52013DC0843

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

on the Joint Report from the Commission and the U.S. Treasury Department regarding the value of TFTP Provided Data pursuant to Article 6 (6) of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program

1. Legal basis

In accordance with Article 6 (6) of the Agreement Between the European Union and the United States of America on the Processing and Transfer of Financial Messaging Data From the European Union to the United States for the Purposes of the Terrorist Finance Tracking Program (the Agreement), the European Commission and the U.S. Treasury Department have prepared the joint report regarding the value of Terrorist Finance Tracking Program (TFTP) Provided Data ('Joint Report'), “with particular emphasis on the value of data retained for multiple years and relevant information obtained from the joint review conducted pursuant to Article 13.”

2. Procedural aspects

The modalities of this Report have been determined jointly by the European Commission and the U.S. Treasury Department, in line with Article 6 (6) of the Agreement.

The European Commission and the U.S. Treasury Department began discussions on the modalities, mandate, and methodology for the report in December 2012. On 25 February 2013 the EU and the U.S. assessment teams met in Washington, D.C. in order to discuss the preparation of the Report and convened a second meeting at the Europol premises in The Hague on 14 May 2013.  During the meeting in The Hague, the EU and the U.S. teams also met with Europol representatives to discuss the initial input from all parties and the next steps.

On the EU side, the European Commission held a classified meeting with representatives of the Member States on 13 May 2013. Member States and Europol have provided written contributions, which have been considered and reflected upon in the preparation of this Report.  To this end, Europol issued a questionnaire to all concerned Member States in order to collect relevant information for its input for this Report.  The questionnaire aimed at obtaining a current overview of the added value of TFTP Provided Data, in relation to specific cases investigated by competent authorities in relevant Member States.

Between 1 February and 24 May 2013, the U.S. assessement team interviewed counter terrorism investigators at a variety of agencies, reviewed counter terrorism cases in which the TFTP was used, and analysed over 1,000 TFTP reports to assess the value of TFTP-derived information. 

3. Scope

The information for the Report has been provided by the U.S. Treasury Department, Europol, and the Member States.  The Report focuses on how the TFTP Provided Data have been used and the value the data bring to counter terrorism investigations in the United States and the EU. The Report includes multiple concrete examples where TFTP data, including data retained for three years or more, have been valuable in counter terrorism investigations, in the United States and the EU, before and since the Agreement entered into force on 1 August 2010.  In addition to this Report, other examples of the usefulness and value of the TFTP data have been presented in the context of the two joint reviews, carried out in February 2011 and October 2012, pursuant to Article 13 of the Agreement.  As a whole, these factual and concrete sets of information constitute a considerable step forward in further explaining the functioning and the added value of the TFTP. 

The Report also describes the methodology for the assessment of retention periods by the U.S. Treasury Department and deletion of non-extracted data.

The Report demonstrates that TFTP Provided Data, including data retained for multiple years, have been delivering very important value for the counter terrorism efforts in the United States, Europe, and elsewhere.

With the present Communication, the Commission transmits the Joint Report in Annex to the European Parliament and the Council.

ANNEX

Joint Report from the Commission and the U.S. Treasury Department regarding the value of TFTP Provided Data pursuant to Article 6 (6) of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program

to the

Communication from the Commission to the European Parliament and the Council

on the Joint Report from the Commission and the U.S. Treasury Department regarding the value of TFTP Provided Data pursuant to Article 6 (6) of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program

Executive Summary

In accordance with Article 6 (6) of the Agreement Between the European Union and the United States of America on the Processing and Transfer of Financial Messaging Data From the European Union to the United States for the Purposes of the Terrorist Finance Tracking Program (the Agreement), the European Commission and the U.S. Treasury Department have prepared this joint report regarding the value of Terrorist Finance Tracking Program (TFTP) Provided Data, “with particular emphasis on the value of data retained for multiple years and relevant information obtained from the joint review conducted pursuant to Article 13.”

The information for the Report has been provided by the U.S. Treasury Department, Europol, and the Member States.  The Report focuses on how the TFTP Provided Data have been used and the value the data bring to counter terrorism investigations in the United States and the EU. The Report includes multiple concrete examples where TFTP data, including data retained for three years or more, have been valuable in counter terrorism investigations, in the United States and the EU, before and since the Agreement entered into force on 1 August 2010.  In addition to this Report, other examples of the usefulness and value of the TFTP data have been presented in the context of the two joint reviews, carried out in February 2011 and October 2012, pursuant to Article 13 of the Agreement.  As a whole, these factual and concrete sets of information constitute a considerable step forward in further explaining the functioning and the added value of the TFTP. 

The Report also describes the methodology for the assessment of retention periods by the U.S. Treasury Department and deletion of non-extracted data.

The Report demonstrates that TFTP Provided Data, including data retained for multiple years, have been delivering very important value for the counter terrorism efforts in the United States, Europe, and elsewhere.

2. Background

The TFTP was set up by the U.S. Treasury Department shortly after the terrorist attacks of 11 September 2001 when it begun issuing legally binding production orders to a provider of financial payment messaging services for financial payment messaging data stored in the United States that would be used exclusively in the fight against terrorism and its financing.  Until the end of 2009, the provider stored all relevant financial messages on two identical servers, located in Europe and the United States.  On 1 January 2010, the provider implemented its new messaging architecture, consisting of two processing zones – one zone in the United States and the other in the European Union.  In order to ensure the continuity of the TFTP under these new conditions, a new Agreement between the European Union and the United States on this issue was considered necessary.  After an initial version of the Agreement did not receive the consent of the European Parliament, a revised version was negotiated and agreed upon in the summer of 2010.  The European Parliament gave its consent to the Agreement on 8 July 2010, the Council approved it on 13 July 2010, and it entered into force on 1 August 2010.

The Agreement gives an important role to Europol, which is responsible for receiving a copy of data requests, along with any supplemental documentation, and verifying that these U.S. requests for data comply with certain conditions specified in Article 4 of the Agreement, including that they must be as narrowly tailored as possible in order to minimise the volume of data requested.  Once Europol confirms the request complies with the stated conditions, the data provider is authorised and required to provide the data to the U.S. Treasury Department.  Europol does not have direct access to the data submitted by the data provider to the U.S. Treasury Department and does not perform searches on the TFTP data.

The Agreement stipulates that TFTP searches must be narrowly tailored and based upon pre-existing information or evidence that demonstrates a reason to believe that the subject of a search has a nexus to terrorism or its financing. In line with Article 12 of the Agreement TFTP searches are monitored by independent overseers with the ability to question and block overly broad or any other searches that do not satisfy the strict safeguards and controls of Article 5 of the Agreement.

Article 13 of the Agreement provides for regular joint reviews of the safeguards, controls, and reciprocity provisions to be conducted by review teams from the European Union and the United States, including the European Commission, the U.S. Treasury Department, and representatives of two data protection authorities from EU Member States, and may also include security and data protection experts and persons with judicial experience.  Two joint reviews have already been carried out, with a third joint review envisaged for 2014.  Each of the joint reviews examined cases in which TFTP-derived information has been used for the prevention, investigation, detection, or prosecution of terrorism or its financing. 

During the first joint review conducted in February 2011, the U.S. Treasury Department provided numerous examples (classified) of high profile terrorism cases where TFTP-derived information had been used.  The first joint review report recognises the value of the TFTP and states that the “number of leads provided since the start of the program and since the entry into force of the Agreement indicates a continued benefit for preventing and combating terrorism and its financing across the world, with a particular focus on the U.S. and the EU.”[1]

During the second joint review of the Agreement, conducted in October 2012, the U.S. Treasury Department provided an annex containing 15 concrete examples of specific investigations in which TFTP data proved critical to counter terrorism investigations.[2]  The second joint review report concludes that “Europol and Member States have become increasingly aware of the value of TFTP data for their task to fight and prevent terrorism and its financing in the EU”[3] and, through the use of reciprocity arrangements, are “increasingly profiting from it.”[4]

Article 6 (6) of the Agreement requires that the European Commission and the U.S. Treasury Department prepare a joint report regarding the value of TFTP Provided Data within three years of the Agreement’s entry into force, with particular emphasis on the value of data retained for multiple years and relevant information obtained from the joint review conducted pursuant to Article 13. 

3. Procedural aspects

The modalities of this Report have been determined jointly by the European Commission and the U.S. Treasury Department, in line with Article 6 (6) of the Agreement.

The European Commission and the U.S. Treasury Department began discussions on the modalities, mandate, and methodology for the report in December 2012.  On 25 February 2013 the EU and the U.S. assessment teams met in Washington, D.C. in order to discuss the preparation of the Report and convened a second meeting at the Europol premises in The Hague on 14 May 2013.  During the meeting in The Hague, the EU and the U.S. teams also met with Europol representatives to discuss the initial input from all parties and the next steps.

On the EU side, the European Commission held a classified meeting with representatives of the Member States on 13 May 2013.  Member States and Europol have provided written contributions, which have been considered and reflected upon in the preparation of this Report.  To this end, Europol issued a questionnaire to all concerned Member States in order to collect relevant information for its input for this Report.  The questionnaire aimed at obtaining a current overview of the added value of TFTP Provided Data, in relation to specific cases investigated by competent authorities in relevant Member States.

Between 1 February and 24 May 2013, the U.S. assessement team interviewed counter terrorism investigators at a variety of agencies, reviewed counter terrorism cases in which the TFTP was used, and analysed over 1,000 TFTP reports to assess the value of TFTP-derived information. 

The examples discussed in this report are drawn from highly sensitive investigations that may be currently active.  As such, some of the information has been sanitised to protect these investigations.

4. Value of TFTP Provided Data

Since the inception of the TFTP in 2001, it has produced tens of thousands of leads and over 3,000 reports (which contain multiple TFTP leads) to counter terrorism authorities worldwide, including over 2,100 reports to European authorities.[5]

The TFTP has been used to investigate many of the most significant terrorist attacks and plots of the past decade, including:

During the period after the conclusion of the Agreement:

· the April 2013 Boston Marathon bombings;

threats with respect to the 2012 London Summer Olympic Games; the 2011 plot to assassinate the Saudi Arabian Ambassador to the United States; the July 2011 attacks in Norway conducted by Anders Breivik; and the October 2010 Nigerian Independence Day car bombings.

Prior to the conclusion of the Agreement:

the July 2010 attack against fans watching a World Cup match in Kampala, Uganda; the July 2009 Jakarta hotel attacks; multiple hijacking and hostage operations conducted by al-Shabaab – including the April 2009 hijacking of the Belgian vessel MV Pompei; the November 2008 Mumbai attacks; the September 2007 Islamic Jihad Union plot to attack locations in Germany; the 2007 plot to attack New York’s John F. Kennedy airport; the 2006 liquid bomb plot against transatlantic aircraft; the July 2005 bombings in London; the November 2005 Van Gogh terrorist-related murder; the March 2004 Madrid train bombings; and the October 2002 Bali bombings.

The EU and U.S. assessment teams heard from Europol and the U.S. Treasury Department, as well as other authorities, on the value of the TFTP.  Counter terrorism investigators noted that the TFTP contains unique, highly accurate information that is of significant value in tracking terrorist support networks and identifying new methods of terrorist financing.  In cases where little is known about a terrorism suspect beyond the individual’s name or bank account number, TFTP-derived information can reveal critical pieces of information, including locations, financial transactions, and associates.  The unique value of the TFTP lies in the accuracy of the banking information, since the persons concerned have a clear interest in providing accurate information to ensure that the money reaches its destination.

Most counter terrorism investigations rely on the collection, exchange, and analysis of significant quantities of information from multiple sources.  Based on the experience of implementing the Agreement, cooperation with Member State authorities in a high number of counter terrorism investigations, and general competence in matters relating to terrorism and financial intelligence, a very high value is placed on TFTP data as a unique instrument to provide timely, accurate, and reliable information about activities associated with suspected acts of terrorist financing and planning.

U.S. counter terrorism investigators from a variety of agencies benefiting from the TFTP-derived information provided pursuant to the Agreement were interviewed to determine the value of the program to their investigations.  The investigators surveyed agreed that the TFTP provides valuable information that can be used to identify and track terrorists and their support networks.  Furthermore, they noted that the TFTP provides key insight into the financial support networks of some of the world’s most dangerous terrorist organisations, including Al-Qaida, Al-Qaida in the Lands of the Islamic Maghreb (AQIM), Al-Qaida in the Arabian Peninsula (AQAP), Al Shabaab, Islamic Jihad Union (IJU), Islamic Movement of Uzbekistan (IMU), and Iran’s Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF).  Investigators observed that TFTP-derived information allows them to identify new streams of financial support and previously unknown associates, link front entities and aliases with terrorist organisations, evaluate/corroborate existing intelligence, and provide information that can be used to identify new targets for investigation.  Several investigators interviewed noted that financial transaction information derived from the TFTP allows them to fill information gaps and make connections that would not have been seen in other sources. 

Terrorist groups depend on a regular cash flow for a variety of reasons, including the payment of operatives and bribes, arrangement of travel, training and recruitment of members, forging of documents, acquisition of weapons, and staging of attacks.  Counter terrorism investigators rely on multiple datasets to investigate and disrupt these operations.  However, there may be gaps in information that can prevent investigators from fully understanding these networks.  The TFTP provides investigators with accurate financial messaging information that may include account numbers, bank identification codes, names, addresses, transaction amounts, dates, email addresses, and phone numbers.  Using this information, investigators can map terrorist financial support networks, including identifying previously unknown associates.  In one case in 2012, for example, information derived from the TFTP detected that a known suspected terrorist was one of the signatories on an account of an organisation through which several suspicious transactions took place.  Subsequent TFTP checks also identified money flows between this organisation and another company suspected of providing material support to other terrorist entities in the concerned geographical area concerned.

TFTP-derived information may be used to provide leads that assist in identifying and locating persons involved with terrorist networks and providing evidence of financial activities in aid of terrorist attacks.  For example, it is possible to locate a suspect by checking when and where the suspect closed and/or opened a new bank account in a city or country other than his or her last known place of residence.  This is a clear indicator that the person may have moved.  However, even when a suspect does not change bank accounts but rather moves and continues using the ‘old’ account (e.g., through e-banking), it has been possible to detect the change of location by, for example, identifying payments for specific goods or services (e.g., for repairs or maintenance or other activities which are usually carried out where a person lives).  As a result of the precision of the TFTP data, even when suspects are very careful with their bank transactions, it has also been possible to locate them through the payments and purchases of their close associates.  The TFTP can provide key information about the movements of suspected terrorists and the nature of their expenditures.  Even the ‘non-activity’ of one or more bank accounts tied to a suspected terrorist, in terms of transactions, is a useful indicator of the possible departure of a suspect from a certain country.

Based on the TFTP, it has been possible to obtain information on U.S. and EU citizens and residents suspected of terrorism or terrorist financing in third countries where requests for mutual legal assistance were not responded to in a timely manner.  In one case in 2010, the TFTP helped to locate an EU resident suspected of a terrorist offence, who had disappeared from the EU.  The person turned out to be a new account holder in a country in the Middle East.  Further investigations confirmed that the person was indeed residing in this third country, thus allowing the targeting of investigative resources in support of a corresponding international arrest warrant.

In another case, the TFTP was used in the investigation of French national Rachid Benomari, a suspected Al-Qaida and al-Shabaab recruiter and fundraiser. Benomari along with two additional al-Shabaab operatives were arrested for illegally entering Kenya in July 2013. Benomari and his associates are wanted in the EU on terrorism-related charges, and an Interpol Red Notice has been issued for Benomari’s arrest. TFTP-derived information provided investigators with Benomari’s bank account number and identified previously-unknown financial associates. Treasury shared this information with Europol in response to an Article 10 request.

In numerous cases, counter terrorism investigators have used information obtained from the TFTP to provide accurate and timely leads that have advanced terrorism investigations.  For example, TFTP-derived information was used to help identify funding sources used in the 2011 plot to kill the Saudi Arabian Ambassador to the United States by Manssor Arbabsiar and the IRGC-QF.[6] Using the TFTP, investigators were able to identify a $100,000 transaction sent from a non-Iranian foreign bank to a bank in the United States, to an account of the person recruited by Arbabsiar to carry out the assassination.  Arbabsiar was arrested, and has subsequently pleaded guilty and been sentenced to 25 years in prison. 

The TFTP has also assisted in investigations of the al-Nusrah Front (ANF), which has been identified as an alias of Al-Qaida in Iraq by the United Nations Security Council’s Al-Qaida Sanctions Committee, as well as by the United States and the European Union, resulting in a mandatory UN-ordered freezing of any of its assets around the world.  Since September 2011, the ANF has claimed responsibility for over 1,100 terrorist attacks, killing and wounding many hundreds of Syrians. According to TFTP-derived information, a Middle East-based fundraiser for the ANF received the equivalent of more than 1.4 million Euros since 2012, donated in a variety of currencies from donors based in at least 20 different countries, including France, Germany, Ireland, the Netherlands, Spain, Sweden, and the United Kingdom. U.S. counter terrorism investigators have shared this information with global counter terrorism authorities, including authorities in Europe and the Middle East. In at least one case, a third country has requested additional TFTP searches to assist with its continuing investigation.

Treasury continues to use the TFTP to investigate EU-based terrorists training in Syria. Treasury counter terrorism analysts conducted TFTP searches on suspected terrorists Mohommod Hassin Nawaz and Hamaz Nawaz. The Nawaz brothers were arrested in Dover, UK by UK authorities on September 16, 2013 after travelling from Calais, France and were charged with terrorism offenses, including traveling to a terrorist training camp in Syria. TFTP-derived leads provided transaction information including account numbers, amounts, dates, and potential associates, including a suspected terrorist financer.

Terrorist organisations use multiple methods to fund their operations.  These methods may include money laundering, narcotics trafficking, theft, and the use of front organisations to raise funds.  TFTP-derived information can aid counter terrorism investigators in identifying the means employed by terrorists and their supporters to fund their operations.  Terrorist organisations often use front companies to establish a legitimate business presence so that they may evade sanctions and use the global financial system.  TFTP-derived information contains key information – including names, bank identification codes, transaction amounts, and dates – that can be used to link front organisations with terrorist groups.  The details of a transaction between a suspected front company and a known terrorist may contain the information investigators need to confirm that a supposedly legitimate organisation is raising funds on behalf of a terrorist organisation.  Furthermore, TFTP-derived information may identify previously unknown front organisations and individuals leading those organisations who are linked to terrorist groups.  The TFTP was used to provide leads for the investigation of the now-defunct U.S. branch of the Charitable Society for Social Welfare founded by Specially Designated Global Terrorist[7] Abd-al-Majid Al-Zindani.  Deceased AQAP operative Anwar al-Aulaqi served as vice president of the organisation.  The charity was described by U.S. federal prosecutors as a front organisation used to support Al-Qaida and Usama Bin Ladin. TFTP-derived information revealed transactions and associates linked to this organisation.

TFTP-derived information also contributed to the investigation of Iran’s Bank Saderat for its support to terrorism.  Bank Saderat was designated for its illicit activities, resulting in the freezing of its assets in the United States and the European Union, among other jurisdictions.  Bank Saderat, which had approximately 3,200 branch offices, has been used by the Government of Iran to channel funds to Hizballah and Hamas amongst others.  From 2001 to 2006, Bank Saderat transferred $50 million from the Central Bank of Iran through its subsidiary in London to its branch in Beirut for the benefit of Hizballah front organisations in Lebanon that support acts of violence. TFTP-derived information has been crucial to efforts by counter terrorism investigators to track Bank Saderat’s financial transactions to terrorist groups and its affiliations with financial institutions it uses to evade global sanctions.

Terrorist organisations often use deception to mask their illicit funding schemes.  TFTP-derived information helped to identify a funding stream used by Hizballah to launder drug money for its operations.  In this highly complex scheme, Hizballah would sell drugs in Europe and launder the funds with used cars purchased in the United States and subsequently sold in Africa.  The profits from the sale of the used cars and drugs would be sent to Lebanon and specific Lebanese exchange houses.  Treasury determined that the exchange houses were used by Hizballah to transfer funds for operations or back to the U.S. to buy more used cars.  As recently as early 2013, TFTP lead information allowed investigators to identify the movement of money between Hizballah, certain exchange houses, and used car dealerships in the United States.  Treasury continues to be concerned about the potential use of exchange houses to help access the financial system, and is actively pursuing counter terrorism leads and actions to detect and disrupt the use of the financial system to support terrorist activity. 

Financial transactions can also provide counter terrorism investigators with the information needed to identify individuals facilitating terrorist training.  Terrorist organisations require funding to allow associates to travel to training sites.  These transactions often indicate when a suspected terrorist has decided to become operational and affiliate with a group or organisation.  TFTP-derived information can provide investigators with the counter terrorism information they need, including dates of travel, transaction amounts, names, aliases, locations, and contact information, to track these individuals.  For example, the TFTP was used to help provide leads for the investigation of al-Shabaab facilitator Omar Awadh Omar.  Omar facilitated funding to al-Shabaab and is believed to have facilitated the movement of foreign fighters and supplies to Somalia.  Omar was allegedly involved in planning the 11 July 2010 attack against fans watching a World Cup match in Kampala, Uganda.  Al-Shabaab claimed responsibility for this attack, which killed 74 people.  The TFTP provided key lead information that was used to identify individuals in Omar’s support network and identify previously unknown accounts.  Omar is currently under arrest and awaiting trial in Uganda.  Omar was also designated by the U.S. Treasury Department pursuant to Executive Order 13536, which targets threats to the peace, security, and stability of Somalia.

Use of TFTP by the Member States and the EU

While the TFTP was developed by authorities in the United States, the Member States and the EU are permitted to use the TFTP for their own counter terrorism investigations through reciprocity clauses included in the Agreement.  According to Article 10 of the Agreement, the Member States, Europol, and Eurojust can request a search of information obtained through the TFTP, which Treasury will then conduct in accordance with the safeguards of Article 5.  Separately, pursuant to Article 9 of the Agreement, the U.S. Treasury Department spontaneously provides relevant information generated by the TFTP to concerned Member States, Europol, and Eurojust.

Since the entry into force of the Agreement, the Member States have become increasingly aware of the availability of the TFTP as an investigative tool.  Several Member States and Europol benefit on an ongoing basis from TFTP-derived information and the valuable investigative leads which they receive.  Over the last three years, in response to 158 total requests made by the Member States and the EU pursuant to Article 10, 924 investigative leads were obtained from the TFTP.[8]

For example, in the case of Spain, a total number of 11 requests, pursuant to Article 10, generated 93 investigative leads on natural and legal persons suspected of having a nexus to terrorism or its financing.  Out of 11 requests, three concerned domestic, separatist terrorist groups: two related to ETA[9], which generated 25 leads, and one related to Resistência Galega[10], which generated four leads.  As concerns Al-Qaida, Spain sent four requests and obtained 11 leads, whereas two requests related to Hizballah generated as many as 27 leads.  Furthermore, one request related to a separatist group PKK[11] generated 19 investigative leads and one request related a counter terrorism and counter proliferation investigation generated seven investigative leads.

During the same time period, pursuant to Article 9, the U.S. spontaneously provided the Member States and the EU with relevant information on 23 occasions, involving 94 investigative leads.[12]

The following cases,  which have been collected and provided by Europol, are illustrations of how the TFTP has been used by the Member States and of the investigative results triggered by the searches requested pursuant to Article 10 of the Agreement.[13]  They complement the information provided in section 4 of this Report, where some European examples have also been used to explain the role TFTP-derived information plays in counter terrorism investigations.  The choice of examples and the information provided had to respect the limits prescribed by the requirements of confidentiality and security. 

Case 1:  Islamist terrorist activities

Terrorist group/organisation:  Islamist terrorist activities (unknown/unnamed organisation)

Description of the case:  An investigation against a 40-year-old male suspected of being recruited for foreign armed service and membership in a terrorist organisation.  This person is further suspected of preparing and/or conducting terrorist attacks.

Feedback from the Member State:  Following an Article 10 request, the information leads corroborated previously known information, they were considered up-to-date, and the leads contained new links to terrorism/crime.

Timeframe of the leads:  2008-2011

Case 2:  Hamas

Terrorist group/organisation:  Hamas (Harakat al-Muqāwamah al-Islāmiyyah, "Islamic Resistance Movement") is the Palestinian Sunni Islamic or Islamist organisation, with an associated military wing, the Izz ad-Din al-Qassam Brigades, located in the Palestinian territories.  The European Union, Israel, the United States, Canada, and Japan classify Hamas as a terrorist organisation.

Description of the case:  An investigation into a Non Profit Organisation (NPO) sanctioned under the Member State’s legislation.  This NPO is a “sister” organisation of a similar NPO operating in another Member State, which was sanctioned for providing support to Hamas.  It was suspected that the organisation under investigation provided significant funding, via its “sister” entity, to support Hamas financially.

Feedback from the Member State:  Following an Article 10 request, the information leads corroborated known information, and were considered to be current.

Funds from the NPO were frozen prior to the launch of the Article 10 request; however, the TFTP-provided “transactions were reported to the Financial Intelligence Unit because of money laundering indications and these were later identified as funding for a terrorist organisation.”

Timeframe of the leads:  2011

Case 3:  PKK

Terrorist group/organisation:  The Kurdistan Workers’ Party (Partiya Karkerên Kurdistan or Parti Karkerani Kurdistan), commonly known as PKK, also known as KGK and formerly known as KADEK (Freedom and Democracy Congress of Kurdistan) or KONGRA-GEL (Kurdistan People’s Congress), is a Kurdish organisation which has since 1984 been fighting an armed struggle against the Turkish state for an autonomous Kurdistan and cultural and political rights for the Kurds in Turkey.  The group was founded on 27 November 1978 in the village of Fis, near Lice, and was led by Abdullah Öcalan.  The PKK is listed as a terrorist organisation internationally by states and organisations, including the European Union, the United Nations, NATO, and the United States.

Description of the case:  An investigation against an EU citizen who is suspected of being a supporter of Kongra Gel/PKK.  The suspect has extensive international travel habits, including several trips to locations of security interest.  It is suspected that the suspect acts as a fundraiser, financier, or facilitator for the proscribed terrorist organisation Kongra Gel/PKK.

Feedback from the Member State:  Following an Article 10 request, the information leads corroborated known information and also provided previously unknown international links and previously unknown contacts and suspects.

This case continues to be part of an active investigation and, as such, only limited further information can be disclosed for feedback purposes.  However, as a result of information obtained via the TFTP, financial enquiry could be more narrowly focused on previously unknown associates and locations, resulting in significant intelligence gaps being filled and the opening-up of new investigative opportunities.  Specifically, this gave the enquiry an international dimension that was previously suspected but not readily identifiable and therefore corroborated existing intelligence.  This in turn generated significant further enquiry and referrals to other law enforcement agencies with regard to the main subject of interest and financial associates.  It should be highlighted that the information provided via the TFTP would have been highly unlikely to have been discovered through other channels and was therefore of considerable benefit in this case.

Timeframe of the leads:  2004-2011

Case 4:  IJU

Terrorist group/organisation:  The Islamic Jihad Union (IJU), initially known as Islamic Jihad Group (IJG), is a terrorist organisation and has conducted attacks in Uzbekistan and attempted attacks in Germany.  IJU was founded in March 2002 by those separated from the Islamic Movement of Uzbekistan (IMU) in Pakistan’s Tribal Areas.  The organisation was responsible for failed attacks in Uzbekistan in 2004 and early 2005.  Then it changed its name, Islamic Jihad Group, into Islamic Jihad Union.  After this period, it became closer to core al Qaida.  Since its reorientation, the organisation’s focus shifted and it began plotting terror attacks in Pakistan and Western Europe, especially Germany.  Mirali in South Waziristan is the organisation’s base where Western recruits for attacks in the West are trained.

Description of the case:  An investigation against six individuals suspected of being members of the terrorist organisation IJU.  One of the suspects is believed to have travelled or will travel to receive terrorist-related training in a hostile location.  One individual is suspected to be responsible for financing, recruitment, and illegal immigration in the Member States.  This suspect’s current residence is unknown.

Feedback from the Member State:  Following an Article 10 request, the information leads corroborated previously known information.

Furthermore, the leads generated previously unknown information (foreign bank accounts, addresses, telephone numbers, etc.), unidentified international links, and previously unknown additional contacts and suspects.  The leads were considered to be up-to-date.

Timeframe of the leads:  2009-2012

Case 5:  Sikh terrorist activities

Terrorist group/organisation:  Sikh terrorist activities (unknown/unnamed organisation)

Description of the case:  An investigation into Sikh terrorist activities: An individual and the related business structure are suspected of accumulating large sums of cash and performing transfers of funds between multiple accounts and locations.  These monies are suspected of being used to support and even commission acts of terrorism.

Feedback from the Member State:  Following an Article 10 request, the information leads corroborated previously known information.  Furthermore, the leads generated previously unknown information (foreign bank accounts, addresses, telephone numbers, etc.), unidentified international links, and previously unknown contacts and suspects.  The leads were considered to be current.

The intelligence leads enabled a more accurate assessment of financial intelligence obtained earlier in the enquiry to be made.  Specifically, it had been identified that the subject had large sums of money credited to his bank account(s); however, the origin of these funds was not previously known.

No charges have been brought, but due to the sensitive nature of the investigation, limited further information can be disclosed for feedback purposes.  In this case, the TFTP was considered at an early stage due to the suspicion that the subject of interest may have a financial footprint outside the EU.  A swift and detailed response was received from the TFTP enquiry, which resulted in the identification of international financial activity and foreign business interests that proved of significant intelligence value.  In turn, a more informed assessment could be made of the activities of the subject of interest, in the context of the investigative aims and other intelligence held.  Again, the nature of the financial associations and transactions provided via the TFTP would have been unlikely to be discovered through other channels of enquiry and greatly assisted in the progression of the investigation and early assessment of the activity.

Timeframe of the leads:  2007-2012

Value of TFTP Provided Data retained for multiple years

Counter terrorism authorities demonstrated to the EU and U.S. assessment teams that financial data retained over multiple years, known as historical data, are of significant value to counter terrorism investigations.  Historical data allow investigators to identify funding trends, track group affiliations, and analyse methodology.  Due to the accuracy of TFTP data, investigators can use financial transactions to track terrorists and their supporters world-wide over multiple years.  Since the Agreement entered into force in August 2010, 45 percent of all TFTP data viewed by an analyst were three years or older. 

A terrorist may operate in a particular country for multiple years.  At some point, that individual may move to another country to conduct terrorist operations.  The individual may change all of their previous identifiers, including name, address, and phone number.  However, TFTP information retained within the time limits of Article 6 can link the individual to a bank account number that they have previously used.  Even when the terrorist has established new bank accounts, investigators may be able to link the individual with the new account – and any identifying information associated with it – by tracking transactions associated with accounts known to be used by the terrorist’s organisation.  In fact, the investigators surveyed for this report agreed that the reduction of the TFTP data retention period to anything less than five years would result in a significant loss of insight into the funding and operations of terrorist groups.

For example, TFTP-derived information was used to help track transactions of IJU operative Mevlut Kar.  Kar has provided more than 20 detonators to members of the IJU.  In January 2012, Kar was designated as a Specially Designated Global Terrorist by the United States, resulting in the freezing of any of his assets subject to U.S. jurisdiction.  TFTP-derived information retained in excess of four years was used to provide leads and track transactions between Kar and his supporters.  Kar is implicated in the 2007 European bomb plot targeting U.S. military installations and American citizens in Germany.  Kar is currently wanted by the Government of Lebanon, and an Interpol Red Notice has been issued for his arrest and extradition.  The Lebanese government has sentenced him in absentia to 15 years in prison for attempting to establish an Al-Qaida cell in Lebanon.  Without historical data, investigators would not have been able to obtain their significant insight into Kar’s operations. 

The U.S. Treasury Department conducted a review of over a thousand TFTP reports issued between 2005 and 2012.[14]  This analysis revealed that, over that seven-year period, 35 percent of the TFTP-derived leads contained data retained for at least three years. 

In addition to the prevalence of historical data among TFTP-derived leads, the review of TFTP reports from 2005 through 2012 reveals the relative importance of data retained in excess of three years in the reports.  As shown in the graph below, between 2005 and 2012, over 65 percent of reports compiled from TFTP-derived leads contained TFTP data retained in excess of three years.  For nearly 35 percent of reports, historical data comprised at least half of the report’s source material.  Since 2010, fully 10 percent of TFTP reports compiled by analysts pursuant to counter terrorism investigations relied solely on TFTP data retained in excess of three years.

Historical data were crucial to identifying the funding sources and methodology that supported Norwegian terrorist Anders Behring Breivik.  A day after the attacks of 22 July 2011 that killed 77 persons and wounded hundreds more, Europol provided the U.S. Treasury Department an emergency request pursuant to Article 10 of the Agreement related to the events.  On the same day, Treasury responded to Europol with 35 TFTP-derived leads detailing Breivik’s extensive financial activities and network that spanned nearly a dozen countries, most in Europe, but also including the United States and certain off-shore destinations.  Four of the 35 leads involved financial transactions conducted within the two years prior to the attacks, and one additional lead involved financial activity that occurred just over three years prior to the attacks.  The other 30 leads involved financial transactions conducted between four and eight years prior to the attacks[15], as Breivik built his international financial network, set up a company that produced phony educational credentials, also known as a “diploma mill,” established a farming operation that could obtain materials used for explosives, and worked with certain associates in other countries.

As the Norway attacks neared, Breivik apparently reduced his usage of the international financial system, perhaps to avoid detection.  Nevertheless, the older TFTP leads allowed investigators to rapidly identify Breivik’s funding streams and methodology, as well as his contacts and financial holdings in other countries, which was particularly critical at the time, when authorities were trying to determine whether he had acted alone or in concert with other unidentified operatives.   

In one of the other cases surveyed for the purposes of this report, investigators were able to use TFTP-derived information to track over 100 transactions between a suspected terrorist and supporters in multiple countries over the span of four years.  The suspected terrorist used accounts in several countries to solicit funds to support plans for a potential attack.  Further investigation of the transactions identified previously unknown associates and supporters.

In addition, in several cases surveyed for this report, investigators were able to track transactions between terrorist groups, including Al-Qaida, and new sources of funding.  In the majority of these cases, using information derived from TFTP data retained in excess of three years – and, in many instances for searches conducted prior to the July 2012 deletion, in excess of five years – led to separate investigations into previously unknown entities. 

In the illustrative examples of counter terrorism investigations in the EU included in Section 5 of this Report, the investigative leads generated by the TFTP were also several years old.

Retention and deletion of data

The Agreement contains several provisions related to data retention and deletion.  Article 6 (5) stipulates that during the term of the Agreement, the U.S. Treasury Department shall undertake an ongoing and at least annual evaluation to identify non-extracted data that are no longer necessary to combat terrorism or its financing, and, when identified, permanently delete them as soon as technologically feasible.  To this end a large-scale audit and analysis of the extracted data are conducted every year and analyse, on a quantitative and qualitative basis, the types and categories of data, including by geographic region, that have proven helpful for counter terrorism investigations.

The audit and analysis occur in several stages.  First, a comprehensive assessment is conducted of the extracted data to determine the message types and geographic regions that are the most and least responsive to TFTP searches.  Second, those message types and geographic regions from which data have been pulled the fewest times, quantitatively, are scrutinised to determine their qualitative component – namely, whether the relatively few responses returned nevertheless contained high-quality information or were of particular value for the purposes of the prevention, investigation, detection, or prosecution of terrorism or its financing.  Third, those message types and/or geographic regions that, from a quantitative or qualitative standpoint at the time of the evaluation, do not appear necessary to combat terrorism or its financing are removed from the future Article 4 Requests.  Where such message types and/or geographic regions are identified in non-extracted data, Treasury deletes them in accordance with Article 6 (1) of the Agreement. 

Pursuant to Article 6 (5) of the Agreement, the U.S. Treasury Department also conducts an ongoing evaluation to assess that data retention periods continue to be no longer than necessary to combat terrorism or its financing.  A comprehensive assessment consisting of investigator interviews, reviews of counter terrorism investigations, and an evaluation of current terrorist threats and activity is conducted regularly, in conjunction with the aforementioned annual review of the extracted data received, to ensure that TFTP data retention periods are relevant to ongoing counter terrorism efforts.  The three annual evaluations conducted since the Agreement entered into force, as well as the ongoing assessments, have all concluded that the current retention period of five years remains necessary for the investigations for which the TFTP is used.

Article 6 of the Agreement also provides that all non-extracted data (i.e., data that had not been extracted from the TFTP as part of a counter-terrorism investigation) received prior to 20 July 2007 shall be deleted no later than 20 July 2012.  The U.S. Treasury Department completed this deletion prior to the deadline, which was confirmed by independent auditors employed by the provider during the second joint review.[16]

Furthermore, the Agreement also stipulates that non-extracted data received on or after 20 July 2007 shall be deleted not later than five years from receipt.  The U.S. Treasury Department initially had intended to implement this provision via an annual deletion exercise with respect to non-extracted data that would hit the five-year deadline within that year.[17]  Following conversations during the second joint review, and at the recommendation of the EU joint review team, the U.S. Treasury Department revised its procedures to accommodate additional deletion exercises to ensure that all deletions of non-extracted data be fully completed by the five-year mark.  Thus, all non-extracted data received prior to 31 December 2008 already have been deleted.

Conclusion

The information contained in this Report clearly shows the significant value of the TFTP Provided Data in preventing and combatting terrorism and its financing.  The importance of the TFTP data is demonstrated by the insights given into the actual use of the TFTP-derived information in U.S. and European counter terrorism investigations accompanied by a number of concrete examples.  Whilst there are many more cases which strongly support the benefits of the TFTP, their disclosure would be detrimental to the unclosed enquiries.  The TFTP information and its accuracy enable the identification and tracking of terrorists and their support networks across the world.  It sheds light on the existing financial structures of terrorist organisations and allows for the identification of new streams of financial support, previously unknown associates, and new suspected terrorists.  The TFTP information can also help to evaluate and corroborate existing intelligence, confirm a person’s membership in the terrorist organisation, and fill information gaps. 

The Report looked into the value of data retained for multiple years and the intensity of their use.  Historical data may play a key role in the investigations of individuals who would often attempt to conceal their identifying information, including name, address, and phone number.  However, with the TFTP and the data retained in it, the investigators may be able to link an individual to a previously-used bank account number and identify correct personal information and linkages associated with it.  According to the available statistics on the TFTP reports issued between 2005 and 2012, 35 percent of the TFTP-derived leads contained data retained for three years or more.  Taking into account both the unique value of historical data and its prevalence among the TFTP leads, the reduction of the TFTP data retention period to anything less than five years would result in significant loss of insight into the funding and operations of terrorist groups. 

In accordance with the requirements of Article 6 of the Agreement, the U.S. Treasury Department has deleted all non-extracted data received prior to 31 December 2008.  The requests for data are defined on the basis of a regular and extensive evaluation of responsiveness of particular message types and geographic regions.  Moreover, the U.S. Treasury Department also conducts ongoing evaluations to assess that data retention periods continue to be no longer than necessary to combat terrorism or its financing. 

In parallel to the preparation of this Report, on request of the Commission, consultations have been launched under Article 19 of the Agreement with a view of media allegations about a potential breach of the terms of the Agreement by U.S. authorities. The information provided by the U.S. Treasury Department in its letters of 18 September and 8 November 2013 and during high level meetings on 7 October and 18 November 2013 has further clarified the implementation of the EU-U.S. TFTP Agreement and has not revealed any breach of the Agreement. The Commission and the U.S. Treasury have agreed to carry out the next Joint Review according to Article 13 of the Agreement in spring 2014.

[1]  First joint review report SEC(2011) 438 at p. 5.

[2]  Second joint review report SWD(2012) 454 at p. 38, Annex IV.

[3]  Second joint review report at p. 15.

[4]  Second joint review report at p. 17.

[5]  “Reports” have been used to share TFTP-derived information with EU Member States and third-country authorities, beginning long before the TFTP Agreement in 2010.  A TFTP “lead” refers to the summary of a particular financial transaction identified in response to a TFTP search that is relevant to a counter terrorism investigation.  Each TFTP report may contain many TFTP leads.

[6]  IRGC-QF has provided material support to the Taliban, Lebanese Hizballah, Hamas, Palestinian Islamic Jihad, and the Popular Front for the Liberation of Palestine General Command. IRGC-QF has also provided terrorist organisations with lethal support in the form of weapons, training, and funding, and has been responsible for numerous terrorist attacks.

[7]  The term “Specially Designated Global Terrorist” or “SDGT” refers to an individual or entity that is subject to sanctions pursuant to Executive Order 13224, the U.S. Government’s primary counter terrorism sanctions authority.

[8] These numbers are current as of August 20, 2013.

[9] ETA (Euskadi ta Askatasuna) – Basque Fatherland and Liberty.

[10] Resistência Galega – Galician Resistance.

[11] PKK (Partiya Karkerên Kurdistan) – Kurdistan Workers’ Party.

[12] These numbers are current as of August 22, 2013.

[13] The presentation of these examples is based on the descriptions provided by the concerned Member States.

[14]  The reports were randomly selected in order to obtain a representative sample of all TFTP reports produced during the period 2005 through 2012.  As noted earlier, a single TFTP report may contain multiple TFTP leads.

[15] TFTP data older than five years were still available at that time as according to Article 6 of the Agreement all non-extracted data received prior to 20 July 2007 had to be deleted not later than 20 July 2012.

[16]  Second joint review report at p. 10.

[17]  Second joint review report at p. 10.