Data protection in international payment transactions (SWIFT)

A report published in the New York Times on 23 June 2006 revealed that the Society for Worldwide Interbank Financial Telecommunication (SWIFT) had provided the USA with limited access to data held at its US Operation Centre within the context of the fight against terrorism. The data protection issues this raised were discussed with the Federal Council and the Swiss banks. As part of the political solution negotiated with the USA, security guarantees were agreed and Swiss bank customers were informed proactively that their data might be passed on to the US authorities. Furthermore, SWIFT announced that in future it would only process transaction data in the USA that concerned the transatlantic transfer of funds. In order to be able to implement this solution technically, SWIFT decided to establish a third Operations Centre in Switzerland.

Following the revelations published by the New York Times, according to which the US administration had, within the context of its fight against terrorism, gained access to SWIFT transaction data (cf. our 14th Report on Activities 2006/2007, paragraph 1.8.1), measures were taken by us and the Swiss government to guarantee data protection in international funds transfers. After examining the facts, we came to the conclusion that by passing on transaction data, SWIFT had violated the FADP on two counts. First of all, financial institutions domiciled in Switzerland had failed in their duty towards their customers by not informing them that SWIFT had either disclosed, or could disclose their data. Second, the data transfer had taken place in the USA, a country which does not provide an adequate level of data protection. Both issues were resolved after discussions with the Swiss government and the financial institutions domiciled in Switzerland.

With regard to banks’ obligation to inform, we have opted for an innovative approach based on the principle of supervised self-regulation. What this means is that we leave it up to the banks to comply with their obligation to inform in the way they deem most suitable to their needs. The reason we decided to go down this path was primarily influenced by the trust Switzerland enjoys as a financial centre. In close cooperation with the Swiss Bankers Association, we have drafted an information circular for bank customers which satisfies the obligation to inform. The letter has now been sent out by the Swiss banks. By contrast with the practice in other European countries where such information is provided by a clause in the General Terms and Conditions, we have succeeded here in getting the banks to actively inform their customers. At the same time, the very fact that the information to customers is done proactively and independently has increased people’s trust in the efficiency of our data protection system.

A political solution had to be found which satisfied both the objective of fighting terrorism and respecting the data protection regime of the countries concerned, including Switzerland. The United States agreed to provide security guarantees with regard to access to SWIFT data. Thus, the US administration can only ask SWIFT to search their data files if evidence is provided that the target person is connected with terrorism or its financing. The results of the search may only transferred to the US authorities if the search is positive. This means that access to the relevant data is only granted if it relates to an identified, preexisting terrorism investigation. In addition, records will be kept of all requests for searches, including the evidence produced in support of those requests. The agreement also foresees that a respected European expert will be appointed to verify that the programme complies with the undertaking given regarding the protection of personal data originating in the European Union. The US authorities have thus provided guarantees that SWIFT data will enjoy a level of data protection that conforms to Swiss law.

As part of the reorganization of its operational activities, and in response to the strong increase in the volume of money transfers that has occurred in the last few years, SWIFT decided that in addition to its Operation Centres in Belgium and the USA, it would add a third centre in Switzerland by the end of 2009. It also decided to separate transfers into two zones, one for Europe and one for transatlantic transactions. Thus, all internal European transfers will in future be covered by the two Operation Centres in Switzerland and Belgium, and all transatlantic transfers will be handled by the Operation Centre in the USA and Switzerland. As the US administration can only gain access to the data processed by the US Operation Centre, it will no longer have direct access to all intra- European transfers.

Last modification 30.06.2008

Top of page

https://www.edoeb.admin.ch/content/edoeb/en/home/documentation/annual-reports/older-reports/15th-annual-report-2007-2008/data-protection-in-international-payment-transactions--swift-.html