Statement by the President of the ECB at the public hearing at the European Parliament on the interception of bank transfer data from the SWIFT system by the US secret services
Speech by Jean-Claude Trichet, President of the ECB
Public hearing at the European Parliament
4 October 2006
Madam Chair, Mr Chairman, members of the Committee on Civil Liberties, Justice and Home Affairs, members of the Committee on Economic and Monetary Affairs,
I am here today to explain to you in more detail the ECB’s role in the oversight of SWIFT after SWIFT responded to the subpoenas issued by the US Treasury under its Terrorist Finance Tracking Programme. As I already explained in my letter of 3 August 2006 in reply to Mr Klinz, Member of the European Parliament, the ECB is a member of SWIFT’s Co-operative Oversight Group (OG). In the first part of my statement, I would therefore like to clarify the objectives and mandate of this Oversight Group. Secondly, I will set out the legal constraints arising from the Statute of the European System of Central Banks and of the European Central Bank in this area, including the confidentiality regime in force. Following Mr Praet’s statement, I will be at your disposal to answer all your questions.
1. Scope of oversight
First of all, I would like to address what the oversight activities of central banks comprise and how this is implemented in practice in the case of SWIFT. As you will be aware, payment and securities infrastructures are exposed to a wide range of risks, for example credit risks, liquidity risks and operational risks, which can impose costs on the system operator, the system participants and also the general public. Under certain circumstances, these risks can even become systemic. If a bank fails to settle, this can in some cases impair the ability of other banks to smoothly settle transactions that have already been processed, and thus trigger a chain reaction that can lead to the destabilisation of the entire financial system.
Similarly, delays in settling transactions by a participant will typically affect the ability of other participants to pay. If the functioning of the system as a whole is disrupted, its participants and possibly the general public might be adversely affected. In such cases, individual participants (or the system operator) externalise costs to other parties and therefore do not necessarily have sufficient incentives to act prudently and avoid risk. This is particularly true if the participants or operator assume that they are “too big to fail” and expect that a public authority will intervene in a crisis situation. The central bank oversight function represents one form of public involvement in controlling such systemic risks. It aims to ensure that both participants and operators have adequate incentives to act prudently, avoid risk and minimise social costs.
SWIFT is the most important provider of messaging services for financial transactions in the world. As a consequence, the sound functioning of SWIFT is a precondition for the overall smooth functioning of payment and settlement systems and, as such, also for financial stability. As a matter of fact, any disruption of SWIFT’s messaging activity could trigger further disruption amongst its users, which include a very large number of systemically important payment and settlement systems.
In view of SWIFT’s critical role in the smooth functioning of the global financial system, the G10 central banks decided to set up a special cooperative framework for the oversight of SWIFT. This oversight framework was formalised in 2004 through the establishment of the Oversight Group. The ECB participates in this Group, which is led by the National Bank of Belgium (NBB). The ECB’s involvement in the oversight of payment and clearing systems is based on its role, under the EC Treaty, “to promote the smooth operation of payment systems”. The safe and efficient functioning of market infrastructure, and of payment systems in particular, is also an indispensable precondition for the proper implementation of two other core central bank tasks, namely to maintain financial stability and to ensure price stability through the smooth implementation of monetary policy operations.
The Oversight Group has been given a very specific mandate. Its role is not to assess the entirety of risks which may occur. Rather, the Oversight Group monitors SWIFT’s activities only insofar as they are relevant to the smooth functioning of payment systems and to financial stability. To that end, it assesses whether SWIFT has in place the appropriate governance arrangements, risk management procedures and controls to prevent and/or address effectively the risks posed to the smooth functioning of payment systems and financial stability. The monitoring of activities that do not affect the proper functioning of market infrastructure and financial stability is outside the Oversight Group’s remit.
It is important to understand that SWIFT is not a “payment” or “clearing” system, or a financial institution. As a consequence, in performing their oversight role, the overseers of SWIFT have limited competences vis-à-vis SWIFT. Indeed, oversight of SWIFT is not based on a comprehensive legal framework, contrary to, for instance, the supervision of financial institutions. For example, the Oversight Group cannot impose any sanctions on SWIFT to enforce decisions. Therefore, overseers rely mainly on “moral suasion” to convince SWIFT of the need to improve the sound functioning of its systems.
The Oversight Group was informed in 2002 about the subpoenas issued by the US Treasury. As you know, these subpoenas were part of a US programme to track terrorist financing, targeted to specific investigations. The Group considered that this matter would not have financial stability implications and therefore concluded that it fell totally outside the remit of its oversight role.
I would like to stress that the SWIFT Oversight Group did not give SWIFT any kind of approval or “blessing” in relation to its compliance with the US subpoenas. The Oversight Group could not in fact have given such an authorisation, as it was outside its competence to do so. As the overseers’ competences only relate to oversight, they are obliged to refrain from any actions that go beyond these parameters. SWIFT therefore remained solely responsible for its decisions concerning compliance with the US subpoenas.
The question has recently been raised whether the Oversight Group should not have considered SWIFT’s compliance with applicable data protection rules. However, the task of protecting personal data is outside the remit of the Group’s oversight function, since it is unrelated to the functioning of market infrastructure and financial stability. If the Oversight Group were to assume this task, it would conflict with the competences assigned by the Data Protection Directive to national and EU data protection authorities. In this regard, SWIFT informed the Oversight Group that it had obtained significant protections and assurances from the US Treasury to ensure that the data concerned were used exclusively for the purpose of antiterrorist investigations. An audit commissioned by SWIFT also confirmed that there was no indication that the subpoenas and their implementation had any other purpose than the fight against terrorism.
2. Professional confidentiality
Let me now turn to the second topic, that is, why the ECB was unable to use the information it received in the context of the oversight framework for other purposes or to share such information with other relevant authorities.
First, SWIFT has requested that the information it provides to the central banks in the context of oversight must only be used for oversight purposes.
Second, the Memoranda of Understanding concluded by the NBB, in its capacity as lead overseer, with each individual G10 central bank involved in the cooperative oversight of SWIFT, including with the ECB, stipulate that all non-public information shared by the signatories, including information provided by SWIFT, must be treated as confidential and must also be subject to the respective obligations of professional secrecy of the signatories, as applicable.
Third, the applicable obligations of the ECB, as referred to in the Memorandum of Understanding signed with the NBB, are laid down in Article 38 of the Statute of the ESCB, which imposes professional secrecy on the ECB.
As I have explained, the SWIFT oversight function is not based on a comprehensive legal framework including powers to impose sanctions, but on “moral suasion”. The tool of “moral suasion” can only work properly if there is a close dialogue and mutual trust between the overseers and SWIFT. In this context, a strict confidentiality regime is of the essence. After all, the oversight role involves the sharing of very sensitive information, and the disclosure of this information may have severe consequences.
Although the ECB became aware of the subpoenas being imposed on SWIFT in June 2002, this information could neither be transmitted to third parties nor be made public.
Moreover, the ECB has no authority to supervise SWIFT with regard to compliance with data protection laws. The difficult questions arising in that regard must be addressed by the relevant data protection authorities, as data protection is a matter which falls outside the ECB’s competence.
Let me now conclude my remarks with a brief summary of the main points I have made. First, the G10 central banks, including the ECB, perform the oversight of SWIFT under the leadership of the NBB. As such, our responsibilities are precisely to ensure that SWIFT has an appropriate framework in place to avoid systemic risks. In executing these responsibilities, the central banks – as overseers – rely not on a comprehensive legal framework, including powers to impose sanctions, but on “moral suasion”. Second, compliance with the US subpoenas fell outside the context of financial stability and thus outside the remit of our oversight role. Third, we did not give SWIFT any blessing in relation to its compliance with these subpoenas. In fact, we could not have given any such authorisation even if we had wanted to, as this fell outside our competence. Therefore, SWIFT remained solely responsible for its decisions. The conclusion that SWIFT’s compliance with the US subpoenas was and is beyond the remit of oversight by central banks remained unchallenged in the Belgian data protection authority’s report of 27 September 2006.