During 2020, SWIFT was lenient and did not push hard for compliance with the CSP because of the pandemic and the tight lockdown measures. CSCF 2021 was released with minor changes relative to CSCF 2020. CSCF 2021 has 22 mandatory and 9 advisory controls, with elaborate clarifications. SWIFT also introduced a new architecture, A4, in this version. Community-Standard Assessment will be put into action during 2021 within the Independent Assessment Framework (IAF), while Self-Assessment will be retired starting July 2021. By mid 2021, Community-Standard Assessment will be mandated, and self-assessment alone will no longer be compliant. Therefore, assessment and attestation will take place as per the table below.
Utilizing the services of an external third party is compliant for both options, and the resulting assessment is valid for 2 years. However, if the bank has not submitted an attestation based on one of the above assessment types by the end of 2021, the bank will be subject to reporting.
Is it worth the hassle to publish a compliance status? Well, your compliant status reflects your security standards to your correspondents. This directly affects the reputation of your organization, and your reputation strongly affects the business as a whole. After all, no bank or financial institution would be willing to deal with an insecure correspondent. Moreover, by the end of December 2021, if attestation is not performed under the umbrella of the IAF, SWIFT will report the bank or financial institution to the regulator.
As an information security consultancy, SBS performs the assessment as per SWIFT requirements and provides all the needed support to reach compliance status and publish it. These activities can be summarized as follows: