SWIFT Public Key Infrastructure (PKI) certificates are cryptographic credentials used to secure communications over the SWIFT network. Let’s evaluate each option:

•Option A: Asymmetric signing and encryption end to end

This is correct. SWIFT PKI certificates utilize asymmetric cryptography (public and private key pairs) for both signing and encryption. Signing ensures the authenticity and integrity of messages (e.g., verifying the sender), while encryption provides confidentiality end to end—from the sender’s environment to the receiver’s environment across the SWIFT network. This end-to-end security is achieved using PKI certificates managed by Hardware Security Modules (HSMs), as mandated by CSCF Control "1.3 Cryptographic Failover." SWIFT documentation confirms that PKI supports full message security throughout the transmission process.

•Option B: Asymmetric signing and encryption end to SWIFT only

This is incorrect. The security provided by PKI certificates extends beyond just the connection to SWIFT (e.g., to the SWIFT Secure IP Network). It covers the entire message journey, including the recipient’s environment, ensuring end-to-end protection rather than stopping at SWIFT’s boundary.

•Option C: Symmetric encryption only

This is incorrect. SWIFT PKI relies on asymmetric cryptography for key exchange and signing, not symmetric encryption alone. While symmetric encryption may be used internally (e.g., for session keys derived from asymmetric key exchange), the PKI certificates themselves are based on asymmetric algorithms (e.g., RSA), as outlined in SWIFT’s security guidelines.

•Option D: Asymmetric signing only

This is incorrect. PKI certificates are used for both asymmetric signing (for authenticity and integrity) and encryption (for confidentiality), not just signing. The dual purpose is essential for the secure transmission of SWIFT messages.

Summary of Correct Answer:

SWIFT PKI certificates are used for asymmetric signing and encryption end to end (A), ensuring comprehensive security.

References to SWIFT Customer Security Programme Documents:

•SWIFT Customer Security Controls Framework (CSCF) v2024: Control 1.3 specifies the use of PKI for end-to-end security.

•SWIFT Security Guidelines: Details PKI usage for asymmetric signing and encryption.

•SWIFT PKI Documentation: Confirms end-to-end cryptographic protection using PKI certificates.

========

The "Outsourcing Agents - Security Requirements Baseline v2025" and "Independent Assessment Framework" address reliance on outsourcing agents’ assessments. Let’s evaluate each option:

•Option A: Yes, after confirmation and validation of the scope

This is correct. The SWIFT user can rely on the outsourcing agent’s independent assessment report if it covers the relevant CSP components and uses the latest CSCF version. However, the user’s assessor must confirm and validate the scope and findings to ensure alignment with the user’s attestation, as per the "Independent Assessment Process for Assessors Guidelines."

•Option B: Yes, only if the outsourcing agent is a global trusted provider and published the report on their compliance portal

This is incorrect. The CSP does not require the outsourcing agent to be a "global trusted provider" or publish the report publicly; validation by the user’s assessor is sufficient.

•Option C: No, an audit report (and not an assessment) is required from the outsourcing agent as an external provider

This is incorrect. An independent assessment report is acceptable, not necessarily an audit report, as long as it meets CSCF standards, per the "Outsourcing Agents - Security Requirements Baseline v2025."

•Option D: No, except if the cloud provider components are partially covered by the SWIFT Alliance Connect Virtual programme

This is incorrect. The Alliance Connect Virtual programme’s coverage is irrelevant; the key is the report’s validity and scope validation.

Summary of Correct Answer:

The report is sufficient after confirmation and validation of the scope (A).

References to SWIFT Customer Security Programme Documents:

•Outsourcing Agents - Security Requirements Baseline v2025: Allows reliance on agent assessments.

•Independent Assessment Process for Assessors Guidelines: Requires scope validation.

•Swift_CSP_Assessment_Report_Template: Supports integrated reporting.

========

Alliance Gateway (SAG) is a SWIFT product that facilitates connectivity between messaging interfaces and the SWIFT network. Let’s evaluate the statement:

•A messaging interface in SWIFT terminology refers to applications like Alliance Access (SAA) or Alliance Entry, which are responsible for creating, validating, and processing SWIFT messages (e.g., FIN MT messages). These interfaces handle the business logic of message flows, interfacing with back-office systems and preparing messages for transmission.

•Alliance Gateway, however, is classified as a communication interface. It acts as a hub to consolidate message flows from multiple messaging interfaces (e.g., Alliance Access) and connects them to the SWIFT network via SwiftNet Link (SNL). SAG does not create or process messages; it manages their transport, ensuring secure transmission over the SWIFT Secure IP Network (SIPN). This distinction is clear in SWIFT documentation, where SAG is described as a connectivity layer, not a messaging interface.

•The CSCF reinforces this separation by applying specific controls to messaging interfaces (e.g., "2.1 Internal Data Transmission Security" for Alliance Access) and communication interfaces (e.g., "1.1 SWIFT Environment Protection" for SAG). Since SAG does not perform the functions of a messaging interface, the statement is false.

Summary of Correct Answer:

Alliance Gateway is a communication interface, not a messaging interface, making the statement false.

References to SWIFT Customer Security Programme Documents:

•SWIFT Customer Security Controls Framework (CSCF) v2024: Differentiates messaging interfaces (Control 2.1) from communication interfaces (Control 1.1).

•SWIFT Alliance Gateway Documentation: Describes SAG as a communication interface for SWIFTNet connectivity.

•SWIFT Architecture Glossary: Clarifies the roles of messaging interfaces (e.g., Alliance Access) versus communication interfaces (e.g., Alliance Gateway).

========

The SWIFT CSP defines architecture types (A1 to A4) based on the components a user owns and manages, as outlined in the "CSP Architecture Type - Decision tree" and "Swift Customer Security Controls Framework v2025." These types determine the applicable security controls and assessment requirements. Let’s analyze the scenario:

•A local communication interface refers to a component like Alliance Gateway (SAG), which manages connectivity to the SWIFT network via SwiftNet Link (SNL) and VPN boxes. The user owns this interface locally as their main channel.

•A connector (or customer connector) is a custom application or integration layer that connects to SWIFT services, often used as an alternative or backup channel. In this case, it serves as a contingency backup.

•The architecture types are:

oA1: Full stack (owns messaging interface, communication interface, and network components, e.g., Alliance Access, Alliance Gateway, VPN boxes).

oA2: Owns a customer connector and communication interface, with the messaging interface hosted elsewhere (e.g., by a service bureau or SWIFT).

oA3: Owns only a customer connector, relying on external communication and messaging interfaces.

oA4: Uses a fully hosted solution (e.g., Alliance Cloud or Lite2), owning no local components.

•The scenario indicates the user owns a local communication interface (e.g., SAG) as the primary channel and a connector as a backup. However, there is no mention of owning a messaging interface (e.g., Alliance Access) locally. This suggests the messaging interface is likely hosted externally (e.g., by a service bureau or SWIFT), which aligns with the A2 architecture type. The "CSP Architecture Type - Decision tree" classifies A2 as a user with a communication interface and a customer connector, where the messaging interface is not locally owned. The backup connector does not change the primary architecture type, as it is an additional component within the A2 framework.

•Option A: A1

This is incorrect. A1 requires ownership of a messaging interface (e.g., Alliance Access), which is not mentioned.

•Option B: A2

This is correct. A2 fits the scenario of owning a communication interface and a customer connector, with the messaging interface potentially hosted elsewhere.

•Option C: A3

This is incorrect. A3 involves only a customer connector, not a communication interface.

•Option D: A4

This is incorrect. A4 applies to fully hosted solutions with no local ownership of connectors or interfaces.

Summary of Correct Answer:

The SWIFT user with a local communication interface as the main channel and a connector as a backup is of architecture type A2 (B).

References to SWIFT Customer Security Programme Documents:

•Swift Customer Security Controls Framework v2025: Defines architecture types A1-A4.

•CSP Architecture Type - Decision tree: Classifies A2 for communication interface and customer connector ownership.

•Assessment template for Mandatory controls: Applies to A2 architecture.

========

This question determines the minimum number of Swift Security Officers (SOs) required by an organization under theSwift Customer Security Programme (CSP).

Step 1: Understand Security Officer Requirements

TheSwift Customer Security Controls Framework (CSCF) v2024, underControl 2.3: System Access Control, and theSwift User Handbookoutline the roles and minimum requirements for Security Officers, who manage security settings and keys.

Step 2: Analyze the Requirement

TheSwift User HandbookandSwift Security Best Practicesspecify that at least two Security Officers are required to ensure segregation of duties and continuity (e.g., in case one is unavailable).

This minimum is enforced to prevent single points of failure and align withControl 2.3, which mandates multi-factor authentication and role separation for privileged access.

Step 3: Evaluate Each Option

A. 1: Insufficient, as a single SO risks unavailability or lack of segregation, perSwift Security Best Practices.Conclusion: Incorrect.

B. 2: Meets the minimum requirement for redundancy and segregation, as stated in theSwift User Handbook.Conclusion: Correct.

C. 3: Exceeds the minimum but is not required unless the organization’s risk assessment demands it, per theCSCF v2024.Conclusion: Incorrect (not minimum).

D. 4: Also exceeds the minimum, not mandated as a baseline.Conclusion: Incorrect (not minimum).

Step 4: Conclusion and Verification

The correct answer isB, as theCSCF v2024andSwift User Handbookmandate a minimum of two Swift Security Officers.

References

Swift Customer Security Controls Framework (CSCF) v2024, Control 2.3: System Access Control.

Swift User Handbook, Section: Security Officer Roles.

Swift Security Best Practices, Section: Segregation of Duties.

This question addresses the obligations of a Swift user who has switched from one Service Bureau (SB) to another under the Customer Security Programme (CSP).

Step 1: Understand CSP Obligations for Changes

TheSwift Customer Security Controls Framework (CSCF) v2024andIndependent Assessment Frameworkrequire Swift users to maintain accurate and up-to-date information regarding their infrastructure,including changes in service providers like Service Bureaus. Such changes may impact compliance and architecture types.

Step 2: Evaluate Each Option

A. To inform the SB certification office at Swift WWThere is no specific "SB certification office" mentioned in theCSCF v2024orSwift CSP Guidelines. Notifications are typically handled through attestation updates, not a dedicated office.Conclusion: Incorrect.

B. To reflect that in the next attestation cycleWhile changes must be reflected in attestations, delaying this until the next cycle (e.g., annually) is insufficient if the change affects compliance. TheSwift CSP Compliance Guidelinesrequire timely updates for significant changes.Conclusion: Incorrect.

C. None if there is no impact in the architecture typeEven if the architecture type (e.g., A2, A4) remains unchanged, a switch in Service Bureau may affect security controls, vendor management, or connectivity. TheCSCF v2024underControl 1.1: Swift Environment Protectionrequires users to report changes that could impact compliance, regardless of architecture type.Conclusion: Incorrect.

D. To submit an updated attestation reflecting this change within 3 monthsTheSwift CSP Compliance GuidelinesandIndependent Assessment Frameworkmandate that significant changes (e.g., switching Service Bureaus) be reported through an updated attestation within 3 months. This ensures Swift is informed of potential compliance impacts and allows for review.Conclusion: Correct.

Step 3: Conclusion and Verification

The correct answer isD, as theCSCF v2024andSwift CSP Compliance Guidelinesrequire an updated attestation within 3 months to reflect a change in Service Bureau.

References

Swift Customer Security Controls Framework (CSCF) v2024, Control 1.1: Swift Environment Protection.

Swift Independent Assessment Framework, Section: Change Reporting.

Swift CSP Compliance Guidelines, Section: Timely Updates.

The SWIFT Customer Security Controls Framework (CSCF) defines the scope of components that must comply with its security controls, particularly those handling SWIFT-related data or connectivity. Let’s analyze the scenario:

•A Treasury Management System (TMS) application is a back-office system used to manage financial operations, such as payments or liquidity management. A customer connector is a custom application or integration layer that connects the user’s systems (e.g., TMS) to the SWIFT infrastructure, in this case via a Service Bureau. The hosting system is the physical or virtual machine on which both applications are installed.

•The TMS and customer connector are on the same machine, and the customer connector connects to a Service Bureau, which hosts the SWIFT communication infrastructure (e.g., Alliance Gateway).

•CSCF Scope: The "Swift Customer Security Controls Framework v2025" and "CSP Architecture Type - Decision tree" define the scope as including:

oCustomer connectors: These are in scope because they facilitate SWIFT connectivity (e.g., sending/receiving SWIFT messages), even if connecting via a Service Bureau.

oSystems hosting in-scope components: The hosting system (machine) is in scope because it runs the customer connector, which is directly involved in SWIFT data flows.

oBack-office systems (e.g., TMS): Normally, back-office systems are out of scope unless they are closely integrated with SWIFT infrastructure. In this case, the TMS is installed on the same machine as the customer connector, creating a shared environment. The CSCF considers systems in the same environment as in-scope if they could impact the security of SWIFT-related components (e.g., Control "1.1 SWIFT Environment Protection").

•Service Bureau Context: Connecting to a Service Bureau (architecture type A2) does not exempt the local components from CSCF scope. The "Independent Assessment Framework" requires assessing all local components that interact with SWIFT, even if the communication layer is outsourced.

•Option A: The TMS application, the customer connector, and the hosting system are in the scope of the CSCF

This is correct. The customer connector is explicitly in scope as it handles SWIFT data flows. The hosting system is in scope because it runs the connector. The TMS, while typically a back-office system, is in scope because it shares the same machine, creating a risk of lateral movement or privilege escalation (e.g., CSCF Control "1.1"). The "CSP_controls_matrix_and_high_test_plan_2025" includes shared environments in the assessment scope.

•Option B: Only the customer connector application is in scope of the CSCF. The TMS application is a back-office

This is incorrect. While the TMS is a back-office system, its co-location on the same machine as the customer connector brings it into scope due to shared risks, as per CSCF guidelines.

•Option C: The TMS application is the highest risk and must be secured appropriately. The customer connector should be secured on a best effort basis

This is incorrect. The CSCF does not prioritize the TMS as the "highest risk" nor suggest "best effort" security for the customer connector. Both components must be secured per mandatory controls when in scope.

•Option D: The TMS application, the customer connector, and the hosting system are in scope only if they connect directly to SWIFT, not towards a Service Bureau

This is incorrect. The CSCF scope includes components connecting via a Service Bureau, as they still handle SWIFT data and are part of the user’s architecture (e.g., A2).

Summary of Correct Answer:

The TMS application, customer connector, and hosting system are all in scope of the CSCF (A) due to their shared environment and connectivity to SWIFT via a Service Bureau.

References to SWIFT Customer Security Programme Documents:

•Swift Customer Security Controls Framework v2025: Control 1.1 includes shared environments in scope.

•CSP Architecture Type - Decision tree: Classifies A2 for Service Bureau setups with local connectors.

•Independent Assessment Framework: Requires assessing all components in shared environments.

========