SWIFT Customer Security Framework (CSCF) and Customer Security Program (CSP) were jointly established in 2017 in an attempt to strengthen the posture of cybersecurity and to maintain the cyber-hygiene of all users. Since then, while putting security measures in place, CSCF has served as a user reference point. Over the years, the framework has undergone several modifications in response to the ongoing evolution of cyber threats and the field of cybersecurity. The CSCF is typically updated and modified annually, with the most recent revisions being prepared a year in advance of its implementation. 

The 2025 edition of the Swift Customer Security Controls Framework (CSCF) represents a steady continuation from the 2024 version, maintaining stability in security expectations. This year, the Swift CSCF 2025 contains 32 security controls, of which 25 are mandatory controls and 7 are advisory controls, which is the same as in SWIFT CSCFv2024. SWIFT customers have to comply with these controls by 31 December 2025. 

The CSCF Working Group evaluated various change proposals—ranging from minor textual improvements and clarifications to broader scope adjustments—but no advisory control has been added to mandatory status in this cycle. Notably, they have already confirmed that Control 2.4 will become mandatory in 2026, which is an early announcement that is unusual.

Detailed Progression of making Control 2.4A a mandatory requirement:

Control 2.4A, which focuses on securing back-office data flows, continues on its phased path toward mandatory implementation, expected in 2026. Key future requirements include:

• By 2026: Protect ‘bridging servers’, the critical links between the user’s secure zone and the initial back-office systems

• Secure any new direct connections between the secure zone and the back office using modern, secure architecture.

• Provisionally targeting 2028, this control shall safeguard legacy flows between the user’s secure zone and the back-office first hops.

This control is still classified as advisory in 2025; however, Swift strongly recommends users begin prioritizing their security efforts for these flows, guided by both the sensitivity of the systems and associated risk.

Expanding Endpoint Scope for Customer Connections

To ensure a unified security approach for all users interacting with Swift services, any endpoint that connects indirectly via a service provider, whether server or client, will increasingly be recognized as a “customer connector.” The 2025 version introduces this concept through the advisory inclusion of the ‘customer client connector’ (e.g., API consumers, middleware systems, or file transfer clients).

In 2026, this classification will become mandatory in CSCFv2026. Customer Connector will include both a server and a client endpoint that connect to a Service Provider or SWIFT. Consequently, some users who previously identified their architecture as type B may need to reclassify to type A4, depending on their connector usage.

Minor Updates

Several updates were introduced to enhance clarity and facilitate implementation:

• Clarified Scope of Controls: The ‘Scope of Security Controls’ section now better defines “business transaction management,” which may allow certain components (e.g., those used only for pre-validation or value-added services) to be excluded, provided a risk-based justification is in place.

• Some terms have been redefined terminologically:‍
  
  • Swift connectivity providers: This defines entities like service bureaux, Business Connect, and L2BA providers.
  • Service providers: Broader term encompassing Swift connectivity providers, third-party IT/cloud vendors, outsourcing partners, and Group Hubs.
  • General (enterprise) IT environment: Now includes servers that support the Change and Release Management process.

• Tool and Interface References: Standalone Alliance Access is defined as a messaging interface, and the CREST WebAPI used within a browser from 2025 is listed as a new added SWIFT GUI example.

• Visual Enhancements: Diagrams are updated in the ‘Scope of Security Controls’ section to aid understanding, especially regarding the Swift API channel.

Controls- Specific Updates

• Environment Controls (1.1, 1.5): These controls' implementation guidance has been corresponded with the Scope of Security Controls for environments where components are co-hosted.

• Cloud Platform Protection Control, also known as virtualization (1.3): Advised for Architecture B configurations that use virtual desktops.

• Controls (2.1, 2.4, 2.5, 2.6): These controls emphasize the possibility of flows extending across both on-premises and remote (cloud) environments or a combination of both environments

• Vulnerability Scanning (2.7): This control clarifies the need for detection at both OS and application levels, and timely remediation based on reported results.

• Outsourcing Critical Activity Protection Control (2.8): This control has been enhanced to clarify the delineation of outsourced responsibilities and when Swift’s connectivity provider program can be relied upon.

• Cyber Incident Response Planning Control (7.1) and Scope of Security Controls (end of section A): These controls provide additional guidance offered for handling extreme or unusual cyber scenarios.

Appendix Updates

• (Service and Components) Appendix F: Streamlined to remove outdated content.

• (Shared Responsibilities in Cloud Model) Appendix G: Now includes visuals illustrating the typical division of responsibilities between a customer and their cloud provider.