As part of its Customer Security Programme (CSP), SWIFT has updated its security requirements for clients and released the Customer Security Controls Framework (CSCF) v2026. This article provides a summary of the latest changes and guidance on how to prepare.

The financial sector remains a prime target for cybercriminals, and compliance standards are updated continuously in response. Each year, SWIFT revises its CSCF, which can affect payment operations and the technology that supports them. These updates apply to every organisation that uses SWIFT. To meet the 2026 requirements, businesses must undergo an independent review confirming that, at a minimum, all mandatory controls are in place before completing their attestation. Advisory controls are recommended as good practice and as preparation for the point at which they become mandatory.

Understanding the Customer Security Controls Framework (CSCF)

The framework consists of 32 security controls – 26 mandatory and 6 advisory in v2026, control 2.4 having moved from advisory to mandatory – structured around key objectives to strengthen the security of SWIFT users’ infrastructure. These controls serve as the basis for independent security assessments and for the required Know Your Customer-Security Attestation (KYC-SA), which all SWIFT users must complete.

What are the Main New Features of SWIFT CSCF v2026?

By way of background, the previous update (CSCF v2025) introduced no major changes, focusing instead on minor adjustments and clarifications to improve understanding and consistency. Unlike previous years, no advisory controls were elevated to mandatory status in v2025, and SWIFT indicated that the overall requirement level would remain stable after successive increases in recent updates. Uncharacteristically, SWIFT announced at that time that control 2.4 would become mandatory in 2026.

The latest update to SWIFT’s Customer Security Controls Framework (CSCF) for 2026 introduces one major change alongside a series of more minor changes. One advisory control has been elevated to mandatory status; the details can be found below.

  • Control 2.4 (Back Office Data Flow Security) is now mandatory – This change was announced ahead of v2025. The control requires encryption of the data flows between an organisation’s general IT environment and its secure SWIFT infrastructure, including flows that pass through a bridging server. Relatively new direct connections, and connections from SWIFT connector servers to a bridging server, must be protected by encryption. Not all back-office flows require additional controls yet: legacy direct connections, and the first hop from a bridging server towards the back office, are not yet mandatory, but SWIFT has indicated that it expects these to become mandatory in v2028.

  • Extending the definition of a SWIFT customer connector – In v2025, SWIFT realigned some of its architecture definitions. V2026 adapts these definitions further: a service provider’s resource is now included in the definition of a system-to-system connection. As a result, if your third party provides middleware such as an API or a file transfer facility, you must now be assessed against architecture type A4.
Smaller Changes and Clarifications 

  • Updated cryptography requirements. SWIFT has introduced minimum key size requirements alongside new cipher requirements. There are also new requirements for PKI certificates and key algorithms. TLS must now be version 1.2 or higher, and SSH must use version 2 (SSH-2).
  • Additional requirements for hardening Windows machines in control 2.3 – Windows Management Instrumentation (WMI) and PowerShell must be restricted.
  • Organisations can now use SWIFT Universal Confirmation data to satisfy control 2.9.
  • Luna backup device Hardware Security Modules (HSMs) are now in scope of controls 3.1 and 5.4. 
  • Alliance Left and Right Security Officer (LSO and RSO) accounts are now regarded as privileged accounts and so to comply with control 4.2 must have MFA enabled, and to comply with control 2.10 access to these accounts must be hardened.
  • MFA must also now be applied to administrator access to external firewalls.
  • Wherever technically possible, non-Windows systems located within a secure zone, or hosting a customer connector, must now have anti-malware installed.
  • Security awareness training for control 7.2 must now include Deepfake technology awareness training to complement existing training requirements.
  • For control 7.3A, SWIFT now provides guidance on the scope and testing scenarios of penetration tests. SWIFT suggests three scenarios, all of which must be covered within a three-year penetration testing cycle.
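The cryptography bullet above (TLS 1.2 or higher, SSH-2 only, minimum key sizes) is the one item in this list that can be checked mechanically before an assessor arrives. The script below is an added example written for this article; it is not code from SWIFT or from AJC, and the CSCF does not prescribe it. It lints an OpenSSH sshd_config and an nginx TLS stanza for SSH-1, legacy TLS versions and weak SSH algorithms, applies a key-size floor, and builds a client-side TLS context that cannot negotiate below 1.2. The key-size thresholds, the weak-algorithm lists and the sample configs are assumptions constructed for illustration; substitute the figures from the v2026 control text.

```python
"""Config audit against a TLS 1.2+ / SSH-2 / minimum-key-size baseline.

Added example, not part of the CSCF or of the article's source. The
thresholds and weak-algorithm lists below are assumptions for illustration.
"""
import re
import ssl

# Assumed minimum key sizes (bits); replace with the values in the control text.
MIN_KEY_BITS = {"rsa": 2048, "ecdsa": 256, "ec": 256}
KEYS_WITHOUT_SIZE = {"ed25519"}

# SSH algorithms a hardening baseline typically forbids (assumed list).
WEAK_SSH_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256",
                    "blowfish-cbc", "cast128-cbc", "aes128-cbc", "aes256-cbc"}
WEAK_SSH_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                "diffie-hellman-group-exchange-sha1"}
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _directives(text):
    """Yield (keyword, value) pairs from a config, skipping blanks and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def _algos(value):
    """Split a comma-separated list, dropping OpenSSH's +/-/^ list modifiers."""
    return [a.strip().lstrip("+-^") for a in value.split(",") if a.strip()]


def audit_sshd_config(text):
    """Return findings for an sshd_config: SSH-1 enabled, weak ciphers or KEX."""
    findings = []
    for key, value in _directives(text):
        if key == "protocol" and "1" in _algos(value):
            findings.append("Protocol allows SSH-1; only SSH-2 is permitted")
        elif key == "ciphers":
            weak = sorted(set(_algos(value)) & WEAK_SSH_CIPHERS)
            if weak:
                findings.append("weak SSH ciphers enabled: " + ", ".join(weak))
        elif key == "kexalgorithms":
            weak = sorted(set(_algos(value)) & WEAK_SSH_KEX)
            if weak:
                findings.append("weak SSH key exchange enabled: " + ", ".join(weak))
    return findings


def audit_tls_protocols(nginx_text):
    """Return legacy protocol names enabled by any 'ssl_protocols' directive."""
    legacy = []
    for match in re.finditer(r"ssl_protocols\s+([^;]+);", nginx_text):
        for proto in match.group(1).split():
            if proto in LEGACY_TLS:
                legacy.append(proto)
    return legacy


def key_meets_baseline(algorithm, bits=None):
    """True if a certificate or host key meets the assumed size floor."""
    algo = algorithm.lower()
    if algo in KEYS_WITHOUT_SIZE:
        return True
    floor = MIN_KEY_BITS.get(algo)
    return floor is not None and bits is not None and bits >= floor


def hardened_client_context():
    """Client SSLContext that refuses to negotiate anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_meets_baseline(ctx):
    """True if the context's negotiable floor is TLS 1.2 or higher."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


# Constructed samples for demonstration; not taken from any real host.
SAMPLE_SSHD = """# constructed sshd_config fragment
Protocol 2,1
Ciphers +aes128-cbc,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
HostKey /etc/ssh/ssh_host_ed25519_key
"""
SAMPLE_NGINX = """# constructed nginx TLS stanza
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
"""

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD):
        print("SSH:", finding)
    print("TLS legacy protocols enabled:", audit_tls_protocols(SAMPLE_NGINX))
    print("RSA-1024 meets baseline:", key_meets_baseline("RSA", 1024))
    print("Client context floor is TLS 1.2+:",
          context_meets_baseline(hardened_client_context()))
```

Run it against your own sshd_config and web-server TLS stanza before the assessment, and treat every finding as a mandatory-control gap rather than a recommendation; note that modern OpenSSH ignores a Protocol directive entirely, so the SSH-1 check matters mainly on older appliances and bridging servers.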

Download our full summary of changes to SWIFT CSCF v2026 below.


    Are you Ready for Compliance v2026?

    It is essential for SWIFT users to align their security controls with CSCF requirements and undergo annual compliance verification. SWIFT requires an independent review of at least all mandatory controls within the attestation process to ensure reliability, consistency, and accuracy in security assessments.

    Ensure timely resolution of any non-compliance issues before you attest against v2026 with our SWIFT Compliance Assessment. AJC offers comprehensive cybersecurity services, including assistance in evaluating your position against the SWIFT Customer Security Programme. Our SWIFT assessment reviews your current security posture and offers clear, actionable recommendations to help you meet the v2026 requirements.

    Please contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.


    Image accreditation: Philipp Katzenberger (January 2019) from Unsplash.com. Last accessed on 12th March 2024. Available at: https://unsplash.com/photos/closeup-photo-of-turned-on-blue-and-white-laptop-computer-iIJrUoeRoCQ
