Shortly after the September 11, 2001 attacks, the U.S. Treasury Department (UST) initiated the Terrorist Finance Tracking Program (TFTP). Under the TFTP, the Treasury Department issues administrative subpoenas for terrorist-related data.
SWIFT's US Operating Center falls under this program and must comply with subpoenas served from time to time by the UST’s Office of Foreign Assets Control (OFAC).
These subpoenas require SWIFT to provide the UST with certain financial transaction records (in the form of SWIFT messages) which are located in SWIFT US Operating Center, to be used exclusively for counterterrorism purposes. The TFTP is ongoing and SWIFT receives from time to time requests to provide data located in the US.
On 28 June 2007, the UST transmitted to the Council Presidency of the European Union and to the European Commission a set of representations that describes the controls and safeguards governing the handling, use and dissemination of subpoenaed data under the TFTP. These controls and safeguards ensure that the subpoenaed data, which are limited in nature, are used strictly for counterterrorism purposes, and that data are retained only for as long as necessary for counterterrorism purposes and that all data are maintained in a secure environment and properly handled.
In December 2008, the Belgian data protection commission (Commission belge de la Protection de la Vie Privée) concluded that SWIFT complied with all applicable Belgian data protection legislation. Read more at SWIFT respects data protection legislation.
In February 2009, the European Commission confirmed that the United States Treasury has from the outset, respected the safeguards in the handling of personal data obtained from SWIFT under subpoena. Read more at Subpoenaed SWIFT message data is adequately protected.
On 1 August 2010, the EU-US Agreement "on the processing and transfer of financial messaging data from the EU to the US for purposes of the Terrorist Finance Tracking Program" has entered into force.
We welcome the fact that this international Agreement offers legal certainty and takes into account the protections and safeguards that SWIFT had obtained in the past.
The Agreement is generic in nature and can apply to any provider of messaging services with operations in Europe and in the US. At this point, SWIFT has been designated in the Agreement and accordingly is subject to legally binding requests to transfer data which are located in its EU Operating Center to the authorities for counter terrorism purposes. It is clear that the authorities have reserved the right to designate other providers.
SEPA data are not in the scope of the EU-US agreement. Since the implementation of SWIFT’s distributed architecture in the beginning of 2010, intra-European messages are only channelled (and archived, where applicable) in SWIFT’s European operational centers and no longer in the US. SEPA messages are typically exchanged between European financial institutions and therefore are normally not processed at SWIFT’s US operations and therefore not subject to subpoenas.
In addition, SEPA payment messages are sent by banks over a messaging service called FileAct, a file transfer service. By design, SEPA files sent over FileAct are not archived by SWIFT and, therefore, cannot be retrieved for purposes of a subpoena.