Wednesday, November 22, 2006

Big Brother is watching

When quizzed at Sibos as to whether he would have done things differently regarding SWIFT allowing US intelligence agencies to monitor traffic on its network, Leonard Schrank said he never expected the Brussels banking co-operative to end up on the front page of major newspapers.

The bank-owned financial messaging network has tended to avoid mainstream publicity and gone quietly about its business without the average Joe on the street knowing or caring what really goes on in its La Hulpe headquarters. Well, not for much longer, it seems. SWIFT had better get used to the publicity, with the Wall Street Journal carrying a report on Tuesday that the EU was likely to concur with the Belgian Privacy Commission's ruling that SWIFT violated European privacy laws when it allowed intelligence agencies to monitor transactions on its network.

SWIFT hopes that the global community can agree on a set of data privacy standards to help organisations like itself in this situation. In its legal rebuttal to the Belgian Privacy Commission's ruling, SWIFT argues that "the boundary between security and data privacy must be defined by governments."

It did not take too kindly to the Privacy Commission's finding that SWIFT had "committed a serious error of judgement". SWIFT's argument is that as it simply transmits financial messages on behalf of financial institutions based on their instructions and does not access the data in financial messages, it is merely a "data controller" rather than a "data processor" and therefore as a "data controller" it has complied with Belgian privacy law.

The question, though, is whether SWIFT should be granting US intelligence agents access to the data in those messages without the permission of the banks sending them. Financial-i carried a report in its last issue saying that whilst SWIFT had alerted the G10 banks to its decision to allow US intelligence agents access to the messages, it had not informed its member banks. Obviously, with 7000 member banks, informing all of them would be an onerous task.

But surely, the major banks with the most traffic on SWIFT deserved to be informed? After all, SWIFT prides itself on the security of its network and therefore banks using that network assume that the messages they transmit on it are not going to be seen or tampered with by unauthorised parties.

SWIFT is correct in saying that a global data privacy framework needs to be formulated so that inconsistencies of interpretation, where one country says it is OK to monitor transactions on a private network and another says it is not, do not arise again. However, by the same token, SWIFT perhaps also needs to address its own internal governance in terms of letting its member banks know what it is doing, regardless of whether it is forced by certain laws in a particular country in which it operates to allow access to the transactions it carries.

Much like a packet of cigarettes carries a warning about the health risks, perhaps financial messaging networks should come with the warning that transactions transmitted on their networks may be monitored for intelligence and surveillance purposes. After all, isn't this the Big Brother era we live in?
