Compliance with subpoenas is legal, limited, targeted, protected, audited and overseen
On 23 June 2006, a number of US newspapers published stories about the US government’s ongoing terrorist investigations and the role of SWIFT. On the same day, SWIFT posted a formal statement on www.swift.com. Since then we have been working actively to keep our Board, membership, overseers and staff informed of our activities. We have also been responding to questions from other stakeholders including media, politicians, concerned individuals, and interested NGOs.
SWIFT remains committed to cooperating with public authorities currently undertaking reviews of SWIFT's compliance with subpoenas. We have provided comprehensive responses to these reviews and are currently in the process of meeting with national data privacy commissions, including the Belgian Data Privacy Commission, and the EU data privacy advisory group, the Article 29 Working Party. Findings from the first of these public reviews, being undertaken by the Belgian Data Privacy Commission, are expected by October.
As we wrote in our 23 June statement, SWIFT’s fundamental principle has been to preserve the confidentiality of our users’ data while complying with the lawful obligations in countries where we operate. Striking that balance has guided SWIFT through this process. SWIFT values the trust that our members have placed in us for more than 30 years, and we will continue to work vigorously to protect and maintain that confidence.
The Questions and Answers (Q&A) below aim to address key questions raised since our first formal statement in late June.
Do the US authorities have unlimited access to data held by SWIFT?
No. The United States Department of the Treasury (UST) subpoenas to SWIFT are only for a limited set of data and for the exclusive purpose of terrorism investigations and for no other purpose.
Can the data be used for any purpose?
No. Important restrictions apply to how the UST can access and use the data. The UST cannot simply browse through the data. They are only allowed to see data that is responsive to targeted searches in the context of a specific terrorism investigation. Data searches must be based only on persons, entities or related information with an identified connection to an ongoing terrorism investigation or other intelligence that the target is connected to terrorism.
The UST cannot search the data for any other purpose such as ‘economic espionage’ or for evidence of any non-terrorist related crimes such as tax evasion, money laundering or any other criminal activity. As a result, the UST accesses only a minute fraction of the data that SWIFT is required to provide. A record is made of every single search.
How can you be sure the data is not misused?
SWIFT is aware of the concern that any system is subject to potential abuse. That is why SWIFT has obtained substantial audit mechanisms which provide extremely high assurance that access to the data is limited exclusively to ongoing terrorism investigations. SWIFT has internal auditors on site who review every query. External auditors are also commissioned to provide additional assurance that all the protections and conditions are fully adhered to. Via these mechanisms, SWIFT maintains virtual control over its subpoenaed data.
How is the data protected?
SWIFT cares deeply about the privacy of its data, including its subpoenaed data. SWIFT has obtained safeguards, which it audits, to ensure that the subpoenaed data is stored in an extremely secure environment and is treated with the highest security and confidentiality.
What was the legal basis for complying with the subpoenas?
SWIFT has complied with lawful compulsory subpoenas issued by the UST. These are fully consistent with US laws, which date back to at least the 1970’s, and with SWIFT’s own published policies and procedures. SWIFT has substantial business and operations in the United States, including data storage. This subjects SWIFT to lawful subpoenas in the United States. Subpoenas were served in the US to SWIFT US operations, and the subpoenaed data are delivered from SWIFT US operations to the US authorities.
Why didn’t SWIFT inform everyone about the subpoenas?
SWIFT did inform its full Board and the Central Banks overseeing it of the US subpoenas.
SWIFT’s data retrieval policy is part of our contractual documentation and published in our ‘User Handbook’. The policy states that SWIFT will ultimately have to disclose users’ information, when required by valid legal requests including subpoenas. Our policy on compliance is published on www.swift.com, “Fighting Illegal Financial Activities”. The SWIFT Chairman has also repeatedly spoken about compliance at our annual general meetings.
Informing our members of the subpoenas would have been inconsistent with our policy of not commenting on sensitive activities such as subpoenas. Informing our more than 7,800 members and users of the subpoenas would also have been against the purpose and value of such subpoenas, connected to the fight against terrorism, which require high discretion from the subpoenaed party.
Has SWIFT complied with data privacy laws?
Yes. SWIFT is dedicated to maintaining the confidentiality and privacy of its members’ data, and our responses to subpoenas are in line with our legal obligations and our published policy. More importantly, SWIFT has obtained, on behalf of its members, unique and extraordinary protection and assurances of the subpoenaed data.
As a global financial messaging infrastructure, SWIFT acts as a transmitter/processor of data on behalf of its members. By sending messages over the SWIFT network, financial institutions instruct SWIFT to process, on their behalf, financial messages. Unlike its member banks, SWIFT has no relationship with the bank’s clients. The financial institutions, who know their clients, collect their private data and act on their instructions.
As an international processor of financial messages, SWIFT complies with high security standards and conforms to best practice systems architecture which, for strong resilience and availability reasons, requires redundant systems spanning multiple continents. This architecture has been in place for decades.