16.03.2021 | Markus Günther

Swift CSP: What Will Change for BIC Users in 2021


2021 brings two changes for SWIFT users. Firstly, the need for an Independent Self-Assessment and secondly, a new version of the Customer Security Controls Framework (CSCF) in the 2022 version. While the latter is a calculable innovation, the former is a serious tightening.

What will change for BIC users in 2021

The change from pure self-assessment to an independent, in many cases probably external, audit offers potential for surprises. While it was previously possible to assess the effectiveness of implemented measures yourself, an independent view of the existing risk landscape is now necessary. SWIFT’s approach is interesting and groundbreaking: independent auditors are not required to verify the more than 20 detailed control points of the Implementation Guidelines, but are encouraged to assess the effectiveness of the overall measures in relation to the control objectives. The auditors must therefore abandon checklists and accept a high degree of variance in the measures actually taken in their assessment.

There is no question that this step is important and correct. Our environment is constantly changing - be it in terms of regulation, players or technology. Every BIC user can assess whether this adaptation is sufficient in a self-assessment. Only a switch to an independent assessment will provide clarity as to whether the measures taken are actually appropriate to the risk. If they are not, SWIFT users may face costly changes this year that have been postponed until now. Added to this is the time pressure: users must certify their compliance in the KYC-SA by 31.12.2021, otherwise they will be reported to the responsible authorities from 1.1.2022. Anyone who schedules their assessment in the second half of the year may therefore risk their compliance. In the event of inadequate implementation of the CSCF, measures must be planned, the budget organized and, where necessary, service providers found to ensure that a second gap assessment can be carried out as quickly as possible. This represents a considerable uncertainty factor from both a monetary and a time perspective. In addition to the resulting costs, there are also the expenses for the assessment itself. The more extensive the selected architecture, the greater the effort required to carry out an assessment. Anyone using a type A architecture has seven additional mandatory controls compared to a user using a type B architecture. While cost calculations have so far prompted some users to carry out the operation themselves, the tightening could lead to the use of a service bureau or outsourcing to external partners becoming more attractive.

Our specific recommendations for action are as follows:

  • Find an assessor as soon as possible who strikes a balance between risk and business. The SWIFT CSCF does not provide any conclusive guidelines on how risks can be reduced. There is therefore room for interpretation: not every IAM needs to be renewed, not every data center needs to be rebuilt.
  • In order to reduce the scope of the assessment, existing certifications can be taken into account in some cases. This must be checked on a case-by-case basis.
  • Plan a sufficient budget for any necessary measures. This also includes internal resources for implementation. Also make sure that your specialists are available.

Cybersecurity Security Architecure

About the author
Markus Günther
About the author
Markus Günther, Senior Security Consultant