Graham Lovett
4 June 2013
DIFC

 Setting the Scene
 When would you share data with regulators?
 Potential Legal Impediments
 Application of Data Protection Law
 Banking confidentiality
 Practical Considerations
 Obtaining the consent of clients
 Cross-border transfer of data
Sharing Data with Regulators 4 June 2013 2

 By compulsion of law
 AML/CTF
 At the request of local regulators
 Extra-territorial application of foreign laws/regulation
 Voluntary disclosure to an overseas regulator
4 June 2013 3 Sharing Data with Regulators

 Regulator produces a court order enforcing disclosure of information:
 Investigations pursuant to enforcement actions
(criminal/civil)
 Regulator given power by statute/sanctions to require certain information to be provided
Sharing Data with Regulators 4 June 2013 4

 Application to the DIFC Court for an order
 Where the subject of the order contravenes or proposes contravention of a Law or Rules or other legislation administered by the DFSA;
 Where the DFSA investigates acts or omission which may contravene
Law or Rules administered by the DFSA; or
 Where a civil or regulatory proceeding has been instituted by the DFSA or another aggrieved party in relation to an alleged contravention
 Orders include:
– Restraining contravening conduct;
– Ordering that Person to do any act or thing; or
– Any other order as the Court sees fit.
 This may potentially entail information sharing with the regulator within the DIFC or one or more regulators in other jurisdictions.
4 June 2013 5 Sharing Data with Regulators

 Exemption under Federal legislation for disclosures made to the AMLSCU.
 Pursuant to the Anti-Money Laundering Module of the DFSA
Rulebook (“ AML ”) any firm authorised to provide financial services/products in the DIFC (“ Authorised Firms ”) must establish and verify the identity of its customers by reviewing personal data.
 As part of the AML requirements, information about clients engaging in suspicious transactions may need to be disclosed to the Anti-Money Laundering Suspicious Cases Unit.
 Rule 3.2 of AML requires any Authorised Firm to promptly provide the DFSA with any information requested by the
DFSA.
Sharing Data with Regulators 4 June 2013 6

 Regulatory Powers to Obtain Information
 DFSA Regulatory Law: powers of supervision and investigation
 DFSA may require by written notice:
 Procurement of specific information; and/or
 Production of specific documents
In such a manner as the DFSA prescribes
 Information requests under the Regulatory
Law, Notification provisions under GEN
4 June 2013 7 Sharing Data with Regulators

 FATCA
 A contractual agreement between an FFI and IRS
 Requirements:
– Obtain information on account holders to determine if accounts are US accounts
– Compliance with due diligence and verification procedures
– Report information on US accounts
– Deduct and withhold a 30% tax on “passthru” payments paid to account holders not providing relevant information (“recalcitrant account holders”) or non-participating FFIs
 Pursuant to contractual agreement entered into voluntarily, information must be shared with the regulator
4 June 2013 8 Sharing Data with Regulators

 Dodd Frank
 Any covered banking entity that has $1 billion or more in trading assets and liabilities on a worldwide consolidated basis would have to:
 comply with extensive quantitative measurements reporting requirements with respect to each trading unit
 maintain records documenting the preparation of the required reports and information sufficient to verify their accuracy for a period of 5 years
 Extra-territorial application might require data processing be undertaken and may be contrary to banking confidentiality
4 June 2013 9 Sharing Data with Regulators

 Dodd Frank
 Foreign entities that engage in:
– More than a de minimis level of qualifying swap activity with US person would be required to register with the CFTC as a “Swap Dealer”
– A level of qualifying US facing swap activity which has “direct and significant connection with the activities in, or effect on, commerce in the US” would be required to register with the CFTC as a “Major Swap Participant”
 Swaps Dealers/Major Swap Participants have entity level obligations and transaction level obligations
– Entity Level obligations include:
– Swap data recordkeeping
– Swap data reporting
– Transaction Level obligations include
– Real-time public reporting
– Trade confirmation
– Daily trading records
 Extraterritorial obligations may entail information sharing with the regulator contrary to banking confidentiality
4 June 2013 10 Sharing Data with Regulators

 For Example: Firm Head Office in the UK
 In this instance the Financial Conduct Authority may request information stored within a DIFC Branch.
– By court order
– Through the DFSA
– Direct request made pursuant to head office legislation/rules
– Direct request for information to be disclosed on a voluntary basis
Sharing Data with Regulators 4 June 2013 11

 As a result of financial institution transactions that have been called into question by regulators in other jurisdictions, the financial institution may commit to information sharing as part of a leniency programme
 Enforceable undertakings as part of
Enforcement Proceedings
Sharing Data with Regulators 4 June 2013 12

 Pursuant to DIFC Data Protection Law,
Personal Data may only be Processed if:
 Data Subject has given written consent
 Processing is necessary for the performance of a contract or in steps required prior to entering into it
 Processing is necessary for compliance with any legal obligations
 Processing is necessary for performance of a task carried out in the interests of the DIFC
 Processing is necessary to pursue legitimate interests of the firm provided the Data Subjects legitimate interests do not override these
4 June 2013 13 Sharing Data with Regulators

 Transfers out of the DIFC
 May only take place if an adequate level of protection for the personal data is guaranteed by the laws and regulations of the recipient.
 Where an adequate level of protection is not guaranteed additional requirements must be met, which may include obtaining a permit or written authorisation from the Commissioner of Data
Protection or written consent from the Data Subject.
4 June 2013 14 Sharing Data with Regulators

 The firm processing the Personal Data must make information available to the Data
Subject:
 Purposes for which the information is being processed
 Details of the recipients or categories of recipients of the Personal Data
 Existence of Data Subjects right of access to and right to rectify the Personal Data
Sharing Data with Regulators 4 June 2013 15

 Beyond the Data Protection Law, DIFC Law of Obligations imposes a duty of confidentiality of banking business
 Duty of confidentiality to customer not to misuse specific information received from another, directly or indirectly and which can reasonably be regarded as confidential
 Duty lasts beyond the end of the banking relationship
4 June 2013 16 Sharing Data with Regulators

 Sharing through compulsion of Law
 Permitted where Processing is necessary to comply with legal obligation to which the firm is subject
 AML
 Permitted where necessary to comply with legal obligation or where Processing is necessary prior to entering a contract
 At the request of local regulators
 Permitted where Processing is in the interests of the DIFC
4 June 2013 17 Sharing Data with Regulators

 Extra-Territorial Application of Foreign
Laws/Regulation
 Can argue that this is permitted in compliance with legal obligations
 Transfers out of the DIFC to jurisdictions lacking adequate levels of protection are permitted in certain situations including, but not limited to where:
– a permit is obtained from Commissioner of Data Protection;
– written consent is obtained from Data Subject;
– Transfer necessary for performance of contract
– Transfer necessary to protect vital interests of the Data Subject; or
– Transfer necessary to uphold legitimate interests of the Data Processor except where these are overriden by interests of Data Subject
September 08 18

 Voluntary disclosure to a regulator
 More difficult to justify within the scope of the Data
Protection Law
 Not a legal obligation nor necessarily permitted in the interests of the DIFC
 Legitimate interests of the Data Subject may override those of the firm Processing the information
4 June 2013 19 Sharing Data with Regulators

 In all instances, Personal Data may be legitimately
Processed where the Data Subject has provided their written consent
 Terms and Conditions signed by Data Subject when opening account should be reviewed to see if consent granted
 Process of ‘re-papering’ may be required to amend
Terms and Conditions
 Cannot have deemed consent to amend Terms and
Conditions where information sharing is concerned
Sharing Data with Regulators 4 June 2013 20

www.cliffordchance.com
Clifford Chance, 10 Upper Bank Street, London, E14 5JJ
© Clifford Chance 2013
Clifford Chance LLP is a limited liability partnership registered in England and Wales under number
OC323571
Registered office: 10 Upper Bank Street, London, E14 5JJ
We use the word 'partner' to refer to a member of Clifford Chance LLP, or an employee or consultant with equivalent standing and qualifications