Swift CSP
Table of contents
What is Swift?
History
What is Swift CSP
What is the Customer Security Controls Framework (CSCF) v2021?
Whom does SWIFT apply to?
Statistics
Objectives, Principles and Controls of SWIFT CSP
SWIFT architectures
System components of SWIFT architectures
What is Swift?
SWIFT is an acronym for the Society for Worldwide Interbank Financial
Telecommunication. SWIFT provides a platform for standard messaging and
communication that connects over 11,000 banking and securities organizations, market
infrastructures, and corporate customers across the globe. The platform supports money
movement worldwide by facilitating secure, standardized financial messages between
organizations. Collectively, SWIFT members exchange in excess of 15 million transaction
messages per day, worth a total of $5 trillion.
SWIFT’s CSP also has a Payment Controls service that sends alerts for suspicious or out-of-
policy messages. The Payment Controls leverage real-time payments monitoring,
behavioral patterns, and independent daily reporting to help mitigate the risk of fraud.
As powerful as SWIFT is, it is only a messaging system – SWIFT does not hold any funds or
securities, nor does it manage client accounts.
SWIFT works like this: when person A sends money from one country to another,
intermediary/correspondent banks are often involved. The SWIFT network doesn't
transfer funds; instead, it sends payment orders between institutions' accounts,
using SWIFT codes.
History
Prior to SWIFT, Telex was the only available means of message confirmation for international
funds transfer. Telex was hampered by low speed, security concerns, and a free message
format. It did not have a unified system of codes, like SWIFT's bank identifier code (BIC, or
ISO 9362), to name banks and describe transactions. Telex senders had to describe every
transaction in sentences, which were then interpreted and executed by the receiver. This led
to many human errors.
To avoid these problems, the SWIFT system was formed in 1974.
Concerned about the hacks that happened in the 1900s and aware that similar attacks would grow
in number, SWIFT introduced the Customer Security Program (CSP) in May 2016. The goal of
the SWIFT CSP is to help members secure the systems that financial institutions use to
connect to the SWIFT network.
SWIFT was founded in 1973 and was supported by 239 banks in fifteen countries. It started to
establish common standards for financial transactions and a shared data processing system
and worldwide communications network. The first message was sent in 1977.
What is Swift CSP
The Customer Security Program (CSP) aims to prevent and detect fraudulent
activity through a set of mandatory and advisory security controls, banking community-wide
information sharing initiatives, and enhanced security features of their products and
environment.
SWIFT developed its CSP to help prevent cyberattacks and the negative consequences that
can occur on businesses, consumers, and organizations around the world.
What is the Customer Security Controls Framework (CSCF) v2021?
The CSCF v2021 provides additional guidance and clarification on the previous
implementation guidelines announced with the CSP. It comprises 3 main objectives, broken
down into 8 principles and 31 controls, of which 22 are mandatory controls and 9 are
advisory controls.
Examples of mandatory controls: restricting internet access, system hardening, vulnerability
scanning, physical security, multifactor authentication, etc.
Examples of advisory controls: external transmission data protection, personnel vetting process,
intrusion detection, penetration testing, etc.
(CSCF) v2021
Secure and protect: Securing local SWIFT-related infrastructure and putting in place the right
people, policies, and practices are critical to avoiding cyber-related fraud.
Detect and respond: Even with strong security measures in place, attackers are very
sophisticated, and you need to assume that you may be the target of cyberattacks. That’s
why it is also vital to put in place strong detection measures to increase the chances of
stopping or mitigating fraud in case your environment is breached.
Share and prepare: The financial industry is truly global, and so are the cyber challenges it
faces. What happens to one company in one location can easily be replicated elsewhere in
the world. That is why it is really important to consume, operationalize, and share threat
intelligence information. This allows the whole community to protect itself, take mitigating
actions, and defend against further attacks.
Whom does SWIFT apply to?
The robustness of the message format design allowed huge scalability through which SWIFT
gradually expanded to provide services to the following (but not limited to):
Banks
Brokerage Institutes and Trading Houses
Securities Dealers
Clearing Houses
Corporate Business Houses
Foreign Exchange and Money Brokers
Objectives, Principles and Controls of SWIFT CSP
Objective 1: Secure Your Environment
Restrict Internet Access & Protect Critical Systems from General IT Environment (Principle 1 & 2
combined)
Control 1: SWIFT Environment Protection (Mandatory): Ensure the protection of the user's local
SWIFT infrastructure from potentially compromised elements of the general IT environment and
external environment.
Control 2: Operating System Privileged Account Control (Mandatory): Restrict and control the
allocation and usage of administrator-level operating system accounts.
Control 3: Virtualization Platform Protection (Mandatory): Secure the virtualization platform and
virtual machines (VMs) hosting SWIFT-related components to the same level as physical
systems.
Control 4: Restriction of Internet Access (Mandatory): Control/Protect Internet access from
operator PCs and systems within the secure zone.
Reduce Attack Surface and Vulnerabilities (Principle 3)
Control 5: Internal Data Flow Security (Mandatory): Ensure the confidentiality, integrity, and
authenticity of application data flows between local SWIFT-related applications.
Control 6: Security Updates (Mandatory): Minimize the occurrence of known technical
vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor
support, applying mandatory software updates, and applying timely security updates aligned to
the assessed risk.
Control 7: System Hardening (Mandatory): Reduce the cyber attack surface of SWIFT-related
components by performing system hardening.
Control 8: Back Office Data Flow Security (Advisory): Ensure the confidentiality, integrity, and
mutual authenticity of data flows between local or remote SWIFT infrastructure components and
the back office first hops they connect to.
Control 9: External Transmission Data Protection (Advisory): Protect the confidentiality of SWIFT-
related data transmitted or stored outside of the secure zone as part of operational processes.
Control 10: Operator Session Confidentiality and Integrity (Mandatory): Protect the confidentiality
and integrity of interactive operator sessions connecting to the local or the remote (operated by a
service provider) SWIFT-related infrastructure or applications.
Control 11: Vulnerability Scanning (Mandatory / Advisory for B): Identify known vulnerabilities within
the local SWIFT environment by implementing a regular vulnerability scanning process and act
upon results.
Control 12: Critical Activity Outsourcing (Advisory): Ensure protection of the local SWIFT infrastructure
from risks exposed by the outsourcing of critical activities.
Control 13: Transaction Business Controls (Advisory): Restrict transaction activity to validated and
approved counterparties and within the expected bounds of normal business.
Control 14: Application Hardening (Mandatory): Reduce the attack surface of SWIFT-related
components by performing application hardening on the SWIFT-compatible messaging and
communication interfaces and related applications.
Control 15: RMA Business Controls (Advisory): Restrict transaction activity to validated and
approved business counterparties.
Physically Secure the Environment (Principle 4)
Control 16: Physical Security (Mandatory): Prevent unauthorized physical access to sensitive
equipment, workplace environments, hosting sites, and storage.
Objective 2: Know and Limit Access
Prevent Compromise of Credentials (Principle 5)
Control 17: Password Policy (Mandatory): Ensure passwords are sufficiently resistant against
common password attacks by implementing and enforcing an effective password policy.
Control 18: Multi-factor Authentication (Mandatory): Prevent that a compromise of a single
authentication factor allows access into SWIFT systems or applications, by implementing multi-
factor authentication.
Manage Identities and Segregate Privileges (Principle 6)
Control 19: Logical Access Control (Mandatory): Enforce the security principles of need-to-
know access, least privilege, and segregation of duties for operator accounts.
Control 20: Token Management (Mandatory): Ensure the proper management, tracking, and
use of connected hardware authentication or personal tokens (if tokens are used).
Control 21: Personnel Vetting Process (Advisory): Ensure the trustworthiness of staff operating
the local SWIFT environment by performing personnel vetting in line with applicable local laws
and regulations.
Control 22: Physical and Logical Password storage (Mandatory): Protect physically and
logically recorded passwords.
Objective 3: Detect and Respond
Detect Anomalous Activity to Systems or Transaction Records (Principle 7)
Control 23: Malware Protection (Mandatory): Ensure that local SWIFT infrastructure is protected
against malware and act upon results.
Control 24: Software Integrity (Mandatory): Ensure the software integrity of the SWIFT-related
applications.
Control 25: Database Integrity (Mandatory): Ensure the integrity of the database records for
the SWIFT messaging interface and act upon results.
Control 26: Logging and Monitoring (Mandatory): Record security events and detect
anomalous actions and operations within the local SWIFT environment.
Control 27: Intrusion Detection (Advisory): Detect and prevent anomalous network activity into
and within the local or remote SWIFT environment.
Plan for Incident Response and Information Sharing (Principle 8)
Control 28: Cyber Incident Response Planning (Mandatory): Ensure a consistent and effective
approach for the management of cyber incidents.
Control 29: Security Training and Awareness (Mandatory): Ensure all staff are aware of and fulfil
their security responsibilities by performing regular security training and awareness activities.
Control 30: Penetration Testing (Advisory): Validate the operational security configuration and
identify security gaps by performing penetration testing.
Control 31: Scenario Risk Assessment (Advisory): Evaluate the risk and readiness of the
organization based on plausible cyber attack scenarios.
SWIFT ARCHITECTURE
The framework can be applied to five types of SWIFT user architectures, titled A1, A2, A3, A4, and
B. SWIFT users must first identify which architecture applies to them before implementing the
applicable controls.
Architecture A:
1. Architecture A1
2. Architecture A2
3. Architecture A3
4. Architecture A4
Architecture B
[Figures: SWIFT architecture diagrams for A1, A2, A3, A4 and B]
System components of SWIFT architecture
Messaging interface: SWIFT Communication interface is the default traffic gateway used
by SWIFT customers. It concentrates all SWIFT traffic and, together with SWIFTNet Link
software and PKI security, provides the core secure connection to any authorized SWIFT correspondent.
SWIFT Alliance Gateway: Alliance Gateway is a software package that is installed on top of
SWIFTNet Link. SWIFTNet Link provides the basic set of network connection services. Alliance
Gateway enables application-to-application communication and facilitates connectivity to
the SWIFT secure IP network.
SWIFT Communication interface: It is the default traffic gateway used by SWIFT customers. It
concentrates all SWIFT traffic and, together with SWIFTNet Link software and PKI
security, provides the core secure connection to any authorized SWIFT correspondent.
The Hardware Security Module (HSM) is the security device that contains your critical SWIFTNet
Public Key Infrastructure (PKI) certificates and generates signatures for your traffic.
SWIFT PKI is the core security infrastructure, designed to enable customers to securely access
applications and exchange information. SWIFT PKI provides certification services to entities,
typically end users, applications, and SWIFT interfaces, enabling them to securely authenticate
and/or to sign traffic.
RMA: The RMA is a SWIFT-mandated authorization that enables financial institutions to define
which counterparties can send them FIN messages. RMA stands for Relationship Management
Application, though in common use, when discussing an RMA, what is described is the key
exchange and authorization process between two institutions.