Coupa Success Portal

Coupa SWIFT Service Description

What are Coupa SWIFT Services?

Coupa SWIFT Services is a service for all customers using SWIFT as a communication channel. The service is divided into two categories:

  • Token Management without SWIFT Customer Security Programme (CSP) Assessment

  • Token Management and SWIFT Customer Security Programme (CSP) Assessment

With this service, the Coupa customer can not only hand the effort and complexity of administering the SWIFT Setup over to experts, but also get support with the mandatory SWIFT CSP Assessment. A few obligations still remain the responsibility of the customer (e.g. BIC Validation, User account prolongation).

This document describes how Coupa SWIFT Services helps organizations address each of the components necessary for managing the Tokens and performing a security assessment.

SWIFT Services Prerequisites 

  • Coupa retains and maintains the client’s tokens.

  • Coupa treasury software is operated in the cloud.

Who Are “Coupa SWIFT Services” Clients?

Any customer who is a member of the SWIFT network and has their own BIC is subject to SWIFT regulations. All clients using the network are subject to the SWIFT Customer Security Programme (CSP) and have to be compliant with the SWIFT regulatory framework.

Business challenge(s) addressed

Companies, especially treasury departments, want to use the SWIFT network as a central communication channel for payments and account statements. However, this connection entails a number of obligations. Fulfilling these obligations can require in-depth knowledge and sometimes be time-consuming. 

For example, the SWIFT setup must always be fully functional and comply with the regulations. In addition, customers must meet the requirements of the SWIFT Customer Security Programme (CSP Programme) https://www.swift.com/myswift/customer-security-programme-csp and submit the Security Attestation in full, on time, and in compliance with the Customer Security Control Framework (CSCF Framework).

Failure to undertake an assessment, along with keeping an outdated assessment published, could be reported to supervisors by SWIFT and made visible to counterparties in the same manner as a failure to timely attest or the publication of a non-fully compliant attestation.

Coupa SWIFT Services supports the customer in the timely execution of these tasks and the compliance with all regulatory requirements. 

Coupa SWIFT Services capabilities and benefits

Coupa SWIFT Services include the management of SWIFT tokens as well as the execution of the independent CSP assessment required by SWIFT.

Customer Obligations

Participants and users of the SWIFT network are obliged to fulfill certain SWIFT requirements as part of the contractual frameworks.

Obligations in context of the SWIFT CSP Programme (initial state):

 

With a subscription to SWIFT Services:

 

Obligations for Token Management

  • At all times, the customer must have two active security officers registered at SWIFT.com.

  • The customer’s SWIFT setup must be amended to allow Coupa to perform the relevant administrative actions and manage the tokens.

  • The existing LEFT security officer and RIGHT security officer are retained on the customer side. 

Obligations for the Customer Security Programme Assessment

  • The SWIFT Tokens are retained and maintained by Coupa. This is a prerequisite and is subject to an assessment.

  • The customer involves stakeholder departments on their end.

  • The customer delivers the evidence to prove compliance with the controls. The SWIFT Services Team provides a guide for this.

  • The customer enters data and submits the KYC – SA.

  • The customer should read and understand the documents provided by SWIFT, as responsibility to fulfill SWIFT obligations ultimately lies with the customer. 

It’s the responsibility of the customer to get in contact with the Coupa SWIFT Services Team to start the assessment process for the respective year.

In order to be eligible for an assessment to be carried out within the current calendar year, customers must procure a subscription to the Coupa SWIFT Services before September 30th of that year. Otherwise, the assessment is conducted in the following calendar year.

SWIFT Services: Token Management

Coupa also offers to manage the SWIFT Tokens on behalf of the SWIFT customers. 

This includes the following services for the customer: 

  • Coupa performs the technical implementation of the SWIFT application (Alliance Lite 2) on behalf of the customer.

  • Coupa administers all of the SWIFT applications on behalf of the customer.

  • Coupa carries out Certificate Renewals of CSO (Customer Security Officer) and RMA tokens. 

  • Coupa handles Support Cases around SWIFT on behalf of the customer.

  • Coupa provides full traceability of actions in the SWIFT Setup. 

  • Coupa observes compliance with the CSP Control Token Management regarding the SWIFT Tokens 

The Management of the SWIFT Setup

The processes to secure and maintain tokens on behalf of the customer are regularly part of SWIFT Audits to ensure compliance with the respective controls. 

  • Coupa provides an additional LEFT Security Officer (LSO) and RIGHT Security Officer (RSO).

  • The Security Officers are owners of the respective 

    • Customer Security Officer (CSO) Tokens

    • RMA Tokens

    • Secure Code Cards.

  • Coupa uses generic email addresses for LSO and RSO.

  • Only the LSO and the RSO (or their Backup) have access to their respective email addresses.

  • The configuration of the setup involves a dual approval process.

  • The CSO Tokens, RMA Tokens and Secure Code Cards for the LSO and RSO are stored in separate safes, with access limited to the respective owner and their backup.

  • The backups have permanent access to the corresponding safes containing the tokens and secure cards. 

  • There are processes in place to ensure access to the tokens in case of planned and unplanned absence of the RSO and LSO. 

  • The CSO token passwords, RMA token passwords, and SWIFT.com user passwords are stored in a software-based password manager, and access is granted only to the respective Coupa CSO and backup.

The Tokens and/or Secure Code Cards are only removed from the safes for specific reasons:

  • Renewal of token certifications (without a request from the client).

  • Change of an existing setup at the request of the customer.

  • Support case at the request of the customer.

SWIFT onboarding

During the SWIFT onboarding process, the Coupa Treasury Team will be registered as Customer Security Officers (CSOs).

Once the administrative SWIFT Onboarding is completed, SWIFT sends the Token Box and the Secure Code Cards to the registered CSOs.

SWIFT Services: Independent Assessment in context of the SWIFT Customer Security Programme

Once a year, our SWIFT Services team performs an assessment with our clients.

  • Kick-off meeting with the customer

    • Explaining assessment process and the security controls.

    • Determination of the SWIFT architecture type and the scope of the assessment (e.g. Full or Delta Assessment; Controls in Scope).

  • Provide an assessment guide covering the different controls.

  • Provide relevant documents from SWIFT regarding the SWIFT CSP Programme.

  • Schedule an assessment date with the customer.

  • Review evidence from the customer.

  • Work through the different controls, together with the customer.

  • Prepare and provide: assessment reports, a “letter of completion”, and any further requirements from SWIFT.

  • Support completing the KYC-SA at SWIFT.com, based on the results of the assessment.

Coupa will propose an assessment date taking into consideration the requirements of each customer. Coupa will confirm the assessment date in accordance with the availability of the Coupa assessment team.

Coupa retains the data provided by customers in a secure environment and stores the data as long as the customer has a valid contract with Coupa and for a period of two years after the end of the year in which the contract has ended.

Disclaimer

Coupa provides the assessment based solely on data provided by the customer. The assessment results are based on the documentation and other evidence delivered and provided at a specific time and date by the customer to the Coupa assessment team. As such, the assessment delivers a snapshot of the customer's processes as presented to Coupa and shall not be deemed to be a certification of ongoing compliance or security by the customer.

The ultimate objective of the assessment is to provide customers with reasonable comfort on their compliance with stated CSCF control objectives. Accordingly, Coupa does not assume any warranty or liability with respect to customers being fully compliant with the CSCF control objectives on an operational level at any moment in time.

Glossary

 

  • Backup of Coupa LSO/RSO: A person who is able to take over the role of a Coupa LSO/RSO in case of an absence. Separate Backups are required for the Coupa LSO and RSO.

  • SWIFT Setup: A SWIFT Setup is a functional setup and consists of two Security Officers and the appropriate SWIFT Administrator Tokens.

  • Broken SWIFT Setup: A SWIFT Setup that is not fully functional. This can be due to missing Security Officers or SWIFT Administrator Tokens.

  • CSP: Customer Security Programme

  • Initial Token Password: The Initial Token Password is only required to set up a blank token and cannot be used for a configured token. SWIFT sends this password to the RSO during the onboarding.

  • KYC: Know Your Customer

  • LSO: Left Security Officer

  • LSO Token: Administrator Token that is directly related to the LSO role

  • Password Manager: A password manager is a computer program that allows users to store passwords in an encrypted database and to generate and manage their passwords for local applications and online services.

  • RMA: Relationship Management Application

  • RMA Handshake: An RMA Handshake is required to set up the connection to a bank you want to exchange payment files (MT101) with.

  • RSO: Right Security Officer

  • RSO Token: Administrator Token that is directly related to the RSO role

  • SCC: Secure Code Card. Each of the registered Security Officers receives their own Secure Code Card. It is required to approve certain security-related tasks in the client’s SWIFT Setup.

  • SWIFT: The global provider of secure financial messaging services

  • Token Box: The Token Box contains a total of 10 blank tokens and is sent by SWIFT to the initially registered LSO during the onboarding.
