
The SWIFT CSP Framework: What Banks Must Know in 2026

The SWIFT CSP framework, formally the Customer Security Controls Framework (CSCF), is the set of security controls that every institution connected to the SWIFT network must meet and attest to each year. It exists to protect the global financial system from the kind of attack that drains a payment account before anyone notices, and for 2026 it expanded in ways that affect institutions that were fully compliant a year ago. This guide is the starting point for understanding the framework, and it links out to deeper guides on the controls, the assessment, and the changes you need to plan for.

What the SWIFT CSP Framework Requires

The SWIFT CSP framework sits inside the broader Customer Security Programme (CSP), the initiative SWIFT launched to raise the security baseline across its entire user community. Every SWIFT user must attest annually against the CSCF, and that attestation must be validated through an independent assessment before it is submitted through the KYC-SA portal. A self-attestation on its own is no longer sufficient.

For 2026, CSCF v2026 defines 32 security controls across three objectives and seven principles. Of those controls, 26 are mandatory and 6 are advisory. The attestation window runs from July 1 to December 31, 2026, and your attestation status is visible to the counterparties you transact with, so it is not a private internal exercise.

Who Must Comply With the SWIFT CSP

Any institution that sends or receives messages over the SWIFT network falls under the programme, including banks, broker-dealers, asset managers, and corporates connected through a service provider. Which specific controls apply to you depends on your architecture type, a classification that ranges from Type A1, where you own both the communication and messaging interfaces, to Type B, where you have no local SWIFT infrastructure and use GUI or application access only. Because that classification drives everything downstream, it is worth understanding the SWIFT CSP architecture types before you assume which controls apply to you.

One point catches many institutions out: compliance responsibility stays with you even when a third party operates the infrastructure. Where a provider runs controls on your behalf, that assurance is typically evidenced through their SOC 2 or ISO 27001 reporting and mapped back to the relevant CSCF controls during the assessment. A certificate or summary letter alone does not carry that weight: the assessor will want to see that the provider's report actually covers the specific control, the systems that make up your SWIFT-connected environment, and a period that overlaps the attestation year, and any control the report does not cover remains yours to evidence.

The CSCF Objectives and Principles

The framework organizes its controls under three objectives. The first, Secure Your Environment, covers system hardening, network segmentation, vulnerability management, and, new for 2026, back-office data flow security. The second, Know and Limit Access, covers privileged access control, multi-factor authentication, and identity management. The third, Detect and Respond, covers logging and monitoring, anomaly detection, and incident response. Seven security principles group the 32 controls beneath those objectives, and whether a given control is mandatory or advisory can depend on your architecture type.

The SWIFT CSP Controls

The 32 controls are the heart of the SWIFT CSP framework, and they are assessed on evidence rather than intent. An institution can own strong security tooling and still have findings if it cannot demonstrate that a control is designed appropriately, implemented correctly, and operating effectively. The most common reason controls fail an assessment is not that they are missing, but that the evidence to support them is missing, outdated, or inconsistent. The full breakdown of each control, what an assessor looks for, and what strong evidence looks like is covered in the dedicated guide to the SWIFT CSP controls.

How SWIFT CSP Attestation Works

The process follows a clear sequence. First, confirm your architecture type, because it determines which controls apply and how much evidence you must produce. Next, run a gap assessment against the current CSCF to find where controls or evidence fall short. Then complete the independent assessment of at least all mandatory controls, and finally submit your attestation through KYC-SA. Because the independent assessment is now mandatory, the quality of that assessment matters, and it is worth understanding what a SWIFT CSP independent assessment involves before you choose how to approach it.

Timing matters more than most institutions expect. Assessors evaluate whether controls operate effectively, not just whether they are configured, and evidence of effective operation takes time to accumulate. A control implemented in November gives an assessor only a few weeks of operating history, which is thin. The institutions that pass the first time start their internal gap assessment in June, well before the window opens.

Getting ready for your 2026 attestation? Book a SWIFT CSP gap review with one of Elevate Consult’s certified assessors and find your gaps while there is still time to fix them.

What Changed in the SWIFT CSP Framework for 2026

The 2026 cycle expanded the SWIFT CSP framework in two ways that can create new gaps without any change to your environment. Control 2.4, back-office data flow security, moved from advisory to mandatory, and customer-client connectors such as APIs, middleware, and file transfer clients are now mandatory in scope. As a result, some institutions that attested as Type B may need to reclassify to Type A4. Neither change depends on anything having changed in your technology, which is exactly why they catch previously compliant institutions off guard: the same environment that passed last year can fail this year purely because the scope moved. The full detail is in the guide to SWIFT CSP 2026.

Why the SWIFT CSP Framework Matters

The programme exists because of a real attack. In 2016, attackers who had compromised the local SWIFT environment of Bangladesh Bank, the country's central bank, used its credentials to send fraudulent payment instructions and stole roughly USD 81 million. The messages were valid as far as the SWIFT network could tell; the weakness was the security of one participant's local infrastructure. SWIFT responded by creating the CSP and the CSCF, on the principle that the security of the global financial system depends on every participant meeting the same baseline.

The consequences of non-compliance are concrete. Counterparties can see your status through KYC-SA. Each year SWIFT selects institutions for a mandated external assessment, and non-compliant institutions face a higher probability of selection. SWIFT may also report institutions to their local supervisory authorities, which in the United States can include the Federal Reserve Board. In serious cases, this can mean heightened oversight and restrictions on your SWIFT connectivity.

How to Prepare for a SWIFT CSP Assessment

Strong preparation comes down to confirming your architecture type early, treating documentation as your primary deliverable, and maintaining evidence throughout the year rather than assembling it under deadline pressure. Because many CSCF controls overlap with other frameworks, institutions that already maintain SOC 2 controls or run regular penetration testing can often map that work to the SWIFT-connected environment instead of building a separate control set. For a step-by-step preparation plan, work through the SWIFT CSP audit checklist.

Elevate Consult’s certified assessors help financial institutions validate their architecture, close gaps against CSCF v2026, and complete their independent assessment. You can see the full approach on the SWIFT CSP assessment services page.

Key Takeaways

  • The SWIFT CSP framework is the CSCF, the set of security controls every SWIFT user must meet and attest to each year.
  • CSCF v2026 has 32 controls, 26 mandatory and 6 advisory, across three objectives and seven principles.
  • Attestation runs from July 1 to December 31, requires an independent assessment, and is visible to your counterparties.
  • The controls that apply depend on your architecture type, and compliance responsibility stays with you even when a provider runs the infrastructure.
  • For 2026, back-office data flows and customer-client connectors are now mandatory in scope, which can move some institutions from Type B to Type A4.
  • Start your internal gap assessment in June, because evidence of effective operation takes time to accumulate.

Frequently Asked Questions

What is the SWIFT CSP framework?

The SWIFT CSP framework is the Customer Security Controls Framework (CSCF), a set of mandatory and advisory security controls that every institution connected to the SWIFT network must meet and attest to each year. It sits inside the broader Customer Security Programme that SWIFT launched to raise the security baseline across its user community.

What is the difference between the CSP and the CSCF?

The CSP, or Customer Security Programme, is SWIFT’s overall initiative to raise security across its user community. The CSCF, or Customer Security Controls Framework, is the specific set of controls within that programme that institutions are assessed and attest against each year.

Who has to comply with the SWIFT CSP?

Any institution that sends or receives messages over the SWIFT network, including banks, broker-dealers, asset managers, and corporates connected through a service provider. The specific controls that apply depend on the institution’s architecture type.

Is SWIFT CSP attestation mandatory?

Yes. Every SWIFT user must attest annually against the CSCF, and the attestation must be validated through an independent assessment of at least all mandatory controls before it is submitted through the KYC-SA portal. A self-attestation on its own is not sufficient.

How many controls are in the SWIFT CSP framework?

CSCF v2026 defines 32 security controls, of which 26 are mandatory and 6 are advisory, organized across three objectives and seven principles.

How often do you attest to the SWIFT CSP?

Attestation is annual. For 2026, the window runs from July 1 to December 31, and attestations are submitted through the KYC-SA portal.