Showing posts with label SWIFT.

Wednesday, October 22, 2008

SWIFT misses open standards opportunity


SWIFT's relationship with its member banks is entering an interesting phase, particularly as the Brussels-based banking co-operative courts corporates as customers.

At Sibos some of SWIFT's member banks expressed their discomfort at the announcement of Alliance Lite, SWIFT's new low cost means of connecting to SWIFTNet, which "is as easy as logging onto a web site".

Alliance Lite was developed as a lower-cost alternative for corporates, banks and investment managers that don't have the volumes of traffic to justify managing their own SWIFT infrastructure and want to get up and running on SWIFTNet in days rather than months.

However, within the Alliance Lite web browser, corporates, for example, are able to initiate payments, which mirrors the functionality banks provide in their own proprietary online banking applications. So, needless to say, the banks were not happy with SWIFT treading on their toes. We also hear on the grapevine that the banks have told SWIFT they want to leverage their existing investment in IdenTrust for authentication and do not want SWIFT to reinvent the wheel with some other form of PKI.

But it raises an interesting challenge for SWIFT and its member banks as SWIFT moves into the solutions space and becomes focused on the agenda it wants to push, which is not necessarily that of the banks or corporates.

In a recent research note, analyst firm Financial Insights points out that while SWIFT was busy "selling itself through rebates and fee cuts for users, as well as a few new initiatives like a workers' remittance program and Alliance Lite," it missed an opportunity to promote the ISO 20022 standard and how banks could "leverage open standards to create new business opportunities".

SWIFT is the Registration Authority for ISO 20022, or the UNIFI standard as it is otherwise known, and although usage of the XML-based standard is not widespread, it does form the messaging foundation for the new SEPA payment instruments.

Financial Insights believes that ISO 20022 is the "leading candidate for standardization of corporate-to-bank messaging" but that only a handful of banks (notably Citi and JPMorgan Chase) had thrown their weight behind it, while other banks saw problems in meeting demands for "open messaging standards" unless the large volumes of new business are already there.

It is the old chicken-and-egg syndrome: banks don't want to develop new solutions based on open messaging standards unless there is significant customer demand, and corporates believe that banks should want to fund new developments in order to keep their business.

At Sibos in Vienna, SWIFT had an opportunity to really sell ISO 20022 to the banks, but it was too busy, it seems, selling itself. "SWIFT had the attention of the world's bankers at Sibos and failed to take advantage of it to promote a standard that could change the structure of the banking industry," said Financial Insights analysts.


But then, of course, would banks have had the appetite for such an initiative? After all, as Financial Insights points out, open standards would enable corporates to switch banks more easily. "For ISO 20022 to succeed, SWIFT and other industry players, including leading banks and technology vendors, have to coalesce around a set of new business opportunities like financial supply chain management and quantify the opportunities. Only then will banks be able to justify moving to open standards," Financial Insights concludes.

Friday, June 29, 2007

Data privacy back on the agenda

Last year, revelations that SWIFT had allowed US intelligence agencies access to data pertaining to financial transactions on its network created a furore with data privacy groups.

SWIFT's assurances at the time that it had only shared limited sets of data with US Treasury failed to assuage the concerns of data privacy groups and led to calls for clearer guidelines on privacy laws and counter-terrorism procedures. Privacy groups expressed concerns that the SWIFT data could be used for non-terrorism related purposes such as taxation monitoring and espionage.

Well, this week the EU and the US reached an agreement on sharing of bank data with the US. That agreement says that SWIFT data can only be used for "counter-terrorism purposes" and kept for a maximum of five years. A European representative will be appointed to monitor how that data is used.

Vice President Frattini, Commissioner responsible for Justice, Freedom and Security, stated: "The EU will have now the necessary guarantees that US Treasury processes data it receives from Swift's mirror server in the USA in a way which takes account of EU data protection principles."

But what does "counter-terrorism purposes" actually mean? When the initial use of SWIFT data was revealed in US newspapers last year, US agencies maintained that they needed to monitor this data to combat terrorist financing.

However, one has to ask, how effective has monitoring of SWIFT data been in combating terrorist financing given that such financing has tended to use non-bank channels such as mobile phones? Furthermore, why does the US even require access to SWIFT data given that banks are meant, by law, to have rigorous anti-money laundering measures in place?

In order to bring its own operations in line with EU data protection laws, SWIFT has joined the EU-US Safe Harbor Agreement, which provides a framework for ensuring that customers' data located in the US is protected under similar data privacy principles as those in Europe.

SWIFT has established a data privacy group and also announced a "system re-architecture" yet to be approved by its Board, which means "intra-European messages" will be stored only in Europe and the US. Currently, messages are processed simultaneously at SWIFT's European and US operations centres to prevent data loss.

Wednesday, November 22, 2006

Big Brother is watching

When quizzed at Sibos as to whether he would have done things differently regarding SWIFT allowing US intelligence agencies to monitor traffic on its network, Leonard Schrank said he never expected the Brussels banking co-operative to end up on the front page of major newspapers.

The bank-owned financial messaging network has tended to avoid mainstream publicity and gone quietly about its business without the average Joe on the street knowing or caring what really goes on in its La Hulpe headquarters. Well, not for much longer, it seems. SWIFT had better get used to the publicity, with the Wall Street Journal carrying a report on Tuesday that the EU was likely to concur with the Belgian Privacy Commission's ruling that SWIFT violated European privacy laws when it allowed intelligence agencies to monitor transactions on its network.

SWIFT hopes that the global community can agree on a set of data privacy standards to help organisations like itself in this situation. In its legal rebuttal to the Belgian Privacy Commission's ruling, SWIFT argues that "the boundary between security and data privacy must be defined by governments."

It did not take too kindly to the Privacy Commission's finding that SWIFT had "committed a serious error of judgement". SWIFT's argument is that as it simply transmits financial messages on behalf of financial institutions based on their instructions and does not access the data in financial messages, it is merely a "data controller" rather than a "data processor" and therefore as a "data controller" it has complied with Belgian privacy law.

The question, though, is whether SWIFT should be granting US intelligence agents access to the data in those messages without the permission of the banks sending them. Financial-i carried a report in its last issue saying that whilst SWIFT had alerted the G10 banks to its decision to allow US intelligence agents access to the messages, it had not informed its member banks. Obviously, with 7000 member banks, informing all of them would be an onerous task.

But surely the major banks with the most traffic on SWIFT deserved to be informed? After all, SWIFT prides itself on the security of its network, and therefore banks using that network assume that the messages they transmit on it are not going to be seen or tampered with by unauthorised parties.

SWIFT is correct in saying that a global data privacy framework needs to be formulated so that inconsistencies of interpretation, where one country says it is OK to monitor transactions on a private network and another says it is not, do not arise again. However, by the same token, SWIFT perhaps also needs to address its own internal governance in terms of letting its member banks know what it is doing, regardless of whether it is forced by certain laws in a particular country in which it operates to allow access to the transactions it carries.

Much like a packet of cigarettes carries a warning about the health risks, perhaps financial messaging networks should come with the warning that transactions transmitted on them may be monitored for intelligence and surveillance purposes. After all, isn't this the Big Brother era we live in?