Frequently Asked Questions
This document has been prepared to answer Frequently Asked Questions from SWIFT customers about SWIFT's compliance with data protection laws.
Although these FAQs are based on data protection standards applicable in the European Economic Area (EEA), the information contained herein reflects broadly-accepted data protection principles, and may therefore be relevant to all SWIFT customers.
1 SWIFT data processing operations
1.1 Does SWIFT encrypt data on its network?
Yes, SWIFT applies state-of-the-art encryption to all data transmitted over its network.
Some of SWIFT's services offer value-added processing features based on message data (for example message validation in the SWIFTNet FIN service). Message data is decrypted in SWIFT's central systems, thus allowing the value-added processing to be performed. Message data is then re-encrypted before further transmission to the beneficiary SWIFT customer.
As set forth in the SWIFT Data Retrieval Policy, 'message data' refers to the internal content of the message or file transfer.
Please refer to the relevant Service Documentation for more information on encryption and value-added processing.
1.2 Where are the SWIFT Operating Centres located?
Currently, SWIFT has operating centres (OPCs) in the Netherlands, Switzerland and the US. Message data is processed in one of two zones (see FAQ 1.4).
1.3 Why does SWIFT mirror data in different OPCs?
Because its messaging infrastructure is critical to the smooth operation of the financial markets worldwide, SWIFT is required to protect its network from disruption and against the loss of data.
SWIFT therefore operates two OPCs for each zone and, for those services that offer archival, archives message data simultaneously in each OPC of the relevant zone.
SWIFT's ability to continue its operations despite the loss of an OPC is called 'resilience'. Resilience lies at the heart of SWIFT and is the cornerstone of its customers' trust in its services.
1.4 Why is SWIFT changing its network architecture?
In June 2007, the SWIFT Board of Directors approved, in principle, enhancements to its global messaging architecture. The new architecture leads to a more distributed data processing and storage model in the SWIFT network.
The changes expand SWIFT's messaging capacity and reinforce network resilience, bringing considerable benefits to the SWIFT community as a whole. They improve SWIFT's commercial positioning. They are in line with our overall goal of reducing operational costs and prices. They will also allay data protection concerns raised by various data protection authorities.
The re-architecture allows for intra-European traffic to be processed and stored only in Europe.
Countries in the European Economic Area (EEA), Switzerland and other territories and dependencies considered to be part of the European Union or associated with EU countries are assigned to the European zone and must remain in the EU zone. The United States and its territories are assigned to the Trans-Atlantic zone and must remain in the TA zone. All other countries are allocated to either the TA or the EU zone in line with operational and technical criteria such as load balancing.
Apart from the countries that have been assigned to a zone by default, such as the US to the TA zone, or European Economic Area countries to the EU zone, all other countries may request to change zones.
The current country to zone allocation list, as well as more detailed information on the distributed architecture project, are available here.
2 Data protection related matters
2.1 How does SWIFT document its compliance with data protection laws?
SWIFT's compliance with data protection laws is documented in its customer documentation. SWIFT has enhanced transparency of both its data processing operations and its compliance with data protection laws in the following documents:
- the SWIFT General Terms and Conditions set out SWIFT's confidentiality obligations.
- the SWIFT Data Retrieval Policy sets out SWIFT's policy on the retrieval, use, and disclosure of message and traffic data.
- the SWIFT Personal Data Protection Policy sets out the roles and responsibilities of SWIFT and its customers with regard to the processing of personal data.
- the SWIFT Ad Hoc Clauses provide an adequate level of protection for SWIFT's mirroring of data in its US OPC.
- other relevant Service Documentation provides more information on how the different SWIFT messaging services work and on the security measures used by SWIFT to protect data.
2.2 How long does SWIFT keep data?
SWIFT offers different financial messaging services, which include SWIFTNet InterAct, SWIFTNet FileAct and SWIFTNet FIN.
Some services offer archival of messages, others do not. The archival periods, if any, for the different services are set forth in the Service Documentation. For example, in the SWIFTNet FIN service, customers can retrieve messages for up to 124 days.
2.3 Does SWIFT have security policies?
Yes, SWIFT is known for having robust security policies, especially with regard to the protection of message data.
The SWIFT Personal Data Protection Policy explains which security measures protect message data, and how customers can verify SWIFT's compliance with these measures.
For the SWIFTNet and SWIFTNet FIN messaging services, key security commitments are summarised in the SWIFT Security Control Policy.
2.4 Does SWIFT audit these security measures?
Yes, an independent, external audit of the SWIFTNet and SWIFTNet FIN messaging services is conducted annually. This audit is conducted in accordance with the guidelines stated in the ISAE 3402 statement of auditing standards. The ISAE 3402 report is made available to each customer upon written request and under appropriate confidentiality arrangements.
2.5 How does SWIFT ensure adequate data protection in its US OPC?
In many countries (such as in the EEA countries), data protection laws prohibit the transfer of personal data to countries that do not offer an "adequate level of data protection", except under certain conditions.
SWIFT has put in place Ad Hoc Clauses, signed by the SWIFT group entities in Belgium and the US, in order to ensure an adequate level of data protection for transfers of messages sent by its EU-zone customers to its Trans-Atlantic zone customers. These clauses specifically cover personal data contained in message data that relate to individuals resident in European Economic Area ("EEA") Member States or in Switzerland, or that are sent by SWIFT customers established in one of the EEA Member States or Switzerland.