The SWIFT CSP requires users to maintain compliance with the CSCF controls and submit attestations via the KYC-SA (Know Your Customer - Security Attestation) portal. The "Swift Customer Security Controls Framework v2025" and "Independent Assessment Process for Assessors Guidelines" outline the process for handling non-compliance. Let’s evaluate each option:
• Option A: The user must remediate all the exceptions within 3 months before submitting the CSP attestation in KYC-SA
This is incorrect. While SWIFT encourages prompt remediation, there is no strict 3-month deadline mandated by the CSP for resolving all exceptions before submission. The "Independent Assessment Framework" allows submission with open exceptions, provided they are documented and a remediation plan is in place.
• Option B: The SWIFT user may remediate the exceptions and then re-submit an attestation reflecting the new compliance status, but only after compliance validation by the same independent assessor
This is incorrect. The CSP does not require the same independent assessor to re-validate compliance. Any certified assessor can perform the follow-up assessment, as per the "Independent Assessment Process for Assessors Guidelines."
• Option C: The SWIFT user may remediate the exceptions and re-submit an updated attestation reflecting the new compliance status, but only after compliance validation by an independent assessor
This is correct. The "Swift_CSP_Assessment_Report_Template" and "Independent Assessment Framework" allow users to remediate exceptions and submit an updated attestation. However, the updated compliance status must be validated by an independent assessor to ensure objectivity and meet CSP requirements. The user can submit an initial attestation with exceptions, followed by a re-assessment after remediation.
• Option D: The attestation cannot be submitted before all exceptions are resolved
This is incorrect. The CSP permits submission of an attestation with open exceptions, provided they are disclosed and a remediation plan is submitted, as outlined in the "CSCF Assessment Completion Letter" guidelines.
Summary of Correct Answer:
The SWIFT user may remediate exceptions and re-submit an updated attestation after validation by an independent assessor (C).
References to SWIFT Customer Security Programme Documents:
• Swift Customer Security Controls Framework v2025: Allows submission with exceptions and remediation plans.
• Independent Assessment Process for Assessors Guidelines: Requires independent validation for updated attestations.
• Swift_CSP_Assessment_Report_Template: Supports re-assessment after remediation.