SCP Decision Tree

This document serves as a guide for Swift users to identify their CSP architecture type, detailing various architecture types and decision trees based on the components they own. It includes updates aligned with the Customer Security Controls Framework (CSCF) v2025 and provides specific guidance for different user scenarios, including API consumers and back-office applications. The document emphasizes the importance of understanding the ownership of messaging and communication interfaces and outlines the scope of security controls required for each architecture type.


Decision tree to assist Swift users in identifying their CSP architecture type

Version date: 08/10/2024


Revision Record

Section: Overall
Date: 08th October 2024
Changes:
- Minor updates to text and clarifications.
- Alignment of architecture types and flow charts with CSCF v2025.

Section: Overall
Date: 10th October 2023
Changes:
- Minor updates to text and clarifications.
- Update generic architecture type decision tree (previously FIN user).
- Add API consumer architecture type decision tree.
- Remove non-FIN user architecture type decision tree, merged with generic architecture type.
- Add API consumer architectures to example architectures.

Purpose
This document provides guidance that can help Swift users determine their CSP Architecture type. It
is provided for information and illustrative purposes.

If you know the Swift component or product you own, then you can also refer to the CSP components
sheet here to determine your architecture type.

Nothing in this document shall be interpreted or construed as replacing or otherwise amending the
Customer Security Controls Framework and Customer Security Controls Policy. General principles (or
Architecture types) do not have any restrictive meaning when illustrated with examples.

Swift users connecting through a Swift connectivity provider (like a Service Bureau, a L2BA, Business
Connect or an Enabler) can also contact their provider for guidance. Otherwise, you can reach out to
your Swift account manager or support for assistance.

Audience
This document targets:
(i) Swift users that need to determine their architecture type
(ii) Assessor(s) selected by Swift users to assist them with their independent assessment
(iii) Swift connectivity providers that help Swift users determine their architecture type
(iv) Companies (also known as Outsourcing Agents) selected by Swift users to host and/or
operate their Swift components (more information can be found in the Outsourcing Agent
Security Requirement Baseline document)
Section contents

1. Architecture types | Generic: Decision tree providing guidance on how to determine a Swift user's architecture type based on the components they own.
2. Architecture types | API Consumer: Decision tree providing guidance on how to determine a Swift user's architecture type when they are consuming Swift API, based on the components they own.
3. Architecture types | Crest: Decision tree providing guidance on how to determine a Crest user's architecture type based on the components they own.
4. Examples of Architecture types: Provides examples of architecture types for Swift users based on the most common implementations.

Definition of Swift connector and Customer connector


A Swift connector is a connector specifically designed to support Swift business and is generally provided by Swift, for example Alliance Microgateway, Alliance Cloud SIL, Direct Link or Alliance Lite2 AutoClient (with or without SIL). A Swift connector holding a Swift-compatible label can also be provided by third-party vendors. A Swift connector is considered a Swift footprint.

A Customer connector or Customer client connector is a commercial off-the-shelf product configured for Swift purposes. It includes generic file transfer solutions or local middleware implementations (such as IBM® MQ, Apache, sFTP, Kafka or Solace server/broker) used to facilitate an external connection with Swift-related components offered by a service provider or an outsourcing agent. These generic elements not provided by Swift (or not labelled as Swift-compatible) are considered a non-Swift footprint.

In addition, an API client or an application developed in-house that implements Swift API endpoints to connect to Swift services exposed by the Swift API Gateway is also a customer (bespoke API) connector, that is, a non-Swift footprint.

Important note about Customer client connectors


While the bridging servers sitting between the back office and the secure zone are already in scope of most of the controls, the 'customer client connectors' (such as an endpoint consuming APIs, a middleware client or a file transfer client) used to connect to a Swift connectivity provider, an outsourcing agent or a Group Hub are first introduced as an advisory in-scope component in CSCF v2025. Such a 'customer client connector' is expected to become mandatory in scope with CSCF v2026. From then on, the term "customer connector" will cover both a server and a client endpoint connecting to a Service Provider or to Swift. This document already incorporates the v2025 updates for the Customer client connector. For further information see the Customer Security Controls Framework v2025 (CSCF), page 6.

Ownership of the Messaging and/or Communication interface


The illustrations show that only a single BIC can be the license owner of a messaging or communication interface, also referred to as the owner. In the rare cases where there is no license owner for the messaging interface, Swift recommends that the user who owns (or operates) the communication interface attests as A1, and that the other BIC attests as A3, A4 or B, depending on the connector type.

Multiple Architecture types


• Swift users may own more than one interface or connector. In this case, users need to complete their CSP attestation with the architecture type and/or service provider details of the most comprehensive architecture type. For instance, if a user has a SwiftNet infrastructure using architecture type A and a FIN infrastructure using architecture type B, they must select architecture A when attesting. The scope of the security controls must cover all in-scope components from the FIN and SwiftNet infrastructures across all the required environments, as set out in the CSCF.
• Swift users who alternate between service providers need to select the architecture type and/or service provider details for their main infrastructure. As an example, alternating environments can happen when a Swift user connects through different infrastructures and traffic is swapped on a regular basis, or when a failover to another infrastructure is performed for disaster recovery purposes. In both cases the user must select the architecture type of the main infrastructure.
• The scope of the security controls must include all components as outlined in the CSCF, and all operational and online backup or disaster recovery infrastructures.

Back Office applications and Messaging and Communication Interfaces


Most users use a Swift messaging or communication interface, such as Alliance Access, Alliance Messaging Hub or Alliance Gateway. Other compatible messaging and communication interfaces are listed on Swift.com here.
The qualification of a customer application as a back-office application or as a messaging interface is based on the connectivity method it uses to connect to the Swift connectivity components, as follows:

• If the customer application connects to SwiftNet Link (SNL) and generates messages, then it is considered a messaging interface.
• If the customer application connects to a communication interface (e.g., SAG) using the MQHA and RAHA adapters:
o If the related message partner is configured in "Relaxed" or "Strict" mode, then the customer application is considered a messaging interface.
o If the message partner is configured in "Basic" mode, then the application is considered a back-office application.
• If the application connects to a messaging interface (SAA), then the customer application is considered a back-office application.

The table below summarises the above options:

Connected with:        SwiftNet Link | Alliance Gateway, MQHA/RAHA "Relaxed/Strict" | Alliance Gateway, MQHA/RAHA "Basic" | Messaging Interface
Customer Application:  CI or MI      | MI                                           | BO                                  | BO

Legend:
MI – Messaging Interface
CI – Communication Interface
BO – Back Office
Exceptions and additional information

• In the rare cases where a Swift user owns only a communication interface and no messaging interface, this is architecture type A1.

• For users connecting through a non-Swift user group hub that is not registered under the Shared Infrastructure Programme, the user heading the traffic aggregation hierarchy, or one of the connected shareholding users, must submit a distinct attestation for the PIC of the group hub. If no attestation is submitted for the PIC of the non-Swift user group hub, then all users connected through that group hub must attest as architecture type A1.

• Shared Alliance Remote Gateway (ARG) users are those sharing the Alliance Access owned by an ARG customer (the Alliance Access owner is generally architecture type A2). Therefore, the shared ARG users attest as architecture type A3, A4 or B depending on how they connect to or use the shared Alliance Access interface. As an example, this would be architecture type A3 when a Swift connector is used, A4 when a middleware server/client is used, and B when only a GUI is used (see 'examples of architecture types' in this document).
1. Architecture type | Generic

2. Architecture type | Swift API consumer

Note: GUI (user-to-application) only connections to Alliance Cloud are considered architecture type B.

3. Architecture types | Crest BIC

Note: Please refer to the generic architecture type flow chart for the architecture type of the BIC related to the non-Crest service and sharing the same Alliance Access instance. For information, it is generally a non-Crest BIC that owns the interface licenses and is either architecture type A1 or A2. A Crest BIC back-office application typically exchanges data with the Alliance Access instance using the CRFI, CRPI or CRMI methods, which are not considered a CSP in-scope footprint.
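The decision rules described above (back-office versus messaging-interface qualification, architecture type from the components owned, the "most comprehensive type" rule for users with several infrastructures, and the unattested group hub exception), encoded as an added Python helper that is not part of the original document. The ranking A1 > A2 > A3 > A4 > B used to pick the most comprehensive type is an assumption inferred from this document's examples (A1 owns both interfaces, B is GUI only), not a definition taken from the CSCF.

```python
"""Constructed example encoding the CSP architecture-type decision rules above.

Assumption (not a CSCF definition): A1 > A2 > A3 > A4 > B is the order of
"most comprehensive" architecture type, inferred from this document's examples.
"""
from dataclasses import dataclass
from typing import List, Optional

# Rank used by attestation_type(); lower rank = more comprehensive (assumption).
_RANK = {"A1": 0, "A2": 1, "A3": 2, "A4": 3, "B": 4}


def qualify_application(connects_to: str, partner_mode: Optional[str] = None) -> str:
    """Classify a customer application as MI (messaging interface) or BO
    (back office) from the connectivity method it uses, per the table above.

    connects_to: "SNL" (SwiftNet Link), "SAG" (communication interface, via
                 the MQHA/RAHA adapter) or "SAA" (messaging interface).
    partner_mode: for "SAG" only, the message partner mode ("Relaxed",
                  "Strict" or "Basic").
    """
    if connects_to == "SNL":
        return "MI"            # generates messages directly on SNL
    if connects_to == "SAA":
        return "BO"            # sits behind a messaging interface
    if connects_to == "SAG":
        if partner_mode in ("Relaxed", "Strict"):
            return "MI"
        if partner_mode == "Basic":
            return "BO"
        raise ValueError(f"unknown message partner mode: {partner_mode!r}")
    raise ValueError(f"unknown connectivity method: {connects_to!r}")


@dataclass
class Infrastructure:
    """Swift-related components a user owns in one infrastructure (e.g. FIN)."""
    owns_communication_interface: bool = False
    owns_messaging_interface: bool = False
    swift_connector: bool = False           # e.g. Microgateway, SIL, AutoClient
    customer_connector: bool = False        # e.g. IBM MQ, sFTP, bespoke API client
    gui_only: bool = False                  # user-to-application flows only
    via_unattested_group_hub: bool = False  # group hub PIC with no attestation


def architecture_type(infra: Infrastructure) -> str:
    """Architecture type of one infrastructure, from the components owned."""
    if infra.via_unattested_group_hub:
        return "A1"  # exception: no attestation submitted for the group hub PIC
    if infra.owns_communication_interface:
        return "A1"  # owner of the CI, with or without a messaging interface
    if infra.owns_messaging_interface:
        return "A2"
    if infra.swift_connector:
        return "A3"
    if infra.customer_connector:
        return "A4"
    if infra.gui_only:
        return "B"
    raise ValueError("no Swift-related component declared")


def attestation_type(infras: List[Infrastructure]) -> str:
    """Type to attest when a user runs several infrastructures (including
    backup / disaster-recovery ones): the most comprehensive one."""
    if not infras:
        raise ValueError("at least one infrastructure is required")
    return min((architecture_type(i) for i in infras), key=_RANK.__getitem__)


if __name__ == "__main__":
    # Constructed case: GUI-only FIN access, a SwiftNet connection through a
    # Swift connector (e.g. SIL), and a DR site that uses a customer connector.
    fin = Infrastructure(gui_only=True)
    swiftnet = Infrastructure(swift_connector=True)
    dr_site = Infrastructure(customer_connector=True)
    print(attestation_type([fin, swiftnet, dr_site]))  # A3
```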
4. Swift architecture type examples

Architecture types based on Swift products
Architecture type A1 (Owner of Messaging and Communication interface)

[Diagram: the user's Swift infrastructure (Swift secure zone) holds the messaging interface (with RMA), the communication interface (with SNL), GUI, HSM and PKI, connected to the Swift network. The general enterprise IT environment holds the back office, a back office using a middleware/file transfer client, middleware/file transfer (bridging) servers exchanging data with the interfaces, and operators (end user/admin). The boundary labelled "Scope of Security Controls" is shown around the user's Swift infrastructure.]


Architecture type A1 (Owner of Communication interface)

[Diagram: as the previous A1 example but without a messaging interface: the user's Swift secure zone holds the communication interface (with SNL), GUI, HSM and PKI, connected to the Swift network; back office, back office using a middleware/file transfer client, middleware/file transfer (bridging) servers and operators (end user/admin) sit in the general enterprise IT environment.]


Architecture type A2 (Owner of Messaging interface)

[Diagram: the user's Swift secure zone holds the messaging interface (with RMA), HSM, PKI and GUI; the communication interface with SNL sits at the service provider and connects to the Swift network. Back office, back office using a middleware/file transfer client, middleware/file transfer (bridging) servers and operators (end user/admin) sit in the general enterprise IT environment.]


Architecture type A3 (Swift connector)

[Diagram: the user's Swift secure zone holds a Swift connector (with HSM, PKI and GUI); the messaging interface (with RMA) and communication interface (with SNL) sit at the service provider, which connects to the Swift network. Back office, back office using a middleware/file transfer client, middleware/file transfer (bridging) servers and operators (end user/admin) sit in the general enterprise IT environment.]


Architecture type A4 (Middleware Server and File transfer solution as a customer connector)
No Swift footprint

[Diagram: the user's customer secure zone holds a middleware server/client or file transfer server/client acting as customer connector (with HSM, PKI and GUI); the messaging interface (with RMA) and communication interface (with SNL) sit at the service provider, which connects to the Swift network. Back office (using middleware or secure file transfer client), middleware/file transfer (bridging) servers and operators (end user/admin) sit in the general enterprise IT environment.]


Architecture type B (U2A)

[Diagram, two panels: an operator (end user) in the general enterprise IT environment connects either through a (non-Swift) service provider to the Swift network, or directly to Swift (Lite2/Alliance Cloud). Only the connection is within the scope of security controls.]
Group hub setups
Architecture type A1 (Owner of Messaging and Communication interface)

Group Hub BIC BBBBCCLL – Owner of the messaging and communication interface

[Diagram: the group hub's Swift secure zone holds the messaging interface (with RMA), the communication interface (with SNL), GUI, HSM and PKI, connected to the Swift network; operators (end user/admin) sit in the general enterprise IT environment. The scope of security controls covers the user's Swift infrastructure.]


Architecture type A1 (Owner of communication interface)

Group Hub BIC BBBBCCLL – Owner of the communication interface

[Diagram: the group hub's Swift secure zone holds the communication interface (with SNL), GUI, HSM and PKI, connected to the Swift network; operators (end user/admin) sit in the general enterprise IT environment.]


Architecture type A2 (Swift user connecting to a group hub infrastructure)

Connecting BIC – Owner of the messaging interface (Architecture type A2)
Group Hub BIC BBBBCCLL – Owner of the communication interface (Architecture type A1)

[Diagram: the connecting BIC's Swift secure zone holds the messaging interface (with RMA) and GUI*, with operators (end user/admin) in its general enterprise IT environment; its scope of security controls is drawn around that infrastructure. The group hub's Swift secure zone holds the communication interface (with SNL), GUI, HSM and PKI, connected to the Swift network, within the group hub's own scope of security controls.]

(*) The GUI (for example Alliance Web Platform) can be on the BIC or group hub side.
Architecture type A4 (Swift user connecting to a group hub infrastructure)

Connecting BIC – Owner of a customer connector (Architecture type A4)
Group Hub BIC BBBBCCLL – Owner of the messaging and communication interface (Architecture type A1)

[Diagram: the connecting BIC's customer secure zone holds a middleware server/client or file transfer server/client (as customer connector) connected to a back office application, with operators (end user/admin) in its general enterprise IT environment. The group hub's Swift secure zone holds the messaging interface (with RMA), the communication interface (with SNL), GUI, HSM and PKI, connected to the Swift network, within the group hub's own scope of security controls.]


Architecture type B (Swift user connecting to a group hub infrastructure, only user-to-application flows)

Connecting BIC – Architecture type B
Group Hub BIC BBBBCCLL – Owner of the messaging and communication interface (Architecture type A1)

[Diagram: an operator (end user/admin) in the connecting BIC's general enterprise IT environment connects to the GUI at the group hub; the group hub's Swift secure zone holds the messaging interface (with RMA), the communication interface (with SNL), GUI, HSM and PKI, connected to the Swift network, within the group hub's own scope of security controls.]


Service Bureau and L2BA
Architecture type A2 (User connecting its own Messaging interface to a Service Bureau)

[Diagram: on the Swift user side, the general enterprise IT environment holds a back office (using middleware or secure file transfer client), middleware/file transfer (bridging) servers and operators (end user/admin); the user's Swift secure zone holds the messaging interface (with RMA), GUI, HSM and PKI, within the scope of security controls for the connecting BIC. On the Swift connectivity provider (Service Bureau) side, the communication interface with SNL connects to the Swift network, within the scope of PSCF controls.]


Architecture type A4 (User connecting their Back office to a Service Bureau using a customer connector)

[Diagram: on the Swift user side, the customer secure zone holds a middleware server/client or file transfer server/client (as customer connector), with GUI, HSM and PKI, within the scope of security controls for the connecting BIC; back office (using middleware or secure file transfer client), bridging servers and operators (end user/admin) sit in the general enterprise IT environment. On the Swift connectivity provider (Service Bureau) side, the messaging interface (with RMA) and the communication interface (with SNL) connect to the Swift network, within the scope of PSCF controls.]


Architecture type A3 (User connecting to a Swift connectivity provider using a Swift connector AutoClient or SIL)

[Diagram: on the Swift user side, the customer secure zone holds the Swift connector, with GUI, HSM and PKI, within the scope of security controls for the connecting BIC; back office (using middleware or secure file transfer client), bridging servers and operators (end user/admin) sit in the general enterprise IT environment. On the Swift connectivity provider side, the messaging interface (with RMA) and the communication interface (with SNL) connect to the Swift network, within the scope of PSCF controls.]


Architecture type A4 (User connecting their Back office to a L2BA provider using a customer connector)

[Diagram: on the Swift user side, the Alliance Lite2 customer secure zone holds a middleware server/client or file transfer server/client (as customer connector) exchanging data with the back office or middleware client, with an operator (admin), within the scope of CSCF security controls for the connecting BIC; an operator (end user) sits in the general enterprise IT environment and uses the GUI. On the L2BA service provider side, the server environment holds the Swift connector (Multi BIC AutoClient) and the business application, with operators (end user/admin), within the scope of PSCF controls, connected to the Swift network.]
Architecture type B (User connecting through L2BA, only user-to-application flows)

[Diagram: an operator (end user) in the Swift user's general enterprise IT environment uses the Alliance Lite2 GUI, within the scope of CSCF security controls for the connecting BIC. On the L2BA service provider side, the server environment holds the Multi BIC AutoClient and the business application, with operators (end user/admin), within the scope of PSCF controls, connected to the Swift network.]
Users of a Browse Service
Architecture type A1 (Browse Service and a Communication interface)



Shared Alliance Remote Gateway
Architecture type A3 (Shared Alliance Remote Gateway, Swift connector)

[Diagram: labels "Swift Connector" and "Customer Connector" on the shared Alliance Remote Gateway setup; the remainder of the figure is not reproduced.]


Architecture type A4 (Shared Alliance Remote Gateway, customer connector)

[Diagram: labels "Customer Connector" and "Middleware Server/Client or File Transfer Server/Client (as Customer connector)" on the shared Alliance Remote Gateway setup; the remainder of the figure is not reproduced.]


Architecture type B (Shared Alliance Remote Gateway, user-to-application flows only)



Business Connect Providers (Alliance Cloud)
Architecture type A4 (User of a Business Connect Provider using a Customer connector)

[Diagram: on the Swift user side, the Alliance Cloud customer secure zone holds a middleware server/client, file transfer server/client or API client (as customer connector) exchanging data with the back office or middleware/API client server, with an operator (admin), within the scope of CSCF security controls for the connecting BIC; an operator (end user) sits in the general enterprise IT environment. On the Business Connect service provider side, the server environment holds the Business Connect solution and a Swift connector(*), with operators (end user/admin), within the scope of PSCF controls, connected to the Swift network.]

(*) For example, could be SIL or AGI on the Business Connect provider side.
Architecture type B (User of a Business Connect Provider, user-to-application flows only)

[Diagram: an operator (end user) in the Swift user's general enterprise IT environment connects to Alliance Cloud, within the scope of CSCF security controls for the connecting BIC. On the Business Connect service provider side, the server environment holds the Business Connect solution and a Swift connector(*), with operators (end user/admin), within the scope of PSCF controls, connected to the Swift network.]

(*) For example, could be SIL or AGI on the Business Connect provider side.
Users connecting to a Service Provider using a Swift or Customer connector
Architecture type A3 (User connecting to a Service Provider using a Swift connector AutoClient, SIL)


Architecture type A4 (Middleware server or File transfer solution as a Customer connector)
No Swift footprint


Users connecting using an API Gateway
Architecture types – API Consumer

Note: a component may be descoped depending on the API consumed, please see KB 5026358.

[Diagram: all paths lead to the Swift API Platform. A4: an in-house application with the Swift (Security) SDK or Swift Messaging SDK and an API client (Swift zero-footprint, or Swift SDK*) in a secure zone (control 1.5). A3: Swift Microgateway in a secure zone (control 1.1). B: connection through a provider (Enabler) or group hub whose own provider secure zone holds an API client (A4) or Swift Microgateway (or Swift SDK*) (A3); B is also shown for Alliance Cloud when using the "Swift Messaging SDK". Legend: out of scope of the CSP; out of scope of the CSP (in scope for the provider); in scope of the CSP.]

* Not using SwiftNet PKI
