Sharing Data with Regulators Graham Lovett 4 June 2013 DIFC


Page 1: Sharing Data with Regulators

Sharing Data with Regulators

Graham Lovett

4 June 2013

DIFC

Page 2: Sharing Data with Regulators

Introduction

Setting the Scene
– When would you share data with regulators?

Potential Legal Impediments
– Application of Data Protection Law
– Banking confidentiality

Practical Considerations
– Obtaining the consent of clients
– Cross-border transfer of data

Page 3: Sharing Data with Regulators

When would you share information with the Regulator?

– By compulsion of law
– AML/CTF
– At the request of local regulators
– Extra-territorial application of foreign laws/regulation
– Voluntary disclosure to an overseas regulator

Page 4: Sharing Data with Regulators

By compulsion of law:

– Regulator produces a court order enforcing disclosure of information:
– Investigations pursuant to enforcement actions (criminal/civil)
– Regulator given power by statute/sanctions to require certain information to be provided

Page 5: Sharing Data with Regulators


By compulsion of law: Application to the DIFC Court for an order

Where the subject of the order contravenes or proposes contravention of a Law or Rules or other legislation administered by the DFSA;

Where the DFSA investigates acts or omission which may contravene Law or Rules administered by the DFSA; or

Where a civil or regulatory proceeding has been instituted by the DFSA or another aggrieved party in relation to an alleged contravention

Orders include:
– Restraining contravening conduct;
– Ordering that Person to do any act or thing; or
– Any other order as the Court sees fit.

This may potentially entail information sharing with the regulator within the DIFC or one or more regulators in other jurisdictions.


Page 6: Sharing Data with Regulators

AML/CTF

Exemption under Federal legislation for disclosures made to the AMLSCU.

Pursuant to the Anti-Money Laundering Module of the DFSA Rulebook (“AML”) any firm authorised to provide financial services/products in the DIFC (“Authorised Firms”) must establish and verify the identity of its customers by reviewing personal data.

As part of the AML requirements, information about clients engaging in suspicious transactions may need to be disclosed to the Anti-Money Laundering Suspicious Cases Unit.

Rule 3.2 of AML requires any Authorised Firm to promptly provide the DFSA with any information requested by the DFSA.


Page 7: Sharing Data with Regulators

At the request of local regulators

Regulatory Powers to Obtain Information

DFSA Regulatory Law: powers of supervision and investigation

DFSA may require by written notice:
– Procurement of specific information; and/or
– Production of specific documents

In such a manner as the DFSA prescribes

Information requests under the Regulatory Law, Notification provisions under GEN

Page 8: Sharing Data with Regulators

Extra-territorial application of foreign laws / regulation

FATCA

A contractual agreement between an FFI and IRS

Requirements:
– Obtain information on account holders to determine if accounts are US accounts
– Compliance with due diligence and verification procedures
– Report information on US accounts
– Deduct and withhold a 30% tax on “passthru” payments paid to account holders not providing relevant information (“recalcitrant account holders”) or non-participating FFIs

Pursuant to contractual agreement entered into voluntarily, information must be shared with the regulator

Page 9: Sharing Data with Regulators

Extra-territorial application of foreign laws / regulation

Dodd Frank

Any covered banking entity that has $1 billion or more in trading assets and liabilities on a worldwide consolidated basis would have to:
– comply with extensive quantitative measurements reporting requirements with respect to each trading unit
– maintain records documenting the preparation of the required reports and information sufficient to verify their accuracy for a period of 5 years

Extra-territorial application might require data processing be undertaken and may be contrary to banking confidentiality

Page 10: Sharing Data with Regulators

Extra-territorial application of foreign laws / regulation

Dodd Frank

Foreign entities that engage in:

– More than a de minimis level of qualifying swap activity with US persons would be required to register with the CFTC as a “Swap Dealer”

– A level of qualifying US facing swap activity which has “direct and significant connection with the activities in, or effect on, commerce in the US” would be required to register with the CFTC as a “Major Swap Participant”

Swap Dealers/Major Swap Participants have entity level obligations and transaction level obligations

– Entity Level obligations include:
  – Swap data recordkeeping
  – Swap data reporting

– Transaction Level obligations include:
  – Real-time public reporting
  – Trade confirmation
  – Daily trading records

Extraterritorial obligations may entail information sharing with the regulator contrary to banking confidentiality

Page 11: Sharing Data with Regulators

When information is required by a regulator elsewhere in a group of companies

For Example: Firm Head Office in the UK

In this instance the Financial Conduct Authority may request information stored within a DIFC Branch.

– By court order
– Through the DFSA
– Direct request made pursuant to head office legislation/rules
– Direct request for information to be disclosed on a voluntary basis

Page 12: Sharing Data with Regulators

Voluntary Disclosure to Regulator

As a result of financial institution transactions that have been called into question by regulators in other jurisdictions, the financial institution may commit to information sharing as part of a leniency programme

Enforceable undertakings as part of Enforcement Proceedings

Page 13: Sharing Data with Regulators

Potential Legal Impediments

Pursuant to DIFC Data Protection Law, Personal Data may only be Processed if:
– Data Subject has given written consent
– Processing is necessary for the performance of a contract or in steps required prior to entering into it
– Processing is necessary for compliance with any legal obligations
– Processing is necessary for performance of a task carried out in the interests of the DIFC
– Processing is necessary to pursue legitimate interests of the firm provided the Data Subject's legitimate interests do not override these

Page 14: Sharing Data with Regulators

Application of Data Protection Law

Transfers out of the DIFC

May only take place if an adequate level of protection for the personal data is guaranteed by the laws and regulations of the recipient.

Where an adequate level of protection is not guaranteed additional requirements must be met, which may include obtaining a permit or written authorisation from the Commissioner of Data Protection or written consent from the Data Subject.


Page 15: Sharing Data with Regulators

Application of Data Protection Law

The firm processing the Personal Data must make information available to the Data Subject:
– Purposes for which the information is being processed
– Details of the recipients or categories of recipients of the Personal Data
– Existence of Data Subject's right of access to and right to rectify the Personal Data

Page 16: Sharing Data with Regulators

Banking Confidentiality

Beyond the Data Protection Law, DIFC Law of Obligations imposes a duty of confidentiality of banking business

Duty of confidentiality to customer not to misuse specific information received from another, directly or indirectly and which can reasonably be regarded as confidential

Duty lasts beyond the end of the banking relationship


Page 17: Sharing Data with Regulators

Practical Considerations

Sharing through compulsion of Law
– Permitted where Processing is necessary to comply with legal obligation to which the firm is subject

AML
– Permitted where necessary to comply with legal obligation or where Processing is necessary prior to entering a contract

At the request of local regulators
– Permitted where Processing is in the interests of the DIFC

Page 18: Sharing Data with Regulators

Practical Considerations

Extra-Territorial Application of Foreign Laws/Regulation

Can argue that this is permitted in compliance with legal obligations

Transfers out of the DIFC to jurisdictions lacking adequate levels of protection are permitted in certain situations including, but not limited to where:

– a permit is obtained from Commissioner of Data Protection;
– written consent is obtained from Data Subject;
– Transfer necessary for performance of contract;
– Transfer necessary to protect vital interests of the Data Subject; or
– Transfer necessary to uphold legitimate interests of the Data Processor except where these are overridden by interests of Data Subject

September 08

Page 19: Sharing Data with Regulators

Practical Considerations

Voluntary disclosure to a regulator

More difficult to justify within the scope of the Data Protection Law

Not a legal obligation nor necessarily permitted in the interests of the DIFC

Legitimate interests of the Data Subject may override those of the firm Processing the information


Page 20: Sharing Data with Regulators

Consent of the Data Subject

In all instances, Personal Data may be legitimately Processed where the Data Subject has provided their written consent

Terms and Conditions signed by Data Subject when opening account should be reviewed to see if consent granted

Process of ‘re-papering’ may be required to amend Terms and Conditions

Cannot have deemed consent to amend Terms and Conditions where information sharing is concerned


Page 21: Sharing Data with Regulators

Clifford Chance, 10 Upper Bank Street, London, E14 5JJ

© Clifford Chance 2013

Clifford Chance LLP is a limited liability partnership registered in England and Wales under number OC323571

Registered office: 10 Upper Bank Street, London, E14 5JJ

We use the word 'partner' to refer to a member of Clifford Chance LLP, or an employee or consultant with equivalent standing and qualifications

www.cliffordchance.com
