledge sharing: The certification program enables Swift CSP assessment providers to engage in round tables and working groups with fellow experts. Swift also offers additional support through resources to enhance effectiveness. This fosters collaboration and the exchange of best practices, empowering providers to deliver improved assessment services.

BDO’s Swift CSP Center of Excellence

To give you peace of mind about your compliance status and receive the most relevant and actionable recommendations, we created our global Center of Excellence (CoE). This framework is aimed at enhancing the effectiveness of our assessments and creating global standardisation. 

Our BDO network of Swift CSP Certified Assessors guarantees the highest quality of service, as our assessments are performed by knowledgeable and veteran assessors. 

The Center of Excellence (CoE) offers two significant advantages for your organisation:

Quality assurance: Our Certified Assessors can perform a quality review of all assessments worldwide, ensuring high-quality assessments globally. This allows you to demonstrate to your counterparties and Swift that your audit was conducted by a Certified Assessor, thereby increasing the value of your attestation.

Flexibility: BDO is active in over 160 countries across the world, delivering our exceptional service worldwide. As not all local BDO teams have the capabilities or resources to perform Swift CSP assessments, the CoE testing team can conduct the entire assessment, performing the interviews, detailed testing and reporting in line with the highest quality standards, all while maintaining a close relationship between the client and the local BDO colleagues. A hybrid setup is also possible – we’re flexible by design and adapt to our client's needs!

Why BDO?

As your trusted partner, BDO will help you achieve your objectives in a pragmatic yet qualitative way. 

  • As a Swift Certified Assessor, our assessments are of the highest quality and strive to add value to your organisation instead of just tick-the-box compliance. Our detailed yet straightforward reporting pinpoints the areas you should focus on. 
  • As implementation partners, we focus on the high-risk areas first, making sure your main security gaps are covered. Then, we focus on compliance areas, to ensure an assessment will pass the test. 

Thanks to BDO’s broad expertise, experience and proven record of assisting organisations in both the implementation and the assessment of Swift security controls, you can rely on both enhanced security and compliance with the CSP framework. 

BDO tailors its work to each individual client’s needs, to ensure our solutions add value where you most need it. This ranges from implementing an ISO27K-compliant GRC security programme or a third-party security management system to providing DORA and NIS2 assessments and implementations – always in a pragmatic way, tailored to your needs.  

Our experts are well-versed in the Swift CSP controls and implementation guidelines, on top of their strong financial sector focus. This enables them to understand the complex regulatory landscape and the evolving cyber security threats. 

All our Lead Auditors have proven experience in Swift CSP assessments, IT audits and ISO27K implementations and assessments, and have relevant certifications including the Swift Certified Assessors certification and a combination of CISA, CISM, CISSP, ISO27K Lead Auditor, etc. Furthermore, our low partner-to-staff ratio means high involvement and guidance from partners and experienced staff, and a solid and stable team to perform the assessments. 

Frequently asked questions

We get many questions from our clients and prospects regarding the scope and depth of the assessment, timelines and compliance. Below, we answer the most common questions. 

A cyber security audit is a review of an organisation's cyber security policies, procedures and technology, following auditing standards such as those imposed by the Institute of Internal Auditors. The goal is to ensure compliance with specific regulations and/or internal policies by looking back at a certain period of time and verifying the operating effectiveness of the controls. 

In contrast, a cyber security assessment is a more high-level review of an organisation's cyber security posture to identify potential risks and areas for improvement. As an assessment does not need to follow strict testing and reporting requirements, unlike an audit, the cost is often lower. 

Swift recommends conducting an assessment instead of an audit to reduce the cost and the workload for internal staff, while ensuring that the quality of the assessment is maintained: the effort stays focused on the evaluation and review of the security controls, with less emphasis on scoping, risk assessments and reporting. 

The assessment in 2024 can potentially rely on an assessment performed in 2023, if four conditions are fulfilled for each control: 

•     Last year’s assessment was performed against last year’s version of the CSCF (or more recent) 

•     Last year’s assessment was not itself reliant on the year before or on an external assurance report* 

•     The new CSCF version does not materially affect the implementation 

•     The control design and implementation and Swift user environment have not materially changed 

*Note that you can rely on Third Party Assurance reports such as SOC2, ISAE3000, PCI-DSS 4.0 or ISO27K, as long as the scope of the report covers the Swift CSP controls and the timing of the report is recent enough – the period covered by the report must end no more than 18 months before the attestation is submitted (e.g. an attestation submitted on 24/12/2024 can still rely on a SOC2 Type II report for the period ending 30/06/2023). An example of the assessment to be made for an individual control is shown in the following image (for an attestation against v2023): 


Image: assessment cycle of a control (© Swift)
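To make the reliance rules above concrete, here is an added example (not code from Swift or BDO) that encodes the four per-control conditions for relying on last year’s assessment and the 18-month recency window for third-party assurance reports, checked against the page’s own dates. The function and field names are assumptions chosen for this illustration; the 18-month rule is read as “report period end is not earlier than 18 months before the submission date”, which is what the page’s 24/12/2024 / 30/06/2023 example implies.

```python
import calendar
from dataclasses import dataclass
from datetime import date

MAX_REPORT_AGE_MONTHS = 18  # recency limit for third-party assurance reports (from the FAQ)


def months_before(d: date, months: int) -> date:
    """Same calendar day `months` earlier, clamped to the target month's length."""
    year, month0 = divmod((d.year * 12 + d.month - 1) - months, 12)
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def third_party_report_usable(period_end: date, submission: date, covers_control: bool) -> bool:
    """A SOC2 / ISAE3000 / PCI-DSS / ISO27K report may be relied on for a control only if
    its scope covers that control and its period ended no more than 18 months before the
    attestation is submitted."""
    cutoff = months_before(submission, MAX_REPORT_AGE_MONTHS)
    return covers_control and period_end >= cutoff


@dataclass
class PriorAssessment:
    """What we know about last year's assessment of one control (hypothetical record)."""
    cscf_version: int          # CSCF version the control was assessed against, e.g. 2023
    relied_on_prior_year: bool # that assessment itself relied on the year before
    relied_on_external: bool   # that assessment itself relied on a third-party report


def can_rely_on_last_year(prior: PriorAssessment, last_year_cscf: int,
                          new_version_affects_control: bool,
                          environment_changed: bool) -> bool:
    """All four conditions from the FAQ must hold for the individual control."""
    return (prior.cscf_version >= last_year_cscf          # assessed against last year's CSCF or newer
            and not prior.relied_on_prior_year             # not itself a reliance on the year before
            and not prior.relied_on_external               # not itself based on an assurance report
            and not new_version_affects_control            # new CSCF does not materially affect it
            and not environment_changed)                   # design, implementation and environment unchanged


if __name__ == "__main__":
    # The page's example: attestation on 24/12/2024 relying on a SOC2 Type II ending 30/06/2023.
    print(third_party_report_usable(date(2023, 6, 30), date(2024, 12, 24), covers_control=True))
    print(can_rely_on_last_year(PriorAssessment(2023, False, False), 2023, False, False))
```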


Users are required to confirm their compliance with the mandatory security controls between 1 July and 31 December of each year (whether fully compliant or not!). New joiners or BICs must complete their attestation before accessing the Swift network. 

The KYC Security Attestation application (KYC-SA) is used to submit security attestations. Swift releases the new version of the controls each year in early July, and these controls are then attested against between July and December of the next year. 



We strongly urge all Swift users to implement and ensure compliance with the CSP controls as soon as possible. The CSP controls establish a baseline for security hygiene and should be within the capability of each organisation that processes financial transactions. Failing to implement the CSP controls puts the organisation at an increased risk of cyber attacks, which can result in severe financial and operational losses and reputational impacts. 

Nevertheless, if you submit a non-compliant attestation, you will not be kicked out of the Swift network. Your non-compliance status will, however, be listed in the KYC-SA directory for your counterparties to see, and Swift will communicate your non-compliance to your financial supervisory authority.  

Swift does ask each user to submit an attestation, even if it is non-compliant. Failure to do so is a breach of your contractual obligations under the Customer Security Programme (CSP) Policy and the Swift Terms and Conditions. 

The typical scope of the CSP is the secure zone, the underlying infrastructure (network security such as firewalls, IPS, etc.) and the middleware and file transfer servers. The back office and the connection to the Swift network are typically not within the scope of the CSP. Note that the latter will change in the near future, as control 2.4A will become mandatory in the coming years. 

Each control has its specific in-scope components that are well-defined in the controls framework. Review this together with your assessor to ensure mutual agreement on the scope of the assessment and to better prepare your staff. 

Image: in-scope components (© Swift)

In this case, you will most likely be an architecture type A4 or B. Depending on the depth of outsourcing, the responsibilities will be split between you and the third party providing your services (the outsourcing agent). 

The visual below illustrates typical differences in architecture ranging from managed fully in-house to fully outsourced. In the end, your architecture type determines the CSP control in scope, but all responsibility for the assessment remains with you: you must obtain assurance on the compliance of your third parties. 

Image: data management responsibilities, from fully in-house to fully outsourced (© Swift)

Swift has a Knowledge Centre that you can use to find relevant articles, frequently asked questions and general information on Swift products and services. Furthermore, via SwiftSmart, Swift also offers e-learning courses specifically on the Swift CSP. 

Questions about Swift CSP? Don't hesitate to contact our expert Thomas Cornelis

Thomas Cornelis, Senior Manager Risk Advisory