Question 1

What does Control 2.4 mean in practical terms for a bank or fiduciary business?

Accepted Answer

In practical terms, Control 2.4 means you need to understand and secure how data moves between the SWIFT environment and connected back-office systems. For a bank, that may include payment initiation, confirmations, middleware and API-driven integration. For a trust, fund or corporate services provider, it may include payment files, treasury workflows, hosted interfaces or managed file transfer. The main question is not just whether the SWIFT platform is secure, but whether the data exchanges around it are understood, controlled and evidenced.

Question 2

How do customer-client connectors affect us in practice?

Accepted Answer

Customer-client connectors may widen scope beyond the components traditionally viewed as &ldquo;the SWIFT environment&rdquo;. In practice, this can bring more systems, teams and suppliers into the process, especially where the organisation uses integration layers, messaging gateways, middleware or user-side connector components. The operational effect is often broader stakeholder engagement and a larger evidence workstream, rather than just a technical change.

Question 3

What usually causes the most difficulty in a CSP assessment?

Accepted Answer

For many organisations, the hardest part is not understanding the control wording. It is confirming scope, identifying who owns each control and obtaining evidence from the right people at the right time. This is especially true where evidence sits across infrastructure teams, information security, operations, internal audit, outsourced providers and group functions. Starting with a control-to-evidence map is usually more effective than starting with document collection.

Question 4

When should we use an external assessment provider rather than relying only on internal teams?

Accepted Answer

An external provider is often helpful where the organisation wants independent challenge, has limited in-house capacity, operates a complex outsourced model, needs support interpreting scope changes or wants a more structured readiness process before attestation. Even where internal audit or another independent internal function performs the assessment, many firms still benefit from external support on scope analysis, evidence readiness and remediation planning.

Question 5

What does a good evidence pack look like?

Accepted Answer

A good evidence pack is structured by applicable control, clearly indexed and linked to named evidence owners. It typically includes configuration evidence, access governance outputs, monitoring artefacts, incident response materials, architecture or data flow information and relevant supplier or group assurance records. The key is not volume. It is whether the evidence is relevant, current, attributable and strong enough to support the attestation and the independent assessment.

Question 6

We rely on group-shared technology and security services. Can we use group evidence?

Accepted Answer

Usually yes, but only if it is relevant to the in-scope SWIFT environment and can be tied back clearly to the local entity's attestation. In practice, firms often need both group artefacts and local evidence of oversight, such as governance records, service review evidence, issue tracking, local control performance or confirmation that the relevant group controls actually cover the SWIFT-related environment. The more remote the control owner is from the regulated entity, the more important it is to evidence oversight and accountability.

Question 7

We use a hosted or outsourced SWIFT service. Are we still responsible for CSP compliance?

Accepted Answer

Yes. Using a hosted, managed or outsourced model does not remove your responsibility for attestation. Swift requires the user to attest to its level of compliance with the mandatory controls, and non-compliance may still be reported where, for example, a user connects through a non-compliant service provider. In practice, this means firms using service providers still need clear control ownership, timely supplier evidence and sufficient internal oversight to support the attestation.

Question 8

What might this look like in a real international finance centre scenario?

Accepted Answer

Consider a fund administration business in Jersey or Guernsey that uses a managed service provider for infrastructure, a hosted Swift interface for connectivity and a back-office platform that generates payment files through an integration layer. The controls may exist across the environment, but the evidence is likely to sit across the provider, internal operations, information security and risk. If no one has mapped the end-to-end architecture or assigned evidence owners in advance, the assessment can quickly become slow, manual and pressured. In that situation, the immediate priorities are usually to confirm scope, identify the key integration points, allocate evidence ownership and request supplier artefacts early.

Question 9

What happens if we leave evidence collection too late?

Accepted Answer

The usual result is a compressed cycle of chasing documents, scheduling late walkthroughs, discovering scope questions at the wrong point and having limited time to remediate gaps before submission. SWIFT's attestation timetable is fixed, and users without a valid attestation or without the required independent assessment may be reported. In practice, late preparation increases both delivery pressure and governance risk.

Question 10

How early should we start preparing for v2026?

Accepted Answer

Earlier than many firms expect. SWIFT's process is annual, with updated controls published in July and the attestation window running from July to December the following year. In practice, firms with outsourced delivery, multiple stakeholders or complex back-office integrations should not wait until the attestation window opens. A sensible approach is to confirm scope and ownership first, then run an evidence readiness review well before formal assessment activity starts.

Question 11

Do receive-only BICs still need to pay attention to v2026?

Accepted Answer

Yes. Receive-only BICs may, in some circumstances, submit a self-attestation without independent assessment if they meet all applicable mandatory controls, but they still need to understand which controls apply and be able to support that position. They should not assume that &ldquo;receive-only&rdquo; means &ldquo;no action required&rdquo;.

Question 12

What should senior management ask before the attestation window opens?

Accepted Answer

A practical management checklist is: have we revalidated scope against the current architecture, do we understand whether v2026 expands scope, do we know who owns each applicable control, can we obtain supplier and group evidence on time and is the independent assessment scheduled early enough to avoid year-end pressure? SWIFT publishes CSCF updates annually in July, one year before they come into effect, and the annual attestation window then runs from 1 July to 31 December, so there is a defined period for preparation.

Swift Attestation Services

Clear scope, structured evidence and independent assessment support — helping you achieve Swift attestation with confidence and reduce delivery risk.

Understanding Swift CSP compliance

Who needs to comply?

Independent assessment requirements

Consequences of non-compliance

What's changing in CSCF v2026?

Mandatory Control 2.4 — Back Office Data Flow Security

Expanded scope — customer-client connectors

Stronger third-party conformance requirements

The challenge for international and outsourced models

How we support you

Why BDO?

FAQs

Contact our dedicated Management Consulting team for more information