US terrorist financing investigations and the role of SWIFT
A summary of developments to date on SWIFT compliance
As we enter 2007, we summarise below the events of 2006 following the disclosure by US newspapers of US terrorist financing investigations and the role of SWIFT.
After the September 11th attacks, SWIFT responded to compulsory subpoenas for limited sets of data for the exclusive purpose of terrorism investigations from the Office of Foreign Assets Control of the United States Department of the Treasury (UST).
SWIFT has substantial business and operations in the United States, including data storage. This subjects SWIFT to lawful subpoenas in the United States*. Subpoenas were served in the United States to SWIFT US operations, and the subpoenaed data are delivered from SWIFT US operations to the US authorities.
Protections and assurances
Given the sensitivity of any SWIFT data, and SWIFT’s commitment to protect the confidentiality of its members’ data, SWIFT negotiated with the UST over the scope and oversight of the subpoenas. Through this process, it received extraordinary protections and assurances as to the purpose, confidentiality, oversight and control of the limited sets of data produced under the subpoenas. These protections go well beyond and are more stringent than SWIFT’s legal obligations. They ensure that only a limited set of data is accessed, and for the sole purpose of terrorism financing. Independent audit controls provide additional assurance that these protections are fully complied with.
SWIFT’s has always stated that it acted responsibly within applicable laws by complying with the subpoenas. The extraordinary protections and control mechanisms obtained from the UST meet both its obligations to protect the confidentiality of its members’ data and requirements to follow EU and US laws.
SWIFT informed its Board and the Central Banks overseeing it of the US subpoenas. All our members were informed in the 1990’s about SWIFT’s general policy on member data retrieval including that SWIFT could be subject to judicial requests such as subpoenas. Informing our members on the specifics of the UST requests would have been inconsistent with our published policy of not commenting on sensitive activities such as subpoenas.
Since June, SWIFT has endeavoured to work with members of the European Parliament and data privacy authorities, including the Belgian Data Privacy Commission and the Article 29 Working Party (WP29).
The advisory opinions of the Belgian Data Privacy Commission and WP 29 claim that SWIFT failed to respect the provisions of EU Data Protection Directive 95/46/EC. SWIFT objects to both opinions because they reflect serious interpretation issues surrounding current data privacy laws. SWIFT is caught in the middle of a conflict between Belgian data privacy laws and US counter-terrorism laws.
It is noteworthy that on 22 October 2006, the public editor of the New York Times reversed himself and wrote that as the SWIFT programme was legal and that since there was not one shred of evidence that anyone’s private data was abused, the programme should have remained secret.
SWIFT was gratified that on 13 December 2006, after examining the Belgian Data Privacy Commission’s advisory report and SWIFT’s comprehensive legal rebuttal, the Belgian public prosecutor announced that he would not be taking legal action.
To resolve this matter, SWIFT supports calls by Belgian Prime Minister Verhofstadt and European Central Bank President Trichet for dialogue between the EU and US as the most effective way to achieve the legal certainty which internationally active companies require. In December 2006, EU Vice President Frattini announced that EU-US talks would commence to establish a legal framework for providing financial intelligence for counter terrorism purposes with adequate data protection.
Simultaneously, and despite a difference of interpretation with WP29, SWIFT's focus is to move on. Following constructive and productive meetings in December 2006 with data privacy officials from Belgium and WP29, SWIFT is now working with its user community and the authorities to address several important areas of concern to data privacy authorities. These include improved transparency for customers with regard to the processing of their financial transactions, and adhering to the European privacy regulations for Safe Harbor to make SWIFT’s US operations conform to European data privacy legislation.
SWIFT hopes that the next months will allow quick progress to be made towards a US-EU solution that will provide legal certainty for itself and its member banks. SWIFT encourages legislators on both sides of the Atlantic to support the ongoing discussions.
What are the protections and assurances obtained by SWIFT?
The United States Department of the Treasury (UST) subpoenas to SWIFT are only for a limited set of data and for the exclusive purpose of terrorism investigations and for no other purpose.
Important restrictions apply to how the UST can access and use the data. The UST does not have access to all of SWIFT’s data nor can it simply browse through the data. The UST is only allowed to see data that is responsive to targeted searches in the context of a specific terrorism investigation. Data searches must be based only on persons, entities or related information with an identified connection to an ongoing terrorism investigation or other intelligence that the target is connected to terrorism.
The UST cannot search the data for any other purpose such as ‘economic espionage’ or for evidence of any non-terrorist related crimes such as tax evasion, money laundering or any other criminal activity. As a result, the UST accesses only a minute fraction of the limited data sets that SWIFT is required to provide. A record is made of every search.
Contrary to unfounded assertions in the press and in some data privacy opinions, the subpoenaed process is legal, limited, targeted, protected, audited and overseen. In fact, SWIFT maintains virtual control of the entire end-to-end process involving its data.
How does SWIFT audit the US Treasury’s access to data?
SWIFT cares deeply about the privacy of its data, including its subpoenaed data. It has obtained substantial audit mechanisms which provide extremely high assurance that access to the data is limited exclusively to ongoing terrorism investigations. SWIFT has internal auditors on site who review every query. External auditors are also commissioned to provide additional assurance that all the protections and conditions are fully adhered to.