Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Learn More
866.254.0000
Contact Us
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

By: Schellman

Print/Save as PDF

How to Comply with the SWIFT Outsourcing Agent Security Baseline (OASBL)

Payment Card Assessments

Does your organization use the SWIFT network with some or all of your IT services outsourced to a third party? Are you one of those third-party organizations engaged by a SWIFT user for the hosting, installation, operation, and/or maintenance of components involved in your customer's SWIFT implementation?

If you answered yes to either of these two questions, you may be surprised to know that the scope of your SWIFT independent cybersecurity assessment may extend further than you thought.

To help you with that, in this video, we'll highlight key portions of the new SWIFT Outsourcing Agent Security Baseline.

I'm Jon Anderson, SWIFT Practice Leader here at Schellman. I've been conducting and managing SWIFT assessments since 2020 using the contemporaneous version of the SWIFT Customer Security Controls Framework (CSCF), and so I understand how the organizations and entities involved in the SWIFT ecosystem for financial messaging have always relied heavily on outsourcing agents for various information technology, development, and information security tasks.

As such, to ensure the security of this extended ecosystem, SWIFT enforces a robust security baseline specifically for outsourcing agents known as the SWIFT Outsourcing Agent Security Baseline or OASBL.

What is the SWIFT Outsourcing Agent Security Baseline (OASBL)?

The OASBL serves to acknowledge the shared responsibility between organizations that use SWIFT and the outsourcing agents they employ in maintaining a secure environment for financial messaging. 

While the organization that uses the SWIFT network is ultimately accountable for its own data and transactions, the outsourcing agent also has a critical role in safeguarding the entrusted information and systems—hence the OASBL.

What is a SWIFT OASBL Secure Zone?

As part of its goal to ensure the security of SWIFT third parties, the OASBL places significant emphasis on secure zones, or that part(s) of an outsourcing agent's environment interacts with SWIFT data or the customer's SWIFT infrastructure. SWIFT secure zones must be designated as such and have heightened security controls compared to the rest of the outsourced agent's environment.

That being said, the OASBL does acknowledge that it may not be possible for outsourcing agents to fully isolate their SWIFT-related activities based on:

  • The service that the outsourcing agent provides; and
  • How it's provided.

If that's the case for your environment, the OASBL has outlined an alternate set of reduced security expectations that must be met within the outsourcing agent's secure zone. The controls described within these reduced expectations cover areas like:

  • Access controls;
  • Network segmentation;
  • Data encryption; and
  • Logging.

It's important to note that while the OASBL does outline these security requirements, it doesn't necessarily mandate independent assessments for outsourcing agents.

How Third Parties Can Support Their SWIFT Users During CSCF Assessments

But even if outsourced agents do not undergo an independent SWIFT assessment, if it's found during the scoping process that the SWIFT user has outsourced in-scope security information technology tasks to an outsourced agent, the latter will need to support their customer's CSCF assessment. 

In this, outsourced agents have three options: 

  1. First, the outsourced agent can provide a third-party assurance report such as a Type 2 SOC 2 examination that covers their controls compliance with the CSCF in-scope components they operate.

  2. Second, the outsourcing agent can have an independent CSCF assessment performed to validate their level of compliance against the applicable CSCF controls before providing that assessment report and completion letter to their SWIFT user customer.

  3. Finally, the SWIFT network user can request that their outsourced agent participate in the SWIFT network user's annual independent assessment to the extent that the outsourced agent has responsibility over the in-scope components.

Getting Compliant with the SWIFT OASBL

Whether you are a SWIFT network user or an outsourced agent supporting your SWIFT network user customers, your organization should consider its place within the SWIFT ecosystem and your responsibilities for compliance with the customer security controls program.

Here at Schellman, we can help you complete your independent assessment and support your annual attestation. If you have any questions, please reach out to us—we'd love to speak with you.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.