Date post: | 28-Mar-2015 |
Category: |
Documents |
Upload: | wilson-donn |
View: | 219 times |
Download: | 0 times |
Sharing Data with Regulators
Graham Lovett
4 June 2013
DIFC
2Sharing Data with Regulators
Introduction
Setting the SceneWhen would you share data with regulators?
Potential Legal ImpedimentsApplication of Data Protection LawBanking confidentiality
Practical ConsiderationsObtaining the consent of clientsCross-border transfer of data
4 June 2013
3Sharing Data with Regulators
When would you share information with the Regulator? By compulsion of law
AML/CTF
At the request of local regulators
Extra-territorial application of foreign laws/regulation
Voluntary disclosure to an overseas regulator4 June 2013
4Sharing Data with Regulators
By compulsion of law:Regulator produces a court order enforcing
disclosure of information:
Investigations pursuant to enforcement actions (criminal/civil)
Regulator given power by statute/sanctions to require certain information to be provided
4 June 2013
5Sharing Data with Regulators
By compulsion of law: Application to the DIFC Court for an order
Where the subject of the order contravenes or proposes contravention of a Law or Rules or other legislation administered by the DFSA;
Where the DFSA investigates acts or omission which may contravene Law or Rules administered by the DFSA; or
Where a civil or regulatory proceeding has been instituted by the DFSA or another aggrieved party in relation to an alleged contravention
Orders include:– Restraining contravening conduct;– Ordering that Person to do any act or thing; or– Any other order as the Court sees fit.
This may potentially entail information sharing with the regulator within the DIFC or one or more regulators in other jurisdictions.
4 June 2013
6Sharing Data with Regulators
AML/CTFExemption under Federal legislation for disclosures made to
the AMLSCU.
Pursuant to the Anti-Money Laundering Module of the DFSA Rulebook (“AML”) any firm authorised to provide financial services/products in the DIFC (“Authorised Firms”) must establish and verify the identity of its customers by reviewing personal data.
As part of the AML requirements, information about clients engaging in suspicious transactions may need to be disclosed to the Anti-Money Laundering Suspicious Cases Unit.
Rule 3.2 of AML requires any Authorised Firm to promptly provide the DFSA with any information requested by the DFSA.
4 June 2013
7Sharing Data with Regulators
At the request of local regulators
Regulatory Powers to Obtain Information DFSA Regulatory Law: powers of supervision and investigation
DFSA may require by written notice:
Procurement of specific information; and/or
Production of specific documents
In such a manner as the DFSA prescribes
Information requests under the Regulatory Law, Notification provisions under GEN
4 June 2013
8Sharing Data with Regulators
Extra-territorial application of foreign laws / regulation
FATCAA contractual agreement between an FFI and IRSRequirements:
– Obtain information on account holders to determine if accounts are US accounts
– Compliance with due diligence and verification procedures– Report information on US accounts– Deduct and withhold a 30% tax on “passthru” payments paid to
account holders not providing relevant information (“recalcitrant account holders”) or non-participating FFIs
Pursuant to contractual agreement entered into voluntarily, information must be shared with the regulator
4 June 2013
9Sharing Data with Regulators
Extra-territorial application of foreign laws / regulation
Dodd Frank
Any covered banking entity that has $1 billion or more in trading assets and liabilities on a worldwide consolidated basis would have to: comply with extensive quantitative measurements reporting
requirements with respect to each trading unit
maintain records documenting the preparation of the required reports and information sufficient to verify their accuracy for a period of 5 years
Extra-territorial application might require data processing be undertaken and may be contrary to banking confidentiality
4 June 2013
10Sharing Data with Regulators
Extra-territorial application of foreign laws / regulation Dodd Frank
Foreign entities that engage in:
– More than a de minimis level of qualifying swap activity with US person would be required to register with the CFTC as a “Swap Dealer”
– A level of qualifying US facing swap activity which has “direct and significant connection with the activities in, or effect on, commerce in the US” would be required to register with the CFTC as a “Major Swap Participant”
Swaps Dealers/Major Swap Participants have entity level obligations and transaction level obligations
– Entity Level obligations include:– Swap data recordkeeping– Swap data reporting
– Transaction Level obligations include– Real-time public reporting– Trade confirmation– Daily trading records
Extraterritorial obligations may entail information sharing with the regulator contrary to banking confidentiality
4 June 2013
11Sharing Data with Regulators
When information required by a regulator elsewhere in a group of companies
For Example: Firm Head Office in the UK
In this instance the Financial Conduct Authority may request information stored within a DIFC Branch.
– By court order– Through the DFSA– Direct request made pursuant to head office legislation/rules– Direct request for information to be disclosed on a voluntary
basis
4 June 2013
12Sharing Data with Regulators
Voluntary Disclosure to RegulatorAs a result of financial institution transactions
that have been called into question by regulators in other jurisdictions, the financial institution may commit to information sharing as part of a leniency programme
Enforceable undertakings as part of Enforcement Proceedings
4 June 2013
13Sharing Data with Regulators
Potential Legal Impediments
Pursuant to DIFC Data Protection Law, Personal Data may only be Processed if:Data Subject has given written consentProcessing is necessary for the performance of a
contract or in steps required prior to entering into itProcessing is necessary for compliance with any
legal obligationsProcessing is necessary for performance of a task
carried out in the interests of the DIFCProcessing is necessary to pursue legitimate
interests of the firm provided the Data Subjects legitimate interests do not override these
4 June 2013
14Sharing Data with Regulators
Application of Data Protection LawTransfers out of the DIFC
May only take place if an adequate level of protection for the personal data is guaranteed by the laws and regulations of the recipient.
Where an adequate level of protection is not guaranteed additional requirements must be met, which may include obtaining a permit or written authorisation from the Commissioner of Data Protection or written consent from the Data Subject.
4 June 2013
15Sharing Data with Regulators
Application of Data Protection LawThe firm processing the Personal Data must
make information available to the Data Subject:Purposes for which the information is being
processedDetails of the recipients or categories of recipients
of the Personal DataExistence of Data Subjects right of access to and
right to rectify the Personal Data
4 June 2013
16Sharing Data with Regulators
Banking ConfidentialityBeyond the Data Protection Law, DIFC Law
of Obligations imposes a duty of confidentiality of banking business
Duty of confidentiality to customer not to misuse specific information received from another, directly or indirectly and which can reasonably be regarded as confidential
Duty lasts beyond the end of the banking relationship
4 June 2013
17Sharing Data with Regulators
Practical ConsiderationsSharing through compulsion of Law
Permitted where Processing is necessary to comply with legal obligation to which the firm is subject
AMLPermitted where necessary to comply with legal
obligation or where Processing is necessary prior to entering a contract
At the request of local regulatorsPermitted where Processing is in the interests of
the DIFC4 June 2013
18
Practical Considerations Extra-Territorial Application of Foreign
Laws/Regulation
Can argue that this is permitted in compliance with legal obligations
Transfers out of the DIFC to jurisdictions lacking adequate levels of protection are permitted in certain situations including, but not limited to where:
– a permit is obtained from Commissioner of Data Protection;– written consent is obtained from Data Subject;– Transfer necessary for performance of contract– Transfer necessary to protect vital interests of the Data Subject; or– Transfer necessary to uphold legitimate interests of the Data Processor
except where these are overriden by interests of Data Subject
September 08
19Sharing Data with Regulators
Practical ConsiderationsVoluntary disclosure to a regulator
More difficult to justify within the scope of the Data Protection Law
Not a legal obligation nor necessarily permitted in the interests of the DIFC
Legitimate interests of the Data Subject may override those of the firm Processing the information
4 June 2013
20Sharing Data with Regulators
Consent of the Data SubjectIn all instances, Personal Data may be legitimately
Processed where the Data Subject has provided their written consent
Terms and Conditions signed by Data Subject when opening account should be reviewed to see if consent granted
Process of ‘re-papering’ may be required to amend Terms and Conditions
Cannot have deemed consent to amend Terms and Conditions where information sharing is concerned
4 June 2013
Clifford Chance, 10 Upper Bank Street, London, E14 5JJ© Clifford Chance 2013Clifford Chance LLP is a limited liability partnership registered in England and Wales under number OC323571Registered office: 10 Upper Bank Street, London, E14 5JJWe use the word 'partner' to refer to a member of Clifford Chance LLP, or an employee or consultant with equivalent standing and qualifications
www.cliffordchance.com
Sharing Data with Regulators