Coffee Break Session:
What Is the SWIFT Customer Security Program?
Alexa Cook, Strategic Treasurer
Craig Jeffery, Strategic Treasurer
Episode Transcription - (Coffee Break Session Series) - Episode 46 - What is the SWIFT Customer Security Program
Alexa Cook 0:14
Hey guys, welcome to The Treasury Update Podcast Coffee Break Session, the show where we cover foundational Treasury topics and questions in about the same amount of time it takes you to drink your coffee. I am your host Alexa and I’m joined today with Craig Jeffrey, Managing Partner of Strategic Treasurer. Welcome back, Craig.
Craig Jeffery 0:33
Good day, Alexis. Good to talk with you again on these topics.
Alexa Cook 0:37
Yeah, so we’ve been discussing security, you know, in the last episode and now on today’s episode. So, today we’re really gonna pivot into SWIFT and the SWIFT customer security program or better known as the CSP, so can you go ahead and give us a high-level overview of what that is Craig?
Craig Jeffery 0:52
Yes, SWIFT CSP is the SWIFT customer security program, and it’s a security program for those that use the SWIFT network. So, it’s geared towards corporations that are on the SWIFT network and it’s designed to protect all of the end-points in the network to ensure safety of the network.
Alexa Cook 1:16
Okay, that makes sense. So, when did this program start?
Craig Jeffery 1:19
I think the official date was May 27th, 2016. So, at the time of this recording, it’s a little bit over five years. And each year, the requirements have increased the security level is increased reflecting broader more sophisticated attacks on companies of all sizes and it grew out of increased levels of fraud that were impacting network members and there’s been a number of newsworthy situations as well as secret situations where people who accessed the network had had their own internal system compromised, lost significant money or had significant attacks that may have resulted in a small or large loss. And so, this idea of insufficient security of the endpoints that access a network threaten the network and therefore the network needs to make sure all of the links are at an adequate level is really the concept of SWIFT CSP and some of these other security frameworks that are run by by payment and messaging networks.
Alexa Cook 2:24
That makes sense. I really like how you said that it’s kind of evolved to, you know from all ends up being secured to them, just all the links within the network being at that adequate level.
Craig Jeffery 2:33
You know it’s interesting because you know there were some issues and people like “Oh SWIFT ran into problems or there was a loss on the SWIFT network”. Well, no, there were end customers who had their systems compromised. They sent in delivered messages that move money out of their account to criminal parties accounts, but the messages were valid, delivered in a secure way, but the endpoint was compromised which, which led to a problem, but even that leads to can lead to a loss of confidence and so the idea of protecting everyone helps the network and helps raise the attention level of, we’ve got to protect payments, payment networks and messaging networks.
Alexa Cook 3:17
So, that kind of actually pivots into the next question which is, who should really care about SWIFT CSP specifically.
Craig Jeffery 3:24
Well, banks need to care about it for their particular corporate counterparts that use SWIFT for messaging for payment messages, etc., but also corporations who use SWIFT, they have a requirement to apply, and these requirements need to be met and attested to and reviewed or audited annually. And these requirements, continue to be strengthened each year, which means they’re higher-level requirements each year. So, it’s, you have to care about it if you’re part of that but more broadly, you need to care about it because this is the second major payment network that’s requiring participants to have higher level of security.
Alexa Cook 4:06
Yeah, that’s a great point. So really, I guess what can we learn from the customer security program that SWIFT has?
Craig Jeffery 4:12
Yeah, part of part of that I started on in my last response, but you know we see this as the second major payment or messaging network that added security standards to their participants as a bit of a repeat but this, this shows the expansion of fraud the success of the criminals attacking organizations, and that emphasizes the requirement, the need for more discipline around security, and more continual improvements around security. And so the human element, the human firewall as Adrian …. likes to say is part of this requirement as well. It’s not just about the endpoint, the surface attack areas access redundancy in their control framework but it also has a security training component that’s required on annual basis in and amongst a number of those technical requirements and again I say that again because we spoke about card security in your last podcast and that fraud helped to drive this standard and the security framework, and we do expect other payment channels and messaging channels to follow suit over time to require certain minimum standards for security to protect themselves but also protect the payment and messaging networks.
Alexa Cook 5:32
That makes sense and I feel like you really just started my recap on that, but I’ll just do a quick one anyway on SWIFT CSP so it’s really the SWIFT Customer Security Program that’s been in place since May of 2016, and it’s a program for using the SWIFT network or banks that are maybe using it for their corporate counterparts or even corporations that use it directly. And it’s designed to really protect all the points to ensure the safety of the network and I think we’ve, you know, kind of touched on it a little bit here about how it was, end to end, and then it really started to care more about those individual links to just make sure that the security level is 360 degrees or across the entire program. So, is there anything else you wanted to add to that Craig.
Craig Jeffery 6:14
Yeah, I’ll say one thing, I thought your summary was great, but it made me think of something else, which is this whole process of increased security between payment networks and those that are party to it, so like the banks and, and the corporation to participate is one aspect. But as we think about how we ensure our counterparts are protected there’s something that SWIFT does which I think is becoming, will become, more standard because there’s a communication method where you can expose, here are the results are at that station work each year on so CSP you can expose that to your bank counterparts, through their platform you can share the information so that a bank and say here’s my 400 customers I can see how when they’ve attested while we’re in any issues that they had when will they be remediated, and were they remediated, and they can share that information. And I think of a couple of factors that come up, you know, the more we deal with counterparts, the more detailed, you know, we have to be when we’re filling out security questionnaires and going through their security information, protocol, standards, questionnaires and it’s no we’re filling out dozens, 100’s sometimes 300 or 400 questions, and you have to update these, each year. Some of the mindset that SWIFT uses for sharing among the community gives you the right to say hey you can see my security standards. And, you know, we expect that aspect of being able to share security standards to help with the efficiency, filling out 300 questions for 20 counterparties is massive work, exposing your results from one place to your counterparties is easy. Comparatively, so it’s no we’re just finding ways to be more efficient in how we communicate our security among our counterparties I think that’s another key aspect that we’re sure that’s another podcast, but that was just the thought came to mind as we were talking.
Alexa Cook 8:27
Yeah, that’s great, thank you for adding that in Craig, and thanks for joining me today to talk about security and to all of our listeners thank you guys for joining us too. And make sure you tune back in every first and third Thursday of the month for a new episode. And if you have any questions or topics you want to cover or even just comment on the show you can always send us an email at firstname.lastname@example.org. Thanks again for joining me, Craig.
This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast, are not intended as legal business consulting or tax advice. For more information, visit and bookmark Strategictreasurer.com.