COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the Joint Report from the Commission and the U.S. Treasury Department regarding the value of TFTP Provided Data pursuant to Article 6 (6) of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program /* COM/2013/0843 final */
COMMUNICATION FROM THE COMMISSION TO
THE EUROPEAN PARLIAMENT AND THE COUNCIL on the Joint Report from the Commission
and the U.S. Treasury Department regarding the value of TFTP Provided Data
pursuant to Article 6 (6) of the Agreement between the European Union and the
United States of America on the processing and transfer of Financial Messaging
Data from the European Union to the United States for the purposes of the
Terrorist Finance Tracking Program 1. Legal basis In accordance with
Article 6 (6) of the Agreement Between the European Union and the United States
of America on the Processing and Transfer of Financial Messaging Data From the
European Union to the United States for the Purposes of the Terrorist Finance
Tracking Program (the Agreement), the European Commission and the U.S. Treasury
Department have prepared the joint report regarding the value of Terrorist
Finance Tracking Program (TFTP) Provided Data ('Joint Report'), “with
particular emphasis on the value of data retained for multiple years and
relevant information obtained from the joint review conducted pursuant to
Article 13.” 2. Procedural
aspects The modalities of this
Report have been determined jointly by the European Commission and the U.S.
Treasury Department, in line with Article 6 (6) of the Agreement. The European Commission
and the U.S. Treasury Department began discussions on the modalities, mandate,
and methodology for the report in December 2012. On 25 February 2013 the EU and
the U.S. assessment teams met in Washington, D.C. in order to discuss the
preparation of the Report and convened a second meeting at the Europol premises
in The Hague on 14 May 2013. During the meeting in The Hague, the EU and the U.S. teams also met with Europol representatives to discuss the initial input from all
parties and the next steps. On the EU side, the
European Commission held a classified meeting with representatives of the
Member States on 13 May 2013. Member States and Europol have provided written
contributions, which have been considered and reflected upon in the preparation
of this Report. To this end, Europol issued a questionnaire to all concerned
Member States in order to collect relevant information for its input for this
Report. The questionnaire aimed at obtaining a current overview of the added
value of TFTP Provided Data, in relation to specific cases investigated by
competent authorities in relevant Member States. Between 1 February and
24 May 2013, the U.S. assessement team interviewed counter terrorism
investigators at a variety of agencies, reviewed counter terrorism cases in
which the TFTP was used, and analysed over 1,000 TFTP reports to assess the
value of TFTP-derived information. 3. Scope The information for the
Report has been provided by the U.S. Treasury Department, Europol, and the Member States. The Report focuses on how the TFTP Provided Data have been used and the
value the data bring to counter terrorism investigations in the United States and the EU. The Report includes multiple concrete examples where TFTP data,
including data retained for three years or more, have been valuable in counter
terrorism investigations, in the United States and the EU, before and since the
Agreement entered into force on 1 August 2010. In addition to this Report,
other examples of the usefulness and value of the TFTP data have been presented
in the context of the two joint reviews, carried out in February 2011 and
October 2012, pursuant to Article 13 of the Agreement. As a whole, these
factual and concrete sets of information constitute a considerable step forward
in further explaining the functioning and the added value of the TFTP. The Report also
describes the methodology for the assessment of retention periods by the U.S.
Treasury Department and deletion of non-extracted data. The Report demonstrates
that TFTP Provided Data, including data retained for multiple years, have been
delivering very important value for the counter terrorism efforts in the United States, Europe, and elsewhere. With the present
Communication, the Commission transmits the Joint Report in Annex to the
European Parliament and the Council. ANNEX Joint
Report from the Commission and the U.S. Treasury Department regarding the value
of TFTP Provided Data pursuant to Article 6 (6) of the Agreement between the
European Union and the United States of America on the processing and transfer
of Financial Messaging Data from the European Union to the United States for
the purposes of the Terrorist Finance Tracking Program to
the Communication
from the Commission to the European Parliament and the Council on
the Joint Report from the Commission and the U.S. Treasury Department regarding
the value of TFTP Provided Data pursuant to Article 6 (6) of the Agreement
between the European Union and the United States of America on the processing
and transfer of Financial Messaging Data from the European Union to the United
States for the purposes of the Terrorist Finance Tracking Program
Executive
Summary
In accordance
with Article 6 (6) of the Agreement Between the European Union and the United
States of America on the Processing and Transfer of Financial Messaging Data
From the European Union to the United States for the Purposes of the Terrorist
Finance Tracking Program (the Agreement), the European Commission and the U.S.
Treasury Department have prepared this joint report regarding the value of
Terrorist Finance Tracking Program (TFTP) Provided Data, “with particular
emphasis on the value of data retained for multiple years and relevant
information obtained from the joint review conducted pursuant to Article 13.” The information
for the Report has been provided by the U.S. Treasury Department, Europol, and
the Member States. The Report focuses on how the TFTP Provided Data have been
used and the value the data bring to counter terrorism investigations in the United States and the EU. The Report includes multiple concrete examples where TFTP data,
including data retained for three years or more, have been valuable in counter
terrorism investigations, in the United States and the EU, before and since the
Agreement entered into force on 1 August 2010. In addition to this Report,
other examples of the usefulness and value of the TFTP data have been presented
in the context of the two joint reviews, carried out in February 2011 and
October 2012, pursuant to Article 13 of the Agreement. As a whole, these factual
and concrete sets of information constitute a considerable step forward in
further explaining the functioning and the added value of the TFTP. The Report also
describes the methodology for the assessment of retention periods by the U.S.
Treasury Department and deletion of non-extracted data. The Report
demonstrates that TFTP Provided Data, including data retained for multiple
years, have been delivering very important value for the counter terrorism
efforts in the United States, Europe, and elsewhere. 2.
Background The
TFTP was set up by the U.S. Treasury Department shortly after the terrorist
attacks of 11 September 2001 when it begun issuing legally binding production
orders to a provider of financial payment messaging services for financial
payment messaging data stored in the United States that would be used
exclusively in the fight against terrorism and its financing. Until the end of
2009, the provider stored all relevant financial messages on two identical
servers, located in Europe and the United States. On 1 January 2010, the
provider implemented its new messaging architecture, consisting of two
processing zones – one zone in the United States and the other in the European
Union. In order to ensure the continuity of the TFTP under these new conditions,
a new Agreement between the European Union and the United States on this issue
was considered necessary. After an initial version of the Agreement did not
receive the consent of the European Parliament, a revised version was
negotiated and agreed upon in the summer of 2010. The European Parliament gave
its consent to the Agreement on 8 July 2010, the Council approved it on 13 July
2010, and it entered into force on 1 August 2010. The
Agreement gives an important role to Europol, which is responsible for
receiving a copy of data requests, along with any supplemental documentation,
and verifying that these U.S. requests for data comply with certain conditions
specified in Article 4 of the Agreement, including that they must be as
narrowly tailored as possible in order to minimise the volume of data
requested. Once Europol confirms the request complies with the stated
conditions, the data provider is authorised and required to provide the data to
the U.S. Treasury Department. Europol does not have direct access to the data
submitted by the data provider to the U.S. Treasury Department and does not
perform searches on the TFTP data. The
Agreement stipulates that TFTP searches must be narrowly tailored and based
upon pre-existing information or evidence that demonstrates a reason to believe
that the subject of a search has a nexus to terrorism or its financing. In line
with Article 12 of the Agreement TFTP searches are monitored by independent
overseers with the ability to question and block overly broad or any other
searches that do not satisfy the strict safeguards and controls of Article 5 of
the Agreement. Article
13 of the Agreement provides for regular joint reviews of the safeguards,
controls, and reciprocity provisions to be conducted by review teams from the
European Union and the United States, including the European Commission, the
U.S. Treasury Department, and representatives of two data protection
authorities from EU Member States, and may also include security and data
protection experts and persons with judicial experience. Two joint reviews
have already been carried out, with a third joint review envisaged for 2014.
Each of the joint reviews examined cases in which TFTP-derived information has
been used for the prevention, investigation, detection, or prosecution of
terrorism or its financing. During
the first joint review conducted in February 2011, the U.S. Treasury Department
provided numerous examples (classified) of high profile terrorism cases where
TFTP-derived information had been used. The first joint review report
recognises the value of the TFTP and states that the “number of leads provided
since the start of the program and since the entry into force of the Agreement
indicates a continued benefit for preventing and combating terrorism and its
financing across the world, with a particular focus on the U.S. and the EU.”[1] During the
second joint review of the Agreement, conducted in October 2012, the U.S.
Treasury Department provided an annex containing 15 concrete examples of specific
investigations in which TFTP data proved critical to counter terrorism
investigations.[2]
The second joint review report concludes that “Europol and Member States have become increasingly aware of the value of TFTP data for their task to fight
and prevent terrorism and its financing in the EU”[3]
and, through the use of reciprocity arrangements, are “increasingly profiting
from it.”[4] Article 6 (6) of
the Agreement requires that the European Commission and the U.S. Treasury
Department prepare a joint report regarding the value of TFTP Provided Data
within three years of the Agreement’s entry into force, with particular
emphasis on the value of data retained for multiple years and relevant
information obtained from the joint review conducted pursuant to Article 13. 3.
Procedural
aspects The modalities of this Report have been
determined jointly by the European Commission and the U.S. Treasury Department,
in line with Article 6 (6) of the Agreement. The European Commission and the U.S.
Treasury Department began discussions on the modalities, mandate, and
methodology for the report in December 2012. On 25 February 2013 the EU and
the U.S. assessment teams met in Washington, D.C. in order to discuss the
preparation of the Report and convened a second meeting at the Europol premises
in The Hague on 14 May 2013. During the meeting in The Hague, the EU and the U.S. teams also met with Europol representatives to discuss the initial input from all
parties and the next steps. On the EU side,
the European Commission held a classified meeting with representatives of the
Member States on 13 May 2013. Member States and Europol have provided written
contributions, which have been considered and reflected upon in the preparation
of this Report. To this end, Europol issued a questionnaire to all
concerned Member States in order to collect relevant information for its input
for this Report. The questionnaire aimed at obtaining a current overview of
the added value of TFTP Provided Data, in relation to specific cases investigated
by competent authorities in relevant Member States. Between 1
February and 24 May 2013, the U.S. assessement team interviewed counter
terrorism investigators at a variety of agencies, reviewed counter terrorism
cases in which the TFTP was used, and analysed over 1,000 TFTP reports to
assess the value of TFTP-derived information. The examples
discussed in this report are drawn from highly sensitive investigations that
may be currently active. As such, some of the information has been sanitised
to protect these investigations. 4.
Value
of TFTP Provided Data Since the
inception of the TFTP in 2001, it has produced tens of thousands of leads and
over 3,000 reports (which contain multiple TFTP leads) to counter terrorism
authorities worldwide, including over 2,100 reports to European authorities.[5]
The TFTP has
been used to investigate many of the most significant terrorist attacks and
plots of the past decade, including: During the
period after the conclusion of the Agreement: ·
the
April 2013 Boston Marathon bombings;
threats
with respect to the 2012 London Summer Olympic Games;
the 2011
plot to assassinate the Saudi Arabian Ambassador to the United States;
the July
2011 attacks in Norway conducted by Anders Breivik; and
the October
2010 Nigerian Independence Day car bombings.
Prior to the
conclusion of the Agreement:
the July
2010 attack against fans watching a World Cup match in Kampala, Uganda;
the July
2009 Jakarta hotel attacks;
multiple
hijacking and hostage operations conducted by al-Shabaab – including the
April 2009 hijacking of the Belgian vessel MV Pompei;
the
November 2008 Mumbai attacks;
the
September 2007 Islamic Jihad Union plot to attack locations in Germany;
the 2007
plot to attack New York’s John F. Kennedy airport;
the 2006
liquid bomb plot against transatlantic aircraft;
the July
2005 bombings in London;
the
November 2005 Van Gogh terrorist-related murder;
the March
2004 Madrid train bombings; and
the October
2002 Bali bombings.
The EU and U.S. assessment teams heard
from Europol and the U.S. Treasury Department, as well as other authorities, on
the value of the TFTP. Counter terrorism investigators noted that the TFTP
contains unique, highly accurate information that is of significant value in
tracking terrorist support networks and identifying new methods of terrorist
financing. In cases where little is known about a terrorism suspect beyond the
individual’s name or bank account number, TFTP-derived information can reveal
critical pieces of information, including locations, financial transactions,
and associates. The unique value of the TFTP lies in the accuracy of the
banking information, since the persons concerned have a clear interest in
providing accurate information to ensure that the money reaches its
destination. Most counter
terrorism investigations rely on the collection, exchange, and analysis of
significant quantities of information from multiple sources. Based on the
experience of implementing the Agreement, cooperation with Member State
authorities in a high number of counter terrorism investigations, and general
competence in matters relating to terrorism and financial intelligence, a very
high value is placed on TFTP data as a unique instrument to provide timely,
accurate, and reliable information about activities associated with suspected
acts of terrorist financing and planning. U.S.
counter terrorism investigators from a variety of agencies benefiting from the
TFTP-derived information provided pursuant to the Agreement were interviewed to
determine the value of the program to their investigations. The investigators
surveyed agreed that the TFTP provides valuable information that can be used to
identify and track terrorists and their support networks. Furthermore, they
noted that the TFTP provides key insight into the financial support networks of
some of the world’s most dangerous terrorist organisations, including Al-Qaida,
Al-Qaida in the Lands of the Islamic Maghreb (AQIM), Al-Qaida in the
Arabian Peninsula (AQAP), Al Shabaab, Islamic Jihad Union (IJU), Islamic
Movement of Uzbekistan (IMU), and Iran’s Islamic Revolutionary Guard Corps-Qods
Force (IRGC-QF). Investigators observed that TFTP-derived information allows
them to identify new streams of financial support and previously unknown
associates, link front entities and aliases with terrorist organisations,
evaluate/corroborate existing intelligence, and provide information that can be
used to identify new targets for investigation. Several investigators
interviewed noted that financial transaction information derived from the TFTP
allows them to fill information gaps and make connections that would not have
been seen in other sources. Terrorist groups
depend on a regular cash flow for a variety of reasons, including the payment
of operatives and bribes, arrangement of travel, training and recruitment of
members, forging of documents, acquisition of weapons, and staging of attacks.
Counter terrorism investigators rely on multiple datasets to investigate and
disrupt these operations. However, there may be gaps in information that can
prevent investigators from fully understanding these networks. The TFTP
provides investigators with accurate financial messaging information that may
include account numbers, bank identification codes, names, addresses,
transaction amounts, dates, email addresses, and phone numbers. Using this
information, investigators can map terrorist financial support networks,
including identifying previously unknown associates. In one case in 2012, for
example, information derived from the TFTP detected that a known suspected
terrorist was one of the signatories on an account of an organisation through
which several suspicious transactions took place. Subsequent TFTP checks also
identified money flows between this organisation and another company suspected
of providing material support to other terrorist entities in the concerned
geographical area concerned. TFTP-derived
information may be used to provide leads that assist in identifying and
locating persons involved with terrorist networks and providing evidence of
financial activities in aid of terrorist attacks. For example, it is possible
to locate a suspect by checking when and where the suspect closed and/or opened
a new bank account in a city or country other than his or her last known place of
residence. This is a clear indicator that the person may have moved. However,
even when a suspect does not change bank accounts but rather moves and
continues using the ‘old’ account (e.g., through e-banking), it has been
possible to detect the change of location by, for example, identifying payments
for specific goods or services (e.g., for repairs or maintenance or other
activities which are usually carried out where a person lives). As a result of
the precision of the TFTP data, even when suspects are very careful with their
bank transactions, it has also been possible to locate them through the
payments and purchases of their close associates. The TFTP can provide key
information about the movements of suspected terrorists and the nature of their
expenditures. Even the ‘non-activity’ of one or more bank accounts tied to a
suspected terrorist, in terms of transactions, is a useful indicator of the
possible departure of a suspect from a certain country. Based on the
TFTP, it has been possible to obtain information on U.S. and EU citizens and
residents suspected of terrorism or terrorist financing in third countries
where requests for mutual legal assistance were not responded to in a timely
manner. In one case in 2010, the TFTP helped to locate an EU resident
suspected of a terrorist offence, who had disappeared from the EU. The person
turned out to be a new account holder in a country in the Middle East. Further
investigations confirmed that the person was indeed residing in this third
country, thus allowing the targeting of investigative resources in support of a
corresponding international arrest warrant. In another case,
the TFTP was used in the investigation of French national Rachid Benomari, a
suspected Al-Qaida and al-Shabaab recruiter and fundraiser. Benomari along
with two additional al-Shabaab operatives were arrested for illegally entering Kenya in July 2013. Benomari and his associates are wanted in the EU on
terrorism-related charges, and an Interpol Red Notice has been issued for
Benomari’s arrest. TFTP-derived information provided investigators with
Benomari’s bank account number and identified previously-unknown financial
associates. Treasury shared this information with Europol in response to an
Article 10 request. In numerous
cases, counter terrorism investigators have used information obtained from the
TFTP to provide accurate and timely leads that have advanced terrorism
investigations. For example, TFTP-derived information was used to help
identify funding sources used in the 2011 plot to kill the Saudi Arabian
Ambassador to the United States by Manssor Arbabsiar and the IRGC-QF.[6]
Using the TFTP, investigators were able to identify a $100,000 transaction sent
from a non-Iranian foreign bank to a bank in the United States, to an account
of the person recruited by Arbabsiar to carry out the assassination. Arbabsiar
was arrested, and has subsequently pleaded guilty and been sentenced to 25
years in prison. The TFTP has
also assisted in investigations of the al-Nusrah Front (ANF), which has been
identified as an alias of Al-Qaida in Iraq by the United Nations Security
Council’s Al-Qaida Sanctions Committee, as well as by the United States and the European Union, resulting in a mandatory UN-ordered freezing of any of its
assets around the world. Since September 2011, the ANF has claimed
responsibility for over 1,100 terrorist attacks, killing and wounding many
hundreds of Syrians. According to TFTP-derived information, a Middle East-based
fundraiser for the ANF received the equivalent of more than 1.4 million Euros
since 2012, donated in a variety of currencies from donors based in at least 20
different countries, including France, Germany, Ireland, the Netherlands, Spain, Sweden, and the United Kingdom. U.S. counter terrorism investigators have shared
this information with global counter terrorism authorities, including
authorities in Europe and the Middle East. In at least one case, a third
country has requested additional TFTP searches to assist with its continuing
investigation. Treasury
continues to use the TFTP to investigate EU-based terrorists training in Syria. Treasury counter terrorism analysts conducted TFTP searches on suspected terrorists
Mohommod Hassin Nawaz and Hamaz Nawaz. The Nawaz brothers were arrested in Dover, UK by UK authorities on September 16, 2013 after travelling from Calais, France and were charged with terrorism offenses, including traveling to a terrorist training camp in
Syria. TFTP-derived leads provided transaction information including account
numbers, amounts, dates, and potential associates, including a suspected
terrorist financer. Terrorist
organisations use multiple methods to fund their operations. These methods may
include money laundering, narcotics trafficking, theft, and the use of front
organisations to raise funds. TFTP-derived information can aid counter
terrorism investigators in identifying the means employed by terrorists and
their supporters to fund their operations. Terrorist organisations often use
front companies to establish a legitimate business presence so that they may
evade sanctions and use the global financial system. TFTP-derived information
contains key information – including names, bank identification codes,
transaction amounts, and dates – that can be used to link front organisations
with terrorist groups. The details of a transaction between a suspected front
company and a known terrorist may contain the information investigators need to
confirm that a supposedly legitimate organisation is raising funds on behalf of
a terrorist organisation. Furthermore, TFTP-derived information may identify
previously unknown front organisations and individuals leading those
organisations who are linked to terrorist groups. The TFTP was used to provide
leads for the investigation of the now-defunct U.S. branch of the Charitable
Society for Social Welfare founded by Specially Designated Global Terrorist[7]
Abd-al-Majid Al-Zindani. Deceased AQAP operative Anwar al-Aulaqi served as
vice president of the organisation. The charity was described by U.S. federal prosecutors as a front organisation used to support Al-Qaida and Usama Bin
Ladin. TFTP-derived information revealed transactions and associates linked to
this organisation. TFTP-derived
information also contributed to the investigation of Iran’s Bank Saderat for
its support to terrorism. Bank Saderat was designated for its illicit
activities, resulting in the freezing of its assets in the United States and the European Union, among other jurisdictions. Bank Saderat, which had approximately
3,200 branch offices, has been used by the Government of Iran to channel funds
to Hizballah and Hamas amongst others. From 2001 to 2006, Bank Saderat
transferred $50 million from the Central Bank of Iran through its subsidiary in
London to its branch in Beirut for the benefit of Hizballah front
organisations in Lebanon that support acts of violence. TFTP-derived
information has been crucial to efforts by counter terrorism investigators to
track Bank Saderat’s financial transactions to terrorist groups and its
affiliations with financial institutions it uses to evade global sanctions. Terrorist
organisations often use deception to mask their illicit funding schemes.
TFTP-derived information helped to identify a funding stream used by Hizballah
to launder drug money for its operations. In this highly complex scheme,
Hizballah would sell drugs in Europe and launder the funds with used cars
purchased in the United States and subsequently sold in Africa. The profits
from the sale of the used cars and drugs would be sent to Lebanon and specific Lebanese exchange houses. Treasury determined that the exchange houses were
used by Hizballah to transfer funds for operations or back to the U.S. to buy more used cars. As recently as early 2013, TFTP lead information allowed
investigators to identify the movement of money between Hizballah, certain
exchange houses, and used car dealerships in the United States. Treasury
continues to be concerned about the potential use of exchange houses to help
access the financial system, and is actively pursuing counter terrorism leads
and actions to detect and disrupt the use of the financial system to support
terrorist activity. Financial
transactions can also provide counter terrorism investigators with the
information needed to identify individuals facilitating terrorist training.
Terrorist organisations require funding to allow associates to travel to
training sites. These transactions often indicate when a suspected terrorist
has decided to become operational and affiliate with a group or organisation.
TFTP-derived information can provide investigators with the counter terrorism
information they need, including dates of travel, transaction amounts, names,
aliases, locations, and contact information, to track these individuals. For
example, the TFTP was used to help provide leads for the investigation of
al-Shabaab facilitator Omar Awadh Omar. Omar facilitated funding to al-Shabaab
and is believed to have facilitated the movement of foreign fighters and
supplies to Somalia. Omar was allegedly involved in planning the 11 July 2010
attack against fans watching a World Cup match in Kampala, Uganda. Al-Shabaab claimed responsibility for this attack, which killed 74 people. The TFTP
provided key lead information that was used to identify individuals in Omar’s
support network and identify previously unknown accounts. Omar is currently
under arrest and awaiting trial in Uganda. Omar was also designated by the
U.S. Treasury Department pursuant to Executive Order 13536, which targets
threats to the peace, security, and stability of Somalia.
Use
of TFTP by the Member States and the EU
While
the TFTP was developed by authorities in the United States, the Member States and the EU are permitted to use the TFTP for their own counter terrorism
investigations through reciprocity clauses included in the Agreement.
According to Article 10 of the Agreement, the Member States, Europol, and
Eurojust can request a search of information obtained through the TFTP, which
Treasury will then conduct in accordance with the safeguards of Article 5.
Separately, pursuant to Article 9 of the Agreement, the U.S. Treasury
Department spontaneously provides relevant information generated by the TFTP to
concerned Member States, Europol, and Eurojust. Since
the entry into force of the Agreement, the Member States have become
increasingly aware of the availability of the TFTP as an investigative tool.
Several Member States and Europol benefit on an ongoing basis from TFTP-derived
information and the valuable investigative leads which they receive. Over the
last three years, in response to 158 total requests made by the Member States and the EU pursuant to Article 10, 924 investigative leads were obtained from
the TFTP.[8] For
example, in the case of Spain, a total number of 11 requests, pursuant to
Article 10, generated 93 investigative leads on natural and legal persons
suspected of having a nexus to terrorism or its financing. Out of 11 requests,
three concerned domestic, separatist terrorist groups: two related to ETA[9],
which generated 25 leads, and one related to Resistência Galega[10],
which generated four leads. As concerns Al-Qaida, Spain sent four requests and
obtained 11 leads, whereas two requests related to Hizballah generated as many
as 27 leads. Furthermore, one request related to a separatist group PKK[11]
generated 19 investigative leads and one request related a counter terrorism
and counter proliferation investigation generated seven investigative leads. During
the same time period, pursuant to Article 9, the U.S. spontaneously provided
the Member States and the EU with relevant information on 23 occasions,
involving 94 investigative leads.[12]
The
following cases, which have been collected and provided by Europol,
are illustrations of how the TFTP has been used by the Member States and of the
investigative results triggered by the searches requested pursuant to Article
10 of the Agreement.[13]
They complement the information provided in section 4 of this Report, where
some European examples have also been used to explain the role TFTP-derived
information plays in counter terrorism investigations. The choice of examples
and the information provided had to respect the limits prescribed by the
requirements of confidentiality and security. Case
1: Islamist terrorist activities Terrorist
group/organisation: Islamist terrorist activities
(unknown/unnamed organisation) Description
of the case: An investigation against a 40-year-old male
suspected of being recruited for foreign armed service and membership in a
terrorist organisation. This person is further suspected of preparing and/or
conducting terrorist attacks. Feedback
from the Member State: Following an Article 10 request, the
information leads corroborated previously known information, they were
considered up-to-date, and the leads contained new links to terrorism/crime. Timeframe
of the leads: 2008-2011 Case
2: Hamas Terrorist
group/organisation: Hamas (Harakat al-Muqāwamah
al-Islāmiyyah, "Islamic Resistance Movement") is the Palestinian
Sunni Islamic or Islamist organisation, with an
associated military wing, the Izz ad-Din al-Qassam Brigades, located in the
Palestinian territories. The European Union, Israel, the United States, Canada, and Japan classify Hamas as a terrorist organisation. Description
of the case: An investigation into a Non Profit Organisation
(NPO) sanctioned under the Member State’s legislation. This NPO is a “sister”
organisation of a similar NPO operating in another Member State, which was
sanctioned for providing support to Hamas. It was suspected that the
organisation under investigation provided significant funding, via its “sister”
entity, to support Hamas financially. Feedback
from the Member State: Following an Article 10 request, the
information leads corroborated known information, and were considered to be
current. Funds
from the NPO were frozen prior to the launch of the Article 10 request;
however, the TFTP-provided “transactions were reported to the Financial
Intelligence Unit because of money laundering indications and these were later
identified as funding for a terrorist organisation.” Timeframe
of the leads: 2011 Case 3: PKK Terrorist
group/organisation: The Kurdistan Workers’ Party (Partiya
Karkerên Kurdistan or Parti Karkerani Kurdistan), commonly known as PKK, also
known as KGK and formerly known as KADEK (Freedom and Democracy Congress of
Kurdistan) or KONGRA-GEL (Kurdistan People’s Congress), is a Kurdish
organisation which has since 1984 been fighting an armed struggle against the
Turkish state for an autonomous Kurdistan and cultural and political rights for
the Kurds in Turkey. The group was founded on 27 November 1978 in the village of Fis, near Lice, and was led by Abdullah Öcalan. The PKK is listed as a
terrorist organisation internationally by states and organisations, including
the European Union, the United Nations, NATO, and the United States. Description
of the case: An investigation against an EU citizen who is
suspected of being a supporter of Kongra Gel/PKK. The suspect has extensive
international travel habits, including several trips to locations of security
interest. It is suspected that the suspect acts as a fundraiser, financier, or
facilitator for the proscribed terrorist organisation Kongra Gel/PKK. Feedback
from the Member State: Following an Article 10 request, the
information leads corroborated known information and also provided previously
unknown international links and previously unknown contacts and suspects. This
case continues to be part of an active investigation and, as such, only limited
further information can be disclosed for feedback purposes. However, as a
result of information obtained via the TFTP, financial enquiry could be more
narrowly focused on previously unknown associates and locations, resulting
in significant intelligence gaps being filled and the opening-up of new
investigative opportunities. Specifically, this gave the enquiry an
international dimension that was previously suspected but not readily
identifiable and therefore corroborated existing intelligence. This in
turn generated significant further enquiry and referrals to other law
enforcement agencies with regard to the main subject of interest and financial
associates. It should be highlighted that the information provided via the
TFTP would have been highly unlikely to have been discovered through other
channels and was therefore of considerable benefit in this case. Timeframe
of the leads: 2004-2011 Case 4: IJU Terrorist
group/organisation: The Islamic Jihad Union (IJU),
initially known as Islamic Jihad Group (IJG), is a terrorist organisation and
has conducted attacks in Uzbekistan and attempted attacks in Germany. IJU was founded in March 2002 by those separated from the Islamic Movement of
Uzbekistan (IMU) in Pakistan’s Tribal Areas. The organisation was responsible
for failed attacks in Uzbekistan in 2004 and early 2005. Then it changed its
name, Islamic Jihad Group, into Islamic Jihad Union. After this period, it
became closer to core al Qaida. Since its reorientation, the organisation’s
focus shifted and it began plotting terror attacks in Pakistan and Western Europe, especially Germany. Mirali
in South Waziristan is the organisation’s base where Western recruits for
attacks in the West are trained. Description
of the case: An investigation against six individuals
suspected of being members of the terrorist organisation IJU. One of the
suspects is believed to have travelled or will travel to receive
terrorist-related training in a hostile location. One individual is suspected
to be responsible for financing, recruitment, and illegal immigration in the
Member States. This suspect’s current residence is unknown. Feedback
from the Member State: Following an Article 10 request, the
information leads corroborated previously known information. Furthermore,
the leads generated previously unknown information (foreign bank accounts,
addresses, telephone numbers, etc.), unidentified international links, and
previously unknown additional contacts and suspects. The leads were considered
to be up-to-date. Timeframe
of the leads: 2009-2012 Case 5: Sikh terrorist activities Terrorist
group/organisation: Sikh terrorist activities
(unknown/unnamed organisation) Description
of the case: An investigation into Sikh terrorist activities:
An individual and the related business structure are suspected of accumulating
large sums of cash and performing transfers of funds between multiple accounts
and locations. These monies are suspected of being used to support and even
commission acts of terrorism. Feedback
from the Member State: Following an Article 10 request, the
information leads corroborated previously known information. Furthermore, the
leads generated previously unknown information (foreign bank accounts,
addresses, telephone numbers, etc.), unidentified international links, and
previously unknown contacts and suspects. The leads were considered to be
current. The
intelligence leads enabled a more accurate assessment of financial intelligence
obtained earlier in the enquiry to be made. Specifically, it had been
identified that the subject had large sums of money credited to his bank
account(s); however, the origin of these funds was not previously known. No
charges have been brought, but due to the sensitive nature of the
investigation, limited further information can be disclosed for feedback purposes.
In this case, the TFTP was considered at an early stage due to the suspicion
that the subject of interest may have a financial footprint outside the EU. A
swift and detailed response was received from the TFTP enquiry, which resulted
in the identification of international financial activity and foreign business
interests that proved of significant intelligence value. In turn, a more
informed assessment could be made of the activities of the subject of
interest, in the context of the investigative aims and other
intelligence held. Again, the nature of the financial associations and
transactions provided via the TFTP would have been unlikely to be discovered
through other channels of enquiry and greatly assisted in the progression of the
investigation and early assessment of the activity. Timeframe
of the leads: 2007-2012
Value of
TFTP Provided Data retained for multiple years
Counter
terrorism authorities demonstrated to the EU and U.S. assessment teams that
financial data retained over multiple years, known as historical data, are of
significant value to counter terrorism investigations. Historical data allow
investigators to identify funding trends, track group affiliations, and analyse
methodology. Due to the accuracy of TFTP data, investigators can use financial
transactions to track terrorists and their supporters world-wide over multiple
years. Since the Agreement entered into force in August 2010, 45 percent of
all TFTP data viewed by an analyst were three years or older. A terrorist may
operate in a particular country for multiple years. At some point, that
individual may move to another country to conduct terrorist operations. The
individual may change all of their previous identifiers, including name,
address, and phone number. However, TFTP information retained within the time
limits of Article 6 can link the individual to a bank account number that they
have previously used. Even when the terrorist has established new bank
accounts, investigators may be able to link the individual with the new account
– and any identifying information associated with it – by tracking transactions
associated with accounts known to be used by the terrorist’s organisation. In
fact, the investigators surveyed for this report agreed that the reduction of
the TFTP data retention period to anything less than five years would result in
a significant loss of insight into the funding and operations of terrorist
groups. For example,
TFTP-derived information was used to help track transactions of IJU operative
Mevlut Kar. Kar has provided more than 20 detonators to members of the IJU.
In January 2012, Kar was designated as a Specially Designated Global Terrorist
by the United States, resulting in the freezing of any of his assets subject to
U.S. jurisdiction. TFTP-derived information retained in excess of four years
was used to provide leads and track transactions between Kar and his
supporters. Kar is implicated in the 2007 European bomb plot targeting U.S. military installations and American citizens in Germany. Kar is currently wanted by the
Government of Lebanon, and an Interpol Red Notice has been issued for his
arrest and extradition. The Lebanese government has sentenced him in absentia
to 15 years in prison for attempting to establish an Al-Qaida cell in Lebanon. Without historical data, investigators would not have been able to obtain their
significant insight into Kar’s operations. The U.S.
Treasury Department conducted a review of over a thousand TFTP reports issued
between 2005 and 2012.[14]
This analysis revealed that, over that seven-year period, 35 percent of the
TFTP-derived leads contained data retained for at least three years. In addition to
the prevalence of historical data among TFTP-derived leads, the review of TFTP
reports from 2005 through 2012 reveals the relative importance of data retained
in excess of three years in the reports. As shown in the graph below, between
2005 and 2012, over 65 percent of reports compiled from TFTP-derived leads
contained TFTP data retained in excess of three years. For nearly 35 percent
of reports, historical data comprised at least half of the report’s source
material. Since 2010, fully 10 percent of TFTP reports compiled by analysts
pursuant to counter terrorism investigations relied solely on TFTP data
retained in excess of three years. Historical data
were crucial to identifying the funding sources and methodology that supported
Norwegian terrorist Anders Behring Breivik. A day after the attacks of 22 July
2011 that killed 77 persons and wounded hundreds more, Europol provided the
U.S. Treasury Department an emergency request pursuant to Article 10 of the
Agreement related to the events. On the same day, Treasury responded to
Europol with 35 TFTP-derived leads detailing Breivik’s extensive financial
activities and network that spanned nearly a dozen countries, most in Europe,
but also including the United States and certain off-shore destinations. Four
of the 35 leads involved financial transactions conducted within the two years
prior to the attacks, and one additional lead involved financial activity that
occurred just over three years prior to the attacks. The other 30 leads
involved financial transactions conducted between four and eight years prior to
the attacks[15],
as Breivik built his international financial network, set up a company that
produced phony educational credentials, also known as a “diploma mill,”
established a farming operation that could obtain materials used for
explosives, and worked with certain associates in other countries. As the Norway
attacks neared, Breivik apparently reduced his usage of the international
financial system, perhaps to avoid detection. Nevertheless, the older TFTP
leads allowed investigators to rapidly identify Breivik’s funding streams and
methodology, as well as his contacts and financial holdings in other countries,
which was particularly critical at the time, when authorities were trying to
determine whether he had acted alone or in concert with other unidentified
operatives. In one of the
other cases surveyed for the purposes of this report, investigators were able
to use TFTP-derived information to track over 100 transactions between a
suspected terrorist and supporters in multiple countries over the span of four
years. The suspected terrorist used accounts in several countries to solicit
funds to support plans for a potential attack. Further investigation of the
transactions identified previously unknown associates and supporters. In addition, in
several cases surveyed for this report, investigators were able to track
transactions between terrorist groups, including Al-Qaida, and new sources of
funding. In the majority of these cases, using information derived from TFTP
data retained in excess of three years – and, in many instances for searches
conducted prior to the July 2012 deletion, in excess of five years – led to
separate investigations into previously unknown entities. In the
illustrative examples of counter terrorism investigations in the EU included in
Section 5 of this Report, the investigative leads generated by the TFTP were
also several years old.
Retention
and deletion of data
The
Agreement contains several provisions related to data retention and deletion.
Article 6 (5) stipulates that during the term of the Agreement, the U.S.
Treasury Department shall undertake an ongoing and at least annual evaluation
to identify non-extracted data that are no longer necessary to combat terrorism
or its financing, and, when identified, permanently delete them as soon as
technologically feasible. To this end a large-scale audit and analysis of the
extracted data are conducted every year and analyse, on a quantitative and
qualitative basis, the types and categories of data, including by geographic
region, that have proven helpful for counter terrorism investigations. The audit and
analysis occur in several stages. First, a comprehensive assessment is
conducted of the extracted data to determine the message types and geographic
regions that are the most and least responsive to TFTP searches. Second, those
message types and geographic regions from which data have been pulled the
fewest times, quantitatively, are scrutinised to determine their qualitative
component – namely, whether the relatively few responses returned nevertheless
contained high-quality information or were of particular value for the purposes
of the prevention, investigation, detection, or prosecution of terrorism or its
financing. Third, those message types and/or geographic regions that, from a
quantitative or qualitative standpoint at the time of the evaluation, do not
appear necessary to combat terrorism or its financing are removed from the
future Article 4 Requests. Where such message types and/or geographic regions
are identified in non-extracted data, Treasury deletes them in accordance with
Article 6 (1) of the Agreement. Pursuant
to Article 6 (5) of the Agreement, the U.S. Treasury Department also conducts
an ongoing evaluation to assess that data retention periods continue to be no
longer than necessary to combat terrorism or its financing. A comprehensive
assessment consisting of investigator interviews, reviews of counter terrorism
investigations, and an evaluation of current terrorist threats and activity is
conducted regularly, in conjunction with the aforementioned annual review of
the extracted data received, to ensure that TFTP data retention periods are
relevant to ongoing counter terrorism efforts. The three annual evaluations
conducted since the Agreement entered into force, as well as the ongoing
assessments, have all concluded that the current retention period of five years
remains necessary for the investigations for which the TFTP is used. Article
6 of the Agreement also provides that all non-extracted data (i.e., data that
had not been extracted from the TFTP as part of a counter-terrorism
investigation) received prior to 20 July 2007 shall be deleted no later than 20
July 2012. The U.S. Treasury Department completed this deletion prior to the
deadline, which was confirmed by independent auditors employed by the provider
during the second joint review.[16] Furthermore, the
Agreement also stipulates that non-extracted data received on or after 20 July
2007 shall be deleted not later than five years from receipt. The U.S.
Treasury Department initially had intended to implement this provision via an
annual deletion exercise with respect to non-extracted data that would hit the
five-year deadline within that year.[17]
Following conversations during the second joint review, and at the
recommendation of the EU joint review team, the U.S. Treasury Department
revised its procedures to accommodate additional deletion exercises to ensure
that all deletions of non-extracted data be fully completed by the five-year
mark. Thus, all non-extracted data received prior to 31 December 2008 already
have been deleted.
Conclusion
The information
contained in this Report clearly shows the significant value of the TFTP
Provided Data in preventing and combatting terrorism and its financing. The
importance of the TFTP data is demonstrated by the insights given into the
actual use of the TFTP-derived information in U.S. and European counter
terrorism investigations accompanied by a number of concrete examples. Whilst
there are many more cases which strongly support the benefits of the TFTP,
their disclosure would be detrimental to the unclosed enquiries. The TFTP
information and its accuracy enable the identification and tracking of
terrorists and their support networks across the world. It sheds light on the
existing financial structures of terrorist organisations and allows for the
identification of new streams of financial support, previously unknown
associates, and new suspected terrorists. The TFTP information can also help
to evaluate and corroborate existing intelligence, confirm a person’s
membership in the terrorist organisation, and fill information gaps. The Report
looked into the value of data retained for multiple years and the intensity of
their use. Historical data may play a key role in the investigations of
individuals who would often attempt to conceal their identifying information,
including name, address, and phone number. However, with the TFTP and the data
retained in it, the investigators may be able to link an individual to a
previously-used bank account number and identify correct personal information
and linkages associated with it. According to the available statistics on the
TFTP reports issued between 2005 and 2012, 35 percent of the TFTP-derived leads
contained data retained for three years or more. Taking into account both the
unique value of historical data and its prevalence among the TFTP leads, the
reduction of the TFTP data retention period to anything less than five years
would result in significant loss of insight into the funding and operations of
terrorist groups. In accordance
with the requirements of Article 6 of the Agreement, the U.S. Treasury
Department has deleted all non-extracted data received prior to 31 December
2008. The requests for data are defined on the basis of a regular and
extensive evaluation of responsiveness of particular message types and
geographic regions. Moreover, the U.S. Treasury Department also conducts
ongoing evaluations to assess that data retention periods continue to be no
longer than necessary to combat terrorism or its financing. In parallel to
the preparation of this Report, on request of the Commission, consultations
have been launched under Article 19 of the Agreement with a view of media
allegations about a potential breach of the terms of the Agreement by U.S.
authorities. The information provided by the U.S. Treasury Department in its
letters of 18 September and 8 November 2013 and during high level meetings on 7
October and 18 November 2013 has further clarified the implementation of the
EU-U.S. TFTP Agreement and has not revealed any breach of the Agreement. The
Commission and the U.S. Treasury have agreed to carry out the next Joint Review
according to Article 13 of the Agreement in spring 2014. [1] First joint review report SEC(2011) 438 at p. 5. [2] Second joint review report SWD(2012) 454 at p. 38, Annex IV. [3] Second joint review report at p. 15. [4] Second joint review report at p. 17. [5] “Reports” have been used to share TFTP-derived information with EU
Member States and third-country authorities, beginning long before the TFTP
Agreement in 2010. A TFTP “lead” refers to the summary of a particular
financial transaction identified in response to a TFTP search that is relevant
to a counter terrorism investigation. Each TFTP report may contain many TFTP
leads. [6] IRGC-QF has provided material support to the Taliban, Lebanese
Hizballah, Hamas, Palestinian Islamic Jihad, and the Popular Front for the
Liberation of Palestine General Command. IRGC-QF has also provided terrorist
organisations with lethal support in the form of weapons, training, and
funding, and has been responsible for numerous terrorist attacks. [7] The term “Specially Designated Global Terrorist” or “SDGT” refers
to an individual or entity that is subject to sanctions pursuant to Executive
Order 13224, the U.S. Government’s primary counter terrorism sanctions
authority. [8] These numbers are current as of August 20, 2013. [9] ETA (Euskadi ta Askatasuna) – Basque Fatherland and Liberty. [10] Resistência Galega – Galician Resistance. [11] PKK (Partiya Karkerên Kurdistan) – Kurdistan Workers’ Party. [12] These numbers are current as of August 22, 2013. [13] The presentation of these examples is based on the descriptions
provided by the concerned Member States. [14] The reports were randomly selected in order to obtain a
representative sample of all TFTP reports produced during the period 2005
through 2012. As noted earlier, a single TFTP report may contain multiple TFTP
leads. [15] TFTP data older than five years were still available at that time as
according to Article 6 of the Agreement all non-extracted data received prior
to 20 July 2007 had to be deleted not later than 20 July 2012. [16] Second joint review report at p. 10. [17] Second joint review report at p. 10.