Skip to main content
  • English
    Discover SWIFT
  • Español
    Descubra nuestros contenidos en español
  • Français
    Découvrez notre contenu disponible en français
  • 中文
    了解我们提供的中文内容
  • 日本語
    日本で入手可能なコンテンツをお探しください

Swift on privacy and data protection

Table of contents

Privacy is a fundamental commitment at Swift, an essential component of our core services and integral to the Swift environment. We protect the data and privacy of our customers around the world. We operate our services to strict privacy and data protection standards and in compliance with EU data protection regulation, considered as the most stringent privacy legislation in the world.

We take our commitment to privacy extremely seriously and seek to deliver a very strong degree of privacy by ensuring that all data is protected by design in the Swift environment, as well as by ensuring our full compliance with all applicable privacy and data protection laws.

Privacy protections are embedded into the design and architecture of our systems and business practices at Swift. We operate according to two important principles: privacy by design, and data minimisation.

Swift’s approach to protecting data is proactive and preventative: we aim to anticipate and prevent events before they happen; we do not wait for privacy risks to materialise; and we trust, but verify.

Privacy protections at Swift are extended securely throughout the entire lifecycle of the data involved, from start to finish. This ensures that data is securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, we ensure cradle-to-grave, secure lifecycle management of data.

Over the years Swift has repeatedly improved transparency by enhancing its contractual documentation with respect to the processing of customers’ data (including personal data). In doing so, Swift has been assisted by a working group of data protection and compliance experts from Swift users around the world.

Swift policies, principles and practices

Swift has corporate policies and practices in place that are designed to ensure privacy and to protect all data in our possession, whether personal or not.

Swift operates according to its stated promises and objectives, as set out in its data policies. These policies are governed by the following key principles:

  • Appropriateness:  We regularly review our data policies and contractual documentation to ensure we explain clearly how we handle data, whether personal or not.
  • Transparency: Our customer related data policies are made publicly available on our website and form an integral part of the contractual documentation for Swift’s messaging services.
  • Privacy by design: Respect for privacy is paramount at every stage of the design, development and delivery of our products and services.
  • Data minimisation: We collect the minimum amount of data needed to fulfil our messaging service obligations.
  • Awareness: We provide awareness training to all employees to ensure they have a clear understanding of the importance of data privacy and how to ensure data is protected.

At Swift, use and protection of data is strictly controlled according to formal policies and audited processes. Our annual ISAE 3000 report on our SwiftNet and FIN messaging services, includes data protection controls and our Data Protection Officer regularly reviews these controls and makes appropriate modifications within the related policies as required.

Data Protection Officer

Swift has appointed a Data Protection Officer who ensures that Swift complies with all applicable data protection legislation and that Swift’s own privacy and data protection policies are up to date and fit for purpose.

Messaging Services

Swift messages and data flows are encrypted, and both logical and physical security measures are implemented and monitored for continued effectiveness. Encryption and customer-to-customer authentication prevent unauthorised access by, or malicious injection of data from, internal or external sources. We constantly monitor the Swift messaging services for suspicious activity.

Some of our messaging services require Swift to store message data for 124 days. This is to ensure that customers have the ability to retrieve their own data in the case of disasters, catastrophe, queries or disputes.

Message data is stored at our operating centres (OPCs). Our OPCs are highly secure, and access to them is strictly controlled. Our security measures are designed to prevent unauthorised physical and logical access, and include physical measures that protect premises as well as logical measures that prevent unauthorised access to data.

Swift maintains three OPCs in two different continental zones (EU and Trans-Atlantic) to ensure full site redundancy.

Customers located in countries inside the European Economic Area (EEA), Switzerland and other territories and dependencies considered to be part of the European Union or associated with EU countries, are assigned to the European Zone (OPCs based in the Netherlands and Switzerland) and their intra-zone message data must remain in the EU Zone.

Customers located in the United States and its territories are assigned to the Trans-Atlantic Zone (OPCs based in US and Switzerland) and their intra-zone message data must remain in the Trans-Atlantic Zone. Customers in all other countries are allocated either to the Trans-Atlantic or to the EU zone according with their preference, and in line with operational and technical criteria, such as load balancing. Messages exchanged between Swift customers in different zones are stored both in the Netherlands OPC and in the Virginia OPC, as well as in the Switzerland back-up OPC.

Data is held in two OPCs so that there is always a back-up in the case of disruption to an OPC.

Law enforcement requests

We do not share customers’ data (personal or not) with any third party unless we are authorised by our customers to do so or compelled to do so by law. We carefully review each demand we receive and, in the rare cases where we are legally compelled to provide customers’ data (which may include personal data), we respect any relevant agreements, protect our customers’ personal data to the largest extent possible, and inform our customers of our compliance with such enforceable requests unless this is prohibited by law. Transparency is important for Swift.

For example, as a consequence of the TFTP ("Terrorist Finance Tracking Program"), Swift is subject to legally binding requests to provide the U.S. Treasury Department (UST) with data located in its US operating centre, which is necessary for the purpose of the prevention, investigation, detection or prosecution of terrorism or terrorist financing. The TFTP programme is controlled and audited, constantly overseen, and periodically reviewed.

It is limited in scope, searches are targeted, and the data is protected. Controls and safeguards are in place to ensure that the subpoenaed data, which is limited in nature, is used strictly and only for counterterrorism purposes. The controls and safeguards ensure that data may only be retained for as long as necessary for counterterrorism purposes and that all data is maintained in a secure environment and properly handled.

Similarly and for the same purposes, Swift is subject to legally binding requests under the international EU-US TFTP Agreement to provide data located in its EU OPC to the US Treasury. Swift provides such data to the US Treasury after verification of each request by Europol. The EU-US TFTP Agreement upholds EU data protection principles and provides additional safeguards, ensuring that the EU data is adequately protected and used in accordance with the principles described above.

Data Policies

Swift’s commitments in terms of data protection compliance are set out in the following documents:

  • Swift General Terms and Conditions:

Swift’s General Terms and Conditions provide the general framework of Swift’s contractual documentation and underpin other applicable documents, including Swift’s data policies.

  • Swift Personal Data Protection Policy:

Personal data, whether collected by Swift, provided by its users, or contained within Swift messages, is protected by the Swift Personal Data Protection Policy. This policy sets out the roles and responsibilities of Swift and its customers with regard to the processing of personal data that either Swift collects for its own purposes or that Swift’s users collect as a result of their use of Swift’s messaging services. The Swift Personal Data Protection Policy forms an integral part of the contractual arrangements between Swift and its customers for the provision of the Swift services and products.

  • Swift Data Retrieval Policy:

The Swift Data Retrieval Policy covers Swift’s policy for the retrieval, use and disclosure of traffic and message data. Swift traffic data is the technical routing and processing data of a message (such as the date and time the message was sent, details of the sending and receiving institution), but not the business content. Swift traffic data does not contain any information about, nor can it be used to identify, individuals. Message data refers to the business content of a message which can contain both personal and non-personal data, depending on the nature of the message content.

  • Privacy statement:

Swift’s Privacy Statement on Swift.com refers to the protection of personal data collected on our websites for the purposes of recruitment, attendance at events or training courses, the provision of newsletters, and participation in surveys and through cookies and online questionnaires.

  • General Data Protection Regulation:

Swift is GDPR-compliant since May 2018, and has consequently aligned its contractual provisions related to the use of the Swift messaging services by the Swift customer to the GDPR requirements.

For the Swift messaging services, the Belgian Privacy Commission concluded in December 2008 that Swift processes the Swift customers’ message data in its capacity of ‘De Facto Delegate by default’ of the Swift community. This role of Swift as De facto Delegate was re-confirmed in the Privacy Commission’s official opinion of May 2016 on Swift’s Ad Hoc Clauses (implemented in order to replace Swift’s Safe Harbor Policy). Both documents are publically available on the official website of the Belgian Privacy Commission:

As a consequence, Swift processes the customers’ message data neither as data controller nor as data processor. This implies that the related contractual relationship between Swift and its customers cannot be covered by a standard data processing agreement between a data controller and data processor.

The roles and responsibilities between Swift (including its role of De facto Delegate), the Swift community and its customers with regards to the processing of personal data are set out in the Swift contractual documentation, which is compliant with the GDPR requirements. The main relevant documents are the Personal Data Protection Policy and the Data Retrieval Policy.

As explained in these documents, the respective roles of the customers and Swift are as follows:

  • Swift customers must, each with regard to the individuals that are their clients, comply with the obligations that require a direct contact with these individuals (such as obligations concerning data quality, information, personal data breach notification, access, correction, and opposition rights).
     
  • As De Facto Delegate by default of the Swift community, Swift has no relationship with the customers’ clients and does not have any search capabilities in order to look for specific individuals mentioned in the customers’ message data. Consequently, Swift is not able to assist its customers to respond to any data protection requests coming from their clients for exercising their data subject's rights and can only comply with those obligations that cannot be performed individually by Swift customers (such as the obligations to notify personal data breaches to the Belgian Privacy Commission and to Swift users - if and as required under applicable law - and to ensure an appropriate legal ground for the data transfers between its operating centres).

Supervision by Data Protection Authorities

In May 2014 the Belgian Data Protection Authority (Commission de la protection de la vie privée/Commissie voor de bescherming van de persoonlijke levenssfeer) and the Dutch Data Protection Authority (College bescherming persoonsgegevens) announced the successful completion of their investigation into the security of Swift’s networks.

The authorities concluded there were no indications that third parties have had, or could have had, unlawful access to financial messaging data. The authorities also verified that there had been no violations of the security obligations under EU data protection law.

Swift takes its security and data protection responsibilities extremely seriously and cooperated fully during the six-month long investigation. We appreciate the efforts the authorities made in order to reach this positive conclusion.

Statements on Data Privacy

Swift Statements on data privacy

2014

 

8 May 2014 Data Protection Authorities confirm positive conclusion to investigation

2013

 

13 Nov 2013 Statement on data protection review

24 Sep 2013

Swift testifies before European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE)

2011

 

2 Feb 2011

Swift Clarifies Misleading Information Regarding SEPA Message Data Disclosures

2010

 

8 Jul 2010

EU reaches political accord on EU-US Terrorist Finance Tracking Program Agreement
European Parliament adopts EU-US Terrorist Finance Tracking Program Agreement

11 Feb 2010

The European Parliament s rejection of the interim EU-US agreement on the Terrorist Finance Tracking Programme
The European Parliament today voted to reject the interim EU-US agreement on the processing and transfer of financial messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Programme

2009

 

3 Sep 2009

Swift CEO addresses EU Parliament
Swift stresses to EU Parliament that the principles of robust data protection and legal certainty must remain constant

18 Feb 2009

Subpoenaed Swift message data is adequately protected
Eminent European person confirms UST controls and safeguards

2008

 

10 Dec 2008

Swift respects data protection legislation
Decision by the Belgian Data Protection Commission regarding Swift

11 Mar 2008

EU to review USTs handling of Swift data under subpoena
Judge Brugui re appointed eminent European person

2007

 

4 Oct 2007

Swift Board approves messaging re-architecture
Distributed messaging topology enables multiple processing zones

20 Jul 2007

Swift completes transparency improvements and obtains registration for Safe Harbor
New policies available on this web site

29 Jun 2007

Swift welcomes outcome of EU-US talks
Political arrangement to reinforce legal certainty

15 Jun 2007

Swift announces plans for system re-architecture
New structure to expand network capabilities, improve commercial positioning, allay data privacy concerns

4 Apr 2007

Canadian Data Privacy Commission concludes Swift upheld privacy law
Canadian DPC Report issued

29 Mar 2007

Important actions resulting from March 2007 Board meeting
Swift seeking legal certainty while pursuing safe harbor status, increased contract transparency and global architecture alternatives

11 Feb 2007

US terrorist financing investigations and the role of Swift
A summary of developments to date on Swift compliance

2006

 

22 Dec 2006

Swift welcomes announcement by European Commission Vice-President Frattini to open talks with US Government
Recent developments conclude 2006 on optimistic note

29 Nov 2006

US bi-partisan panel "impressed" by Swift's controls to protect civil liberties
US bi-partisan panel "impressed" by Swift's controls to protect civil liberties

23 Nov 2006

Swift strongly objects to advisory opinion from WP 29
Global solution needed to balance data privacy concerns with security and public safety

16 Nov 2006

Swift supports calls for debate to move beyond data privacy to security and public safety
Submits comprehensive legal rebuttal to Belgian Privacy Commission

24 Oct 2006

New York Times public editor reverses himself on 23 June article
Says no evidence of abuse of private data is a key reason

8 Oct 2006

Commentary: Swift defends compliance at EU Parliament hearing
Urges global framework

4 Oct 2006

EU Parliament hearing: Swift statement and press release
Swift re-iterates calls for EU-US dialogue on security and data privacy

28 Sep 2006

Swift supports calls for EU-US talks on security and data privacy
Urges solution at EU-US governmental levels

25 Aug 2006

Update and Q&A to Swift's 23 June 2006 statement on compliance
Compliance with subpoenas is legal, limited, targeted, protected, audited and overseen

23 Aug 2006

Statement on bank secrecy from the Swiss Federal Government
Statement on bank secrecy from the Swiss Federal Government

23 Jun 2006

Swift statement on compliance policy
Following recent press coverage, Chairman, Deputy Chairman and CEO provide statement to Swift community

Loading...