SWIFT probed for leaks

David Canton - for the London Free Press - September 9, 2006

Have you ever thought your banking information might be leaked to foreign authorities?

Canada's privacy commissioner, Jennifer Stoddart, is investigating the Society for Worldwide Interbank Financial Telecommunication (SWIFT) about whether that has happened.

The Belgium-based company provides messaging services and interface software to the global banking industry in more than 200 countries. SWIFT's purpose is to act as an intermediary that securely transmits financial information among financial institutions.

The data in SWIFT's possession are considered invaluable in the eyes of many foreign authorities.

The privacy commissioner suspects financial transactions by Canadians are being improperly disclosed to foreign government authorities via SWIFT.

There has been no confirmation that personal information pertaining to Canadians or Canadian banks has been improperly distributed. On the other hand, neither SWIFT nor the U.S. government has said that the information given to the U.S. government was limited to U.S. citizens and financial institutions.

SWIFT recognizes its role in the international financial infrastructure is a serious one, and co-operates with authorities to prevent illegal distribution of financial information. However, as to allegations involving SWIFT's release of information to U.S. authorities, SWIFT's website on policy compliance does not speak to the issue at all.

SWIFT's statement on policy compliance released just two months ago completely avoided the issue.

Instead, SWIFT has released generalized and vague statements regarding compliance, and has merely stated that SWIFT has complied with all subpoenas.

This is a concern of privacy commissioners worldwide. Stoddart has expressed concern over the risks associated with improper personal financial information disclosure to foreign police or other government authorities, which is contrary to Canadian privacy law, including the Personal Information Protection and Electronic Documents Act (PIPEDA).

Stoddart has declined in the past to investigate outside of Canada for lack of jurisdiction.

Perhaps this investigation stemmed from concerns regarding SWIFT expressed by privacy commissioners around the world. Stoddart revealed that there are many times when it is not appropriate for the commissioner to act when the jurisdiction is outside of Canada.

The Canadian government has implemented procedures for the international exchange of banking data, which are meant to prevent unnecessary or inappropriate disclosures. However, the transfer of personal financial information to the U.S. government, to which SWIFT admits, clearly circumvents Canadian procedures and thus violates the requirement of appropriate purposes pursuant to PIPEDA.

A complaint has been filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) under PIPEDA alleging that the six largest Canadian banks have failed to protect personal customer financial information from inappropriate disclosure by SWIFT. CIPPIC says Canada's big six banks all use SWIFT to process international money transfers. Even though it is SWIFT that is distributing the information, the banks do not escape liability and remain responsible under PIPEDA.

The outcome of the investigation will prove to be interesting. If information on Canadians was improperly obtained according to Canadian law, how do we enforce that when it is done by foreign companies and governments? And what responsibility do Canadian banks have? They clearly have a responsibility to require subcontractors to comply with their privacy policies and Canadian privacy laws. But if the subcontractor ignores that, what obligations and options do they have?

If you are a foreign entity faced with a government demand for information, do you choose to say no and incur the wrath of that government, or to violate your contract with your bank customer?
