Todays Dutch NRC features an article where the boss of the Dutch data protection authority, Mr Kohnstam, states that he is going to fine Dutch banks if they will not tell their customers that infomation sent via Swift-transfers may be read by US authorities. This happens in the same week where the Ministry of Finance informed parliament that the central-bank settlement system indeed uses SWIFT-messages, which in principle might be read by police authorities in the US.
I think all the fuss about SWIFT and disclosure of customer data is a bit of cheap publicity nonsense. Members of parliament and data protectors are among the first to judge and condemn banks and central banks on their bad and secretive behaviour with respect to consumer data. And quite interestingly we see recently that central banks keep on publishing statements that they comply with all rules (suddenly acting as the best in class). In my view, all those seeking and responding to this publicity are basically re-engineering history. Was anyone of those people paying attention lately? Why are we so forgetful about 09/11 and the things we all decided were necessary to do afterwards?
Let's recall what really happened. Immediately after the disaster there was this anti-terrorist hype. Everyone feared ghosts around the corner. And thought that police and government would require additonal competences in order to fight terrorists. So on an international level, what happened was the drafting of additional special recommendations by the Financial Action Task Force on Fraud. So that we could better fight terrorists in the future. And I remember our Ministry of Finance explaining this to Dutch parliament in 2002 ! See the Minstry's website; the letter and documents are still out there (in Dutch):
In the aftermath of the September 11 terrorist attacks in the United States and the discovery of the wide geographic extent of the terrorist financial infrastructure that enabled them, governments moved quickly to create new counter-measures that could be specifically used to detect and dismantle such structures. Building on the existing expertise of the FATF, its members expanded the remit of the Task Force to include terrorist financing and issued a set of Special Recommendations to address the issue.
Of all those FATF-recommendations special recommendation VII was quite clear: all banks in all jurisdictions are to include name/adress of the sender of the payment, so that receiving banks (but mostly: the authorities in receiving banks' countries) can more easily provide originator information to their authorities. Litterally this recommendation, adopted in 2001 says:
VII. Wire transfers
Countries should take measures to require financial institutions, including money remitters, to include accurate and meaningful originator information (name, address and account number) on funds transfers and related messages that are sent, and the information should remain with the transfer or related message through the payment chain.
Countries should take measures to ensure that financial institutions, including money remitters, conduct enhanced scrutiny of and monitor for suspicious activity funds transfers which do not contain complete originator information (name, address and account number).
So let's resume the facts about the SWIFT-incident:
- yes, there was a terrorist incident in 2001,
- yes, there was a worldwide consensus between governments that a good and quick response was to demand all customer data to be included in payment transfers,
- yes, one might argue now that the response was unnecessary and too much of a good thing, but no one at that point in time dared to argue this, so the policy stands,
- yes, the recommendations were communicated to the world and local parliaments in 2001/2002 and later on,
- yes, this meant that police and local governments may have (had) access to originator customer data (which is nothing new by the way, as local governments always have access as a part of criminal proceedings, and provided they ask properly),
- yes, the US government exercised their rights as to accessing the data, and quite some other governments will have undoubtedly done the same,
- yes, the local governments did change their laws to transpose the FATF-recommendation into formal regulation (see EU regulation here).
So can anyone explain to me, why on earth banks would risk being fined in 2007 for not telling their customers something which is already in the public domain for more than 5 years? And don't most data protection acts contains rules that say that companies do not need to inform their customers about data transfers if these have their origin in a formal government rule? And don't we all know about those rules since 2001? That is, if we would read the stuff that the Ministries sent us....
All this public SWIFT-stuff is really too much ado about nothing. All public statements, opinions and questions are very cheap shots that regulators and parliaments throw at banks nowadays. If these players would really have guts, they would insist on no less than withdrawing FATF special recommendation VII. All else is mere gallery play to demonstrate political correctness, rather than honest concerns as to consumer data protection.