Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sharing Data with Regulators Graham Lovett 4 June 2013 DIFC.

Similar presentations


Presentation on theme: "Sharing Data with Regulators Graham Lovett 4 June 2013 DIFC."— Presentation transcript:

1 Sharing Data with Regulators Graham Lovett 4 June 2013 DIFC

2 Introduction Setting the Scene When would you share data with regulators? Potential Legal Impediments Application of Data Protection Law Banking confidentiality Practical Considerations Obtaining the consent of clients Cross-border transfer of data 4 June Sharing Data with Regulators

3 When would you share information with the Regulator? By compulsion of law AML/CTF At the request of local regulators Extra-territorial application of foreign laws/regulation Voluntary disclosure to an overseas regulator 4 June Sharing Data with Regulators

4 By compulsion of law: Regulator produces a court order enforcing disclosure of information: Investigations pursuant to enforcement actions (criminal/civil) Regulator given power by statute/sanctions to require certain information to be provided 4 June Sharing Data with Regulators

5 By compulsion of law: Application to the DIFC Court for an order Where the subject of the order contravenes or proposes contravention of a Law or Rules or other legislation administered by the DFSA; Where the DFSA investigates acts or omission which may contravene Law or Rules administered by the DFSA; or Where a civil or regulatory proceeding has been instituted by the DFSA or another aggrieved party in relation to an alleged contravention Orders include: –Restraining contravening conduct; –Ordering that Person to do any act or thing; or –Any other order as the Court sees fit. This may potentially entail information sharing with the regulator within the DIFC or one or more regulators in other jurisdictions. 4 June Sharing Data with Regulators

6 AML/CTF Exemption under Federal legislation for disclosures made to the AMLSCU. Pursuant to the Anti-Money Laundering Module of the DFSA Rulebook (AML) any firm authorised to provide financial services/products in the DIFC (Authorised Firms) must establish and verify the identity of its customers by reviewing personal data. As part of the AML requirements, information about clients engaging in suspicious transactions may need to be disclosed to the Anti-Money Laundering Suspicious Cases Unit. Rule 3.2 of AML requires any Authorised Firm to promptly provide the DFSA with any information requested by the DFSA. 4 June Sharing Data with Regulators

7 At the request of local regulators Regulatory Powers to Obtain Information DFSA Regulatory Law: powers of supervision and investigation DFSA may require by written notice: Procurement of specific information; and/or Production of specific documents In such a manner as the DFSA prescribes Information requests under the Regulatory Law, Notification provisions under GEN 4 June Sharing Data with Regulators

8 Extra-territorial application of foreign laws / regulation FATCA A contractual agreement between an FFI and IRS Requirements: –Obtain information on account holders to determine if accounts are US accounts –Compliance with due diligence and verification procedures –Report information on US accounts –Deduct and withhold a 30% tax on passthru payments paid to account holders not providing relevant information (recalcitrant account holders) or non-participating FFIs Pursuant to contractual agreement entered into voluntarily, information must be shared with the regulator 4 June Sharing Data with Regulators

9 Extra-territorial application of foreign laws / regulation Dodd Frank Any covered banking entity that has $1 billion or more in trading assets and liabilities on a worldwide consolidated basis would have to: comply with extensive quantitative measurements reporting requirements with respect to each trading unit maintain records documenting the preparation of the required reports and information sufficient to verify their accuracy for a period of 5 years Extra-territorial application might require data processing be undertaken and may be contrary to banking confidentiality 4 June Sharing Data with Regulators

10 Extra-territorial application of foreign laws / regulation Dodd Frank Foreign entities that engage in: –More than a de minimis level of qualifying swap activity with US person would be required to register with the CFTC as a Swap Dealer –A level of qualifying US facing swap activity which has direct and significant connection with the activities in, or effect on, commerce in the US would be required to register with the CFTC as a Major Swap Participant Swaps Dealers/Major Swap Participants have entity level obligations and transaction level obligations –Entity Level obligations include: –Swap data recordkeeping –Swap data reporting –Transaction Level obligations include –Real-time public reporting –Trade confirmation –Daily trading records Extraterritorial obligations may entail information sharing with the regulator contrary to banking confidentiality 4 June Sharing Data with Regulators

11 When information required by a regulator elsewhere in a group of companies For Example: Firm Head Office in the UK In this instance the Financial Conduct Authority may request information stored within a DIFC Branch. –By court order –Through the DFSA –Direct request made pursuant to head office legislation/rules –Direct request for information to be disclosed on a voluntary basis 4 June Sharing Data with Regulators

12 Voluntary Disclosure to Regulator As a result of financial institution transactions that have been called into question by regulators in other jurisdictions, the financial institution may commit to information sharing as part of a leniency programme Enforceable undertakings as part of Enforcement Proceedings 4 June Sharing Data with Regulators

13 Potential Legal Impediments Pursuant to DIFC Data Protection Law, Personal Data may only be Processed if: Data Subject has given written consent Processing is necessary for the performance of a contract or in steps required prior to entering into it Processing is necessary for compliance with any legal obligations Processing is necessary for performance of a task carried out in the interests of the DIFC Processing is necessary to pursue legitimate interests of the firm provided the Data Subjects legitimate interests do not override these 4 June Sharing Data with Regulators

14 Application of Data Protection Law Transfers out of the DIFC May only take place if an adequate level of protection for the personal data is guaranteed by the laws and regulations of the recipient. Where an adequate level of protection is not guaranteed additional requirements must be met, which may include obtaining a permit or written authorisation from the Commissioner of Data Protection or written consent from the Data Subject. 4 June Sharing Data with Regulators

15 Application of Data Protection Law The firm processing the Personal Data must make information available to the Data Subject: Purposes for which the information is being processed Details of the recipients or categories of recipients of the Personal Data Existence of Data Subjects right of access to and right to rectify the Personal Data 4 June Sharing Data with Regulators

16 Banking Confidentiality Beyond the Data Protection Law, DIFC Law of Obligations imposes a duty of confidentiality of banking business Duty of confidentiality to customer not to misuse specific information received from another, directly or indirectly and which can reasonably be regarded as confidential Duty lasts beyond the end of the banking relationship 4 June Sharing Data with Regulators

17 Practical Considerations Sharing through compulsion of Law Permitted where Processing is necessary to comply with legal obligation to which the firm is subject AML Permitted where necessary to comply with legal obligation or where Processing is necessary prior to entering a contract At the request of local regulators Permitted where Processing is in the interests of the DIFC 4 June Sharing Data with Regulators

18 Practical Considerations Extra-Territorial Application of Foreign Laws/Regulation Can argue that this is permitted in compliance with legal obligations Transfers out of the DIFC to jurisdictions lacking adequate levels of protection are permitted in certain situations including, but not limited to where: –a permit is obtained from Commissioner of Data Protection; –written consent is obtained from Data Subject; –Transfer necessary for performance of contract –Transfer necessary to protect vital interests of the Data Subject; or –Transfer necessary to uphold legitimate interests of the Data Processor except where these are overriden by interests of Data Subject September 08 18

19 Practical Considerations Voluntary disclosure to a regulator More difficult to justify within the scope of the Data Protection Law Not a legal obligation nor necessarily permitted in the interests of the DIFC Legitimate interests of the Data Subject may override those of the firm Processing the information 4 June Sharing Data with Regulators

20 Consent of the Data Subject In all instances, Personal Data may be legitimately Processed where the Data Subject has provided their written consent Terms and Conditions signed by Data Subject when opening account should be reviewed to see if consent granted Process of re-papering may be required to amend Terms and Conditions Cannot have deemed consent to amend Terms and Conditions where information sharing is concerned 4 June Sharing Data with Regulators

21 Clifford Chance, 10 Upper Bank Street, London, E14 5JJ © Clifford Chance 2013 Clifford Chance LLP is a limited liability partnership registered in England and Wales under number OC Registered office: 10 Upper Bank Street, London, E14 5JJ We use the word 'partner' to refer to a member of Clifford Chance LLP, or an employee or consultant with equivalent standing and qualifications Sharing Data with Regulators


Download ppt "Sharing Data with Regulators Graham Lovett 4 June 2013 DIFC."

Similar presentations


Ads by Google