SWIFT Customer Security Programme – mandatory specifications to protect your local SWIFT infrastructures

The growing number of cyber-attacks, including those on the local infrastructures of SWIFT participants, has prompted SWIFT to create a security programme for its participants in order to fight together against cyber threats.

SWIFT published its Customer Security Programme in April 2017. It defines specific requirements to be met by all connected participants. The programme aims to improve the exchange of information within the SWIFT community, to ensure a high level of security for the local SWIFT infrastructure of participants, and to put in place an assurance framework to counter the ever growing number of cyber threats and strengthen the ability of SWIFT participants to combat cyber-attacks.

SWIFT Customer Security Programme

The programme calls upon all SWIFT participants to implement a control and assurance framework. The control framework consists of a set of 16 mandatory and 11 advisory security controls. The controls are based on existing SWIFT security guidelines, and are in line with good practice standards such as NIST, ISO/IEC 27002 and PCI-DSS. The mandatory controls establish a security baseline for the entire SWIFT community. SWIFT also recommends implementing the advisory controls to provide optimal protection for local SWIFT infrastructures.

Demands placed on SWIFT participants

The SWIFT Customer Security Programme will come into force on 1 January 2018. As well as applying to financial service providers, it is also valid for all companies that participate in the SWIFT network. Before the introduction of the programme, each SWIFT participant must conduct a self-assessment and notify SWIFT of its status regarding compliance with the controls (by the end of 2017). From 2018, all participants must confirm their compliance with controls on an annual basis. This confirmation can be provided via a self-assessment (self-attestation), internal audit (self-inspection) or external audit (third-party inspection). Participants are free to choose the type of confirmation they wish to submit. SWIFT will however also carry out regular spot checks of confirmations via internal or external audits for quality assurance purposes.

SWIFT participants must consider the following points in particular:

  • Should only the mandatory controls be implemented, or also the advisory ones?
  • How should the assurance framework be structured? Is self-assessment sufficient, or should an internal or external audit be conducted on a regular basis?
  • Should the status regarding compliance with controls be made public to other SWIFT participants?
  • How can it be ensured that controls continue to be adhered to in the future?

The support we offer you

SWIFT Readiness Assessment

We can help make sure you comply with the SWIFT requirements by 1 January 2018 by assessing your current status and highlighting any gaps.

SWIFT control support

We can provide support for the implementation of controls by means of a post-implementation review.

SWIFT compliance confirmation

We can assist you with your annual confirmation of compliance with SWIFT requirements.

Please feel free to contact our experts if you are interested in the topic.

Contacts

Jens Probst
Director, Systems & Process Assurance
+41 58 792 29 59
jens.probst@ch.pwc.com

Claudia Hösli
Senior Manager, Specialist Cyber Security
+41 58 792 14 85
claudia.hoesli@ch.pwc.com

Marco Schurtenberger
Senior Manager, Specialist Cyber Security
+41 58 792 22 33
marco.schurtenberger@ch.pwc.com

The opportunities opened up by video and online identification


The digitisation of processes is a key issue for the Swiss financial industry. To create and elaborate the necessary regulatory framework, on 18 March this year FINMA issued Circular 2016/7 ‘Video and Online Identification’. We have written a series of blogs addressing the December 2015 draft circular, the opinions expressed in the public consultation, and the risks of implementing video and online identification. In this last blog we’ll compare the final circular published in March with the draft. We’ll also be taking a look at other countries and showing where their practice differs significantly from Switzerland’s. And finally we’ll look at the opportunities that video and online identification creates.

Since 1 January 2016 the revised Anti-Money Laundering Ordinance has been in force. This has enabled FINMA to take account of new technologies designed to assure an equivalent level of security in meeting the relevant due diligence requirements. FINMA also has to make this practice public. This is why it has published Circular 2016/7 ‘Video and Online Identification’, describing the due diligence requirements for intermediaries onboarding clients via digital channels.

Read more about the opportunities here.

Further blogs
Read more about the digitisation of processes in the Swiss financial industry and about other key developments in this field in our previous articles in our blog series on video and online identification.

If you’re interested in this topic or have any questions connected with it, please feel free to contact our experts:

Jens Probst
Director, Systems & Process Assurance
jens.probst@ch.pwc.com
+41 58 792 29 59

Christian Hug
Senior Manager, Leader Information Governance
christian.hug@ch.pwc.com
+41 58 792 23 66

Marco Schurtenberger
Manager, Cyber security & IT compliance
marco.schurtenberger@ch.pwc.com
+41 58 792 22 33

The security risks of video and online identification

The digitisation of processes is a core issue for the Swiss financial industry. To create and elaborate the necessary regulatory framework, in December 2015 FINMA issued a draft circular governing the video and online identification of clients. In the meantime the final version of the FINMA circular has been published. In our first blog at the beginning of February we presented the draft FINMA circular on video and online identification. In the second we looked at the opinions expressed in the public consultation. In this, our latest entry, we address the concrete challenges involved in video and online identification.

Since 1 January 2016 the revised Anti-Money Laundering Ordinance has been in force. This has enabled FINMA to take account of new technologies designed to assure the requisite level of security in meeting the relevant due diligence requirements. FINMA also has to make this practice public, and has accordingly published the FINMA circular 2016/7 on video and online identification on 17 March 2016. The circular describes the due diligence requirements for intermediaries onboarding clients via digital channels without gaps in the information process. This is an opportunity for the Swiss financial industry to put the digitisation of business processes into practice. Our aim is to show where the risks lie and advise on how to deal with them.

Read more about the security risks here.

Further blogs
Read more about the digitisation of processes in the Swiss financial industry and about other key developments in this field in the next articles in our blog series on video and online identification.

If you’re interested in this topic or have any questions connected with it, please feel free to contact our experts:

Jens Probst
Director, Systems & Process Assurance
jens.probst@ch.pwc.com
+41 58 792 29 59

Christian Hug
Senior Manager, Leader Information Governance
christian.hug@ch.pwc.com
+41 58 792 23 66

Marco Schurtenberger
Manager, Cyber security & IT compliance
marco.schurtenberger@ch.pwc.com
+41 58 792 22 33

New FINMA circular on video and online identification – feedback from hearings

The digitisation of processes is a core issue for the Swiss financial industry. To create and elaborate the necessary regulatory framework, in December 2015 FINMA issued a draft circular governing the video and online identification of clients. In our first blog at the beginning of February we presented the draft FINMA circular on video and online identification.

Now in this second blog entry we’ll be looking at the publicly available opinions that were submitted to FINMA by the end of the consultation phase on 18 January 2016.

Read more about the new FINMA circular here.

Links to the FINMA consultation:
FINMA News
FINMA Documentation

Opinions published by authors:
Verein zur Qualitätssicherung von Finanzdienstleistungen
bob Finance AG
SWISS FINTECH
SwissBanking

Further blogs
In our next blog you’ll get to read about the opinions submitted during the consultation, the opportunities and risks for the Swiss financial market, and more key developments in this area.

If you’re interested in this topic or have any questions connected with it, please feel free to contact our experts Jens Probst, Christian Hug or Marco Schurtenberger.

New FINMA circular on video and online identification


The digitisation of processes is a core issue for the Swiss financial industry. To create the necessary regulatory framework, in December 2015 FINMA issued a draft circular governing the video and online identification of clients.

Since 1 January 2016 the revised Anti-Money Laundering Ordinance has been in force. Under its terms, FINMA can consider new technologies that provide the same level of security in terms of enforcing the due diligence requirements. FINMA also has to make this practice public. This is why it has drafted a circular on video and online identification.1 The draft describes the due diligence requirements that apply when onboarding clients via the internet. Those affected and other interested parties had until 18 January to comment on the draft. The definitive circular is scheduled to enter into force in March 2016.

Read more about the new FINMA circular here.

Further blogs
In our next blog you’ll get to read about the opinions submitted during the consultation, the opportunities and risks for the Swiss financial market, and more key developments in this area.

If you’re interested in this topic or have any questions connected with it, please feel free to contact our experts Jens Probst, Christian Hug or Marco Schurtenberger.

 1 Circular 2016/xx ‘Video and Online Identification’, due diligence requirements for acceptance of business relationships via the internet, FINMA, 21 December 2015