SWIFT announces customer security standards to combat cyber fraud
by Kylene Casanova
As of Q2 2017, customers of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) will be required to use a set of core mandatory security standards, the organisation has announced.
They will also be required to demonstrate their compliance with the standards annually against the specified controls set out in an assurance framework. Compliance under this framework takes the form of self-attestation against 16 mandatory controls.
Compliance status will be made available to counterparts
Crucially, each customer's compliance status will be made available to their counterparts, says SWIFT, “ensuring transparency and allowing firms to assess risk of counterparts with whom they are doing business”. They will also have the option of disclosing their compliance with a further 11 non-mandatory controls.
The standards will apply to all customers connected to SWIFT, including those connected through service bureaus.
Non-compliant customers will be reported to regulators
Inspections and enforcement of the standards – as well as customers' compliance status – will begin on 1 January 2018. Any non-compliant customers will be reported to their regulators. SWIFT says it will also randomly select customers to provide additional assurance either from their internal or their external auditors.
Long haul
SWIFT Chairman Yawar Shah said: “We recognise that this will be a long haul, and will require industry-wide effort and investment, as well as active engagement with regulators. The growing cyber threat requires a concerted, community-wide response. This is also why the SWIFT board unanimously approved the framework and remains fully engaged in overseeing and driving the further development of SWIFT’s Customer Security Programme.”
The final standards will be published at the end of March 2017.
