Swift CSP and CSCF v2026: Why taking action now matters

Prepare for Swift CSCF v2026 with a clear overview of the Customer Security Programme, key control changes, scope considerations and planning steps for organisations using Swift.

Swift sits at the heart of global payments, securities and financial messaging. For many organisations, it underpins business-critical processes, client service and market confidence. It is also an attractive target for cyber criminals.

That is why Swift's Customer Security Programme (CSP) is so important. It provides a structured framework to help users strengthen the security of their Swift-related infrastructure. At its core sits the Customer Security Controls Framework (CSCF) — the baseline of mandatory and advisory controls for all Swift users.

CSCF v2026 raises the bar in several areas. For some organisations, the impact will be incremental. For others — particularly those with back-office integrations, outsourced delivery models or hosted connectivity — it may widen scope, increase evidence requirements and require earlier planning.

The message is simple: if you rely on Swift, now is the time to confirm scope, understand the changes and prepare in a disciplined way.


What the CSP requires

CSP operates as an annual cycle: understand the controls, implement them, complete an independent assessment where required and submit a security attestation via KYC Security Attestation (KYCSA).

In practice, three areas drive most of the work:

1. Annual attestation

All Swift users must submit an attestation through KYCSA between July and December. New users must attest before going live.

2. Independent assessment

Most organisations are required to support their attestation with an independent assessment — delivered either by an appropriately independent internal function or an external provider.

Receive-only BICs may be eligible for self-attestation, where all mandatory controls are met.

3. Visibility of non-compliance

Swift may report organisations that do not submit a valid attestation, fail to meet mandatory controls, do not complete required assessments, or rely on non-compliant service providers. Non-compliance can also be made visible to supervisors.

CSP is not just about stating compliance — it is about demonstrating it with clear, credible evidence.


Getting scope right

CSP applies to all Swift users, including those with receive-only BICs. In practice, scope can become complex where organisations operate across multiple entities, jurisdictions or connectivity models.

A common issue is relying on historic assumptions rather than validating scope against the current architecture. Errors at this stage often surface later — bringing unexpected systems into scope, delaying assessments and creating avoidable pressure.

Early clarity is critical.


What is changing in CSCF v2026?

Three changes are particularly relevant for many organisations:

1. Control 2.4 becomes mandatory

Control 2.4 (Back Office Data Flow Security) now requires organisations to secure and evidence data exchanges between the Swift environment and back-office systems.

This includes APIs, middleware, file transfers and managed integrations. While many organisations have secured the Swift environment itself, the interfaces around it often present the greater challenge. Data flows must now be clearly understood, controlled and evidenced.

2. Customer-client connectors move into scope

Customer-client connectors are now in mandatory scope. This can expand the systems, teams and stakeholders involved in the assessment, requiring broader coordination across application, infrastructure, integration and operations teams.

3. Increased focus on third-party conformance

Swift has introduced new conformance requirements for providers of messaging and connectivity solutions. Organisations relying on third parties must confirm what assurance evidence is available and how customer obligations will be met.

Outsourcing may simplify delivery — but accountability remains with the user.


The challenge in outsourced and group models

Many organisations — particularly in international finance centres — operate Swift through outsourced IT, hosted connectivity, shared services or cloud delivery.

In these models, the challenge is rarely whether controls exist. It is whether the organisation can clearly demonstrate:

  • what is in scope
  • who owns each control
  • what evidence supports it
  • how third-party and group dependencies are governed

This distinction matters. In regulated environments, responsibility sits with the organisation — regardless of how services are delivered.


What this looks like in practice

In multi-provider environments, control evidence is often distributed across internal teams, service providers and group functions. Where ownership is unclear, assessments become slower, more complex and more resource-intensive.

Similarly, organisations using APIs and middleware to exchange payment or messaging data are now required to demonstrate stronger control over these flows. This typically means better documentation, clearer ownership and more consistent evidence.

Where group services provide capabilities such as identity, monitoring or security tooling, local management must still demonstrate effective oversight and control operation within the Swift environment.


A practical readiness approach

The most effective approach is to treat v2026 readiness as an operational workstream — not a year-end exercise:

  • Confirm scope early: Validate architecture, integrations and third-party dependencies to avoid late surprises
  • Define the evidence model: Identify what evidence is required, who owns it and where dependencies sit
  • Assess evidence readiness: Address gaps early where evidence is incomplete or fragmented
  • Engage suppliers proactively: Structure, track and manage third-party evidence requests
  • Plan backwards from attestation: Reduce pressure by aligning timelines to the July–December submission window


What senior leaders should be asking

Senior management should be asking:

  • Has scope been revalidated against the current architecture?
  • Do the v2026 changes expand systems or integrations in scope?
  • Are control ownership and evidence responsibilities clearly defined?
  • Can internal, supplier and group evidence be obtained on time?
  • Is the independent assessment being planned early enough?

These questions help shift CSP from a reactive annual exercise to a controlled and efficient process.


How BDO Jersey can help

At BDO Jersey, we support organisations across the full CSP lifecycle — from scope validation and evidence readiness to independent assessment support and KYCSA preparation.

We work with organisations operating across internal, outsourced and group service models, helping bring clarity to control ownership, evidence and oversight. Our focus is practical: enabling an efficient, credible and well-supported attestation process.

As part of a global Swift CSP Centre of Excellence, we also bring consistency, alignment with Swift requirements and robust quality assurance.


Start early, strengthen assurance

For organisations impacted by CSCF v2026, early action is the most effective response. Confirm scope, understand the changes and build an evidence-led plan ahead of the attestation window.

Done well, this reduces pressure, strengthens assurance and gives senior management greater confidence in the outcome.

To discuss your CSCF v2026 readiness, contact Arthur Mainja at amainja@bdo.je

The team at BDO Jersey are ready to support any clients with their strategic journey and help them thrive in an uncertain world.

If you would like to know more about our Swift Attestation Services or discuss any aspects of your strategy further, get in touch with the team via the contact form below.