SWIFT Customer Security Program (CSP) 2020
A sleeping giant wakes up.
A sleeping giant wakes up.
All of the companies participating in the SWIFT network used to settle payment transactions (that is, own a SWIFT BIC) have to meet the security requirements of SWIFT’s own Customer Security Program (CSP). These requirements were first made public in 2016.
We published an article on this in 2017. From the discussions and projects, we have had with payment operations and Treasury departments in German and international corporations, we know that in the meantime, the corporations affected understand why they need to implement the relevant security measures. Nevertheless, the degree of implementation leaves much to be desired. The CSP has experienced several updates that are then not properly implemented by many companies. Because as of 2020 the compliance with the standards must undergo an external audit, it is high time to take an honest look at the status quo so that everyone will be spared unpleasant surprises.
Safety requirements are on the rise
The standard was updated gradually with versions v2019 and v2020, evolving as time goes by. The tendency is clear: the number of controls is on the rise. For instance, architecture type A1 (whereby the company owns a local SWIFT infrastructure) used to require 16 controls (2017); in 2020 it is already 21 controls. The picture is similar for all other architecture types.
An overall trend is clearly visible. SWIFT is becoming much stricter in matters concerning IT security. It is doing this by making previously voluntary controls into binding ones. It is also introducing new controls, which will be voluntary in a first phase. However, it is already now clear that these will become binding in the near future. A good example is Control 2.10, which describes the way payment operations have to become more secure from a technical point of view. Typical actions would be securing the SWIFT Alliance software or similar software provided by third parties by changing the standard passwords or deleting user accounts no longer necessary. This control was introduced as optional in 2019 but in Version 2020 it is already binding.
Which architecture type are you?
Many medium-sized companies like operating Type A architecture, i.e. using software delivered by SWIFT, in some cases even using SWIFT’s own VPN boxes 1. From a costing point of view, this solution is often quite a bit cheaper than renting the service from a service bureau. From a CSP vantage, however, it is precisely these Type A architectures that make for a more costly implementation of the CSP with their special systems and infrastructure components. It is not only the number of controls that is higher in this context (20 or 21 in comparison to 14) but also the type and scope of the additional controls are generally also more complex.
While banks and insurance companies are generally used to putting in the extra effort for the sake of security of their IT systems, the implementation of CSP usually is a challenge not only for medium-sized companies but even for some international corporations. The reason for this is that the list of measures to be taken is long and complex. To be fair, it should also be said that after all, the idea is nothing less than securing the company’s cash flows. This means that state-of-the-art cyber security is not optional, but an absolute “must”. Numerous studies clearly prove this trend, such as the Consumer Loss Barometer or the study on “Computerkriminalität in der deutschen Wirtschaft 2019“(the effect of e-crime on Germany’s economy 2019).
Moving from Self-Attestation to Audit
Up until now, a company could prove its compliance with the CSP by means of a self-attestation that the company did by itself. Most companies were honest with their fulfillment levels and reported these truthfully to SWIFT. Nonetheless, some self-assessments stretched credibility. SWIFT now wants to put an end to this. SWIFT introduced mandated audits for some clients and has been taking a sample test approach already in 2019. From 2020 onwards, such an audit by independent third parties will now become mandatory.
In the context of CSP, independent third parties could be external auditors as well as internal persons that are completely independent from those using the SWIFT infrastructure, but which possess the necessary expertise. This means that specially trained IT security auditors that are formally independent of the company will be necessary. KPMG’s cyber security experts are currently noting an increase in requests for this type of auditor capabilities. One thing is clear already now: many more expert auditors will be necessary than are currently available.
Companies that have so far not yet gone from self-assessment to third-party opinion and thus have little experience with these types of audits may run the danger of overseeing a detail in the complex set of CSP rules. As a result, the auditor may possibly find that rules that so far had always been deemed as fulfilled but in fact weren’t fulfilled at all. In order to prevent such risks, it makes sense to perform a dry run of such an audit beforehand. Like this, any nasty surprises can be identified in time to be fixed before the audit becomes real. It is important to act quickly. After all, the audit results have to be reported to SWIFT by 31 December 2020.
Everything under control?
Practice has shown that it is best if all those involved work hand-in-hand on this project, i.e.
- the specialist department, the IT department and all relevant service providers, such as the hosting partners and software providers.
- If your company has not been audited by an independent third party, it is important to undergo a dry run before the real audit so you will have enough time to fix the gaps that may still exist.
- Voluntary controls remain optional – they do not need to be reported in the context of KYC. But it is still important to keep them in mind as they might become mandatory sooner than we think.
- Also, it is important to reserve your independent in-house or external auditors in time. Be sure to check whether your auditor has gathered some SWIFT experience over the years and is on the SWIFT list2.
- Keep up-to-date on what’s going on at SWIFT by subscribing to their newsletter3 so that the changes do not take you by surprise.
Source: KPMG Corporate Treasury News, Edition 98, January - February 2020
1 SWIFT VPN box: hardware that allows a direct connection with the SWIFT network
3 The newsletter is only available for registered users. In order to do this, go to the My tools – My profile and account – Personal Info – Newsletters in the SWIFT portal and click on “Security“ and “Security Notification“