New obligation for SWIFT connection holders

Connection holders of SWIFT (Society for Worldwide Interbank Financial Telecommunication) have been obliged to carry out independent security audits starting this year. The purpose of the mandatory audit is to make international payments safer and reduce the risk of fraud. The audit must be completed by 31 December 2021.

The initiative of SWIFT is part of the Customer Security Programme, a multi-year plan to strengthen the security and resilience of the transaction chain. The SWIFT network currently has more than 11,000 affiliated organisations in over 200 countries.

Cyber security audit

Until now, a certificate from SWIFT granted on the basis of a self-assessment was sufficient. SWIFT connection holders themselves made a risk assessment of the security of the party with whom messages were exchanged.

This is going to change. Before the end of the year, organisations must have a cyber security audit carried out by an independent IT auditor.

To whom does this obligation apply?

The audit applies to all organisations with a SWIFT connection:

  • Payments, securities and treasury market infrastructures
  • Brokers and dealers
  • Custodians
  • Investment managers
  • Clearing houses
  • Matching utilities
  • Fund participants
  • Trading venues

How does a cyber security audit work?  

To perform the audits, SWIFT provides the Customer Security Controls Framework (CSCF) to the auditors, consisting of a set of mandatory controls and optional controls. The controls that apply to your organisation depend on a number of factors such as your IT architecture and how you have organised your IT objects.

The first step in a SWIFT security audit is, therefore, to determine the scope, followed by a gap analysis and the actual audit. You will receive a report with which you can demonstrate to SWIFT that you have fulfilled your obligations.

In our flyer 'Cyber security audit, new obligation for SWIFT connection holders’, you can read more about the criteria on which your cyber security is tested, the way in which the scope of the audit is determined and our working method for performing the cyber security audit.

The audit must be completed before 31 December 2021

Given SWIFT's new requirement to have an independent audit conducted by 31 December 2021, we expect a spike in these activities for this year. It is recommended to take action as soon as possible to prepare and schedule the audit work.

Want to know more?

Would you like to know more about what we can do for you in terms of a SWIFT audit? Please contact Jan Matto by e-mail or by telephone: +31 (0)88 277 13 99 or Achmed Bouazza by e-mail or by telephone +31 (0)88 277 13 88. They will be happy to help you.


Cyber security audit, new obligation for SWIFT connection holders.pdf
Cyber security audit, new obligation for SWIFT connection holders.pdf