Swift CSP attestation: What organizations need to know to prepare

Laura Bedborough

For financial institutions connected to Swift, the annual Customer Security Program (CSP) attestation is a critical milestone. With the cycle opening on 1 July and running through to 31 December, organizations have a defined window to review their controls, address any gaps, and submit a validated attestation confirming compliance.

This year’s cycle comes at a time when the scale of financial fraud continues to grow. According to the Global State of Scams 2025 report, 70% of adults worldwide have been exposed to a scam, and 23% have lost money, contributing to an estimated $442 billion in global losses.¹

For global payment infrastructures like Swift, which connects more than 11,500 institutions worldwide, this goes beyond cybersecurity. It is about maintaining trust in the systems that underpin international finance.

Understanding Swift CSP

The Swift CSP is built around the Customer Security Controls Framework (CSCF), which establishes a mandatory cybersecurity baseline that all users must meet.

Currently, the framework consists of 32 security controls, broken down into:

  • 25 mandatory controls (non-negotiable baselines)
  • 7 advisory controls (highly recommended best practices)

These are aligned with widely recognized standards such as NIST, ISO 27002 and PCI-DSS, which helps ensure consistency with broader industry frameworks.

The goal is simple: strengthen the security of local Swift environments, reduce vulnerabilities, and improve the ability to detect and respond to threats.

A continuous and mandatory process

Swift CSP compliance is not a one-time exercise. It follows a yearly cycle, requiring organizations to reassess their controls on a regular basis.

Re-attestation must be completed annually during the July to December window. New participants are required to submit their attestation before going live on the Swift network.

All submissions are made through the KYC-Security Attestation (KYC-SA) application, where the updated version of the CSCF controls becomes available at the start of each cycle in early July.

Each year, institutions must:

  • Conduct an independent assessment, and
  • Submit a security attestation by 31 December

Self-assessment alone is no longer sufficient. Compliance must be validated by an independent assessor, either through an internal audit function or an external partner, to prove that controls are working effectively in practice.²

The growing complexity of compliance

While CSP adoption across the industry is high, maintaining compliance is becoming increasingly challenging. Recent findings from Deloitte highlight this gap, with 80% of large financial institutions failing their initial CSP assessments, often requiring further remediation before they can attest with confidence.³

This reflects a broader shift: CSP compliance is no longer a straightforward checklist, but an ongoing process that needs to evolve alongside the threat landscape.

Recent iterations of the framework place greater focus on areas such as:

  • Data flows between Swift secure zones and back-office environments
  • Client connectors, APIs and external integrations
  • Cloud-based and virtualized infrastructures

As a result, institutions need to take a more dynamic approach to compliance. This includes:

  • Regularly reassessing their architecture and system boundaries
  • Validating controls across interconnected environments
  • Ensuring alignment between IT, cybersecurity and compliance teams
  • Maintaining clear and audit-ready evidence to support attestations

How Finastra supports Swift CSP compliance

This is where structured and experienced support can make a difference. Finastra provides Swift CSP assessment services designed to help institutions navigate the process in a practical and manageable way.

The approach focuses on understanding the full Swift environment, including infrastructure, connectivity, user access, and operational processes. Key areas of support include:

  • Scope and architecture assessment, ensuring all Swift-related components are accurately identified
  • Control validation, with detailed evaluation against each CSCF requirement
  • Gap analysis and remediation planning, providing actionable steps to address weaknesses
  • Assessment reporting and attestation support, ensuring readiness for Swift submissions
  • Ongoing guidance, helping institutions adapt to annual framework updates

Finastra’s assessments cover the full Swift landscape, including secure zones, messaging interfaces, connectors, hardware security modules and operational processes.

Preparing effectively for attestation

CSP attestation should not be treated as an annual checkbox exercise. Organizations that embed it as a continuous security discipline are better positioned to identify gaps proactively, reduce last-minute remediation costs, and attest with confidence.

The goal is not simply to meet the 31 December deadline but to ensure that security controls are reliable, tested, and effective when it matters most.

1 “Global State of Scams 2025 Report”, Global Anti Scam Alliance, 2026.

2 “Perform an independent assessment”, swift.com, 2026.

3 “80% of major financial institutions failed their initial 2025 Swift CSP assessment”, https://www.deloitte.com/ca/en/Industries/consumer/perspectives/swift-csp-compliance.html, April 7, 2026.

Written By

Laura Bedborough
Laura Bedborough is Director of Sales & Account Management for the UK, Ireland, and Nordics within Finastra’s Financial Messaging team.