
SWIFT

Customer Testing Policy

This document provides specific conditions for performance or vulnerability testing of SWIFT services and products
and non-SWIFT services and products. This document covers stress tests, throughput tests, intrusion tests or
penetration tests, and any other types of performance testing or vulnerability testing.

23 June 2017

Table of Contents
Preface
Introduction
1 Vulnerability Testing
1.1 SWIFT software and hardware for which customer testing is permitted
1.2 SWIFT services and products for which customer testing is not permitted
1.3 Customer testing of non-SWIFT services and products
1.4 SWIFT services and products for which customer testing requires SWIFT’s express prior consent
2 Performance Testing
2.1 Stress tests
2.2 FIN stress tests
2.3 Stress tests in CUGs managed by service administrators
3 General Principles for Customer Testing
Legal Notices

Preface
Purpose of this document
This document sets out specific conditions for performance or vulnerability testing of SWIFT
services and products and non-SWIFT services and products. This document covers stress
tests, throughput tests, intrusion tests or penetration tests, and any other types of
performance testing or vulnerability testing.
Customers must not conduct any performance or vulnerability tests on or through SWIFT
services and products unless expressly permitted in this Customer Testing Policy.
This Customer Testing Policy is an integral part of the contractual arrangement between
SWIFT and its customers.
Intended audience
SWIFT intends this document for its customers.
In particular, the following persons should read this document:
• technical experts who operate the SWIFT service
• security experts
• business decision makers who deal with security, risk management, and exposure
management
Related documentation
• SWIFT General Terms and Conditions and other terms and conditions governing the
provision and use of tested SWIFT services and products.
SWIFT-defined terms
This document contains terms that have a specific meaning in the context of SWIFT
documentation (for example, customer, user, or SWIFT services and products).
The definitions of SWIFT-defined terms appear either in this document or in the SWIFT
Glossary. In this document SWIFT differentiates these terms as shown in this example:
SWIFT provides secure, standardised messaging services and interface software to
its customers.

Introduction
Performance and vulnerability testing by SWIFT and customers
SWIFT conducts regular tests to probe the availability, integrity, and confidentiality of SWIFT
services and products. SWIFT typically reports on such tests through SWIFT’s third-party
assurance framework such as SWIFT’s ISAE 3402 type 2 report.
SWIFT understands that, beyond SWIFT’s tests, customers may also wish to conduct
certain performance or vulnerability tests on or through SWIFT services and products.
Because such tests might adversely affect SWIFT’s operations or be indistinguishable from
real threats, customers must not conduct any such test unless expressly permitted in the
SWIFT Customer Testing Policy.
This policy applies to stress tests, throughput tests, intrusion tests or penetration tests, and
any other types of performance testing or vulnerability testing.

1 Vulnerability Testing
1.1 SWIFT software and hardware for which customer testing is permitted
Subject to the conditions set out in this policy or elsewhere in the SWIFT Contractual
Documentation, customers are permitted to perform vulnerability testing on the SWIFT
software and hardware below.
SWIFT software
• Alliance Access, including custom modules built on Alliance Developers Kit (ADK) and
Alliance Access Integration platform (IPLA)
• Alliance Entry
• SWIFT Integration Layer
• Alliance Messaging Hub
• Alliance Gateway
• Alliance Web Platform
• Lite2 AutoClient
• SWIFTNet Link
SWIFT hardware
• Hardware Security Module (HSM) box
• HSM Token
• HSM Card and Card reader
• 3SKey token
Without prejudice to other conditions governing the use of that SWIFT software or hardware
under other SWIFT Contractual Documentation, vulnerability testing on that SWIFT software
and hardware is permitted on the following supplemental conditions only:
• Any vulnerability testing must occur locally without any physical and logical connection
to the SWIFT network.
• Customer must test up-to-date and currently supported versions of software and
hardware only.

1.2 SWIFT services and products for which customer testing is not permitted
Any testing with the intention to probe the security, reliability, and resilience of the following
SWIFT services and products is not permitted:
• Alliance Connect products (Gold, Silver, Silver Plus and Bronze), including the VPN
Boxes deployed at customer’s site and the network connectivity access ports
• Alliance Connect Everywhere, including the wireless router deployed at customer's site
but managed by SWIFT
• SWIFT messaging services and solutions, such as InterAct, FileAct, Browse,
WebAccess, FIN and related copy services such as FINCopy and FINInform, Sanctions
Screening, MIRS
• Business Application services, such as Accord and Trade Services Utility
• Alliance Lite, Alliance Lite2, Alliance Remote Gateway (ARG), SWIFT API (SWAP)

• SWIFT web sites, such as swift.com, and Internet/web based services or applications,
such as SWIFTRef or Sanctions Testing
• The SWIFT Certificate Centre, also known as the "3Skey Portal"
• SWIFT managed network infrastructure
The same restriction applies to all SWIFT systems and infrastructures supporting these
SWIFT services and products.

1.3 Customer testing of non-SWIFT services and products
Customers may also want to test non-SWIFT products and services, such as services and
products supplied by their selected Network Partners, internet access provider, or third-party
software vendors.
While any testing of non-SWIFT products and services must be agreed upon with the
vendor(s) and other third-parties (if any) concerned, customers are permitted to perform
vulnerability testing on non-SWIFT products and services on the following supplemental
conditions only:
• Any vulnerability testing of non-SWIFT products and services must occur without any
physical or logical connection to the SWIFT network.
• Any vulnerability testing of the M-CPE (Managed Customer-Premises Equipment)
supplied by the Network Partners is prohibited.

1.4 SWIFT services and products for which customer testing requires SWIFT’s express prior consent
Any vulnerability testing not expressly covered in the previous sections requires SWIFT’s
express prior written consent.
This applies to, for example, vulnerability testing of third-party services or platforms
accessible via SWIFT’s Browse service, organised by the service provider itself.
Any such testing may be subject to supplemental conditions including (without limitation)
fees.
Customers willing to perform any such vulnerability testing must seek SWIFT’s consent by
contacting the SWIFT Customer Support Centre. Customers willing to perform vulnerability
testing of a third-party service or platform via SWIFT services and products must first agree with
that third party on the conditions for any such testing before contacting SWIFT.

2 Performance Testing
2.1 Stress tests
Stress tests on SWIFT messaging services must be carefully planned.
Except for limited FIN stress tests (see section 2.2), customers must always seek SWIFT’s
express approval to perform any stress tests on SWIFT messaging services and solutions,
such as InterAct, FileAct, Browse, WebAccess, FIN and related copy services (such as
FINCopy and FINInform), Sanctions Screening, MIRS and SWIFT gpi.
More information about the process to request such approval is available in the Knowledge
Base tip 2008531.

2.2 FIN stress tests
Individual and global stress testing
If a customer plans to test volumes of more than 20,000 FIN messages per hour
between Monday 00:01 GMT and Friday 23:59 GMT or of more than 100,000 FIN
messages per hour between Saturday 00:00 GMT and Monday 00:00 GMT, then it
must plan these tests beforehand and it must request approval from SWIFT following
the process described in Knowledge Base tip 2008531.

Important: If a customer plans to perform throughput tests using FINCopy, then all MT 096,
MT 097, and MT 012 must be included in the total number of messages.

2.3 Stress tests in CUGs managed by service administrators
There are two types of stress tests in CUGs managed by service administrators, as follows:
• Individual and global stress testing
As part of its test and training qualification, a service administrator may request
participants to prove that they can achieve their respective peak hour throughput. The
service administrator plans and runs these tests at its best convenience. Participant
stress tests must also respect the rules about peak message volumes at the service
administrator level, as defined in the SWIFTNet Messaging Operations Guide.
• Global system stress testing
This means that all participants are testing the service's peak hour throughput.
Depending on the volumes, this can have a significant impact on the SWIFT network
(especially at the service administrator level).
In addition to SWIFT’s approval (see section 2.1), participants and service administrators
must agree with SWIFT before performing any stress tests in CUGs managed by service
administrators.

3 General Principles for Customer Testing
Without prejudice to any other conditions governing the provision and use of the tested
SWIFT services and products under other SWIFT Contractual Documentation, any customer
testing is subject to the following conditions:
• In the same way as the right to use SWIFT services and products, any right to test
SWIFT services and products is personal to the customer duly authorised to use the
SWIFT services and products to be tested;
• If the customer ever decides to delegate or sub-contract to a third party the exercise of
its testing rights or the performance of any obligations under this Customer Testing
Policy and other applicable SWIFT Contractual Documentation, it does so at its own risk
and must ensure that the scope of rights granted to any such third party does not
exceed those granted to it under this policy or other applicable SWIFT Contractual
Documentation. The customer that delegates or sub-contracts to a third party the
exercise of its testing rights or the performance of any obligations under this Customer
Testing Policy and other applicable SWIFT Contractual Documentation remains fully
responsible to SWIFT for the performance and observance by any such third party of
any obligations applicable to it;
• Any customer testing is at the customer’s own risk and expense;
• Any reverse engineering or any other attempt to access or change the software code,
or any physical tampering with hardware, is not permitted;
• The customer must perform a full reinstallation on re-initialised systems before
connecting to the SWIFT network and using SWIFT services and products;
• The customer must not initiate any customer testing before having successfully backed
up all relevant configuration and databases;
• SWIFT reserves the right to suspend or terminate at any time the provision or use of
SWIFT services and products to prevent or mitigate any adverse effect of customer
testing on the security, reliability, or resilience of SWIFT services and products;
• SWIFT support does not cover customer testing activities; and
• If customers believe that they have identified a potential performance or vulnerability
threat, then they must immediately inform SWIFT thereof and treat all related
information, data, or materials as SWIFT confidential information.
In order to facilitate further investigation by SWIFT, customers are expected to provide
the following information:
− product version(s)
− queries sent to the application and how such queries were generated
− results of the queries / screenshots
− impact as perceived by the customer and recommendations (if any) to address
such impact
This information must be communicated to SWIFT via the Customer Support Centre.

Legal Notices
Copyright
SWIFT © 2017. All rights reserved.

Restricted Distribution
Do not distribute this publication outside your organisation unless your subscription or order expressly grants you
that right, in which case ensure you comply with any other applicable conditions.

Disclaimer
SWIFT supplies this publication for information purposes only. The information in this publication may change from
time to time. You must always refer to the latest available version.

Translations
The English version of SWIFT documentation is the only official and binding version.

Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: the SWIFT logo,
SWIFT, SWIFTNet, Accord, Sibos, 3SKey, Innotribe, the Standards Forum logo, MyStandards, and SWIFT Institute.
Other product, service, or company names in this publication are trade names, trademarks, or registered trademarks
of their respective owners.
