No, SWIFT is not a bank. SWIFT is a messaging network used by banks and other financial institutions to securely transmit information and instructions using a standardized system of codes.
SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a cooperative endeavor formed by financial community members. SWIFT was founded in 1973 by 239 banks in 15 countries to standardize the format of financial information, making it easier to exchange that information electronically between financial or corporate entities. Since then, SWIFT has become the incumbent standard across the worldwide financial sector for funds transfers. Today over 11,000 institutions connect to SWIFT in more than 200 countries and territories. The SWIFTNet financial messaging system is a highly stable messaging network, with 99.999% availability. The standardization efforts of SWIFT have led to advances in automation and payments, including cross-border payments and real-time payments. Because of the security implications of transferring funds, SWIFT has developed a security framework known as the SWIFT Customer Security Controls Framework (CSCF).
Background on SWIFT
The SWIFT system is a cooperative made up of actively involved stakeholders. As an organization, SWIFT is controlled by the central banks of Belgium, France, the United States, Canada, Germany, Italy, the Netherlands, Sweden, Switzerland, Japan, and the United Kingdom.
As well as standardizing financial messaging, SWIFT also provides a framework of security controls for SWIFT users; the SWIFT CSCF comprises advisory and mandatory security controls.
How Akamai helps organizations comply with SWIFT CSCF
The SWIFT CSCF requires that organizations secure their environment using measures such as least-privilege access controls. The CSCF extends the protective measures to include robust responses and incident handling. Akamai security solutions provide intelligence and end-to-end protection to keep financial data safe from breaches and accidental exposure. Akamai helps your security teams to maximize the effectiveness and ROI of your security investments by moving beyond traditional endpoint detection to provide a powerful Zero Trust solution for the security and privacy of data.
Akamai provides:
- A global security platform that enforces Zero Trust security with comprehensive coverage of your IT, IoT, and OT environments
- Deep visibility into assets, access, and network flows
- Granular enforcement of security policy
The SWIFT CSCF (Customer Security Controls Framework)
The increasing volume and evolving complexity of fraud targeting the SWIFT network and other payment systems have led to the creation of the SWIFT Customer Security Controls Framework (CSCF), part of SWIFT's Customer Security Programme (CSP). The CSCF is a security framework with mandatory and advisory security controls that apply to any financial institution that uses the SWIFT messaging system. The CSCF is built on three objectives, with seven strategic security principles grouped under them. The framework covers four SWIFT user architectures: A1, A2, A3, and B. The security controls required depend on which architecture a SWIFT user falls under.
Objective 1: Secure your environment
- Restrict internet access and protect critical systems from the general IT environment
- Reduce the attack surface and vulnerabilities
- Physically secure the environment
Objective 2: Know and limit access
- Prevent compromise of credentials
- Manage identities and segregate privileges
Objective 3: Detect and respond
- Detect anomalous activity in system or transaction records
- Plan for incident response and information sharing
How does SWIFT CSCF affect your organization?
Large, targeted SWIFT hacks, such as the 2016 Bangladesh central bank heist that involved over $81 million, led to the development of the CSCF cybersecurity framework to mitigate attacks on SWIFT customers. However, cybercriminals continue to target SWIFT, with a 2021 European Payments Council report recording examples of multi-vector cyberattacks exploiting the SWIFT-related banking infrastructure. The report points out some major data breaches involving bank card data based on targeted APT attacks against the SWIFT service bureau. In 2021, SWIFT updated its CSCF, moving the measures to restrict internet access from advisory to mandatory, along with more robust multi-factor authentication use during the presentation or when accessing a SWIFT-related service, application, or component operated by a service provider.
The following institutions are required to adhere to SWIFT’s CSCF:
Financial institutions — Financial institutions that use the SWIFT messaging platform must abide by the mandatory controls of the CSCF. This means these institutions must have robust security controls protecting the organization against external and internal threats. The controls include protection from vulnerabilities to stop malware and ransomware infections, and segregation of roles and access privileges to protect sensitive data, credentials, and critical assets. One of the core principles behind the CSCF controls is that of least-privilege access management. By implementing a Zero Trust security model, financial organizations can secure their environment, protect against vulnerability exploitation, and manage identities and segregate privileges, bringing them in line with the CSCF.
Third parties and vendors — Any entity that helps financial institutions to process, store, or transmit SWIFT financial transaction information must also comply with the CSCF controls. The same Zero Trust security model will help these third-party entities adhere to the mandatory controls of SWIFT’s CSCF. In doing so, these vendors will protect their own organization, as well as other supply chain members, including the financial institutions they serve, from cyberattacks that target the supply chain.
How does Akamai help with SWIFT CSCF compliance?
SWIFT CSCF compliance requires attestation through independent assessment. An organization must have the proper security measures to prepare for this assessment. Addressing SWIFT’s CSCF requires a systematic approach to security. A Zero Trust architecture supports the necessary mandatory and advisory controls of the SWIFT CSCF. It enforces the CSCF controls to merge technology and policy, and to enable security at a granular level that filters across the entire potential attack surface. Akamai provides a comprehensive solution family covering a broad range of the controls required by SWIFT CSCF. Akamai also supports SWIFT CSCF compliance by providing risk management, reporting, and documentation, all delivered using a Zero Trust strategy.
SWIFT messaging services
SWIFT provides three core messaging services:
FIN — FIN is the leading messaging service from SWIFT; it is designed to facilitate the exchange of individual structured messages using the MT/MX and ISO 15022 message formats. In addition, FIN performs message format validation, delivery monitoring, and storage and retrieval.
FileAct — FileAct is a system to support large and bulk structured file transfers, such as bulk payments files or securities value-added information.
InterAct — InterAct provides a non-repudiation service for XML-based financial messages, including SWIFT MX and ISO 20022 formatted messages.
Other SWIFT initiatives
SWIFT GPI — Over 4,000 financial institutions have signed up for SWIFT GPI, a cross-border payments platform. The platform is optimized for fast payments and provides tracking capability.
SWIFT GPI Instant — SWIFT GPI Instant combines instant payments of SWIFT GPI with domestic real-time payment networks to make cross-border payments fast and seamless.
SWIFT Go — SWIFT Go is a standard for low-value international payments.
ISO and SWIFT
SWIFT and sanctions
SWIFT is not responsible for monitoring or controlling SWIFT messages sent through the SWIFT system. Instead, financial transactions that fall under sanctions are determined by the financial institutions and national authorities that oversee them. The financial sanctions that were applied during Russia’s invasion of Ukraine were enforced by national entities; for example, the European Union agreed to exclude key Russian banks from the SWIFT system.
Frequently Asked Questions (FAQ)
SWIFT stands for Society for Worldwide Interbank Financial Telecommunication. It is a network to facilitate financial institutions’ payment instructions worldwide when they send and receive information about financial transactions; SWIFT performs these transactions in a secure, standardized, and reliable environment. SWIFT provides a unique business identifier code (BIC) that is used to identify banks across the banking system and financial institutions globally.
SWIFT does not transfer money; it acts as a set of messaging rails to facilitate financial transactions. In summary, SWIFT uses codes (SWIFT code / BIC code) to communicate money transfers between banks. SWIFT expedites the transfer of monies between an individual and a business as electronic transfers or credit card payments. Because of the standardization of SWIFT messages, cross-border payments are seamless. This standardization has allowed SWIFT to become highly scalable and dominant in the financial messaging arena.