Just a few weeks ago, it was disclosed that the US had an international secret ally in its war against terrorism (at least, it was a secret ally until the identity was exposed). Imagine the surprise and consternation when it was revealed that this secret aid was none other than the Belgium-based Society for Worldwide Interbank Financial Telecommunication, better known as SWIFT. (SWIFT is the industry owned organization that supplies secure, standardized messaging services and interface software to over 7,800 financial institutions worldwide. SWIFT is solely a messaging intermediary for transmitting secure and confidential financial messages between financial institutions.)
According to various sources, SWIFT has granted the US Department of the Treasury and the US Central Intelligence Agency (CIA) access to data concerning millions of financial transactions involving €6bn daily at the request of the US authorities, and this scheme has been in place for over four years.
Legal Use of Information?
In an early statement on the data transfer set-up between SWIFT and the CIA, an EU Commission spokesman said that this was not a breach of EU law since ‘the data protection directive does not apply to data transfers for security purposes’ and furthermore it does not apply to transfers from a private entity to a state, only between states. The EU Parliament did, however, adopt a resolution on 6 July 2006 asking EU governments, the Commission and the European Central Bank ‘to explain fully the extent to which they were aware of the secret agreement between SWIFT and the authorities of the US’.
SWIFT’s activities are overseen by the Belgian National Bank, which in turn is overseen by the Belgian Ministry of Finance. In a press release on 26 June 2006, the National Bank acknowledged that it knew of the transfers, but claims it could do nothing about them because its primary task is to oversee the soundness of financial transactions, not that of data transfers. According to press reports, Belgian finance minister Didier Reynders was informed about the practice ‘informally’ in April 2006, when it had been going on for about four and a half years.
The National Bank recently released a statement on compliance outlining SWIFT’s involvement with the CIA and the background to the data transfer (the statement is available on the SWIFT website). According to this statement, ‘SWIFT is not a bank, nor does it hold accounts of any customers… SWIFT takes its role as a key infrastructure in the international financial system very seriously and cooperates with authorities to prevent illegal uses of the international financial system. Where required, SWIFT has to comply with valid subpoenas’.
It is explained in the compliance document that following the September 11 attacks in the US, SWIFT responded to compulsory subpoenas for limited sets of data from the Office of Foreign Assets Control of the US Department of the Treasury. The statement reads: ‘Our fundamental principle has been to preserve the confidentiality of our users’ data while complying with the lawful obligations in countries where we operate. Striking that balance has guided SWIFT through this process with the United States Department of the Treasury. It is more than likely that their office of Terrorism and Financial Intelligence (TFI), which was established on 28 April 2004, is involved. This office marshals the department’s intelligence and enforcement functions with the twin aims of safeguarding the financial system against illicit use and combating rogue nations, terrorist facilitators, money launderers, drug kingpins, and other national security threats’.
According to the statement, SWIFT negotiated with the US Treasury over the scope and oversight of the subpoenas whereby SWIFT received ‘significant protections and assurances as to the purpose, confidentiality, oversight and control of the limited sets of data produced under the subpoenas. Independent audit controls provide additional assurance that these protections are fully complied with’.
The document also highlights the fact that all actions have been undertaken with advice from international and US legal counsel and following the longstanding procedures on compliance, established by the SWIFT Board. In addition, SWIFT is overseen by a senior committee drawn from the G10 central banks which has also been informed of the matter.
So there we have it – SWIFT has been acting in pursuance of subpoenas on legal advice and is doing the right thing. Indeed, this transfer of data has allegedly led to the arrest of high-rank terrorists. The New York Times, which revealed the practice, quotes Treasury Department Under-Secretary, Stuart Levey, as saying that the data provided by SWIFT “has provided us with a unique and powerful window into the operations of terrorist networks and is, without doubt, a legal and proper use of our authorities.”
But there are still some vital questions that need to be answered in order to justify and legitimize the data transfers completely.
The CIA’s Role
The subpoenas that SWIFT refers to in its compliance statement come from the US Department of Treasury. This government department is the parent of FinCEN, the US Financial Crimes Enforcement Network, which receives all suspicious activity reports from banks in the US. The issue that has attracted attention is that this institution is passing on information to the CIA. But where do they fit into this? The CIA is not an investigation agency.
Based at the George Bush Center for Intelligence, Langley, Virginia, the CIA was created in 1947 with the signing of the National Security Act by President Harry S. Truman. The role of the CIA is to collect ‘intelligence through human sources and by other appropriate means, except that he shall have no police, subpoena, or law enforcement powers or internal security functions’. Its responsibilities include the correlation and assessment of intelligence related to national security and providing appropriate dissemination of such intelligence.
It is interesting to note that the CIA has no powers of subpoena but is responsible for assessing and disseminating intelligence. The data from SWIFT is obtained by the US Department of Treasury and passed onto the CIA for analysis and dissemination. This leads to a number of significant questions. Who safeguards the confidentiality of the bank customers whose banks have used SWIFT? Where is the responsibility for these protections and what criteria is being used? Is it determined by the CIA, by the US Department of Treasury or by SWIFT? It is important to remember that under the regulations that govern how banks report suspicious transactions, the banks themselves have the responsibility, not the government bodies they make the report to (see section below on Bank Confidentiality).
According to a statement on the CIA’s website, ‘As changing global realities have re-ordered the national security agenda, the CIA has met these challenges by creating special, multi-disciplinary centers to address high-priority issues, such as non-proliferation, counter-terrorism, counter-intelligence, international organized crime and narcotics trafficking, environment, and arms control intelligence’. It has also formed ‘stronger partnerships between the several intelligence collection disciplines and all source analysis’ and takes an ‘active part in intelligence community analytical efforts and produces analysis on the full range of topics that affect national security’.
This is an integral and growing aspect of the overall US national strategy for combating terrorism which calls for the defeat of terrorist organizations by eliminating their sanctuaries, leadership, finances, command, control and communications capabilities. But does this strategy include international cooperation?
Role of Government and Rules on Bank Confidentiality
In the fight against the international terrorist, the arsenal used does not necessarily include conventional weapons of warfare. The link between the terrorist and the international narcotics’ trafficker is more than tenuous and this ongoing struggle was greatly assisted by the G7 group of countries forming the Financial Action Task Force (FATF).
The subsequent development of legislation by member nations caused the establishment of agencies to routinely receive information from financial institutions of suspicious customer transactions suspected of being related to drugs, crime or terrorism. This initiated a system that now has a worldwide reach and is used in the investigative process, a hopeful precursor to the judicial process.
The fact that the activity is deemed suspicious is, of course, no guarantee that any unlawful activity is taking place, so there has to be confidentiality about the handling of this information. It must be understood that the disclosures or suspicious activity reports are information, not just intelligence, and there is a difference. This must apply to all banking or financial information.
As with all disclosures or suspicious transaction reports, the subject of the report is not informed. The knowledge should stay only with the institution making the report and the receiving or investigating agency. The only time that these matters surface publicly should be during a subsequent trial.
The rules of banking confidentiality go back to the Tournier principles. First of all, a banker’s duty of confidentiality is not absolute. The 1924 case of Tournier versus National Provincial and Union Bank of England sets out four areas where a bank can legally disclose information about its customer:
- Where the bank is compelled by law to disclose the information;
- If the bank has a public duty to disclose the information;
- If the bank’s own interests require disclosure; and
- Where the customer has agreed to the information being disclosed.
These four principles are still valid today. If a bank discloses information about a customer in any circumstances other than those described above, then it has acted wrongly and should, as a general rule, be held liable for the consequences of its action.
In the battle against terrorism, the role of government is also critical because it must identify who the enemy really is in order to successfully defeat it. Determining how to combat terrorism is based on a number of factors, including:
- How does the relative strength of the terrorist organization compare with that of the government it opposes?
- What kinds of affiliations, financial or otherwise, do they have with outside groups who may support them?
Is there a real cause for concern here over the data transfer scheme between SWIFT and the US, or is it a storm in a political teacup? I would suggest that the answer is probably a mixture of both. Concern must be raised, however, that there appears to be a carte blanche monthly arrangement between SWIFT and US authorities, supported by a subpoena that allows a government fishing expedition. If it is, then surely it completely changes the rules of transaction reporting and the way that governments abide by the legislation they impose on financial institutions.
And finally, let us not forget that we are talking about this story because it appears to have been leaked from somewhere. A timely reminder that within governments, perhaps there is never such a thing as confidentiality.
Information within this article has been obtained from government and other publicly available sources.
There has been an uptick of treasurers inquiring about interest rate risk management in recent months as interest rates in the US and UK have started to show a rise in momentum, said Chatham Financial at the annual Bellin treasury conference.
PSD2 is set to remake the EU payments marketplace. This deliberate public policy exercise is going to regulate and demonstrate what next generation financial crime competencies must be and cement the standard going forward.
Europe’s introduction of the General Data Protection Regulation (GDPR) next May will have implications for businesses around the world and US corporates should start getting ready if they haven’t already done so.
The recent NotPetya cyberattack underlined the need for organisations to address their exposure and how to mitigate the risk.