Swift CSP Ebook October 2021
1.0 Overview
2.0 Combatting the cyber threat with CSP attestation data
3.0 Collecting and assessing attestation data
4.0 Handling non-compliance
5.0 Success factors
5.1 Methodology
5.2 Resources
5.3 Communication
5.4 Tools and processes
5.5 Community
6.0 Best practices: A planning and execution checklist
7.0 Conclusion
Ebook | Unlocking the value of your counterparties’ CSP attestation data 3
Overview
financial institutions has never been greater.

institutions need to have the right controls in place to protect their own organisations — and they also need to understand the risks associated with their counterparties.

own security controls, you can also access your counterparties’ attestation data – and thereby tap into another data point to help you manage counterparty risk.

are leading the way in this field share the insights they have learned along the way, and some key success factors that can help you and your organisation get additional value from counterparty attestation data.
Combating the cyber threat with CSP attestation data

Cybercrime continues to present a major challenge for financial institutions. In today’s environment, you need to have robust defences in place to protect yourself from attacks. And, as attacks such as the

93-99% average compliance rate for individual mandatory controls in 2020.

Introduced in 2016, SWIFT’s Customer Security Programme (CSP) aims to
Requesting counterparty data

As well as submitting your own attestations, you can also request attestation data from counterparties in order to find out whether those counterparties are compliant with CSP controls.

The work of the Counterparty Cyber Risk Management Forum (CCRM) has been key to developments in this area. Comprising entities in the SWIFT community, it was formed in early 2019. A CCRM guide was also published, focused on the sharing and integration of counterparties’ cyber risk data into institutions’ existing risk management processes.

This practice benefits the financial community in several ways.

1. Counterparties: Counterparties that allow attestation data to be used in this way can raise their profile and engender trust with other entities by demonstrating a ‘clean bill of health.’ Without this, financial institutions could find they are subject to additional security measures when doing business.

2. Supervisors: Supervisors benefit from a stronger ecosystem if their supervised entities allow their attestation data to be used.

Learn from the early adopters

Many institutions may wish to use their counterparties’ attestation data to better manage risks, but don’t always know where to start. Now there is an opportunity to learn from leading financial institutions that have taken the initiative and are already using CSP attestation data to gain more insights into their counterparties.

Following on from our previous publication, Assessing Cybersecurity Counterparty Risk – A Getting Started Guide, and building on the information and good practices shared by the CCRM forum, this ebook explores how you can use counterparty attestation data to measure risk more effectively. In the following pages, leading institutions share the insights they have gained as early adopters. They also identify some key success factors that can help others make the most of counterparty attestation data – from the methodology and processes needed, to the importance of communicating effectively with internal and external stakeholders.
Collecting and assessing attestation data

interact and do business with those counterparties.

may approach the task in different ways. Some request attestation data from all their counterparties, whereas others focus on specific groups such as high-risk countries.
Handling non-compliance

While financial institutions report that most of their counterparties are

You’ll need to decide for yourself how to handle each of these scenarios. In some cases, this may mean initiating a one-to-one

compliance in the following ways:

“We’ve drawn a line in the sand, which basically says that if a counterparty does not comply with all mandatory controls, we will not onboard them – we’re quite upfront about that,” says Tony Valente, Senior Manager, Economic Crime Prevention, Commercial Banking, Lloyds Bank. “I think there’s a bit more complexity with existing relationships. That’s where we really have to understand the other factors, and see if there’s anything else we can draw comfort from.”

missing controls.

However, as Abiola notes, there are still options available when it comes to addressing a shortfall in controls. “If you don’t have those choices, and the only partner you depend on in a particular country doesn’t have those strong controls, how do you make a decision about that? It might be that you focus on working it out with that bank, or improving the dialogue,” he explains.

Enhancing CSP processes

data. However, this issue was largely addressed with the introduction of the
Success factors

5.1 Methodology
5.2 Resources
5.3 Communication
5.4 Tools and processes
5.5 Community
5.2 Resources

As with any project, it’s essential to have the right resources in place. An important step is getting engagement from all relevant stakeholders and gaining senior sponsorship.

“We set up a small team covering our internal efforts to work with the CSP programme, both in terms of our own self-attestation, and also in terms of consuming and making sense of counterparty data,” says Deutsche Bank’s Simon. “The important thing was to involve a number of stakeholders right from the beginning – the earlier you get everyone on board, the easier it is to work as a team.”

In practice, there are a number of stakeholders to consider, from key subject matter experts for the lines of business to risk, compliance and legal teams, as well as internal and external auditors.

“We have operationalised our CSP Consultation and Consumption efforts for new and existing clients. This approach has helped streamline and progress the CSP programme, and in sharing ongoing information with relevant stakeholders, including client oversight and relationship divisions,” comments Citi’s Mohanty. “As an organisation, this contributes to the ongoing conversation on the risk(s) when making decisions about a relationship.”

Bringing in resources

In some cases, the project may call for additional resources. Lloyds Bank, for example, opted to bring in an external contractor to help develop the process.

“He wasn’t from a financial crime or cybersecurity background, but he did understand how things work in large financial institutions in terms of management information and reporting,” says John Baggott, Senior Manager, Payments, Industry & Development, Lloyds Bank. “He established a process to consistently interpret the information received from counterparties, where they fell short of compliance and where they had plans to remediate; and he was able to present that information in an easily digestible way.”

With the process developed, the contractor was able to hand the resulting model over to a business as usual team. Key to this approach, notes Baggott, was being able to explain the importance of cyber controls to senior management in order to secure the necessary budget.

Tips for your institution

“Aligning teams and deciding who should be involved – both on your side and on your counterparty’s side – will be more and more important as you get more into using CSP data to form appetite, make decisions or conduct follow-up due diligence with counterparties.”

Victor Abiola — Global Head, Operational Risk, Corporate and Investment Bank, Standard Bank
5.3 Communication

Another important success factor is the ability to communicate effectively about the CSP programme, both within the organisation and with external stakeholders.

From general updates to targeted discussions

Deutsche Bank’s Simon explains that communication efforts include providing general information about the CSP programme widely within the bank. “Then, of course, we had more focused communications for target groups such as sales and client managers so they understood what they needed to do with counterparties flagged as non-compliant.”

BNY Mellon, likewise, provides talking points to relevant front-office staff to help them answer questions from counterparties or clients. Other initiatives include an intranet site that provides links to resources on the SWIFT website, as well as an FAQ document to ensure questions are responded to with a consistent message.

Set a drumbeat for your activity

Other communication measures may include monthly working groups to review counterparty attestation data and updates from internal and external audit teams. Oonagh McGrane, Director, FI Commercialisation, Client Products at Lloyds Bank, says that a monthly forum enables the bank to review progress and exceptions in a structured way. “That provides an effective drumbeat to the activity,” she adds.

Communicating with clients

And, of course, a key part of managing attestation data is communicating with counterparties to understand any issues or queries that may arise in relation to controls and compliance.

Joanne Cash — Head of Operations Control Management, BNY Mellon

“Socialising the Customer Security Programme initiative at various internal forums will help increase organisational awareness and the cyber resilience value one can get from CSP consultation and consumption.”

Kamal Mohanty – SVP Cyber Risk, Global Payments & Receivables, Citi

“Keep those channels of communication open with the different business lines, because they’re the ones that are working with the counterparties.”

Kevin Domaratius — Senior Associate, Operations, BNY Mellon
5.4 Tools and processes

When it comes to tools and processes, there is more than one way to approach the management and analysis of attestation data.

For financial institutions that have a sizeable number of counterparties, the first step is to download the counterparty attestation report available on the KYC-SA tool. The data can then be reviewed, with different criteria applied to identify counterparties that fall short of full compliance with the controls.

Getting started

As Deutsche Bank’s Reinecke explains, the “bare minimum” needed to get started is having the core roles in place to operate the KYC-SA portal, both for counterparty attestation consumption and to manage your own CSP attestation.

“We take a report from the KYC-SA tool,” Reinecke comments. “It is possible to download a number of reports, including one that lists all the controls, mandatory and advisory, along with the controls status and some other base data of the counterparty.”

From there, the bank applies logic to interpret the data. “We read out which control is compliant, which is not compliant, which is compliant by a given date and whether the attestation is expired or valid. This flows into reporting that we regularly do internally, and map against those parties we have requested access to.”

In-house tools vs spreadsheets

Some institutions opt to build internal tools in order to handle their counterparty attestation data. As mentioned earlier, Citi, for example, downloads data from KYC-SA and uploads it to an application for data interpretation. BNY Mellon, likewise, has built a process and a tool structure that incorporates a lot of the detail provided by SWIFT’s report.

Other approaches can also work very effectively. “As far as the process goes internally, it doesn’t need to be anything complicated,” says Lloyds Bank’s Baggott. “A simple spreadsheet and PowerPoint deck is all we required. The portal provides all the data you need to consume – you can then just leverage existing ways of working.”

Tips for your institution

“The number of counterparties we interact with is significant and we are able to manage CSP consultation and consumption at scale by focusing on automation. Institutions with fewer counterparties can also start their CSP journey by manually managing their data.”

Kamal Mohanty — SVP Cyber Risk, Global Payments & Receivables, Citi
5.5 Community

Last but not least, community has an important role to play for financial institutions looking to make the most of their attestation data. In a post-pandemic world, you should take any opportunity to meet with your peers and share experiences.

One important resource has been SWIFT’s group of peer global transaction banks. Communicating with them has enabled information sharing about how best to handle attestation data, as well as providing an opportunity to discuss potential operational enhancements.

“The community element has definitely helped by providing us a common platform for bi-lateral conversation regarding cyber resilience,” says Citi’s Mohanty. “By working together, we can strengthen the community, and also share lessons learned and best practices. For example, during a counterparty CSP conversation, we discussed the topic of staying resilient while evolving with virtualisation, and both parties walked away with innovative industry approaches.”

Beyond the CSP, financial institutions can tap into further opportunities for information sharing. “We don’t just receive information from SWIFT and from the CSP – there are also other information-sharing activities that go on at a senior level within the IT intelligence community,” says BNY Mellon’s Cash. “That information, handled on a need-to-know basis, can provide insights that you can use to research a particular CSP control.”

Tips for your institution

“This isn’t competitive – it’s in the interest of the whole community. So let’s keep talking and helping each other reach a fully compliant position.”
Best practices: A planning and execution checklist

Here are some key actions you can take to start using your counterparties’ CSP attestation

Gain senior sponsorship and engage all relevant stakeholders.

Make sure the necessary resources are
Conclusion

CSP attestation data may not be a silver bullet. But when it

the toolbox that you can use very effectively alongside other

While some financial institutions may face challenges in terms of

For example, while some financial institutions may ask all counterparties for attestation data, others may benefit from

approach if you have a high number of counterparties – but there is still much that can be achieved using readily available tools

help you improve cybersecurity in a way that is both affordable and accessible. And as Deutsche Bank’s Simon notes, “The single

• Providing CSP data to the world’s leading anti-virus providers, thereby promoting collaboration and data sharing while strengthening cybersecurity efforts across industries.

For more information about our Financial Crime Compliance solutions, including Payment Controls for enhanced fraud detection and prevention, visit www.swift.com/fcc.