The Belgian and Dutch Data Protection Authorities (DPAs) said Wednesday that they will investigate the security of SWIFT, which runs an international bank-messaging system, following allegations that the U.S. National Security Agency unlawfully accessed SWIFT data.
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is member-owned and exchanges millions of standardized financial messages for more than 10,000 financial institutions in 212 countries each day. SWIFT is based in La Hulpe, Belgium, a municipality close to Brussels, and has an operating center in the Netherlands, where traffic is processed and stored.
On Sept. 15, a report from German magazine Der Spiegel alleged that an NSA program has been collecting global financial data, including credit card transactions and SWIFT data. The program is called “Follow the Money” and it feeds the financial information into a system called “Tracfin,” according to Der Spiegel, which based its story on documents leaked by former NSA contractor Edward Snowden.
Beginning in June, documents leaked by Snowden to several news organizations have unleashed a series of disclosures about NSA spying internationally, setting off debate about the surveillance programs.
After publication of the report, SWIFT officials testified before the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) on Sept. 24. During that testimony, officials said it had no evidence to suggest that there has ever been any unauthorized access to the system or its data.
“There is in itself no reason to doubt this internal audit,” said Lysette Rutgers, a spokeswoman of the Dutch Data Protection Authority (CBP), which will be conducting the investigation together with the Belgian Data Protection Authority (CPP). “But we are a supervisory authority and we will not depend on what an organization says,” she said.
The DPAs will be conducting an investigation on whether third parties could have gained unauthorized or unlawful access to European citizens’ bank data, they said in a news release.
If the U.S. indeed has gained direct access to that data, it could have handled the information in a manner contrary to the privacy terms in the Terrorist Finance Tracking Program II Agreement (TFTP agreement) that SWIFT is subject to, they said. This agreement between the European Union and the U.S. enables the U.S. to request data on bank transactions through a special procedure in order to fight terrorism.
However, the European Parliament though voted in October to suspend the TFTP because of the allegations that the NSA had spied on SWIFT data without going through legal channels. The Parliament has no formal powers to suspend an international agreement. However, the European Commission, the E.U.’s executive body, must take under advisement Parliament’s votes on such deals.
The TFTP agreement includes strictures on how SWIFT data may be used as well as on external oversight of this use, the DPAs said.
Rutgers declined to comment on possible sanctions SWIFT could face or on how long the inquiry would take.
It is much too early to talk about possible sanctions, said CPP spokeswoman Eva Wiertz in an email. “Moreover, the Belgian DPA cannot impose sanctions,” she said, adding that if the DPA determines Belgian privacy laws are breached it can pass its findings on to the public prosecutor. The investigation will take at least a few weeks, she said.
SWIFT is cooperating with the Belgian and Dutch Data Protection Authorities, the organization said in a statement on its website. “There is no evidence at this time to suggest that there has been any form of confidentiality breach. SWIFT takes these matters extremely seriously and looks forward to confirming the positive outcome of this DPA review,” it said.