What the SWIFT CSP requires
The SWIFT Customer Security Programme (CSP) sets a baseline of security controls for every institution connected to the SWIFT network. Those controls live in the Customer Security Controls Framework, which groups mandatory and advisory controls across three objectives: secure your environment, know and limit access, and detect and respond. Every connected institution attests each year to which controls it meets, and the attestation is due by 31 December.
Rwanda's commercial banks are connected to the SWIFT network, so the programme applies to them, as it does to other banks and financial institutions across Africa on the network. The submission window on the SWIFT KYC-SA portal runs roughly from July to December, which is why most institutions schedule their supporting assessment in the second half of the year, with time to close gaps before they attest.
Independent assessment: internal versus external
Since 2021, a pure self-assessment is no longer compliant. The attestation must be supported by an independent assessment of the in-scope controls. There are two valid routes, and external is not the only one:
- Internal but independent: a team inside your organisation that is independent of the people who operate your SWIFT infrastructure, such as internal audit or a second-line security function
- External assessor: an external independent third party such as us, who reviews the controls without competing internal priorities and without sitting in the operational chain
We position ourselves as an external independent assessor, not as the only compliant path. Many institutions choose an external review to get an independent pair of eyes on the controls and to keep their own staff on operations. If you would rather assess internally, the programme allows it; we are simply the external option when you want one. At scoping, confirm with us the assessor qualifications you expect under SWIFT's Independent Assessment Framework; our strength is hands-on technical verification of the controls, and we will tell you plainly if your attestation route needs an audit-credentialled co-assessor.
What we deliver
We assess the in-scope controls against the Customer Security Controls Framework and test the technical controls by hand rather than by questionnaire, so the assessment reflects your live environment:
- Scoped control assessment: a control-by-control review of your in-scope components, mapped to your SWIFT architecture type
- Hands-on technical testing: verification of the technical controls in your environment, drawing on our penetration testing practice rather than relying on a checklist
- Attestation-ready report: control-by-control findings, gaps with prioritised remediation, and evidence structured to map onto the attestation you file
- Free retest: verification after you remediate, so you can attest against controls you have actually closed
- Live debrief: a walkthrough with your technical team and management, so the findings are understood, not just received
Why the testing credential matters here
An independent assessment is only as good as the person performing it. Our assessments are led by an OSCP-credentialled practitioner with red-team and penetration-testing experience inside a Tier-1 Nordic bank, a pan-African banking group, and a top-5 South African bank. That bank red-team background means the technical CSP controls are tested the way an attacker would probe them, not ticked off a form. If your environment also falls under Rwandan banking supervision, see our BNR-compliant penetration testing, and for the background on the programme, read our guide to SWIFT CSP compliance in Rwanda.
How an assessment runs
Scoping
We confirm your SWIFT architecture type and in-scope components, agree rules of engagement, and pin the assessment to the 31 December attestation deadline.
Assessment
Control-by-control review with hands-on testing of the technical controls, plus clear communication and immediate escalation of anything critical.
Reporting
An attestation-ready report: control-by-control findings, gaps, and prioritised remediation, structured to map onto what you submit.
Retest & attest
Free retest on remediated controls, so you attest against controls you have closed, ahead of your 31 December deadline.
Frequently asked questions
Does SWIFT CSP require an independent assessment?
When is the SWIFT CSP attestation due?
Can the independent assessment be done internally?
Who has to comply with the SWIFT CSP in Rwanda?
What do you deliver for a SWIFT CSP assessment?
How much does a SWIFT CSP independent assessment cost?
For the full scope of our manual testing across web, network, mobile, API, and cloud, see our penetration testing service, or read our guide to SWIFT CSP compliance in Rwanda.
Working to a 31 December attestation?
Tell us your SWIFT architecture and the date you are attesting toward. We reply within 24 hours, and a scoped proposal follows within 48 hours of the scoping call.