By invitation, Blanche Petre, General Counsel SWIFT, today testified before the EU Parliament's LIBE Committee (Civil Liberties, Justice and Home Affairs Committee), together with EU Commissioner Malmström and the Director of Europol Rob Wainwright.
Statement made by Blanche Petre, General Counsel, SWIFT
Thank you for giving me the opportunity to speak before the Committee today. SWIFT takes its data protection responsibilities very seriously and recognises the Committee's important work on data protection. As a company that is focused on security and data protection, we share the concerns of the European Parliament, support its work and are happy to cooperate to the fullest extent possible.
SWIFT is a private mid-sized European company headquartered near Brussels. We were created in 1973 as a cooperative to replace the telex and to facilitate the secure exchange of financial messages; security is still, forty years on, core to our mission. Integrity and the confidentiality of our customers' data has always been our highest priority.
Our key function is to act as a global messaging intermediary between financial institutions. We are not a bank. Private individuals do not have access to, or any direct relationship with, SWIFT. We do not hold money, accounts or assets of any customers. We are not a clearing or settlement system.
Today, our company provides secure, standardised messaging services to more than 10,000 financial institutions and corporates in 212 nations. In addition, SWIFT is a standardisation body, and in this capacity also issues message templates or "standards" which enable automation and straight through processing. These standards have been widely adopted and are used both on and off the SWIFT messaging system.
At SWIFT, we operate our services to the highest data protection and security standards. Data protection is key to what we do - maintaining the confidentiality, integrity and availability of our message data and related systems. For this, we invest heavily both in security and in resiliency. Given the objectives of this hearing, I will focus today on the security aspects.
SWIFT has zero tolerance for confidentiality or integrity incidents. Security is at the center of our activities and is of utmost importance to our customers. We continually reinvest in our protections to ensure we are fit for purpose and fully prepared in what we know is a continually evolving threat landscape. We are not complacent.
SWIFT's objectives relating to the security of its messaging services are clearly defined and policies are rigorously followed. To achieve our objectives, messages and data flows are encrypted; logical security and physical security requirements have been identified, implemented and are continuously monitored to ensure continued effectiveness.
Throughout the conception, design, implementation and deployment of our services and systems, security is SWIFT's paramount consideration. To that end, our business people, security engineers and architects work closely together to deliver a defensive security architecture for our critical systems and services.
- The design and deployment of our systems is based on multiple layers of state-of-the-art encryption technology;
- We rely on internationally recognised cryptographic standards with long key lengths;
- We also benefit from home grown cryptographic technologies that are regularly vetted by renowned cryptographic experts;
- Customers’ data "at rest" is encrypted and authenticated to prevent unauthorised access by, or injection of data from, internal or external threats;
- Our security architecture is not based on external parties, such as customer, telecommunication or other service providers;
- We subject our internally-developed software to code reviews, by peers and external experts, as well as by using automated tools.
Throughout the system life cycle, including operations and retirement, we ensure integrity of our systems. We have a structured and tiered internal network infrastructure which ensures that servers and data are shielded away from threats, whether internal or external; we isolate our network from the pure Internet; we restrict all external network accesses and we strictly segregate internal duties. We also impose tight network controls and operate on strong security baselines.
We have also deployed a set of deterrence and detective controls, including: intrusion-detection systems and protected logging; application-specific correlation capabilities and network behaviour analysis tools.
Next, in the hypothetical case of an incident, we have developed reaction, recovery and crisis management practices that explicitly cover integrity and confidentiality breaches.
In order to strengthen management assurance on the effectiveness of our security controls, SWIFT also has an intrusion-testing programme (including logical and physical security, as well as social engineering aspects) and a process in place to help ensure that findings are prioritised so that appropriate and timely actions are taken accordingly. This programme covers all exposed components of the service delivery, from network to application level.
SWIFT has defined strict guidelines for the maintenance, repair and disposal of equipment or media such as computers with hard disks, disk units, and other storage media to ensure that data cannot be recovered.
We also have rigorous staff vetting procedures, which include background screening and reference checking and maintain security awareness through on-going training and communication programmes.
Finally, physical access. Physical access to our premises, computer equipment, data storage and resources is restricted. The SWIFT operating centres (OPCs) are designed to house mission-critical computer operations. Physical security controls are in place to prevent, deter, detect and delay penetration. The perimeters around the OPCs are enclosed, guarded and monitored. Access tokens and associated Personal Identification Numbers or Biometrics exist for doors and provide audit trails of access to computer floors.
SWIFT’s commitment to providing solutions which meet our customers’ data protection and security requirements remains the linchpin of our offering.
Cyber threats and available solutions are an ever evolving landscape. SWIFT continuously monitors threats, vulnerabilities and incidents that are reported through public or other channels. When relevant, the outcome of our thorough assessments is used to boost our cyber investments.
We also work closely with our peers and participate in market and country-level cyber exercises in order to benchmark our practices.
Oversight of SWIFT’s Security
SWIFT plays a vital role in supporting the daily operations of its customers, so it is critical that we ensure that security, technical infrastructure and operational objectives are met at all times. For this reason we are subject to a number of complementary reviews and assessments.
Most importantly, SWIFT is overseen by the central banks of the G-10 under a system of cooperative oversight. The National Bank of Belgium (NBB) is the lead overseer as SWIFT is incorporated in Belgium. The ECB is also part of this oversight framework. One of the key oversight objectives is to ensure that SWIFT has the appropriate processes, procedures and technical controls in place to ensure its customers’ data is appropriately protected.
We additionally subject ourselves to independent external reviews. We are assessed by external auditors annually in compliance with the International Standard On Assurance Engagements (ISAE) 3402 established by the International Auditing and Assurance Standards Board (IAASB). This is the internationally recognised industry standard that enables service providers like SWIFT to obtain independent assurance on their control objectives and processes, including data protection.
Finally, SWIFT’s security is subject to review by our internal Audit department, which has a direct reporting line to the Board.
Further to recent allegations in the press and to the questions raised by the committee, we have no evidence to suggest that there has ever been any unauthorised access to our systems or our data. You can be assured that we constantly monitor cyber-security threats, and whenever we believe there is any risk to the security of our services, you can be sure we investigate very thoroughly and take whatever actions we deem appropriate to mitigate the risk.
SWIFT and Data Requests
As a private company, SWIFT is not immune from lawful requests by authorities. In 1993 SWIFT developed a policy for compliance with requests from authorities. This compliance policy was communicated by our SWIFT Board to all our customers and has since been incorporated in our User Hand Book, which is the official contract between ourselves and all our users.
Our policy clearly states that while SWIFT takes all necessary measures to ensure the highest degree of data protection, integrity and confidentiality for the data that we transport, we have to comply with legally binding requests for data issued by competent authorities. In such cases, we can be compelled to provide data to these authorities but we would do so respecting any relevant agreements, would seek to protect our customers’ data to the largest extent possible and would inform our customers unless this were prohibited by law. This has always and will always be the policy of SWIFT, as shown by the outcome of the Belgian Privacy Commission’s investigation in the period 2006-2008. The above policy is well understood by our customers, since, as financial institutions, they face similar obligations.
Additionally, authorities seeking financial transaction information can and do obtain this directly from the financial institutions they supervise – including such institutions’ related messages sent in the SWIFT formats, whether sent over the SWIFT system or through other communications channels.
As you know there is a programme in place governed by the EU-US TFTP agreement which obliges us to periodically provide certain message data to the US Treasury. There are strong safeguards in place to ensure that this arrangement is limited in scope; that the principles of necessity and proportionality are respected, that the data is protected, that searches are targeted, that Europol verifies each EU data request, that onward transfers are limited, that the process is audited and that it is constantly overseen and periodically reviewed.
- EUROPOL is involved in verifying the US Treasury’s requests for EU data and receives a copy of each request directly from the US Treasury. SWIFT must first receive Europol’s confirmation to comply with the US Treasury request to turn over any EU data.
- The two EU-U.S. joint review reports on the implementation of the TFTP agreement, which were issued based on the agreement in 2011 and 2012 respectively, generally concluded that the data protection provisions of the agreement have been well implemented, that the independent oversight and audit practices inspire significant confidence, that the safeguards are in fact respected, and that Europol is accomplishing its tasks pursuant to the agreement.
- The 2008 and 2010 reports of Judge Jean-Louis Bruguière, who was appointed as an independent "Eminent European person" by the European Commission, concluded that the US Treasury complies with the stringent privacy safeguards set out in the TFTP Representations (i.e., UST’s 2007 commitment to privacy safeguards prior to the adoption of the EU-US TFTP agreement).
Additionally, SWIFT has instituted controls to ensure, to the fullest extent possible, that the limitations and protections of the programme are respected, and that searches of the data are targeted exclusively for the purposes described in the TFTP agreement.
Like the EU, SWIFT has representatives on site who review every query that is made. They can stop any query in real time if they are not satisfied that it meets with the stipulated criteria. Moreover, SWIFT has commissioned an external independent auditor to provide assurance that the protections and conditions are fully adhered to, all under best practice audit standards. They review the search records and give SWIFT the assurance that the data has only been viewed and used for the agreed purposes. These auditors, as well as SWIFT’s internal auditors, review the end-to-end security of the system and provide us with the assurance that the data has been protected from unauthorised access.
These data protections and controls have been recognised by the Belgian Privacy Commission and by the European Working Party 29 after a thorough review of SWIFT’s compliance with the mandatory requests.
Finally, under the terms of the EU-US TFTP Agreement, the conditions under which the onward transfer of extracted data can be made are strictly limited. For instance:
- the information that can be shared must have been extracted as a result of an individualised search;
- such information can only be shared with law enforcement, public security, or counter terrorism authorities;
- the information can only be shared for lead purposes for the exclusive purpose of the investigation, detection, prevention, or prosecution of terrorism or its financing.
By way of conclusion, be assured we have no evidence to suggest that there has ever been any unauthorised access to our system or our data. For actors like SWIFT, data protection is critical. Trust in the system is everything; our community depends on SWIFT’s ability to protect its data. Similarly, legal certainty is of vital importance. We must, and do, comply with the law. We are based in the EU, but our activity is global and we operate in a competitive landscape; we cannot be faced with conflicting laws and be "caught in the middle". We appreciate the effort that European lawmakers undertake to ensure appropriate data protections are in place and to provide companies such as SWIFT with a legal framework that allows us to fulfil our core mission of providing a secure messaging service.
We look forward to continuing our dialogue with the Committee Chair and members, and thank you for your attention.