The SWIFT CSP defines architecture types (A1 to A4) based on the components a user owns and manages, as outlined in the "CSP Architecture Type - Decision tree" and "Swift Customer Security Controls Framework v2025." These types determine the applicable security controls and assessment requirements. Let’s analyze the scenario and options:
•A customer connector is a component (e.g., a custom application or integration layer) that connects to SWIFT services, such as through the SWIFT API or a messaging interface. It handles data flows but is not a standard SWIFT-provided interface.
•A communication interface refers to a component like Alliance Gateway (SAG), which manages connectivity to the SWIFT network via SwiftNet Link (SNL) and VPN boxes.
•The architecture types are:
oA1: Full stack (owns messaging interface, communication interface, and network components, e.g., Alliance Access, Alliance Gateway, VPN boxes).
oA2: Owns a customer connector and communication interface, with the messaging interface hosted elsewhere (e.g., by a service bureau or SWIFT).
oA3: Owns only a customer connector, relying on external communication and messaging interfaces.
oA4: Uses a fully hosted solution (e.g., Alliance Cloud or Lite2), owning no local components.
•In this case, the user owns a customer connector and a communication interface but does not mention owning a messaging interface (e.g., Alliance Access). This matches the A2 architecture type, where the user manages a custom integration (connector) and the communication layer (e.g., SAG), while the messaging interface is provided by another party (e.g., a service bureau or SWIFT-hosted environment). The "CSP Architecture Type - Decision tree" confirms this classification, and the "Assessment template for Mandatory controls" applies A2-specific requirements.
•Option A: A1
This is incorrect. A1 requires ownership of a messaging interface (e.g., Alliance Access), which is not mentioned.
•Option B: A2
This is correct. A2 fits the scenario of owning a customer connector and communication interface without a messaging interface.
•Option C: A3
This is incorrect. A3 involves only a customer connector, not a communication interface.
•Option D: A4
This is incorrect. A4 applies to fully hosted solutions with no local ownership of connectors or interfaces.
Summary of Correct Answer:
The SWIFT user with a customer connector and a communication interface is of architecture type A2 (B).
References to SWIFT Customer Security Programme Documents:
•Swift Customer Security Controls Framework v2025: Defines architecture types A1-A4.
•CSP Architecture Type - Decision tree: Classifies A2 for customer connector and communication interface ownership.
•Assessment template for Mandatory controls: Applies to A2 architecture.