Remarks by the European Central Bank on the oversight of SWIFT
The European Central Bank (ECB) would like to note that central banks are responsible for fostering financial stability and promoting the smooth operation of payment and settlement systems. As SWIFT is a messaging provider and not a payment system, central bank oversight of SWIFT (performed by the G10 central banks and the ECB) focuses on its technical security, operational reliability, resilience, appropriate governance arrangements, and its having in place risk management procedures and controls. The monitoring of SWIFT activities that do not affect financial stability is not a matter for central bank oversight and therefore the US Treasury subpoenas of SWIFT were outside the purview of central bank oversight. The Oversight Group has no authority to oversee SWIFT with regard to compliance with data protection laws. The request by the European Data Protection Supervisor to bring data protection compliance within the remit of central bank oversight would not be in line with the allocation of legal responsibilities.
In each jurisdiction where SWIFT operates, compliance with mandatory laws is the responsibility of the authorities designated by the law. This also applies to data protection. It has also been pointed out that SWIFT provides services throughout the world, and we recommend that any measure adopted should take into account the global aspect of SWIFT’s services. The ECB understands that initiatives have been taken in this context vis-à-vis the US Government; joint action by the EU institutions and bodies competent on data protection and on payment systems legislation as well as authorities responsible for the fight against terrorism is also urgently needed. The issue at stake requires action by the EU legislator, namely to provide legal certainty in areas where data protection might conflict with legislation on the fight against terrorism, and action by the European Union’s foreign relations bodies in what relates to specific action regarding the US subpoenas.
The ECB is subject to Council Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. When using SWIFT services, the ECB will seek the consent for such use from its individual counterparties in payment transactions (i.e. employees and individual service providers) and continue to make use of SWIFT services by means of an explicit condition in the relevant documentation. When asking for this consent, the ECB will explicitly refer to its use of SWIFT and SWIFT’s database storage. This processing conditional upon consent will be an explicit condition in the relevant documentation. Payment orders from natural persons who do not consent to the use of SWIFT cannot be processed. The ECB has investigated possible alternatives to using SWIFT services and has had to conclude that at this stage no feasible alternatives, which meet its expectations concerning availability, non-repudiation, security and reachability, are available.
On the same issue, the ECB has responded to questions raised by Mrs Pervenche Berès, the Chairwoman of the Committee on Economic and Monetary Affairs of the European Parliament and Mr Jean-Marie Cavada, the Chairman of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament, regarding the ECB’s follow-up to the Article 29 Working Party on the processing of personal data by SWIFT. The reply is available on the ECB website.
The G10 Group of central banks is composed of the Nationale Bank van België/Banque Nationale de Belgique, the Bank of Canada, Banque de France, Deutsche Bundesbank, Banca d'Italia, the Bank of Japan, De Nederlandsche Bank, Sveriges Riksbank, the Swiss National Bank, the Bank of England and the Federal Reserve System (USA) represented by the Board of Governors of the Federal Reserve System and the Federal Reserve Bank of New York.