SWIFT's Microsoft deal leaves privacy issues open

The Society for Worldwide Interbank Financial Transactions (SWIFT) has entered into a global partnership with Microsoft Corp. in order to simplify the way financial service providers and mid-to-large enterprises connect to its financial messaging platform. But while industry observers say the move solidifies SWIFT’s position as the de facto financial messaging network, data protection still remains an issue for the Belgium-based organization.

In its new partnership with the Redmond, Wash. software giant, Microsoft BizTalk Server 2009 with BizTalk Accelerator for SWIFT will enable Microsoft partners and financial institutions easier access to build solutions for SWIFT connectivity. According to one analyst though, the agreement will not have a significant impact on Canadian financial institutions.

“SWIFT is a global standard that more people are moving toward and Microsoft’s support of it suggests we’re going to see even more of this,” Rob Burbach, senior analyst for Financial Insights' Canadian Financial Advisory Service, said. “There are a lot of app developers using Microsoft .Net already, so it will probably just make it easier to integrate with financial service products.”

What the partnership won’t address is the privacy concerns at the top of mind for many industry observers. As SWIFT becomes the financial industry’s global messaging network standard, privacy advocates say new standards on cross-border, online data protection need to be drafted. In 2006, SWIFT came into the global spotlight after it was discovered that the U.S. Treasury used administrative subpoenas to access tens of thousands of SWIFT records – including data from Canadian financial institutions – for anti-terrorism purposes. Because SWIFT operates a data centre within the U.S., the subpoenas were granted.

Privacy Commissioner Jennifer Stoddart launched an investigation into the matter in early 2007, but did not offer a solution for what some have called a “privacy loophole.” Her office concluded that Canada must respect the legal frameworks of other countries and that foreign authorities can lawfully access the personal information of Canadians held by organizations within their jurisdiction.

According to some privacy advocates, similar issues will continue to arise if foreign jurisdictions continue to take inconsistent views on data protection.

“It’s a taboo topic because nobody wants to interfere in global commerce,” Pippa Lawson, executive director at the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC), said. “With large and small corporations are sending our personal information around the world, we’re also seeing these companies choose to do data processing in the cheapest locations in the world – many of which aren’t always the most secure either.”

Lawson said as the global information flow continues to increase, the need to develop international standards for privacy protection will increase with it. In Europe, she said, countries are not allowed to outsource data outside of the continent unless the government determines the country it wants to outsource to practices adequate privacy measures.

“In Canada, we have not followed that approach,” she said. “Our rule says that if you’re going to use an organization like SWIFT, you just have to ensure they have a comparable level of protection. The big issue is, if they’re located in a jurisdiction that has a lower standard of privacy protection or allows state surveillance in circumstances that we would not allow in Canada, does that constitute a comparable level of protection?”

Lawson said while the European approach appears to be more effective than the Canadian approach, both are largely unsuccessful in practice – underscoring the need for global data protection standards. “The desire is to facilitate these information flows rather than impede them,” she added. “Information is going to be shared anyway, even if the U.S. doesn’t meet the adequate requirements.”

As for SWIFT itself, the organization has started to take measures to ensure privacy and data protection. Last year, SWIFT’s supervisory board approved plans to create a new global data processing centre in Switzerland and a command-and-control centre in Hong Kong. The organization wants to create two message processing zones: Europe and Transatlantic. The new global computing centre would act as a mirror to the current U.S. facility and should be completed by the end of next year.