3. Third-party risk management (TPRM)
Outsourcing payment management can create blind spots if not supported by effective oversight. The absence of visibility can expose institutions to substantial risks, including vendor-related disruptions, third-party data breaches, and failure to comply with contractual obligations. Recognizing these risks, SWIFT made Control 2.8 “Outsourced Critical Activity Protection” mandatory for all architectures in 2024, followed by the same decision from the SNB regarding control 3.7.2 "TPRM" in 2025.
Insights: Following the global CrowdStrike outage in July 2024 (CrowdStrike, 2024), several banks that had outsourced their payment processing to a major SWIFT Service Bureau were surprised when their payments stopped executing, even though they did not use CrowdStrike's products directly: the dependency sat one level down, in the bureau's own infrastructure. Smaller institutions are especially exposed, since limited resources and contingency planning prevent them from properly monitoring their third- and fourth-party relationships. Banks should conduct regular vendor audits to assess third-party security practices, which is all the more important given the rise in supply chain attacks (ReversingLabs, 2025).
4. Incident management and reporting
As payment volumes continue to increase (PLANERGY, 2025), the ability to react quickly to malicious activity is critical. Both SWIFT and the SNB require institutions to establish comprehensive and tested response procedures, regardless of their architecture, and the SNB additionally requires participants to report successful cyberattacks promptly. Since January 2025, the EU Digital Operational Resilience Act (DORA) has imposed binding requirements on financial entities, including Swiss banks with EU operations or subsidiaries, particularly for incident detection, classification and reporting. These banks must meet DORA's strict timelines for reporting major ICT-related incidents to EU authorities, which may be more stringent than the Swiss domestic requirements.
Insights: Recent assessments revealed shortcomings with incident management controls. Specifically, 1 in 7 banks, all of which fell under FINMA categories 4 and 5, failed to comply with SIC control "Reporting Serious Incidents to the SNB”. These banks had not updated their internal manuals or lacked defined response plans, thereby increasing the risk of prolonged payment processing failures. The overlap with DORA for affected banks also necessitates dual compliance strategies for cross-border regulation, ensuring adherence to both EU and Swiss regulatory regimes.
5. Ever-increasing technical expectation
The introduction of instant payments through the SIC system in August 2024 has brought new expectations: continuous system availability, and fraud detection and prevention that completes within the instant-payment window of less than 3 seconds. Meeting this requires technological upgrades such as real-time fraud filters. To keep pace, banks must rely on automated tools, preferably AI-driven, that detect anomalies in near real time rather than holding a payment for later manual review.
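What a pre-execution fraud filter under a hard time budget looks like in practice, as an added illustration that is not part of the original text and not the SIC system's or any vendor's code: a few cheap rule checks (velocity, unseen payee, amount deviation from the account's own history) run under a deadline, and a breach of that deadline yields an explicit decision instead of a silently accepted payment. All thresholds, account data and the choice to fail closed on a deadline breach are illustrative assumptions; the 3-second figure is the window quoted above, the rest is not taken from SIC or SNB rules.

```python
import statistics
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass, field

# Illustrative parameters (assumptions, not SIC/SNB values); only the
# 3-second decision window comes from the text above.
BUDGET_SECONDS = 3.0
VELOCITY_WINDOW_S = 60.0     # look-back for the burst check
MAX_TX_PER_WINDOW = 5        # debits allowed inside that look-back
ZSCORE_LIMIT = 3.0           # how far above the account's usual amount is suspicious
NEW_PAYEE_LIMIT = 5_000.0    # large amount to a never-seen beneficiary


@dataclass
class Payment:
    account: str
    payee: str
    amount: float
    ts: float                # epoch seconds


@dataclass
class AccountProfile:
    amounts: list = field(default_factory=list)      # settled debit amounts
    payees: set = field(default_factory=set)         # beneficiaries seen before
    timestamps: list = field(default_factory=list)   # settled debit times


def score(p: Payment, prof: AccountProfile) -> tuple[str, list[str]]:
    """Cheapest checks first; every triggered rule is reported as a reason."""
    reasons = []
    recent = [t for t in prof.timestamps if 0 <= p.ts - t <= VELOCITY_WINDOW_S]
    if len(recent) >= MAX_TX_PER_WINDOW:
        reasons.append("velocity")
    if p.payee not in prof.payees and p.amount >= NEW_PAYEE_LIMIT:
        reasons.append("new_payee_high_amount")
    if len(prof.amounts) >= 2:                       # need history for a baseline
        mu = statistics.fmean(prof.amounts)
        sd = statistics.pstdev(prof.amounts)
        if sd > 0 and (p.amount - mu) / sd > ZSCORE_LIMIT:
            reasons.append("amount_outlier")
    return ("REJECT" if reasons else "ACCEPT", reasons)


_POOL = ThreadPoolExecutor(max_workers=8)


def screen(p, prof, scorer=score, budget=BUDGET_SECONDS):
    """Run the scorer under the instant-payment budget.

    If no verdict arrives in time the payment is rejected with an explicit
    reason (fail closed). Failing open, or routing to a fallback check, is
    an equally valid policy; the point is that the deadline never produces
    an implicit accept.
    """
    fut = _POOL.submit(scorer, p, prof)
    try:
        return fut.result(timeout=budget)
    except FutureTimeout:
        return "REJECT", ["deadline_exceeded"]


def record(p: Payment, prof: AccountProfile) -> None:
    """Fold a settled debit into the account baseline."""
    prof.amounts.append(p.amount)
    prof.payees.add(p.payee)
    prof.timestamps.append(p.ts)


def demo() -> list[tuple[str, list[str]]]:
    """Constructed scenario: one account, three screening decisions."""
    t0 = 1_700_000_000.0
    prof = AccountProfile(amounts=[120.0, 95.0, 110.0, 130.0], payees={"ACME"},
                          timestamps=[t0 - 86_400 * d for d in (1, 2, 3, 4)])
    results = []

    p = Payment("CH-001", "ACME", 115.0, t0)          # routine, known payee
    results.append(screen(p, prof))
    if results[-1][0] == "ACCEPT":
        record(p, prof)

    p = Payment("CH-001", "NEWCO", 9_500.0, t0 + 1)   # large, unseen payee
    results.append(screen(p, prof))

    for i in range(MAX_TX_PER_WINDOW):                # burst of already-settled debits
        record(Payment("CH-001", "ACME", 50.0, t0 + 2 + i), prof)
    p = Payment("CH-001", "ACME", 50.0, t0 + 10)      # one more inside the window
    results.append(screen(p, prof))
    return results


if __name__ == "__main__":
    for decision, why in demo():
        print(decision, why)
```

The scoring here is deliberately rule-based so the budget logic stays visible; a model-based scorer plugs into `screen()` through the `scorer` argument without changing the deadline handling, and the thread pool only bounds the wait, so a slow scorer still consumes a worker until it returns.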
Insights: Two-thirds of category-4 and -5 banks assessed by EY in 2024 have not yet aligned their governance or technical implementations with the demands of instant payments. This misalignment is evident in outdated recovery time objectives (RTOs), unclear fallback plans and fraud scenarios that still rely on delaying transactions to have them checked by a human operator. Smaller banks facing resource constraints can delegate their cybersecurity transformation to trusted firms, which offer scalable solutions through alliances with industry platforms to modernize, simplify, and secure digital operations.