Global players, and financial services in particular, use the term Cross Border for a great many things. The media, however, seems to be using the term exclusively for the on-going tax conflict between Switzerland and the United States. But Cross Border is much more than that.

The term Cross Border Business is generally used to describe international business. More precisely, it’s used to describe business that crosses border, such as the export of a service, the sale of a product on foreign grounds or an investment into a foreign market with its own regulations. Regarding banks, Swiss Financial Market Supervisory Authority FINMA uses the term for international private clients that cross borders, but doesn’t define the term per se.

If we want to take a more generalized look at Cross Border, we have to look at the following fields of security:

• Information security
• Cross Border Access Management, specifically privileged access and administrative access
• Confidentiality of client and personal data
• Information barriers such as the Chinese Wall
  • The business world uses the term Chinese Wall to describe the practise to separate sections, franchises and other resources that are divided by different legislations in other countries. This leads to the avoidance of data exchange between legislation areas.
• Business secrets
• Outsourcing
• Records management

There are further factors that would be deserving of more elaboration. These things will find a spot in this article as food for thought, because they would make this article way too long.

Important legal requirements are:

• Bankengesetz, BankG: Bundesgesetz über die Banken und Sparkassen (Article 47) – Swiss Banking Law
• Federal Act on Data Protection
• EU Directive 95/46/EC governing the protection of individuals with regard to the processing of personal data and the free movement of such data
• FINMA Circular 2008/21 Operational risks at banks
• FINMA position statement on Legal and reputational risks in cross-border financial services

Early Incidents with Subsequent Implications

Apart from the discussion relating to the tax conflict, there have been a number of incidents with implications for Switzerland regarding the practises of Cross Border: A few happened a number of years ago, but were influential on the current developments and tendencies, even if the media did not pick up on them. I would like to mention a few of those.

After the terrorist attacks on September 11th, 2001, the US Ministry of Finance developed the Terrorist Finance Tracking Program TFTP in order to find and prosecute people or organizations that support terrorists via financial means. During this process they ordered the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to hand over transaction data. This was done, so the claim, for the overruling reason of the war on terrorism. This is confirmed by the New York Times. The newspaper writes that there have been over 20 million entries of transaction data handed over to the US authorities.

This was a direct violation of the Swiss Bank Secrecy as well as the Federal Act on Data Protection in the following ways:

1. The Swiss financial institutes have not informed their clients of the potential passing on of their data by SWIFT.
2. Data was transferred to a nation that has a different understanding of data protection and privacy. Therefore, the assumption that data protection as seen by Swiss standards cannot be guaranteed, is reasonable.

In March 2008 SWIFT announced that they want to establish a new data centre in or around Zürich in order to separate the European transfer data from the American data. This should protect the European transaction data from US governmental agencies. The data centre went operational in 2009.

Underestimated Risks

Related to the tax debate and _Cross Border, there are other problematic areas that are often forgotten.

When looking at administrators working under the Follow the Sun principle have access to central Swiss business application and infrastructure all over the globe, there will be less popular Cross Border related risks. It can’t be entirely avoided that people in the United States access Swiss applications as well as core systems and data.

The US government could use this new data stream to gain access to Swiss business, client and personal data by claiming some superior interest, maybe the Terrorist Finance Tracking Program or maybe because they want to prosecute tax crime extraterritorially and without respect for local Swiss Laws.

What is the Follow the Sun principle? Companies that operate globally try to organize their branches in a way that a so-called Follow the Sun service is guaranteed. This means that the company is able to provide IT services such as support and administration 24 hours a day by strategically placing offices in different time zones.

This results in the following risks if Follow the Sun needs privileged access to core systems that are located in Switzerland:

1. Violation of local laws and duties
   • If the US government agencies gain access to Swiss business, client and personnel data information could be revealed that could violate local Swiss laws regarding data protection and bank secrecy
   • If access to said data by an administrator can’t be excluded, foreign parties could gain insight into personal data of employees.
   • By law enforcement and citing higher interest such as the war against terror, the US government can extraterritorially access data via means that would be illegitimate in any country and violate Swiss law
   • In the same context, there’s lawful interception or legal interception which sees governments demand and use the possibility that connection data of communications networks are being revealed to them so that they can analyse it or use it as evidence
2. Loss of privacy / Loss of trust in the location Switzerland
   • Even public knowledge of the existence of practises that allow access to central systems, confidential information and data will damage reputation that will weaken trust in politics and economy
3. Politically motivated attacks and economic espionage
   • In the ever-present economic race for the top spot on the financial markets politically motivated attacks could be carried out by these means.
   • Central IT services of global companies are developed in house. Therefore their source code is a sensitive business asset

Due to territoriality, Swiss government can only enforce bank secrecy and data protection in Switzerland. A service provider on foreign grounds can only be bound to these laws as well as other laws by having him sign a contract.

This also means that foreign governments can legitimately demand and gain access to Swiss data as soon as that data crosses borders. Client data must not be transmitted to foreign soil without having the data anonymized and aggregated in order to ensure that bank secrecy and data protection is guaranteed. Furthermore, it’s important to pay attention to the fact that it should be impossible to deduce client or personal data from the transmissions.

Revelation or transmission of personal data includes the following:

• Outsourcing of client or personal data to a third party server in a foreign country
• Granting access to data
• Forwarding of unencrypted or encrypted but encryptable data and statistics
• Exchange of data lists and data statistics

If there is a written consent by the affected clients that allows a business the forwarding of data, the forwarding is in order as long as the following is included in the consent form:

• Reason for forwarding
• Agreement that data is to be transferred that can’t be misunderstood
• Identity of the third party
• Explicit confirmation that the data is being transferred across borders

The signed consent form should be archived as a formality, if it’s not already included in other contracts.

More Food for Thought

• Confidential data of clients, employees or third parties must always be treated confidentially
• Transparency regarding business, law and regulation demands as well as a timely consultation by experts in order to guarantee adequate and lawful handling and processing of data is of great importance

The regulatory complexity of business activity with Cross Border aspects is partially based not only local regulations such as those by FINMA but also foreign ones.

If a Swiss bank wants to manage foreign capital, the bank has to respect both local and foreign legislations. If the bank fails to respect those laws, it risks prosecution. That’s why FINMA sees a lot of potential for legal and reputational risks in these foreign legislations. The way FINMA sees it, regarding the goings-on of recent years, it’s of vital importance that financial service providers analyse all possible requirements of their Cross Border business. This includes a critical look at all connected risks, adaptation of processes as well as IT infrastructure. All Cross Border activity is to be checked for their compliance. The risks should be documented, limited and controlled using a risk framework. Focus should expand beyond the usual Cross Border Asset management themes and encompass money transaction as well as general subjects of data protection and privacy.

• Legal & Compliance as well as IT security have to be informed not only of local but also foreign legislation and security protocols. They need to be able to understand and explain legislations and protocols. Awareness and workshops concerning data protection and confidentiality of sensitive data have to be conducted.
• Agreement from Clients is mandatory if
  • Cross Border / Cross Entity transmission of confidential data takes place
  • Cross Border / Cross Entity business access to sensitive information or systems should be granted and legal or contractual secrecy applies
• If possible, aggregated and consolidated data should be used that can cross borders and entities safely without violating laws, contracts or secrecy
• Regional management and supervision can, depending on the need to know of the functions involved, allow access to certain sensitive information on-site. But under no circumstance can regional manage permit cross border-privileged access to sensitive systems if legal or contractual secrecy applies. There is one notable exception, though: Aggregated, consolidated or anonymized data can be permitted to access if the clients involved sign a consent form.

Some Aspects of Cross Border and Outsourcing

In connection with Cross Border and outsourcing there are a number of scenarios for transmission across borders or access to Swiss data, depending on service provider and the outsourcing company:

• Internal: Service Provider belongs to the outsourcing company
• Domestic: Outsourcing company and service provider are both either in Switzerland or in regions that are covered by FINMA circulars
• External: Service provider does not belong to the company
• Cross Border: Outsourcing company and service provider are not in the same country

Regarding data, there are four cases

1. Cross Border / Cross Entity processes do not include client or personal data. This is unproblematic as no confidentiality issues arise
2. Aggregated, consolidated data: Names can’t be deduced from data, even from additional secondary data. Industry and country codes are online or in possession of a third party or governmental agencies. If identities can be deduced from secondary data, there’s a confidentiality issue.
3. Anonymous, encrypted client data: Are best practises for anonymization respected? Key management needs to take place in Switzerland. Decryption at the destination site is not part of the process and can needs to be ruled out. It needs to be impossible for people do decode the data with additional or secondary data available to them. Regular checks ensure if additional measures to protect client identities are necessary.
4. No client consent: No cross border / cross entity access possible.

The most important data fields, the ones with client data, that can’t be encrypted or anonymized have to be identified and evaluated in order to guarantee that there’s no identification of clients is possible.

Summary

In the context of Cross Border, the Swiss bank secrecy is a spot of bother. The media don’t mention the primary problem of bank secrecy: Third parties claim it’s an insufficient tool for legal help in case of tax evasion and not a tool to protect client privacy. This is an important distinction.

The problem with tax evasion is being tackled by AIA, the automatic information exchange. The participating nations of the G20 and OECD, among others, want to implement this until 2017 (2018 at the latest). The AIA is a process that directs how tax agencies of the participating countries exchange data about bank accounts and other assets of taxpayers. Its goal is to make tax evasion a thing of the past. Related reading: The standard for automatic exchange of financial account information for tax matters written by the OECD.

The problem when protecting our privacy in general remains or even increases. The omnipresent surveillance by secret services such as the NSA and espionage by private corporations that we’re powerless against seems to be worrying. Especially when private and state surveillance continue to merge in terms of Big Data.

If democratic states can no longer protect the privacy of their citizens or if they don’t even want to do just that, then certain important aspects of a democratic state endangered. But new regulations that will challenge these threats are underway.

Optimistically thinking, the location Switzerland offers many an advantage apart from bank secrecy. Switzerland will grow to be even more important in the international business world. Traditional strengths such as political and economic stability, protection of privacy and property as well as the strong Swiss Franc but also the high quality of services, the multilingualism and discretion will remain attractive.

About the Author

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.

Links

• http://en.wikipedia.org/wiki/Data_Protection_Directive
• http://en.wikipedia.org/wiki/Society_for_Worldwide_Interbank_Financial_Telecommunication
• http://en.wikipedia.org/wiki/Terrorist_Finance_Tracking_Program
• http://www.admin.ch/opc/de/classified-compilation/19340083/index.html
• http://www.admin.ch/opc/de/classified-compilation/19340083/index.html#a47
• http://www.admin.ch/opc/en/classified-compilation/19920153/index.html
• http://www.finma.ch/e/faq/beaufsichtigte/Pages/faq-grenzueberschreitendes-geschaeft.aspx
• http://www.finma.ch/e/regulierung/pages/rundschreiben.aspx
• http://www.keepeek.com/Digital-Asset-Management/oecd/taxation/standard-for-automatic-exchange-of-financial-account-information-for-tax-matters_9789264216525-en#page11
• http://www.nytimes.com
• http://www.swissbanking.org/home/dossiers-link/aia.htm