Belgium, Netherlands investigate alleged NSA spying on bank payments data

The NSA reportedly unlawfully accessed SWIFT payments data

The Belgian and Dutch Data Protection Authorities (DPAs) said Wednesday that they will investigate the security of SWIFT, which runs an international bank messaging system, following allegations that the U.S. National Security Agency unlawfully accessed SWIFT data.

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is member-owned and exchanges millions of standardized financial messages for more than 10,000 financial institutions in 212 countries each day. SWIFT is based in La Hulpe, Belgium, a municipality close to Brussels, and has an operating center in the Netherlands, where traffic is processed and stored.

On Sept. 15, a report from German magazine Der Spiegel alleged that an NSA program has been collecting global financial data, including credit card transactions and SWIFT data. The program is called "Follow the Money" and it feeds the financial information into a system called "Tracfin," according to Der Spiegel, which based its story on documents leaked by former NSA contractor Edward Snowden.

Beginning in June, documents leaked by Snowden to several news organizations have unleashed a series of disclosures about NSA spying internationally, setting off debate about the surveillance programs.

After publication of the report, SWIFT officials testified before the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) on Sept. 24. During that testimony, officials said SWIFT had no evidence to suggest that there has ever been any unauthorized access to the system or its data.

"There is in itself no reason to doubt this internal audit," said Lysette Rutgers, a spokeswoman of the Dutch Data Protection Authority (CBP), which will be conducting the investigation together with the Belgian Data Protection Authority (CPP). "But we are a supervisory authority and we will not depend on what an organization says," she said.

The DPAs will investigate whether third parties could have gained unauthorized or unlawful access to European citizens' bank data, they said in a news release.

If the U.S. indeed has gained direct access to that data, it could have handled the information in a manner contrary to the privacy terms in the Terrorist Finance Tracking Program II Agreement (TFTP agreement) that SWIFT is subject to, they said. This agreement between the European Union and the U.S. enables the U.S. to request data on bank transactions through a special procedure in order to fight terrorism.

The European Parliament, though, voted in October to suspend the TFTP because of the allegations that the NSA had spied on SWIFT data without going through legal channels. The Parliament has no formal powers to suspend an international agreement. However, the European Commission, the E.U.'s executive body, must take under advisement Parliament's votes on such deals.

The TFTP agreement includes strictures on how SWIFT data may be used as well as on external oversight of this use, the DPAs said.

Rutgers declined to comment on possible sanctions SWIFT could face or on how long the inquiry would take.

It is much too early to talk about possible sanctions, said CPP spokeswoman Eva Wiertz in an email. "Moreover, the Belgian DPA cannot impose sanctions," she said, adding that if the DPA determines Belgian privacy laws are breached it can pass its findings on to the public prosecutor. The investigation will take at least a few weeks, she said.

SWIFT is cooperating with the Belgian and Dutch Data Protection Authorities, the organization said in a statement on its website. "There is no evidence at this time to suggest that there has been any form of confidentiality breach. SWIFT takes these matters extremely seriously and looks forward to confirming the positive outcome of this DPA review," it said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to
