Michael Schneider
Global players, and financial services in particular, use the term Cross Border for a great many things. The media, however, seem to be using the term exclusively for the ongoing tax conflict between Switzerland and the United States. But Cross Border is much more than that.
The term Cross Border Business is generally used to describe international business. More precisely, it’s used to describe business that crosses borders, such as the export of a service, the sale of a product on foreign soil or an investment into a foreign market with its own regulations. Regarding banks, the Swiss Financial Market Supervisory Authority (FINMA) uses the term for international private clients that cross borders, but doesn’t define the term per se.
If we want to take a more generalized look at Cross Border, we have to look at the following fields of security:
There are further factors that would deserve more elaboration. They are mentioned in this article only as food for thought, because elaborating on them would make the article far too long.
Important legal requirements are:
Apart from the discussion relating to the tax conflict, there have been a number of incidents with implications for Switzerland regarding the practices of Cross Border. A few happened a number of years ago, but were influential on the current developments and tendencies, even if the media did not pick up on them. I would like to mention a few of those.
After the terrorist attacks on September 11th, 2001, the US Ministry of Finance developed the Terrorist Finance Tracking Program (TFTP) in order to find and prosecute people or organizations that support terrorists via financial means. During this process they ordered the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to hand over transaction data. This was done, so it was claimed, for the overriding reason of the war on terrorism. This is confirmed by the New York Times. The newspaper writes that over 20 million entries of transaction data were handed over to the US authorities.
This was a direct violation of the Swiss Bank Secrecy as well as the Federal Act on Data Protection in the following ways:
In March 2008 SWIFT announced that they want to establish a new data centre in or around Zürich in order to separate the European transfer data from the American data. This should protect the European transaction data from US governmental agencies. The data centre went operational in 2009.
Related to the tax debate and Cross Border, there are other problematic areas that are often forgotten.
When administrators working under the Follow the Sun principle have access to central Swiss business applications and infrastructure from all over the globe, less widely discussed Cross Border related risks arise. It can’t be entirely avoided that people in the United States access Swiss applications as well as core systems and data.
The US government could use this new data stream to gain access to Swiss business, client and personal data by claiming some superior interest, maybe the Terrorist Finance Tracking Program or maybe because they want to prosecute tax crime extraterritorially and without respect for local Swiss laws.
What is the Follow the Sun principle? Companies that operate globally try to organize their branches in a way that a so-called Follow the Sun service is guaranteed. This means that the company is able to provide IT services such as support and administration 24 hours a day by strategically placing offices in different time zones.
This results in the following risks if Follow the Sun needs privileged access to core systems that are located in Switzerland:
Due to territoriality, the Swiss government can only enforce bank secrecy and data protection in Switzerland. A service provider on foreign soil can only be bound to these laws, as well as other laws, by having the provider sign a contract.
This also means that foreign governments can legitimately demand and gain access to Swiss data as soon as that data crosses borders. Client data must not be transmitted to foreign soil without having the data anonymized and aggregated in order to ensure that bank secrecy and data protection are guaranteed. Furthermore, it’s important to pay attention to the fact that it should be impossible to deduce client or personal data from the transmissions.
Disclosure or transmission of personal data includes the following:
If there is written consent by the affected clients that allows a business to forward data, the forwarding is in order as long as the following is included in the consent form:
The signed consent form should be archived as a formality, if it’s not already included in other contracts.
The regulatory complexity of business activity with Cross Border aspects is partially due to the fact that not only local regulations, such as those by FINMA, apply, but also foreign ones.
If a Swiss bank wants to manage foreign capital, the bank has to respect both local and foreign legislation. If the bank fails to respect those laws, it risks prosecution. That’s why FINMA sees a lot of potential for legal and reputational risks in this foreign legislation. The way FINMA sees it, regarding the goings-on of recent years, it’s of vital importance that financial service providers analyse all possible requirements of their Cross Border business. This includes a critical look at all connected risks and the adaptation of processes as well as IT infrastructure. All Cross Border activity is to be checked for compliance. The risks should be documented, limited and controlled using a risk framework. The focus should expand beyond the usual Cross Border asset management themes and encompass money transactions as well as general subjects of data protection and privacy.
In connection with Cross Border and outsourcing there are a number of scenarios for transmission across borders or access to Swiss data, depending on service provider and the outsourcing company:
Regarding data, there are four cases
The most important data fields, the ones with client data that can’t be encrypted or anonymized, have to be identified and evaluated in order to guarantee that no identification of clients is possible.
In the context of Cross Border, the Swiss bank secrecy is a spot of bother. The media don’t mention the primary problem of bank secrecy: Third parties claim it’s an insufficient tool for legal help in case of tax evasion and not a tool to protect client privacy. This is an important distinction.
The problem with tax evasion is being tackled by AIA, the automatic information exchange. The participating nations of the G20 and OECD, among others, want to implement this by 2017 (2018 at the latest). The AIA is a process that directs how tax agencies of the participating countries exchange data about bank accounts and other assets of taxpayers. Its goal is to make tax evasion a thing of the past. Related reading: The standard for automatic exchange of financial account information for tax matters written by the OECD.
The problem of protecting our privacy in general remains or even increases. The omnipresent surveillance by secret services such as the NSA and espionage by private corporations that we’re powerless against seems to be worrying, especially when private and state surveillance continue to merge in terms of Big Data.
If democratic states can no longer protect the privacy of their citizens, or if they don’t even want to do just that, then certain important aspects of a democratic state are endangered. But new regulations that will challenge these threats are underway.
Optimistically thinking, Switzerland as a location offers many advantages apart from bank secrecy. Switzerland will grow to be even more important in the international business world. Traditional strengths such as political and economic stability, protection of privacy and property as well as the strong Swiss Franc, but also the high quality of services, the multilingualism and discretion, will remain attractive.