What Is SWIFT?

SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a cooperative endeavor formed by financial community members. SWIFT was founded in 1973 by 239 banks in 15 countries to standardize the format of financial information to make it easier to exchange that information between financial or corporate entities electronically. Since then, a SWIFT transaction has become the incumbent standard across the worldwide financial sector for funds transfers. Today over 11,000 institutions connect to SWIFT in more than 200 countries and territories. The SWIFTNet financial messaging system is a highly stable messaging network, with 99.999% availability. The standardization efforts of SWIFT have led to advances in automation and payments, including cross-border payments and real-time payments. Because of the security implications of transferring funds, SWIFT has developed a security framework known as the SWIFT Customer Security Controls Framework (CSCF).

The SWIFT system is a cooperative made up of actively involved stakeholders. As an organization, SWIFT is controlled by the central banks of Belgium, France, the United States, Canada, Germany, Italy, the Netherlands, Sweden, Switzerland, Japan, and the United Kingdom.

As well as standardizing financial messaging, SWIFT also provides a framework of security controls for SWIFT users; the SWIFT CSCF comprises advisory and mandatory security controls.

The SWIFT CSCF requires that organizations secure their environment using measures such as least-privilege access controls. The CSCF extends the protective measures to include robust responses and incident handling. Akamai security solutions provide intelligence and end-to-end protection to protect financial data from breaches and accidental exposure. Akamai helps your security teams to maximize the effectiveness and ROI of your security investments by moving beyond traditional endpoint detection to provide a powerful Zero Trust solution for the security and privacy of data. 

Akamai provides:

• A global security platform that enforces Zero Trust security with comprehensive coverage of your IT, IoT, and OT environments
• Deep visibility into assets, access, and network flows
• Granular enforcement of security policy

The increasing volumes and evolving complexity of fraud targeting the SWIFT network and the other payments systems has led to the creation of the SWIFT Customer Security Controls Framework (CSCF), part of their Customer Security Programme (CSP). CSCF is a security framework with mandatory and advisory security controls that apply to any financial institution that uses the SWIFT messaging system. Three objectives form the CSCF, and seven strategic security principles are under these objectives. The CSCF framework covers four SWIFT user architectures: A1, A2, A3, and B. The security controls required depend on which architecture a SWIFT user falls under.

Large, targeted SWIFT hacks, such as the 2016 Bangladesh central bank heist that involved over $81 million, led to the development of the CSCF cybersecurity framework to mitigate attacks on SWIFT customers. However, cybercriminals continue to target SWIFT, with a 2021 European Payments Council report recording examples of multi-vector cyberattacks exploiting the SWIFT-related banking infrastructure. The report points out some major data breaches involving bank card data based on targeted APT attacks against the SWIFT service bureau. In 2021, SWIFT updated its CSCF measures to restrict internet access from advisory to mandatory, along with more robust multi-factor authentication use during the presentation or when accessing a SWIFT-related service, application, or component operated by a service provider. The following institutions are required to adhere to SWIFT’s CSCF:

Financial institutions — Financial institutions that use the SWIFT messaging platform must abide by the mandatory controls of the CSCF. This means these institutions must have robust security controls protecting the organization against external and internal threats. The controls include protection from vulnerabilities to stop malware and ransomware infections, and segregation of roles and access privileges to protect sensitive data, credentials, and critical assets. One of the core principles behind the CSCF controls is that of least-privilege access management. By implementing a Zero Trust security model, financial organizations can secure their environment, protect against vulnerability exploitation, and manage identities and segregate privileges, bringing them in line with the CSCF.

Third parties and vendors — Any entity that helps financial institutions to process, store, or transmit SWIFT financial transaction information must also comply with the CSCF controls. The same Zero Trust security model will help these third-party entities adhere to the mandatory controls of SWIFT’s CSCF. In doing so, these vendors will protect their organization from supply chain targeted cyberattacks and other supply chain members, including the financial institutions they serve.

SWIFT CSCF compliance requires attestation through independent assessment. An organization must have the proper security measures to prepare for this assessment. Addressing SWIFT’s CSCF requires a systematic approach to security. A Zero Trust architecture supports the necessary mandatory and advisory controls of the SWIFT CSCF. It enforces the CSCF controls to merge technology and policy, and to enable security at a granular level that filters across the entire potential attack surface. Akamai provides a comprehensive solution family covering a broad range of the controls required by SWIFT CSCF. Akamai also supports SWIFT CSCF compliance by providing risk management, reporting, and documentation, all delivered using a Zero Trust strategy.

SWIFT provides three core messaging services:

FIN — FIN is the leading messaging service from SWIFT; it is designed to facilitate the exchange of individual structured messages using the MT/MX and ISO 15022 message formats. In addition, FIN performs message format validation, delivery monitoring, and storage and retrieval.

FileAct — FileAct is a system to support large and bulk structured file transfers, such as bulk payments files or securities value-added information.

InterAct — InterAct provides a non-repudiation service for XML-based financial messages, including SWIFT MX and ISO 20022 formatted messages.

SWIFT GPI — Over 4,000 financial institutions have signed up for SWIFT GPI, a cross-border payments platform. The platform is optimized for fast payments and provides tracking capability.

SWIFT GPI Instant — SWIFT GPI Instant combines instant payments of SWIFT GPI with domestic real-time payment networks to make cross-border payments fast and seamless.

SWIFT Go — SWIFT Go is a standard for low-value international payments.

SWIFT works with ISO to develop standards: 

• ISO 15022: used for securities settlement and asset servicing.
• ISO 20022: a new open global messaging standard that applies to all financial industry processes.

SWIFT is not responsible for monitoring or controlling SWIFT messages sent through the SWIFT system. Instead, financial transactions that fall under sanctions are determined by the financial institutions and national authorities that oversee them. The financial sanctions that were applied during Russia’s invasion of Ukraine were enforced by national entities; for example, the European Union agreed to exclude key Russian banks from the SWIFT system.