The Swift CSCF is a set of mandatory and advisory security controls designed to protect the global financial community against cyber threats. Banks, payment processors, and other organisations on the Swift network need to implement these controls to keep their operations secure and compliant. Each year, Swift updates the framework to address emerging threats and new trends in cybersecurity.
What’s New in the 2025 Version?
The SWIFT Customer Security Controls Framework (CSCF) v2025 maintains stability in security expectations after years of gradually increasing requirements. Key points include:
- No advisory control or component in scope becomes mandatory in this release.
- Control 2.4A (Back Office Data Flow Security) remains advisory in 2025 but is set for a phased promotion to mandatory status by 2026. Swift recommends organisations to prepare a prioritisation plan for identified flows between the secure zone and the back-office first hops.
Progressive scope alignment for all flavours of customer’s endpoints
To keep things consistent across Swift flows, all user endpoints (applications or system footprints) that connect indirectly to Swift via a service provider will now gradually be treated as customer connectors. This means it won’t matter if the endpoint is a server or a client.
The first step in this change introduces the concept of a ‘customer client connector’ as an advisory component. This includes endpoints like API consumers, Middleware, or File Transfer clients. By CSCF v2026, these connectors are expected to be moved from advisory to mandatory. This means that both server and client endpoints connecting through a Service Provider or directly to Swift will officially fall under the customer connector category.
This amendment might mean some users, who previously attested as Architecture type B, will need to switch to Architecture type A4 when using a customer client connector. It’s a heads-up for anyone needing to realign their attestations to meet these new requirements.
Additional clarifications
Further minor clarifications or changes have been made to specific controls or to the overall CSCF framework to improve the usability and understanding of the document and to help users implement the framework as intended:
- The section ‘Scope of Security Controls’ clarifies the notion of ‘business transactions management’ which may support, under strict conditions and risk assessment, the descoping of components used only for pre-validation or value-added services
- Several definitions have been amended:
- ‘Swift connectivity providers’ refers to providers such as service bureaux, Business Connect and L2BA providers
- ‘Service providers’ encompass ‘third parties’ (IT or Cloud providers and outsourcing agents), ‘Swift connectivity providers’ and ‘Group Hubs’
- ‘General (enterprise) IT environment’ includes servers supporting the Change and Release Management process
- The Standalone Alliance Access is identified as a messaging interface and the expected in 2025 CREST WebAPI is identified as an additional example of graphical user interface (GUI)
- Additional drawings have been added in the section ‘Scope of Security Controls’ to visualise usual elements in scope especially with the ramp up of the Swift API channel
- Controls 1.1 and 1.5 (Environment Protection) implementation guidelines have been aligned with the Scope of Security Controls for what regards components co-hosting
- Control 1.3 (Virtualisation or Cloud Platform Protection) is also advised to Architecture type B when using virtual desktops
- Controls 2.1, 2.4, 2.5 and 2.6 reminds the flows can span over multiple on-premises or remote (such as in the cloud) environments or a combination
- Control 2.7 (Vulnerability Scanning) reminds it covers detection at OS and application level and to act upon reported results
- Control 2.8 (Outsourced Critical Activity Protection) has additional wording to properly delineate the outsourced activities and when reliance on Swift connectivity providers programme can be used
- Control 7.1 (Cyber Incident Response Planning) and Scope of Security Controls (end of section A) provide guidance when considering extreme scenarios
- Appendix F has been updated and cleaned off some obsolete elements
- Appendix G presents visually the usual sharing of responsibilities between a user and a cloud provider.
How to Get Ready for 2025
Here are a few tips to help you prepare:
- Review the Full Framework: Make sure you’re familiar with the detailed requirements in the 2025 version. Swift provides plenty of guidance to help you interpret the controls.
- Conduct a Gap Analysis: Compare your current setup against the new controls. Identify where you’re compliant and where you need to make improvements.
- Engage Your Team: Make sure all relevant stakeholders, from IT and security to compliance and operations, understand the changes and their implications.
- Start Early: Don’t wait until the last minute to implement any changes. Some of these, like continuous monitoring, may require significant investments in technology and training.
- Consider External Support: If resources are tight or expertise is lacking, Dionach can help to guide you through the process.
How Dionach Can Help
Dionach is here to assist with Swift CSCF v2025 compliance, offering expert gap assessments ahead of your attestation to ensure you are fully prepared and aligned with the current requirements. We provide tailored support to help you understand the complexities of the new framework, assess your security posture, and implement necessary changes. Our team of experts will guide you through the process, ensuring a smooth transition and helping you avoid costly delays or non-compliance penalties. Let us help you safeguard your operations and stay ahead of the curve in the ever-evolving landscape of cybersecurity.