Terrorist Finance Tracking Program

The Terrorist Finance Tracking Program is a United States government program to access the SWIFT transaction database revealed by The New York Times, The Wall Street Journal and The Los Angeles Times in June 2006. It is part of the Bush administration's "Global War on Terrorism". Based in Belgium, SWIFT (Society for Worldwide Interbank Financial Telecommunication) establish common standards for financial transactions worldwide.

Introduction
A series of articles published on June 23, 2006, by The New York Times, The Wall Street Journal and The Los Angeles Times revealed that the United States government, specifically the United States Treasury Department and the CIA, had a program to access the SWIFT transaction database after the September 11th attacks. According to the June 2006 New York Times article, the program helped lead to the capture of an al-Qaeda operative known as Hambali in 2003, believed to be the mastermind of the 2002 Bali bombing, as well as helped identify a Brooklyn man convicted in 2005 for laundering money for an al-Qaeda operative in Pakistan. The Treasury Department and White House responded to the leak the day before it was published and claimed that the leak damaged counter-terrorism activities. They also referred to the program as the Terrorist Finance Tracking Program ("TFTP"), similar to the Terrorist Surveillance Program in the NSA wiretapping controversy.

The Terrorist Finance Tracking Program was viewed by the Bush administration as another tool in the "Global War on Terrorism". The administration contends the program allows additional scrutiny that could prove instrumental in tracking transactions between terrorist cells. Some have raised concerns that this classified program might also be a violation of U.S. and European financial privacy laws, because individual search warrants to access financial data were not obtained in advance. In response to the claim that the program violates U.S. law, some have noted that the U.S. Supreme Court in United States v. Miller (1976) has ruled that there is not an expected right to privacy for financial transaction records held by third parties and that "the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed."

Immediately following the disclosure, SWIFT released an official press statement asserting that they did give information to the US in compliance with Treasury Department subpoenas, but claiming that "SWIFT received significant protections and assurances as to the purpose, confidentiality, oversight and control of the limited sets of data produced under the subpoenas". The central bank of Belgium, the National Bank of Belgium, was revealed on June 27, 2006, to have known about the U.S. government's access to the SWIFT databases since 2002. Belgian Christian Democratic and Flemish party claimed on June 28, that the actions of the CIA with SWIFT were in breach with Belgian privacy laws. The Belgian parliamentary committee (Comité I), that deals with the workings of the Belgian State Security Service reported that SWIFT was indeed in violation with Belgian and European privacy laws. The New York branch of the Dutch Rabobank is said to deliver information on its European customers to the U.S. government, in contempt of European privacy laws. The Dutch Data Protection Authority claims that Dutch banks could face monetary fines if they hand over data on their customers to the American government. Consequently the European Union (EU) has obtained the possibility to send a high rank magistrate as High Representative of EU to United States of America for the Financing of Terrorism, in order to monitor the TFTP activities. This magistrate, Jean-Louis Bruguière, has a permanent office in Washington DC at the US Department of Treasury.

Legal Treaty Development
After European concerns with wholesale SWIFT data export were raised, it became necessary for the US to negotiate a treaty with the EU in order to be able to continue accessing the SWIFT database. The Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program was negotiated during 2009. The treaty was first rejected by the European parliament, however after a few months and a visit by U.S. Vice president Joe Biden to the parliament, the European Commission introduced the same proposal once again, and then it was adopted.

Scope
The scope of the treaty is to use financial payment messaging data to prevent, investigate, detect and prosecute conduct pertaining to terrorism or terrorist financing. Terrorism is defined as acts which involves violence or are otherwise dangerous to human life or create a risk of damage to property or infrastructure with the intent to intimidate a population or government or an international institution to act or abstain from acting or to seriously destabilize or destroy fundamental structures of a country or international organization.

Process
The U.S. Treasury department serve production orders to a designated provider of financial data. SWIFT is the only designated provider today. The request shall identify as clearly as possible the data necessary for the purpose of the treaty. The request should clearly substantiate the necessity of the data, and be tailored as narrowly as possible. Payments within the Single Euro Payments Area are excluded.

Safeguards
The U.S. Treasury department shall process the data only for the purpose of the treaty. Data mining is not allowed. The data must be secured and cannot be interconnected with any other database. Access to data shall be limited to investigations of terrorism. All searches must be based upon preexisting information or evidence of connection with terrorism. Information may only be shared with law enforcement, public security or counter terrorism authorities in the US or EU.

Citizen's rights
Any person has the right to obtain a confirmation through the data protection authority in the EU member state that the person's data protection rights have been respected. Any person has the right to seek the rectification, erasure or blocking of his or her personal data where the data is inaccurate or the processing contravenes the treaty.

European TFTP
EU may request the aid of the US to build up a European TFTP.

2012

 * February 26: the Danish newspaper Berlingske reported that USA authorities evidently have sufficient control over SWIFT to seize money being transferred between two EU countries (Denmark and Germany), since they have seized around U$26,000 which were being transferred from a Danish to a German bank. The money was a payment by a Danish businessman for a batch of Cuban cigars previously imported to Germany by a German supplier. As justification for the seizure, the U.S. Treasury has stated that the Danish businessman has violated the United States embargo against Cuba.

2011

 * October 25
 * European Data Protection Supervisor communication entitled Terrorist Finance Tracking System (TFTS) - European Commission Communication of 13 July 2011 (2011-0699) to Ms Cecilia Malmstrom, Commissioner for Home Affairs, European Commission:
 * We support all the points made by the Article 29 Working Party in its letter of 29 September, based on its specific experience in analysing and monitoring the original agreement between the US and the EU regarding the Terrorist Finance Tracking Programme (the 'US TFTP agreement'), which is the source of the developments of the Terrorist Finance Tracking System ('TFTS') at EU level.
 * We would like to complement the observations of the WP29, especially in relation to the context in which the TFTS is envisaged, about [the question of] its necessity and proportionality, the procedural guarantees that should be introduced and finally with regard to its consequences on the existing US TFTP agreement.
 * European Data Protection Supervisor offers Comments on the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 13 July 2011: “A European terrorist finance tracking system: Available options”:
 * [The] main reason for the development of a European terrorist finance tracking system (‘EU TFTS’) has its source in the present US TFTP agreement (and in particular its Article 11) and in the Council Decision of 13 July 2010 (‘the Decision’). Currently, under TFTP, data are sent in bulk to the US, to be stored and filtered according to requests of the US Treasury Department. This has raised serious criticism, especially by the European Parliament (and obviously the EDPS and WP29), notably with regard to the necessity and proportionality of the 'bulk' data flows.
 * If the filtering of data is performed within the EU under TFTS, according to criteria which should be particularly strict (in order to comply with the necessity and proportionality tests), the data sent to the US would be restricted as a result. This is essential in order to meet the EU data protection requirements, even if the data would not totally meet the (broad) requests of US authorities.
 * September 29
 * Article 29 Working Party letter regarding TFTP

2010

 * November 19:
 * Article 29 Working Party communication entitled EU-US General Agreement (D(2010) 837566) to Vice-President Viviane Reding, Commissioner for Justice, Fundamental Rights and Citizenship, European Commission:
 * On 26 May 2010 the European Commission presented the draft negotiating mandate for an agreement between the European Union and the United States of America on the protection of personal data when transferred and processed for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters (hereafter: the EU-US general agreement). The Article 29 Working Party understands the negotiating mandate has been under discussion in both the Council and the European Parliament in recent months and may be adopted by the Justice and Home Affairs Council in early December. The Working Party regrets that it has not been consulted on the content of the negotiating mandate for this agreement, since these negotiations with the US are bound to be one of the most important steps within the area of data protection the EU is to take in the coming years.
 * July 13: 'Council Decision'
 * EDPS: In the Decision, the Council agreed to the conclusion of the agreement between the EU and the US while at the same time inviting the Commission to submit to the European Parliament and to the Council a legal and technical framework for the extraction of data on EU territory. Furthermore, in giving its approval to the conclusion of the agreement on 8 July 2010, the European Parliament explicitly acknowledged the commitment by the Council and the Commission to set up the legal and technical framework allowing for the extraction of data on EU soil. This commitment would in the mid-term ensure the termination of bulk data transfers to the US authorities.  The requirement for a prior filtering of data within the EU is supported by the EDPS, as it would prevent the sending of bulk data to a third country. However, the Communication goes beyond the acknowledged purpose of filtering data in the EU, as it clearly indicates that the "system should not be set up just to provide relevant information to US authorities", as the authorities of the Member States "have a real interest in the results of such a system as well".  The Communication therefore seems to legitimise the setting up of a whole new TFTS scheme, in an EU specific context, on the basis of the existing TFTP agreement. In other words, the Communication seems to justify the introduction of a new system which invades the privacy of EU citizens for the benefit of the authorities of EU Member States while using as a justification the assessment of utility of a system conceived and implemented to allow the US authorities to pursue their own investigation linked to terrorism.  The EDPS has strong doubts about this approach, which does not appear to respect the principles of necessity and proportionality (as developed below). (Comments on the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 13 July 2011: “A European terrorist finance tracking system: Available options” (2011-10-25))
 * May 26: European Commission presents draft mandate.
 * The Article 29 Working Party understands the negotiating mandate has been under discussion in both the Council and the European Parliament in recent months and may be adopted by the Justice and Home Affairs Council in early December. The Working Party regrets that it has not been consulted... - EDPS, EU-US General Agreement (D(2010) 837566, 2010-11-19.

2001-2006

 * November 22, 2006: Article 29 Working Party adopts Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT).
 * [The] Article 29 Working Party emphasizes that even in the fight against terrorism and crime fundamental rights must remain guaranteed. It insists therefore on the respect of global data protection principles.
 * The Article 29 Working Party calls upon SWIFT and the financial institutions to take measures in order to remedy the currently illegal state of affairs without delay.
 * September 2006: The Belgian government declared that the SWIFT dealings with U.S. government authorities were, in fact, a breach of Belgian and European privacy laws.
 * June/July, 2006
 * At the end of June and beginning of July 2006, press coverage in the European and US media questioned the role and responsibilities of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) in relation to the transfer of personal data to the Office of Foreign Assets Control (OFAC) of the United States Department of the Treasury (“UST”). SWIFT is a Belgian based cooperative active in the processing of financial messages. It was revealed that personal data, collected and processed via the SWIFT network for international money transfers using the bank identification code (“BIC”) or “SWIFT” code, had been provided to the UST since the end of 2001 on the basis of subpoenas under American law for terrorism investigation purposes. - Article 29 Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT).

Controversy regarding The New York Times' decision to publish
There have been discussions on whether The New York Times should be prosecuted for its actions for violating the Espionage Act of 1917 and other related federal statutes. In response, some have questioned why The New York Times alone should be singled out for discipline, since The Los Angeles Times and The Wall Street Journal divulged information about the TFTP at the same time. The New York Times itself argued in a June 28, 2006 editorial that its reporting about the TFTP is protected by the First Amendment and serves a vital role, providing "information the public needs to make things right again." The New York Times editorial further argued that terrorists would have to be "fairly credulous" to believe their finances were not being tracked and that the reporting bore "no resemblance to security breaches, like disclosure of troop locations, that would clearly compromise the immediate safety of specific individuals.

Some have also questioned whether the information in the original June 23, 2006 newspaper articles was even secret, despite its U.S. government classification, because of previous newspaper articles discussing SWIFT. Specifically, a 1998 Washington Post article, in the wake of the U.S. embassy bombings, mentioned that the "CIA and agents with Treasury's Financial Crimes Enforcement Network also will try to lay tripwires to find out when bin Laden moves funds by plugging into the computerized systems of bank transaction monitoring services – operated by the Federal Reserve and private organizations called SWIFT and CHIPS – that record the billions of dollars coursing through the global banking system daily." Also, a September 21, 2001 Baltimore Sun article mentioned SWIFT "headquartered in Belgium" and conjectured about the ability of the U.S. National Security Agency "to follow the money through its electronic intercepts of such transactions." Still others have questioned the secrecy of the TFTP because the Bush administration has made public announcements that it planned to track terrorist-related finances. For example, in a speech shortly after the September 11th attacks, George W. Bush elaborated on the Administration's intention to track terrorist funding, saying "if [financial institutions] fail to help us by sharing information or freezing accounts, the Department of the Treasury now has the authority to freeze their bank's assets and transactions in the United States".

However, critics of the decision to disclose the classified program's existence, including U.S. Treasury Secretary John W. Snow, responded by arguing that there is a vast difference between stating general intentions to track terrorist finances and actually revealing the exact means employed to do so. Some of these critics called attention to The New York Times itself making no mention of either SWIFT or the Terrorist Finance Tracking Program in a November 29, 2005 article ironically detailing the Bush administration's apparent lack of progress in tracking terrorist finances. Moreover, in an editorial on the press's obligations in wartime, the Wall Street Journal clarified the basic differences between its approach to the story and that of the "Times." As for Secretary Snow, he disagreed with executive editor of The New York Times Bill Keller's claim that terrorists are now exclusively using "other means" to transfer funds, by stating that terrorists "have continued to [use] the formal financial system, which has made this program incredibly valuable." Testifying before the House Financial Services Subcommittee on Oversight and Investigations on July 11, 2006, Stuart Levey, the Department of the Treasury’s Under Secretary for Terrorism and Financial Intelligence, stated:

"'Since being asked to oversee this program by then-Secretary Snow and then-Deputy Secretary Bodman almost two years ago, I have received the written output from this program as part of my daily intelligence briefing. For two years, I have been reviewing that output every morning. I cannot remember a day when that briefing did not include at least one terrorism lead from this program. Despite attempts at secrecy, terrorist facilitators have continued to use the international banking system to send money to one another, even after September 11th. This disclosure compromised one of our most valuable programs and will only make our efforts to track terrorist financing - and to prevent terrorist attacks - harder. Tracking terrorist money trails is difficult enough without having our sources and methods reported on the front page of newspapers.'"

On October 22, 2006, Public Editor of The New York Times Byron Calame stated that he didn't think the article should have been published. reversing his strong support of the Times in his June 2 column. "I haven't found any evidence in the intervening months that the surveillance program was illegal.... The lack of appropriate oversight—to catch any abuses in the absence of media attention—was a key reason I originally supported publication. I think, however, that I gave it too much weight."

In September 2006, however, the Belgian government declared that the SWIFT dealings with U.S. government authorities were, in fact, a breach of Belgian and European privacy laws. New York Times editor Bill Keller responded to Calame’s “revisionist epiphany” in a letter published on November 6, 2006. Keller felt that Calame’s premise that “the press should not reveal sensitive secret information unless there is a preponderance of evidence that the information exposes illegal or abusive actions by the government” set too high a bar. Keller explained that “The banking story landed in the context of a national debate about the concentration of executive power. The Swift program was the latest in a series of programs carried out without the customary checks and balances — in this case, Congressional oversight. Key members of Congress who would normally be apprised of such a program and who would be expected to monitor its safeguards only learned of the program because we did.”