Demanding accountability for the NSA's breach of SWIFT financial agreement

*Update: The European Parliament has voted to recommend suspension of its Terrorist Finance Tracking Program (TFTP) agreement with the US. The vote in favour of suspension only highlights how the NSA’s reported activities have undermined the agreement. Negotiations should immediately commence to strengthen the privacy and redress provisions, to ensure that governments cannot spy on individuals and obtain their data in violation of the agreement. The recommended suspension of the agreement, however, does not change our position that Europeans are entitled to seek redress regarding the NSA’s breach since the alleged violations occurred while the agreement was still clearly in effect.

Amongst the recent blockbuster revelations of global government surveillance and espionage has emerged a quieter, less ostentatious story surrounding allegations that the NSA is gaining unauthorized access to the international financial messaging system, SWIFT.

Despite the limited coverage of these revelations, they have huge implications for the operation of the global financial system, which is founded on the highest guarantees of security and privacy of financial transfers. Claims that the NSA has tapped the computing infrastructure of the SWIFT system and consequently has access to information about more than 90% of the world’s international banking transactions has huge implications for financial institutions and the individuals who bank with them.

The allegations have not gone unnoticed in the European Parliament, which in uproarious response has asked the US to explain its actions and to divulge whether the NSA’s actions are in violation of a US-EU agreement that sets forth various rules the US must follow when obtaining and processing financial data stored in the EU. The agreement came about in 2010 because of allegations of this very nature – that the US was seeking direct and virtually unrestrained access to Europeans’ SWIFT data.

The response by the European Union has been so strong that a vote to suspend the agreement is scheduled to come before the plenary tomorrow (see above update). Regardless of how the vote falls, if the NSA is obtaining SWIFT messages outside of the rules set forth in the 2010 US-EU Agreement, such action further imperils the relationship between the two parties, and violates the privacy rights of millions of Europeans.

Privacy International is seeking answers as to why the NSA has seen fit to circumvent an international agreement between the US and EU that specifically regulates the transfer of SWIFT data between the two parties, and what means of redress exist for European citizens who have had their data illegally accessed. Accordingly, today we are:

  • Writing to the UK’s Information Commissioner’s Office, the UK Financial Conduct Authority, and several Data Protection Authorities throughout Europe, calling on them to obtain from SWIFT and other relevant actors more clarity as to how the system may have been compromised.
  • Writing to the NSA, US Treasury Department, and the UK ICO requesting guidance on the administrative process by which Europeans can seek redress (a mechanism guaranteed under the Agreement) or judicial remedies for the processing of their data in breach of the 2010 US-EU Agreement.

The Agreement

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a Belgian-based industry-owned co-operative that supplies a messaging infrastructure to facilitate international financial transfers among the global banking community, consisting of banks, securities broker-dealers, and regulated investment management institutions. The SWIFT messages regularly include personal data ranging from the names of the payer and payee to, in some cases, communications in text form that can accompany transactions. SWIFT provides these messaging services to more than 10,000 financial institutions in 214 countries and territories.

In 2006, the New York Times reported that a secret Bush administration surveillance program known as the “Terrorist Finance Tracking Program” (TFTP) run out of the CIA and overseen by the Treasury Department had been obtaining financial records from a number of financial institutions to create a “vast international database.” 

In the aftermath of the New York Times’ report, the EU and the US began negotiating an agreement on the US’s access to international financial information in order to better protect the privacy rights of EU citizens. After long negotiations, the EU and US entered into a new agreement in 2010 that set forth various rules the US must follow when obtaining and processing international financial payment messaging data that is stored in the EU.

Among other things, the agreement requires that any US request for data must be served on a designated service provider and provided to Europol. Europol must verify the request complies with the requirements of the agreement before the service provider turns over data in response to the request. Any searches run on provided data must be narrowly tailored, and the US is not allowed to engage in “data mining or any other type of algorithmic or automated profiling or computer filtering.” European citizens are also given rights of access, rectification, and redress.

Troubling developments

Recently, though, SWIFT made it back into the headlines. On 8 September 2013, Brazil’s TV Globo revealed that a May 2012 presentation leaked by Edward Snowden identifies SWIFT as a target of NSA spying, despite the 2010 Agreement. A few days later, on 16 September 2013, Der Spiegel reported that the NSA has “several means of accessing the internal data traffic” of SWIFT’s system. According to Der Spiegel:

A document from the year 2011 clearly designates the SWIFT computer network as a ‘target.’ The secret data collection also involves the NSA department for ‘tailored access operations.’

According to the documents, one of the various means of accessing the SWIFT information has existed since 2006. Since then, it has been possible to read the ‘SWIFT printer traffic from numerous banks.’

In response to these reports, and the inquiry initiated by the European Parliament, the US claims it abides by the 2010 Agreement. It has not denied, however, that it may also obtain financial data such as SWIFT messages through other means, including via “intelligence channels” and subpoenas to SWIFT client financial institutions.

SWIFT claims it has no reason to believe there has been unauthorized access to its system. However, the co-operative has failed to elaborate on the measures it has taken to assure itself and others that the NSA has not gained access to its system.

The right to redress

If the NSA is accessing SWIFT messages outside of the protocol set forth in the 2010 Agreement, such action would be a breach of the Agreement.

According to Article 18 of the Agreement, “[a]ny person who considers his or her personal data to have been processed in breach of this Agreement is entitled to seek effective administrative and judicial redress in accordance with the laws of the European Union, its Member States, and the United States, respectively.” Redress rights are available to “[a]ll persons, regardless of nationality or country of residence.”

The spirit of Article 18, therefore, seems to be that any person, regardless of nationality, should be able to seek redress if their information is obtained in breach of the Agreement. The process for seeking that redress is less clear. The Agreement provides only for redress against the US government agency overseeing its implementation, the Treasury Department. But the latest allegations are that the NSA, not the Treasury Department, is accessing Europeans’ SWIFT messages. How, then, do we effectuate the promise of redress in Article 18 where the US agency that breached the Agreement is not the Treasury Department but the NSA?

That’s what we are trying to find out, and we hope to know more soon. Otherwise, not only will the Agreement be violated, but the single method to protect the rights of Europeans from abuse will also be toothless, damaging US-EU relations in the process, and essentially reversing any gains made through the 2010 A