SWIFT Customer Security Programme – Combating Fraud

SWIFT has released a set of core security standards that are mandatory for all corporates and financial institutions connected to SWIFT. By implementing these standards, you will:

  • Raise the security bar on the SWIFT network,
  • Support SWIFT's efforts to prevent and detect fraudulent use of its infrastructure, and
  • Increase security awareness and education in the on-going fight against cyber-related wire fraud.

Important dates:

  • To ensure adoption, SWIFT requires all corporations and financial institutions on SWIFT to provide self-attestation against the mandatory controls by December 31, 2017 and on an annual basis thereafter.
  • Enforcement of the controls starts January 01, 2018 onwards.

Architecture Types

Each institution must identify which of the three reference architecture types most closely resembles their own architecture deployment to determine which components are in scope. Depending on the architecture type, some security controls may or may not apply.

The three reference architectures are as follows:

Architecture A1 – Full stack

Both the messaging interface (SAA or equivalent) and the communication interface (SAG, SNL, HSM and VPN box) are within the user or client environment. This architecture type also includes hosted solutions where the user holds the licenses for both the messaging interface and the communication interface.

Architecture A2 – Partial stack

The messaging interface is within the user environment, but a service provider (for example, a service bureau, SWIFT Alliance Remote Gateway or a group hub) owns a license for and manages the communication interface. This architecture type also includes hosted solutions of the messaging interface where the user holds the license for the messaging interface.

Architecture B – No local user footprint

No SWIFT-specific infrastructure component is used within the user environment. Two types of set-up are covered by this architecture type:

  • Users only access SWIFT services via a GUI application at the service provider (user-to-application).
  • Users’ back-office applications communicate directly with the service provider (application-to-application) using a middleware product (for example, IBM® MQ or similar) or APIs from the service provider. Categorizing this set-up as architecture type B is in line with the scope of the security controls, which excludes user back-office and middleware applications.

Enforcement of the mandatory requirements by SWIFT will start from January 2018, including inspections by internal and external auditors conducted on samples of customers to check the quality of their self-attestations. The detailed compliance status of each customer will be made available to their counterparties (for example, via the KYC Registry), providing transparency on their self-attestation and inspection results and allowing other users on the network to apply risk-based decision-making to their counterparty relationships.

2 King Arthur Court, Suite A-1, North Brunswick, NJ – 08902 Tel: 732-296-0001.