Annexes to COM(2022)585 - Review of the implementation of the Agreement with the USA on the transfer of Financial Messaging Data for the purposes of the Terrorist Finance Tracking Program

Please note

This page contains a limited version of this dossier in the EU Monitor.

Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program

{SWD(2022) 357 final}

On 1 August 2010, the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program ('TFTP') entered into force 1 .

Procedural aspects

Article 13 of the Agreement provides for regular joint reviews of the safeguards, controls, and reciprocity provisions to be conducted by review teams from the European Union and the United States, including the European Commission, the U.S. Treasury Department (hereinafter “the Treasury”), and representatives of two data protection authorities from EU Member States, and may also include security and data protection experts and persons with judicial experience.

This report concerns the sixth joint review of the Agreement since it entered into force and covers a period between 1 December 2018 and 30 November 2021. The previous joint reviews of the Agreement were conducted in February 2011 2 , in October 2012 3 , in April 2014 4 , in March 2016 5 and in January 2019 6 . On 27 November 2013, the Commission adopted the Communication on the Joint Report from the Commission and the Treasury regarding the value of TFTP Provided Data pursuant to Article 6 (6) of the Agreement 7 .

In line with Article 13 (3) of the Agreement, for the purposes of the review, the European Commission represented the European Union, and the Treasury represented the United States. The EU review team was headed by a senior Commission official and in total consisted of two members of Commission staff, as well as representatives from two EU national data protection authorities.

The sixth joint review was carried out in two main stages: on 8 March 2022 in The Hague at Europol's premises and on 29 and 30 March 2022 in Washington DC at the Treasury.

This report is based on the information contained in the written replies that the Treasury provided to the EU questionnaire sent prior to the review, information obtained from the discussions with Treasury personnel and members of the US review team, as well as information contained in other publicly available Treasury documents. In addition, the report takes into account information provided by Europol staff during the review, including submissions by Europol’s Data Protection Officer. To complete the information available, the Commission also met with and received information from the Designated Provider and organised a meeting on 24 January 2022 to receive feedback from Member States on the reciprocity provisions of the Agreement.

Recommendations and conclusion

On the basis of the information and explanations received from the Treasury, Europol, the Designated Provider and the independent overseers, verification of relevant documents and of a randomly selected sample of requests of production orders and searches run on the TFTP provided data, the Commission is overall satisfied that the Agreement and its safeguards and controls are properly implemented.

Europol is accomplishing its verification tasks in full compliance with Article 4 on the basis of detailed and regularly updated supporting documentation received from the Treasury. The oversight mechanism is functioning smoothly and is effective in ensuring that the processing of data complies with the conditions laid down in Article 5 including that data has only been searched where there is pre-existing information or evidence which demonstrates a reason to believe that the subject of the search has a nexus to terrorism or its financing. All non-extracted data is deleted at the latest five years from receipt, in accordance with Article 6 (4) of the Agreement.

The TFTP remains a key instrument to provide timely, accurate and reliable information about activities associated with suspected acts of terrorist planning and financing. It helps to identify and track terrorists and their support networks worldwide. During the current review period, the EU has continued to significantly benefit from the TFTP and almost 50% of the leads resulting from all the searches went to Europol and EU Member States. In some cases, the information provided under the Agreement has been instrumental in bringing forward specific investigations relating to terrorist attacks on EU soil.

Though the average number of leads per month decreased from 2 232 to 1 631 during the review period, largely due to the COVID-19 pandemic, it remained at a high level and continued to demonstrate the value of the Agreement. The number of searches per month decreased from 1 115 searches to 828, or by 26% compared with the previous review period.

The mandatory telework in the United States from March to May 2020, did not materially affect the safeguards, controls, or reciprocity provisions set out in the Agreement. The role of overseers, auditors, and the supervision of security measures to safeguard classified information were not affected except in terms of adjusting staffing levels. Even though the Treasury did not send new Article 4 requests to obtain data during this limited period, the Commission is satisfied that the Treasury could respond to urgent and priority requests to make searches through the TFTP during this periods in compliance with the conditions laid down in Article 5 of the Agreement.

In terms of potential for further improvement, the Commission recognises that the Treasury, in the annual evaluation of its Article 4 Requests, assesses the message types and geographic regions that are the most and least responsive to TFTP searches, but suggests that the outcome of such an assessment should be explained in more details in subsequent Article 4 requests . Such more detailed explanations could better demonstrate that the Treasury’s has narrowly tailored its request to minimise the amount of data requested from the designated provider, in line with Article 4 (2).

The Commission further suggests that the Treasury improves its mechanisms to review the necessity of retaining “extracted data” to ensure that this data is only retained for as long as necessary for the specific investigation or prosecution for which they are used (Article 6 (7)). The Commission suggests that the Treasury establish written procedures for the review of such data retention.

In this context, the Commission requests Member States to increase their efforts to inform Europol as a Single Point of Contact (SPoC) when a case has been finally disposed of, for the subsequent provision of such information to the Treasury, which should in principle lead to the deletion of extracted data relating to that case, unless there are other investigations based on the extracted data. Europol and Member States should establish and implement procedures for providing such feedback. Consideration should also be given to extracted data that is viewed by the Treasury analysts but not considered relevant in the context of a specific investigation and therefore not disseminated further in the context of a specific investigation. To the extent such data is extracted and printed, the Commission recommends that the Treasury establish written guidance for document management for TFTP users/analysts, to ensure that such extracted data is retained in accordance with Article 6 (7).

Furthermore, Member States should provide regular feedback to Europol, for onward sharing with the Treasury as appropriate, on the added value of the TFTP leads received from the Treasury, which could further improve the quality and the quantity of information exchanged under Articles 9 and 10. The Commission encourages Europol to continue its efforts to actively promote awareness of the TFTP and to support Member States seeking its advice and experience in devising targeted Article 10 requests. The Commission also encourages Member States to exploit to the full the possibilities available under the TFTP. 

The Commission notes that the procedures to process requests from persons to ensure that their data protection rights have been respected in compliance with the Agreement appear to function efficiently. The Commission also notes that the U.S. Privacy and Civil Liberties Oversight Board, in November 2020, stated in the context of an oversight review of the TFTP that the review indicates that the programme is thoughtfully designed, provides significant value for counter-terrorism, and appropriately protects individual privacy. The Commission underlines the importance that the Privacy Officer of the U.S. Treasury Department, charged with the implementation of Articles 15 and 16 of the Agreement, continues its efforts to make right of access and redress more easily available to persons and that it also consider how procedures can be tested in the absence of specific requests.

The Commission welcomes the continued transparency of the United States’ authorities in sharing information illustrating the value of the TFTP in international counter-terrorism efforts. The detailed information about how the TFTP Provided Data can and is being used and concrete cases thereof provided in the Joint Value Report and in the context of this review clearly explain the functioning and demonstrate the added value of the TFTP for security on both sides of the Atlantic as it remains an essential tool to support counter-terrorism analysts and investigations, for example in identifying previously unknown terrorist operatives and financial supporters.

In the period under review, the EU has been able to benefit relatively more from the TFTP than during the periods considered in previous reviews. The US authorities have extensively made use of the possibility under Article 9 of the Agreement to spontaneously provide information from the TFTP to EU authorities. In addition, Europol has continued to proactively initiate a series of requests under Article 10 of the Agreement in the period under review. This has helped raise awareness of the TFTP among Member State authorities. At the same time, Member State authorities submitted that the leads that are disseminated as physical copies on paper by the Treasury could be more efficiently processed if they were provided digitally. The Commission invites the Treasury and Europol to consider possible ways to facilitate the processing of leads, in compatibility with the security arrangements of the TFTP.

A regular review of the Agreement is essential to ensure its proper implementation, to build up a relationship of trust between the contracting parties and to provide reassurances to interested stakeholders on the usefulness of the TFTP instrument. The Commission and the Treasury agreed to carry out the next joint review according to Article 13 of the Agreement in the beginning of 2024.

The functioning of the Agreement, the joint review process, its outcome and recommendations are described in detail in the Staff Working Document attached to this Report.


     OJ L 195/5 of 27.7. 2010.


     SEC(2011) 438 final.


     SWD(2012) 454 final.


     COM (2014) 513 final and SWD (2014) 264 final of 11.8.2014.


     COM (2017) 31 final and SWD (2017) 17 final of 19.1.2017.


     COM(2019) 342 final, and SWD (2019) 301 final of 22.7.2019


     COM (2013) 843 final of 27.11.2013.