
Stabilization, Clarity, and Next Steps for Financial Institutions and Payment Service Providers
The SWIFT Customer Security Programme (CSP) has been a central element in defending against cyber threats in the global financial system since 2016 – directly impacting the stability of international payments. Anyone using SWIFT must demonstrate that their systems meet the requirements defined in the Customer Security Controls Framework (CSCF). Since last year, compliance with the “Endpoint Security in SIC System” framework has also been mandatory for all participants in the SIC payment system.
This is not just a regulatory checkbox: Failing to implement SWIFT and SIC requirements properly can lead to significant financial losses, erosion of partner trust, and, in the worst case, disruptions in payment operations. Compliance is therefore essential for financial institutions, payment service providers, and all organizations connected to SWIFT or SIC.
Changes in SWIFT CSCF v2025
With CSCF v2025, SWIFT focuses on stabilization. Unlike previous years, there are no new mandatory controls. The emphasis is on consolidation, clarity, and improved guidance for implementation. However, some developments already set the stage for the future.
Of particular importance is Control 2.4A, which addresses the security of back-office data flows. It is classified as advisory in 2025, becomes mandatory for new data flows in 2026, and becomes mandatory for existing (legacy) data flows in 2028. Early planning here can prevent costly and complex retrofits later.
Another key point concerns so-called “customer client connectors” – interfaces such as endpoints using APIs, middleware, or file transfer clients. These components fall under the scope of SWIFT architecture type A4 as a recommendation starting in 2025 and become mandatory in 2026. For many institutions, this requires reviewing and potentially adapting their existing architecture. Under the new rules, only architectures in which SWIFT transactions are entered manually through a service bureau remain under SWIFT architecture type B. Systems that process automated payment flows via back-office or treasury applications are classified as SWIFT architecture type A4. Many institutions will therefore need to review their classification and adjust to A4, which has significant implications for the scope of controls from 2026 onwards.
Endpoint Security in the SIC System
In Switzerland, the “Endpoint Security in SIC System” framework of the Swiss National Bank (SNB) is also gaining focus. Similar to SWIFT CSP, it defines binding security requirements for all participants in the Swiss Interbank Clearing (SIC) network. Since 2024, an independent attestation has been required.
For many institutions, this presents an opportunity to leverage synergies: many SIC framework security controls align with SWIFT CSP requirements. Attestation can be provided in an integrated approach. Institutions already conducting structured SWIFT attestations can expand them to reduce the additional effort required for SIC compliance.
Compared to 2024, a key update in the SIC framework is Control 7.3.2 “Third-Party Risk Management,” which has been upgraded from “recommended” to “mandatory”.
Practical Implications
For financial institutions, payment service providers, and all organizations using SWIFT directly or indirectly, it is time to review their compliance status. New topics such as “back-office data flow security” and “customer client connectors” should be addressed early. This not only ensures readiness for the next attestation but also strengthens overall cyber resilience. Attestation must be completed by the end of 2025 at the latest. By then, all participants must demonstrate compliance with both SWIFT and SIC requirements. Experience shows that the better and earlier the preparation, the smoother the process.
How we can support you
We help you prepare optimally for attestation – from gap analysis and prioritization of necessary measures to independent attestation.
Our team knows the common pitfalls, understands what SWIFT and SIC focus on, and provides practical recommendations. In addition to the formal attestation for 2025, we recommend a readiness assessment for the new mandatory aspects for 2026 – Control 2.4 “Back Office Data Flow Security” and changes to the “customer client connector.” This avoids unpleasant surprises and ensures you are ready for the 2026 requirements.
We are ready to guide you – with solid expertise, pragmatic advice, and execution of your attestation. Together, we ensure your SWIFT operations remain secure, compliant, and future-proof.