Frequently Asked Questions
This document has been prepared to answer Frequently Asked Questions from SWIFT customers about SWIFT's compliance with data protection laws.
Although these FAQs are based on data protection standards applicable in the European Economic Area (EEA), the information contained herein reflects broadly accepted data protection principles and may therefore be relevant to all SWIFT customers.
1 SWIFT data processing operations
1.1 Does SWIFT encrypt data on its network?
Yes, SWIFT applies state-of-the-art encryption to all data transmitted over its network.
Some of SWIFT's services offer value-added processing features based on message data (for example message validation in the SWIFTNet FIN service). Message data is decrypted in SWIFT's central systems, thus allowing the value-added processing to be performed. Message data is then re-encrypted before further transmission to the beneficiary SWIFT customer.
As set forth in the SWIFT Data Retrieval Policy, 'message data' refers to the internal content of the message or file transfer.
Please refer to the relevant Service Documentation for more information on encryption and value-added processing.
1.2 Where are the SWIFT Operating Centres located?
Currently, SWIFT has operating centres (OPCs) in the Netherlands, Switzerland and the US. Message data is processed in one of two zones (see FAQ 1.4).
1.3 Why does SWIFT mirror data in different OPCs?
Because its messaging infrastructure is critical to the smooth operation of the financial markets worldwide, SWIFT is required to protect its network from disruption and against the loss of data.
SWIFT therefore operates two OPCs for each zone and, for those services that offer archival, archives message data simultaneously in each OPC of the relevant zone.
SWIFT's ability to continue its operations despite the loss of an OPC is called 'resilience'. Resilience lies at the heart of SWIFT and is the cornerstone of its customers' trust in its services.
1.4 Why is SWIFT changing its network architecture?
In June 2007, the SWIFT Board of Directors approved, in principle, enhancements to its global messaging architecture. The new architecture leads to a more distributed data processing and storage model in the SWIFT network.
The changes expand SWIFT's messaging capacity and reinforce network resilience, bringing considerable benefits to the SWIFT community as a whole. They improve SWIFT's commercial positioning, are in line with our overall goal of reducing operational costs and prices, and will also allay data protection concerns raised by various data protection authorities.
The re-architecture allows for intra-European traffic to be processed and stored only in Europe.
Countries in the European Economic Area (EEA), Switzerland and other territories and dependencies considered to be part of the European Union or associated with EU countries are assigned to the European zone and must remain in the EU zone. The United States and its territories are assigned to the Trans-Atlantic zone and must remain in the TA zone. All other countries are allocated to either the TA or the EU zone in line with operational and technical criteria such as load balancing.
Apart from the countries that have been assigned to a zone by default, such as the US to the TA zone, or European Economic Area countries to the EU zone, all other countries may request to change zones.
The current country to zone allocation list, as well as more detailed information on the distributed architecture project, are available here.
2 Data protection related matters
2.1 How does SWIFT document its compliance with data protection laws?
SWIFT's compliance with data protection laws is documented in its customer documentation. SWIFT has enhanced transparency of both its data processing operations and its compliance with data protection laws in the following documents:
- the SWIFT General Terms and Conditions set out SWIFT's confidentiality obligations.
- the SWIFT Data Retrieval Policy sets out SWIFT's policy on the retrieval, use, and disclosure of message and traffic data.
- the SWIFT Personal Data Protection Policy sets out the roles and responsibilities of SWIFT and its customers with regard to the processing of personal data.
- the SWIFT Safe Harbor Policy provides an adequate level of protection for SWIFT's mirroring of data in its US OPC.
- other relevant Service Documentation provides more information on how the different SWIFT messaging services work and on the security measures used by SWIFT to protect data.
2.2 How long does SWIFT keep data?
SWIFT offers different financial messaging services, which include SWIFTNet InterAct, SWIFTNet FileAct and SWIFTNet FIN.
Some services offer archival of messages; others do not. The archival periods, if any, for the different services are set forth in the Service Documentation. For example, in the SWIFTNet FIN service, customers can retrieve messages for up to 124 days.
2.3 Does SWIFT have security policies?
Yes, SWIFT is known for having robust security policies, especially with regard to the protection of message data.
The SWIFT Personal Data Protection Policy explains which security measures protect message data, and how customers can verify SWIFT's compliance with these measures.
For the SWIFTNet and SWIFTNet FIN messaging services, key security commitments are summarised in the SWIFT Security Control Policy.
2.4 Does SWIFT audit these security measures?
Yes, an independent, external audit of the SWIFTNet and SWIFTNet FIN messaging services is conducted annually. This audit is conducted in accordance with the guidelines stated in the ISAE 3402 statement of auditing standards. The ISAE 3402 report is made available to each customer upon written request and under appropriate confidentiality arrangements.
2.5 How does SWIFT ensure adequate data protection in its US OPC?
In many countries (such as in the EEA countries), data protection laws prohibit the transfer of personal data to countries that do not offer an "adequate level of data protection", except under certain conditions. SWIFT has joined the Safe Harbor framework to ensure an adequate level of data protection for data transfers to its US OPC. SWIFT's Safe Harbor membership confirms that the personal data processed in its US OPC are protected under similar data protection principles as in the EEA.
SWIFT's adherence to Safe Harbor can be verified on the US Department of Commerce website.
2.6 What is Safe Harbor?
Safe Harbor is a framework that consists of seven data protection principles based on the EU's data protection principles. It allows US organisations to conform to these principles when importing personal data from the EU and from Switzerland.
The adequacy of the U.S.-EU Safe Harbor program was recognized by EU Commission Decision 2000/520/EC of 26 July 2000. The U.S.-Swiss Safe Harbor Program negotiated between Switzerland and the U.S. entered into force on 16 February 2009.
2.7 What is relevant for SWIFT customers in the SWIFT Safe Harbor Policy?
SWIFT customers are hereby informed of the need, where required by their applicable data protection laws, to take the following steps:
- SWIFT customers may be required to provide notice to their client individuals, including as to (1) the purposes for which personal data are collected by SWIFT customers when used as part of their use of the SWIFT messaging services; (2) how to contact the SWIFT customer with any inquiries or complaints; (3) the types of third parties to whom personal data are disclosed; and (4) the choices and means that individuals are offered for limiting use and disclosure of personal data.
- SWIFT customers may be required to allow their client individuals to choose whether their personal data are to be disclosed to a third party (other than a third party acting under the instructions of the customers), or to be used for a purpose that is incompatible with that for which it was originally collected or subsequently authorized.
- SWIFT customers may be required to put in place procedures to ensure that message data (which may contain personal data) are reliable for their intended use, accurate, complete, and current.
- SWIFT customers may be required to provide individuals with access to their personal data contained in message data under the following procedure:
  - A query should first be directed to the SWIFT customer (typically the individual's bank) that originally collected the individual's data. When required by customers, SWIFT will provide them with the necessary assistance in handling this query.
  - When the individual is unable to contact the customer, or does not obtain a response from the customer, SWIFT will provide the necessary assistance in forwarding the individual's access request to the customer.
- SWIFT customers may also be required to allow client individuals to correct, amend, and delete their personal data when they are inaccurate.
DISPUTE RESOLUTION AND ENFORCEMENT
SWIFT customers are hereby informed of the SWIFT Safe Harbor dispute resolution procedure, which operates as follows:
- The individual should first contact the SWIFT customer (typically the individual's bank) that originally collected the data, and use the customer's relevant dispute resolution mechanism (if available). SWIFT will participate in this mechanism at the request of the customer or the individual.
- If the individual is still dissatisfied, the matter may be submitted to the Judicial Arbitration and Mediation Services Inc. (JAMS), a mediation provider, for mediation under the JAMS International Mediation Rules (the 'Rules'), which are accessible on the JAMS website. Mediation may be commenced as provided for in the Rules, and shall be conducted using electronic communications mechanisms such as telephone, e-mail, and Internet. The mediator may propose any appropriate remedy, such as publicity for findings of non-compliance, the payment of compensation for losses incurred as a result of non-compliance, or the cessation of processing of the personal data of the individual who has brought the complaint. SWIFT will assume the costs of administrative fees (as referred to in paragraph 14 of the Rules) if the mediator makes a written recommendation that finds SWIFT to be in breach of its duties under Safe Harbor. However, SWIFT need not take any action which would conflict with national security, public interest, or law enforcement requirements applicable to SWIFT.
- The mediator or the individual may also refer the matter to the US Federal Trade Commission (FTC), which has legal jurisdiction over SWIFT. The FTC may be contacted here.