In recent years, sophisticated cybercriminals have managed to compromise several banks' computer networks, learn their payment processes, and gain access to the relevant IT credentials—ultimately being able to send fraudulent payment instructions over the SWIFT financial messaging network.

The worst case so far was in 2016, when thieves successfully stole over US$81 million from a South Asian central bank. More banks have unfortunately fallen victim to similar attacks in 2017 and 2018.

This challenging cyber threat landscape has led SWIFT to launch the Customer Security Programme (CSP) which intends to help its user community increase its cyber defences by implementing specific security requirements.

In Luxembourg, the local supervisory bodies have recommended that the members of the local association of SWIFT users seriously consider adopting the CSP and its framework to protect their SWIFT systems.

What are the requirements?

The security requirements to be implemented are set forth in the SWIFT Customer Security Controls Framework (CSCF), which specifies detailed implementation guidelines. At a high level, the requirements can be described as follows:

It should be noted that the CSCF was recently updated ("v2019", published in August 2018) in order to:

  • raise the bar by (i) making three of the advisory controls mandatory and (ii) creating two new advisory controls
  • provide additional guidance and clarify a number of existing controls
  • align with users' reality by taking into account valid alternative implementations

This update will come into force next year, and users will be required to self-attest their compliance for the first time by the end of 2019.

What must a user do to comply?

SWIFT users should perform an annual assessment of their security environment against the CSCF requirements (unless material changes occur). This assessment can be one of the following:

  • self-assessment
  • advisory review by an external firm
  • advisory review by an internal auditor
  • audit by an external auditor
  • audit by an internal auditor

Once the assessment has been completed, SWIFT users need to report their compliance status to SWIFT via the KYC Registry Security Attestation Application; this reporting process is referred to by SWIFT as "self-attestation".

What if a user does not comply?

Failure to submit self-attestation is visible to all counterparties

Details of a user's compliance with individual CSCF controls are by default restricted from that user's counterparties in the KYC Registry Security Attestation Application, unless specific access is granted by the user. However, the presence or absence of a submitted self-attestation is visible to the counterparties. It is therefore essential to perform both an assessment and self-attestation.

SWIFT can report a user's non-compliance to local supervisory bodies

Since the beginning of 2018, SWIFT has been able to report a user's (or its service provider's) late or missing submission of the first self-attestation to supervisory bodies. For Luxembourg banks, these are the CSSF, the Central Bank of Luxembourg, and/or the European Central Bank.

In 2019, SWIFT will also begin reporting a user's failure to fully comply with the CSCF mandatory security controls to local supervisory bodies. Therefore, it is imperative for any issues identified in an assessment to be addressed quickly.

SWIFT can report a user's non-compliance to messaging counterparties

For those without a direct supervisory body (e.g. a large corporate with a treasury department), SWIFT can report the user's (or its service provider's) non-compliance status to their messaging counterparties instead.

What does this mean for users now?

The ongoing programme developments made by SWIFT, the recent recommendations of local supervisory bodies, and the seriousness of incidents involving payment systems suggest that executive management should ensure that initiatives are in place and proportionate to their organisation's risk appetite in order to identify control gaps in local SWIFT environments and establish plans to implement or reinforce the controls.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.