SWIFT CSCF v2026

Key Changes and How to Prepare for the Assessment

As part of its ongoing strategy to keep pace with the evolution of information processing technologies in financial institutions, SWIFT is gradually updating its security control framework.

As the traditional “secure zone” shifts from a purely on-premises environment to more distributed and cloud-based connectivity models—often involving third-party service providers—components that were previously out of scope are now becoming part of it.

This shift aims to strengthen the overall security of financial transaction processing environments. However, it also requires institutions to review and, in many cases, adjust the scope of their controls to remain compliant with evolving requirements.

For those familiar with SWIFT architecture diagrams, a useful way to visualize this evolution is: while the “right-hand side” becomes more diffuse, the “left-hand side” expands—bringing more components into scope.

In this context, the 2026 version of the Customer Security Controls Framework (CSCF) introduces changes that organizations should understand and plan for in advance.

Why CSCF v2026 matters

Launched in 2016, the Customer Security Programme (CSP) aims to enhance the security of the SWIFT ecosystem by:

– improving cybersecurity hygiene

– reducing the risk of cyberattacks

– minimizing the impact of fraudulent transactions

The CSCF defines mandatory and advisory controls that customers must implement and attest to on an annual basis.

As threats and regulatory expectations evolve, SWIFT updates the framework every year. While its overall structure remains stable, CSCF v2026 introduces relevant changes compared to 2025, including new mandatory requirements, expanded scope, and increased precision for hybrid, cloud, and API-based environments.

Change 1: back-office data flow security becomes mandatory

In CSCF v2026, Control 2.4 (Back Office Data Flow Security) moves from advisory to mandatory.

Its objective is to protect data exchanges between the secure zone and the back office when modern end-to-end encryption is not in place.

This includes:

– securing bridging servers and their operation

– protecting non-E2E data flows between the secure zone, bridging servers, and back office

– incorporating security by design into new direct data flows lacking modern E2E protection

While some legacy exchanges remain advisory until 2028, organizations are expected to plan their remediation.

A key step is reviewing the actual data transfer architecture and identifying where control evidence needs to be strengthened.

Change 2: customer client connectors enter scope

CSCF v2026 defines customer client connectors as endpoints that connect indirectly to SWIFT via shared service providers (e.g., APIs, middleware, file transfer clients).

These connectors are now in scope for multiple mandatory controls, including:

– system hardening

– authentication

– segregation

– logging and monitoring

– malware protection

In practice, this may require:

– reassessing the SWIFT architecture classification (e.g., moving to A4)

– expanding the evidence set for the annual assessment

Other key updates

Beyond the two major changes, CSCF v2026 introduces increased operational precision across several controls, raising expectations for consistent and auditable evidence.

Notable updates include:

– modernization of Alliance Connect (SD-WAN and virtual VPN on-prem in scope)

– clearer criteria for container environments (co-hosting by default with risk-based exceptions)

– cryptographic updates aligned with the post-quantum roadmap

– enhanced hardening requirements (including WMI and PowerShell considerations)

– MFA requirements for external privileged access and LSO/RSO roles

– expanded expectations in malware protection, awareness, and penetration testing, including modern threat scenarios such as deepfakes

SWIFT also refines scope and terminology to better reflect:

– hybrid and cloud environments

– API-based data flows

– shared responsibility models in IaaS/SaaS architectures

Additionally, SWIFT confirms the end-of-life of IPLA and SIL in 2026, reinforcing the need to plan migrations and assess their impact on compliance evidence.

Preparing for the CSCF v2026 assessment

For many organizations, the main challenge lies in ensuring alignment between:

– declared scope

– actual architecture

– available control evidence

With more components entering scope and increased scrutiny on back-office data flows, it is essential to:

– validate architecture classification

– identify indirect connectors

– map data flows accurately

– ensure traceability between controls and evidence

Addressing these aspects early helps avoid delays, rework, or compliance issues during the attestation process.

How Datasec can help

With extensive experience in information security and the financial sector, Datasec is a strategic partner for institutions required to comply with SWIFT requirements.

As a SWIFT Certified Provider, and with consultants accredited as Certified Assessors, Datasec is authorized to perform Customer Security Programme (CSP) Assessments.

Our approach goes beyond compliance verification. We help organizations:

– assess their architecture and control environment

– identify gaps and risks

– strengthen their overall security posture

We support SWIFT users in preparing and submitting their CSCF compliance attestations with confidence, backed by a trusted and experienced team.