In business generally, and even more so in the payments and banking industries, assessments are a critical part of verifying that an organization operates in compliance with the regulations, standards, and best practices that protect its most sensitive data.
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a cooperative society that provides secure financial messaging services to banks worldwide. Its principal function is to operate the messaging network through which most international payments are initiated; SWIFT carries the payment instructions, while the settlement itself happens between the banks.
The SWIFT Customer Security Programme (CSP) defines mandatory and advisory security controls for participating institutions in the Customer Security Controls Framework (CSCF). Under the CSP's Independent Assessment Framework, compliance with those controls is verified through one of three types of assessment: an internal assessment, an external assessment, or a SWIFT-mandated external assessment. A hybrid approach is also possible under certain conditions. Internal and external assessments differ in who performs the work (an independent function inside the organization versus a third-party assessor), while a mandated assessment is a compulsory external assessment that applies only to organizations SWIFT has selected for one.
The latest figures shared by SWIFT at SIBOS 2022 indicate an almost 50/50 split between internal and external assessments across the industry since self-attestation without independent assessment was phased out in 2021. Each type of assessment has advantages and disadvantages, and understanding them is key to determining which is most appropriate for your organization.
The internal assessment function is usually nested in the second or third line of defense within an organization: the risk or compliance function (second line) or, most commonly, the internal audit department (third line), which is responsible for evaluating and improving the effectiveness of the organization's risk management, control, and governance processes. Whichever function performs it, the assessing team must be independent of the people who operate the SWIFT environment. Ideally this function provides objective assurance and consulting designed to add value and improve the organization's operations, and often reports to the board of directors (or an equivalent body). Internal assessors conduct a wide range of assessments of an organization's operations, financial reporting, compliance with laws and regulations, and other areas as needed.
External SWIFT CSP assessments are performed by an independent third-party assessor with no stake in the organization being assessed. External assessments must be conducted by qualified organizations, such as Online, that meet the criteria defined by SWIFT and are listed in SWIFT's Directory of CSP Assessment Providers. The main purpose of an external assessment is to provide fully independent assurance to stakeholders, since the assessing firm has no material financial dependency on the entity being assessed. External assessment firms are often subject to governing bodies or professional institutions that enforce their independence, quality assurance, and engagement consistency.
Both external and internal assessments have advantages and disadvantages. Ultimately, the choice between them depends on the organization's specific needs, skills, and resources. As previously mentioned, a hybrid approach is also possible; for example, an internal audit function may contract an external assessor to lead, or to assist with, the assessment of specialized controls. NOTE: It is recommended that you consult the SWIFT CSP Independent Assessment Framework when considering such an approach, as it sets out the conditions under which each assessment type is acceptable.
Download our Service Overview today for more information on how to get started.