Cyber Horizon

SWIFT Customer Security Programme (CSP): What Institutions Must Do

18 June 2026 · Cyber Horizon Team

After a string of high-profile attacks on the payment messaging network, SWIFT launched the Customer Security Programme (CSP). At its heart is the Customer Security Controls Framework (CSCF) — a set of security controls that every institution connected to SWIFT must implement and attest to each year.

Who it applies to

Any organisation that uses SWIFT — banks, market infrastructures, and corporates on the network. Your obligations scale with your architecture type (A1–A4 / B), which describes how much of the SWIFT-related infrastructure you operate yourself. The more you run in-house, the more controls apply.

Three objectives, seven principles

The CSCF organises its controls under three objectives:

| Objective | Principles |
|---|---|
| Secure your environment | Restrict internet access · segregate critical systems · reduce attack surface · physically secure |
| Know & limit access | Prevent credential compromise · manage identities and least privilege |
| Detect & respond | Detect anomalous activity · plan incident response and information sharing |

Mandatory vs advisory

Controls are split into mandatory (you must meet them and attest) and advisory (strongly recommended, trending toward mandatory over time). SWIFT updates the CSCF annually, so a control that’s advisory this year may become mandatory next — plan ahead rather than re-scoping every cycle.

Attestation — and independent assessment

Each year you must submit an attestation against the CSCF via SWIFT’s KYC-Security Attestation portal. Crucially, attestations must be supported by an independent assessment (internal audit or an external assessor) — self-attestation alone is no longer sufficient. Your counterparties can view your attestation status, so it directly affects trust on the network.

How to comply

  • Confirm your architecture type — it determines which controls are in scope.
  • Map the mandatory CSCF controls to your environment and close gaps.
  • Gather evidence continuously so the independent assessment isn’t a scramble.
  • Engage an independent assessor and submit the attestation on time.
  • Track advisory controls so next year’s mandatory additions don’t surprise you.

The bottom line

SWIFT CSP makes payment-network security a condition of doing business, attested annually and verified independently. Because its controls overlap with ISO 27001, NIST and PCI, an evidence-backed control library lets you satisfy the CSCF as part of one programme rather than a standalone fire drill.
