This document has been prepared to answer Frequently Asked Questions from SWIFT customers about SWIFT's compliance with data protection laws.
Although these FAQs are based on data protection standards applicable in the European Economic Area (EEA), the information contained herein reflects broadly-accepted data protection principles, and may therefore be relevant to all SWIFT customers.
Yes, SWIFT applies state-of-the-art encryption to all data transmitted over its network.
Some of SWIFT's services offer value-added processing features based on message data (for example, message validation in the SWIFTNet FIN service). To allow this processing to be performed, message data is decrypted in SWIFT's central systems, so the message content is in cleartext within those systems while the processing takes place. Message data is then re-encrypted before onward transmission to the beneficiary SWIFT customer.
As set forth in the SWIFT Data Retrieval Policy, 'message data' refers to the internal content of the message or file transfer.
Please refer to the relevant Service Documentation for more information on encryption and value-added processing.
Currently, SWIFT has operating centres (OPCs) in the Netherlands, Switzerland and the US. Message data is processed in one of two zones (see FAQ 1.4).
Because its messaging infrastructure is critical to the smooth operation of the financial markets worldwide, SWIFT is required to protect its network from disruption and against the loss of data.
SWIFT therefore operates two OPCs for each zone and, for those services that offer archival, archives message data simultaneously in each OPC of the relevant zone.
SWIFT's ability to continue its operations despite the loss of an OPC is called 'resilience'. Resilience lies at the heart of SWIFT and is the cornerstone of its customers' trust in its services.
In June 2007, the SWIFT Board of Directors approved, in principle, enhancements to its global messaging architecture. The new architecture leads to a more distributed data processing and storage model in the SWIFT network.
The changes expand SWIFT's messaging capacity and reinforce network resilience, bringing considerable benefits to the SWIFT community as a whole. They improve SWIFT's commercial positioning, are in line with our overall goal of reducing operational costs and prices, and will also allay data protection concerns raised by various data protection authorities.
The re-architecture allows for intra-European traffic to be processed and stored only in Europe.
Countries in the European Economic Area (EEA), Switzerland and other territories and dependencies considered to be part of the European Union or associated with EU countries are assigned to the European (EU) zone and must remain in the EU zone. The United States and its territories are assigned to the Trans-Atlantic (TA) zone and must remain in the TA zone. All other countries are allocated to either the TA or the EU zone in line with operational and technical criteria such as load balancing.
Apart from the countries that have been assigned to a zone by default (such as the US to the TA zone, or the European Economic Area countries to the EU zone), all other countries may request to change zones.
The current country to zone allocation list, as well as more detailed information on the distributed architecture project, are available here.
SWIFT's compliance with data protection laws is documented in its customer documentation. SWIFT has enhanced transparency of both its data processing operations and its compliance with data protection laws in the following documents:
SWIFT offers different financial messaging services, which include SWIFTNet InterAct, SWIFTNet FileAct and SWIFTNet FIN.
Some services offer archival of messages; others do not. The archival periods, if any, for the different services are set forth in the Service Documentation. For example, in the SWIFTNet FIN service, customers can retrieve messages for up to 124 days.
Yes, SWIFT is known for having robust security policies, especially with regard to the protection of message data.
The SWIFT Personal Data Protection Policy explains which security measures protect message data, and how customers can verify SWIFT's compliance with these measures.
For the SWIFTNet and SWIFTNet FIN messaging services, key security commitments are summarised in the SWIFT Security Control Policy.
Yes, an independent, external audit of the SWIFTNet and SWIFTNet FIN messaging services is conducted annually. This audit is conducted in accordance with the guidelines of SAS 70 (Statement on Auditing Standards No. 70). The SAS 70 report is made available to each customer upon written request and under appropriate confidentiality arrangements.
In many countries (such as in the EEA countries), data protection laws prohibit the transfer of personal data to countries that do not offer an "adequate level of data protection", except under certain conditions. SWIFT has joined the Safe Harbor framework to ensure an adequate level of data protection for data transfers to its US OPC. SWIFT's Safe Harbor membership confirms that the personal data processed in its US OPC are protected under similar data protection principles as in the EEA.
SWIFT's adherence to Safe Harbor can be verified on the US Department of Commerce website.
Safe Harbor is a framework that consists of seven data protection principles based on the EU's data protection principles. It allows US organisations to conform to these principles when importing personal data from the EU and from Switzerland.
The adequacy of the U.S.-EU Safe Harbor programme was recognised by EU Commission Decision 2000/520/EC of 26 July 2000. The U.S.-Swiss Safe Harbor Programme negotiated between Switzerland and the U.S. entered into force on 16 February 2009.
SWIFT customers are hereby informed of the need, where required by their applicable data protection laws, to take the following steps:
SWIFT customers may be required to provide notice to their client individuals, including as to (1) the purposes for which personal data are collected by SWIFT customers when used as part of their use of the SWIFT messaging services; (2) how to contact the SWIFT customer with any inquiries or complaints; (3) the types of third parties to whom personal data are disclosed; and (4) the choices and means that individuals are offered for limiting use and disclosure of personal data.
SWIFT customers may be required to allow their client individuals to choose whether their personal data are to be disclosed to a third party (other than a third party acting under the instructions of the customers), or to be used for a purpose that is incompatible with that for which they were originally collected or subsequently authorised.
SWIFT customers may be required to put in place procedures to ensure that message data (which may contain personal data) are reliable for their intended use, accurate, complete, and current.
SWIFT customers may be required to provide individuals with access to their personal data contained in message data under the following procedure:
SWIFT customers may also be required to allow client individuals to correct, amend, and delete their personal data when they are inaccurate.
SWIFT customers are hereby informed of the SWIFT Safe Harbor dispute resolution procedure, which operates as follows: