Belgian And Dutch DPAs To Investigate Security Of SWIFT System

News & Analysis
Belgian and Dutch DPAs to investigate security of SWIFT system

In a move that echoes strong action taken in the past by European officials to protect privacy, the Belgian and Dutch data protection authorities on Wednesday announced that they will begin an investigation into the security of the SWIFT financial system.

The announcement comes on the heels of our letters to twenty-eight European DPAs last month, which sought answers regarding the NSA's reportedly unauthorized access to SWIFT's financial messaging system and asked for an investigation into the scandal. Yesterday, the Dutch DPA responded to Privacy International confirming that the DPAs are undertaking their investigation following the international press reports and our letters.

The Belgian and Dutch DPAs' announcement is an important first step in getting to the bottom of NSA's purported access to the SWIFT system, and we commend the European DPAs for taking this potential breach of SWIFT's system seriously and refusing to allow SWIFT and the NSA to escape investigation with cursory denials.

The public have a right to know if their financial information was ever compromised by the NSA, and we hope that the Belgian and Dutch DPAs will thoroughly examine whether the NSA, with its sophisticated technological abilities, has been able to gain unauthorised access to SWIFT's system.  Without assurances that the SWIFT system is secure, the global banking community will be left to wonder whether the NSA has unlimited access to the vast majority of their cross border financial transactions. 

In order to make their investigation effective and transparent, we ask that the Belgian and Dutch DPAs consider doing the following:

Engage a technical expert who can evaluate, in a deep and thorough manner, the SWIFT system and any potential breach;
In conjunction with the technical expert, undertake an independent evaluation of the security of the SWIFT system instead of relying solely on assurances from SWIFT;
Seek additional details regarding the NSA's purported access from those news agencies that broke the story;
Reach out to banks that use the SWIFT system for assurances that they have not provided access to that system to the NSA; and
Commit to being transparent regarding the elements and progress of the investigation, and to publishing a detailed report regarding its results so that those whose data may have been breached can be fully informed.

In 2006, the last time insecurities in SWIFT's system were revealed, Belgium took the lead in determining whether SWIFT's release of European data to the US violated EU data protection regulations. Its investigation helped highlight European concerns that pressured the US into agreeing to apply certain safeguards and limitations to its ability to access European's financial information. We hope the current investigation will similarly shed light on the failure of the present accord between the US and the EU regarding the US's access to financial data.

In particular, if the NSA has cracked SWIFT's system, that would be a clear breach of the 2010 US-EU agreement that sets forth various rules the US must follow when obtaining and processing financial data stored in the EU. This concern has already motivated the European Parliament to vote to recommend suspension of the agreement.

That agreement purportedly gives Europeans a right to redress if their financial data has been obtained in breach thereof.  But, as we explained previously, it's not at all clear how Europeans can effectuate that right.

For that reason, at the same time that Privacy International wrote to the European DPAs, we also reached out to the NSA, the US Treasury Department and the UK ICO asking for details on how Europeans can seek the redress they were promised. In contrast to the European DPAs announcement yesterday, the US and UK responded with deafening silence. This only highlights the problem we had already identified -- that at least when it comes to redress, the EU-US agreement may not be worth the paper its written on. Without an effective redress mechanism, the agreement fails its purpose of protecting the privacy rights of Europeans.