Last summer, global financial messaging service SWIFT (La Hulpe, Belgium) found itself at the center of a firestorm for providing the U.S. government with information to help investigations into terror financing. Critics, many of them based in the European Union, claimed that by complying with the subpoenas issued by the Department of Treasury, SWIFT violated the confidentiality of its users' data.
"A company like SWIFT that operates on a global basis is stuck between the need to fight terror and the right to data privacy for customers," says SWIFT CFO Francis Vanbever. "We would expect clearer guidelines regarding this. There is no solution to this problem from a legal viewpoint unless the E.U. and U.S. work together to create some kind of framework [around how data is handled]."
At issue is who controls the data when it resides in different countries, according to Colin Kerr, senior analyst, global payments, TowerGroup (Needham, Mass.), who recently authored a report in which he examines the SWIFT subpoena issue. "That's partly why the problem with SWIFT arose -- each bank is subjected to its country's regulations," Kerr says. However, "In a world of real-time information and international business, there has to be a pragmatic balance between ultimate protection and the basic facts of doing business."
In his report, Kerr concludes that there was much misinformation circulating regarding SWIFT's actions. "What was misrepresented by the mainstream media was [the assumption] that the government was accessing individuals' bank account data. So I think the role of SWIFT is largely misunderstood," Kerr explains. "SWIFT is a messaging system, not a payments system. The U.S. wanted to see who was sending and receiving the payments messages."
Kerr says SWIFT actually responded to a request in the early '90s by the Financial Action Task Force (FATF), a global group focused on preventing terror financing and money laundering, to include more information in its payments messages about the parties involved in transactions. "Ironically, that's what got SWIFT into hot water [with the subpoenas]," he comments.
Need to Know Only
According to SWIFT's Vanbever, the information handed to the U.S. was only what was needed. "We understood [the U.S. government's] need for data, but we only provided them with what they needed and no more," he emphasizes. "Once the Treasury had the data, they were only able to interrogate it if it had something to do with terror financing. There was no data mining."
Vanbever says SWIFT took precautions to ensure proper use of the data. "We have a memorandum of understanding with the Treasury that specifies that they cannot use this data for any other purpose but tracking terror financing," he says. SWIFT also instituted other controls, including real-time monitoring to stop inappropriate queries and external auditing controls that prevent backdoor access to data, Vanbever adds.
"We're taking all the steps we can as a private company, but we can't solve this problem without a legal framework," Vanbever continues, noting that SWIFT has established a Data Privacy Working Group to promote data transparency. "No one disputes the fact that we must track terror financing," he says. "The question is around how the data is used."