SWIFT CEO Lázaro Campos told EU Parliamentarians today, "whatever the outcome of the current discussions about the use of data for counter-terrorism purposes, what we must not jeopardize are the protections which exist today for citizens' data, the certainty of the legal framework within which companies operate and the commercial level playing field." Mr Campos was also keen to emphasise that the debate is not about SWIFT, but about how Europe plans to cooperate with the US for counter-terrorism purposes. "SWIFT is affected by this debate but should not be singled out nor treated differently from any other European company," said Mr Campos.
Mr Campos was speaking at a joint hearing of the EU's LIBE and ECON committees on a new interim agreement under which the US will gain access to European financial messaging data necessary to the US Treasury Department's (UST) Terrorist Finance Tracking Program. The agreement may apply to SWIFT message data located in Europe.
"In the case of the US Treasury subpoenas, SWIFT established protections for the subpoenaed data, protections which have been recognised as ground breaking - and are now cited as best practice", said Mr Campos. "In the case of a new arrangement between the EU and US, these safeguards must not be compromised."
"While acknowledging that decisions on the appropriate balance between security and protection of citizens' data must be the outcome of the political debate, one must not lose sight of the legitimate interests of private companies and the customers they serve in the process", said Mr Campos. "We understand and agree that the private sector - and SWIFT is not an exception - must co-operate with the public sector in that endeavour. In turn, we expect the public sector to support the private sector by providing legal certainty and immunity. In today's competitive landscape and challenging economic environment, it is necessary to have a level playing field for all financial network and messaging providers."
Today, SWIFT data subpoenaed by the UST for anti-terrorism purposes is limited and protected: searches are targeted, independently audited and monitored. Mr Campos concluded that whatever the outcome of the current debate, these safeguards must remain in place.
During the hearing, European politicians and authorities echoed SWIFT’s calls for legal certainty and a robust European data protection framework that does not compromise SWIFT’s existing safeguards.
Lázaro Campos, CEO, SWIFT
Statement made at the LIBE-ECON hearing at the European Parliament on Thursday 3 September 2009
I would like to start by thanking the Chairs of the Committees for their invitation to participate in today’s meeting.
I note that the title of today’s discussion focuses on proposals for an EU-US agreement because of a new SWIFT architecture. However, I would highlight at the outset that today’s debate is not about SWIFT, it is about how Europe plans to cooperate with the US for counter-terrorism purposes. SWIFT is affected by this debate but should not be singled out nor treated differently from any other European company.
The matters we are discussing are of universal importance. They affect all European citizens, European companies, as well as the European and global financial system.
We of course welcome the opportunity to share SWIFT’s perspective with you today.
We understand that the European authorities would like to co-operate with the US Treasury in the fight against terrorism and share information stored in the European Union, including SWIFT data. We also understand that the implementation of SWIFT’s new system architecture has been the catalyst for the current EU negotiations with the US. This new system architecture, which will go live by the end of this year, was announced back in June 2007 as part of a set of measures to increase system capacity, improve system resilience, respond to customer requirements, whilst responding to data privacy concerns in the EU. By now, the representations made by SWIFT on that occasion and the additional measures taken since have been endorsed by the public authorities, the Working Party 29, the Belgian Data Privacy Commission and the Eminent person appointed by the Commission.
SWIFT also understands the obligation of our public authorities to strike the right balance between privacy concerns and the needs of national security.
Within the limits of a private company, SWIFT has always sought to take all possible actions to uphold these objectives.
SWIFT is a key infrastructure in the financial system, providing the messaging network at the heart of today’s payments and securities clearing and settlement infrastructure. SWIFT underpins the global financial system – ensuring the much needed systemic resilience and security for financial messaging. This has never been more important than during this time of turbulence in our financial system.
Whatever the outcome of the current discussions about the use of data for counter-terrorism purposes, what we must not jeopardize are:
- The protections which exist today for citizens’ data
- The certainty of the legal framework within which companies operate
- The commercial level playing field and the competitive position of European companies, including SWIFT.
As already mentioned, SWIFT is a private member-owned cooperative connecting nearly 9,000 banking organisations, central banks, clearing and settlement infrastructures, securities institutions and corporates in 209 countries worldwide. SWIFT is also overseen by the central banks of the G10 countries.
Maintaining the availability, confidentiality and integrity of our messaging data is at the core of our business. For this, we invest heavily in security and resilience. Today, we simultaneously back up data transmitted across our network in two operating centres, in two different continents – one in Europe and the second in the US. We do this to counter systemic risk and maintain availability of our services under the harshest doomsday scenarios. Under the new system architecture referred to earlier, we will improve this with a third operating centre in Switzerland and create two SWIFT processing zones, one in the US and one in the EU. This split into two processing zones will allow us to maintain intra-European data in Europe. This is completely in line with European data privacy concerns. This option has also been given to other (non-EU) countries and they can choose the zone to which they will connect.
You will recall that the last occasion in which SWIFT participated in a joint hearing of the committees was in October 2006. On that occasion, the discussion concerned the mandatory US Treasury subpoenas for data held in SWIFT’s US operating centre. Today, almost three years later, we are here to discuss EU proposals to establish a mechanism to subpoena data in support of the same US Treasury programme.
We expect that the same principles of robust protection for customer data and the need to ensure legal certainty for private companies will continue to be respected.
Safeguards established to secure data
In the case of the US Treasury subpoenas, you will recall that SWIFT established protections for the subpoenaed data. Protections that have been recognised as groundbreaking – and are now cited as best practice.
- Limited Scope: Not all SWIFT message data are subject to subpoena. For example batches and large files such as SEPA-related transactions are out of scope
- Protected: The data is held in a separate, secure and highly confidential environment
- Targeted: The US Treasury does not have access to all of SWIFT’s data nor can it simply browse through the subpoenaed data. The US Treasury can only see data in response to targeted searches in the context of specific ongoing terrorism investigations
- Audited and overseen: The process and protections are monitored in real time by SWIFT staff and checked by an independent audit firm contracted by SWIFT
In the case of a new arrangement between the EU and US, these safeguards must not be compromised.
Since we last exchanged views on this issue, a further development has been the confirmation by the Belgian Data Privacy Commission of the legality of SWIFT’s actions with respect to our processing of data in general and with respect to our response to the US subpoenas. We welcome the confirmation of the legal basis upon which we acted. We appreciate the clarification of the responsibilities of the different stakeholders in the processing of personal data and we have noted with interest their call to set up European mechanisms to assist private companies in situations similar to SWIFT.
As stated at the beginning of my intervention, we acknowledge the imperative of the public authorities to strike the appropriate balance between anti-terrorism policy and data protection.
We understand and agree that the private sector – and SWIFT is not an exception - must co-operate with the public sector in that endeavour. In turn, we expect the public sector to support the private sector by providing legal certainty and immunity.
In today’s competitive landscape and challenging economic environment, it is necessary to have a level playing field for all financial network and messaging providers. All companies competing in this space should be subject to the same treatment by the public authorities. SWIFT’s customers all over the world, including central banks and clearing and settlement institutions, must maintain their confidence in us being the highly secure and reliable financial messaging network and critical infrastructure they have trusted since its creation in 1973.
This agreement should not affect SWIFT’s competitive position.
Today, SWIFT data subpoenaed by the US Treasury for anti-terrorism purposes is limited and protected: searches are targeted, independently audited and monitored. With the measures that we have taken over the last three years, we have further improved the protection of our customers’ personal data and our new system architecture is a key component of such improvement. Let us ensure that these safeguards and protections remain intact at the end of the current debate.
And I look forward to the date when these matters are handled by international regulation and private companies like SWIFT are not caught in the middle.
New challenges require new solutions. However, the principles of robust data protection and legal certainty must remain constant.
History of United States Treasury Department's access to SWIFT messaging data
SWIFT responds to data privacy concerns
After the September 11, 2001 attacks SWIFT responded to compulsory subpoenas for data for the purpose of terrorism investigations from the United States Department of the Treasury (UST). SWIFT is subject to lawful subpoenas in the United States because it has substantial business and operations there, including data storage.
SWIFT negotiated with the UST over the scope and oversight of the subpoenas to protect the confidentiality of its members' data and obtained extraordinary protections and assurances as to the purpose, confidentiality, oversight and control of limited sets of data produced under the subpoenas. These protections ensure that only a limited set of data is accessed, and for the sole purpose of supporting ongoing investigations into terrorism financing under the UST's Terrorist Finance Tracking Program.
The New York Times revealed the programme in June 2006, which led to interpretation issues surrounding Belgian and European data privacy laws and US counter-terrorism laws.
After an in-depth investigation, the Belgian Data Privacy Commission, in consultation with Europe's data privacy Working Party 29 (WP29), concluded in December 2008 that SWIFT was obliged to comply with lawful subpoenas in the United States. It issued a revised opinion and concluded that there was no evidence to challenge SWIFT's actions. It also praised SWIFT on the precautions it took when responding to the subpoenas, namely that SWIFT data are used exclusively for counter-terrorism purposes; that the Treasury ensures that subpoenas are narrowly focused; that searches against the TFTP database are targeted and designed to minimise extraction of data; that appropriate measures are in place to identify and delete data which are no longer considered necessary for the fight against terrorism; and that necessary physical and logical systems exist to ensure the security of subpoenaed data.
In 2008, the European Commission designated Judge Jean-Louis Bruguière to review these controls. In January 2009, Judge Bruguière recognised that SWIFT had obtained extraordinary safeguards and reported that the UST has been vigilant from the outset in respecting these, and notably the strict counter-terrorism limitation.
Moreover, the Commission expressed satisfaction with additional measures SWIFT took to ensure the protection of personal data contained in messages processed by its messaging services.
From its inception, SWIFT has taken all possible measures to protect the security and confidentiality of its customers' data while ensuring that its network and services offer the highest levels of reliability and resilience. As part of this commitment, two years ago, it announced the implementation of a new distributed system architecture and the addition of an Operating Centre in Switzerland, by the end of 2009. Both projects are on schedule.