210 likes | 336 Views
Sharing Data with Regulators. Graham Lovett. 4 June 2013. DIFC. Introduction. Setting the Scene When would you share data with regulators? Potential Legal Impediments Application of Data Protection Law Banking confidentiality Practical Considerations Obtaining the consent of clients
E N D
Sharing Data with Regulators Graham Lovett 4 June 2013 DIFC
Introduction • Setting the Scene • When would you share data with regulators? • Potential Legal Impediments • Application of Data Protection Law • Banking confidentiality • Practical Considerations • Obtaining the consent of clients • Cross-border transfer of data Sharing Data with Regulators
When would you share information with the Regulator? • By compulsion of law • AML/CTF • At the request of local regulators • Extra-territorial application of foreign laws/regulation • Voluntary disclosure to an overseas regulator Sharing Data with Regulators
By compulsion of law: • Regulator produces a court order enforcing disclosure of information: • Investigations pursuant to enforcement actions (criminal/civil) • Regulator given power by statute/sanctions to require certain information to be provided Sharing Data with Regulators
By compulsion of law: • Application to the DIFC Court for an order • Where the subject of the order contravenes or proposes contravention of a Law or Rules or other legislation administered by the DFSA; • Where the DFSA investigates acts or omission which may contravene Law or Rules administered by the DFSA; or • Where a civil or regulatory proceeding has been instituted by the DFSA or another aggrieved party in relation to an alleged contravention • Orders include: • Restraining contravening conduct; • Ordering that Person to do any act or thing; or • Any other order as the Court sees fit. • This may potentially entail information sharing with the regulator within the DIFC or one or more regulators in other jurisdictions. Sharing Data with Regulators
AML/CTF • Exemption under Federal legislation for disclosures made to the AMLSCU. • Pursuant to the Anti-Money Laundering Module of the DFSA Rulebook (“AML”) any firm authorised to provide financial services/products in the DIFC (“Authorised Firms”) must establish and verify the identity of its customers by reviewing personal data. • As part of the AML requirements, information about clients engaging in suspicious transactions may need to be disclosed to the Anti-Money Laundering Suspicious Cases Unit. • Rule 3.2 of AML requires any Authorised Firm to promptly provide the DFSA with any information requested by the DFSA. Sharing Data with Regulators
At the request of local regulators • Regulatory Powers to Obtain Information • DFSA Regulatory Law: powers of supervision and investigation • DFSA may require by written notice: • Procurement of specific information; and/or • Production of specific documents In such a manner as the DFSA prescribes • Information requests under the Regulatory Law, Notification provisions under GEN Sharing Data with Regulators
Extra-territorial application of foreign laws / regulation • FATCA • A contractual agreement between an FFI and IRS • Requirements: • Obtain information on account holders to determine if accounts are US accounts • Compliance with due diligence and verification procedures • Report information on US accounts • Deduct and withhold a 30% tax on “passthru” payments paid to account holders not providing relevant information (“recalcitrant account holders”) or non-participating FFIs • Pursuant to contractual agreement entered into voluntarily, information must be shared with the regulator Sharing Data with Regulators
Extra-territorial application of foreign laws / regulation • Dodd Frank • Any covered banking entity that has $1 billion or more in trading assets and liabilities on a worldwide consolidated basis would have to: • comply with extensive quantitative measurements reporting requirements with respect to each trading unit • maintain records documenting the preparation of the required reports and information sufficient to verify their accuracy for a period of 5 years • Extra-territorial application might require data processing be undertaken and may be contrary to banking confidentiality Sharing Data with Regulators
Extra-territorial application of foreign laws / regulation • Dodd Frank • Foreign entities that engage in: • More than a de minimis level of qualifying swap activity with US person would be required to register with the CFTC as a “Swap Dealer” • A level of qualifying US facing swap activity which has “direct and significant connection with the activities in, or effect on, commerce in the US” would be required to register with the CFTC as a “Major Swap Participant” • Swaps Dealers/Major Swap Participants have entity level obligations and transaction level obligations • Entity Level obligations include: • Swap data recordkeeping • Swap data reporting • Transaction Level obligations include • Real-time public reporting • Trade confirmation • Daily trading records • Extraterritorial obligations may entail information sharing with the regulator contrary to banking confidentiality Sharing Data with Regulators
When information required by a regulator elsewhere in a group of companies • For Example: Firm Head Office in the UK • In this instance the Financial Conduct Authority may request information stored within a DIFC Branch. • By court order • Through the DFSA • Direct request made pursuant to head office legislation/rules • Direct request for information to be disclosed on a voluntary basis Sharing Data with Regulators
Voluntary Disclosure to Regulator • As a result of financial institution transactions that have been called into question by regulators in other jurisdictions, the financial institution may commit to information sharing as part of a leniency programme • Enforceable undertakings as part of Enforcement Proceedings Sharing Data with Regulators
Potential Legal Impediments • Pursuant to DIFC Data Protection Law, Personal Data may only be Processed if: • Data Subject has given written consent • Processing is necessary for the performance of a contract or in steps required prior to entering into it • Processing is necessary for compliance with any legal obligations • Processing is necessary for performance of a task carried out in the interests of the DIFC • Processing is necessary to pursue legitimate interests of the firm provided the Data Subjects legitimate interests do not override these Sharing Data with Regulators
Application of Data Protection Law • Transfers out of the DIFC • May only take place if an adequate level of protection for the personal data is guaranteed by the laws and regulations of the recipient. • Where an adequate level of protection is not guaranteed additional requirements must be met, which may include obtaining a permit or written authorisation from the Commissioner of Data Protection or written consent from the Data Subject. Sharing Data with Regulators
Application of Data Protection Law • The firm processing the Personal Data must make information available to the Data Subject: • Purposes for which the information is being processed • Details of the recipients or categories of recipients of the Personal Data • Existence of Data Subjects right of access to and right to rectify the Personal Data Sharing Data with Regulators
Banking Confidentiality • Beyond the Data Protection Law, DIFC Law of Obligations imposes a duty of confidentiality of banking business • Duty of confidentiality to customer not to misuse specific information received from another, directly or indirectly and which can reasonably be regarded as confidential • Duty lasts beyond the end of the banking relationship Sharing Data with Regulators
Practical Considerations • Sharing through compulsion of Law • Permitted where Processing is necessary to comply with legal obligation to which the firm is subject • AML • Permitted where necessary to comply with legal obligation or where Processing is necessary prior to entering a contract • At the request of local regulators • Permitted where Processing is in the interests of the DIFC Sharing Data with Regulators
Practical Considerations • Extra-Territorial Application of Foreign Laws/Regulation • Can argue that this is permitted in compliance with legal obligations • Transfers out of the DIFC to jurisdictions lacking adequate levels of protection are permitted in certain situations including, but not limited to where: • a permit is obtained from Commissioner of Data Protection; • written consent is obtained from Data Subject; • Transfer necessary for performance of contract • Transfer necessary to protect vital interests of the Data Subject; or • Transfer necessary to uphold legitimate interests of the Data Processor except where these are overriden by interests of Data Subject
Practical Considerations • Voluntary disclosure to a regulator • More difficult to justify within the scope of the Data Protection Law • Not a legal obligation nor necessarily permitted in the interests of the DIFC • Legitimate interests of the Data Subject may override those of the firm Processing the information Sharing Data with Regulators
Consent of the Data Subject • In all instances, Personal Data may be legitimately Processed where the Data Subject has provided their written consent • Terms and Conditions signed by Data Subject when opening account should be reviewed to see if consent granted • Process of ‘re-papering’ may be required to amend Terms and Conditions • Cannot have deemed consent to amend Terms and Conditions where information sharing is concerned Sharing Data with Regulators