2019-03-18

Guidance on Confidentiality under the Financial Enterprises Act, Securities Trading Act, Securities Funds Act and Alternative Investment Fund Management Act

The Norwegian Financial Supervisory Authority issued this guidance to replace previous circulars and clarify confidentiality obligations for financial enterprises, securities firms, fund management companies, and alternative investment fund managers. It defines the scope of confidentiality, identifies who is considered non-relevant, and details specific exceptions including consent-based disclosures and statutory exemptions for preventing financial crime or protecting interests. The document further regulates information exchange within corporate groups and mandates strict confidentiality compliance for external contractors.

Finanstilsynet Norway

FINANSTILSYNET
Postboks 1187 Sentrum, 0107 Oslo

Circular 3/2019, 18.03.2019

Guidance on confidentiality under the Financial Enterprises Act, Securities Trading Act (securities firms), Securities Funds Act and Act on the Management of Alternative Investment Funds

The circular applies to:
• Financial enterprises
• Securities firms
• Management companies for securities funds
• Managers of alternative investment funds


1. Introduction

This guidance addresses certain issues regarding the confidentiality of customers' affairs and replaces Finanstilsynet's circulars 11/2000 and 10/2007. It covers confidentiality under the Financial Enterprises Act, the Securities Trading Act (insofar as it concerns securities firms), the Securities Funds Act and the Act on the Management of Alternative Investment Funds. The guidance does not cover obligations arising from the Personal Data Act or from other special rules, such as the requirements for proper handling of inside information under the Securities Trading Act; see Finanstilsynet's circular 4/2015.

1.1 General Starting Point

The enterprises have an extensive duty of confidentiality regarding the affairs of customers and others that they become acquainted with in the course of their business. The statutory confidentiality provisions are worded somewhat differently, but the content of the duty is largely the same for all the enterprises. Central purposes of the provisions are to protect customers, to prevent misuse of customer information, and to safeguard the overarching interest in the public's trust in the individual enterprise and in the financial market as a whole.

All information about the personal and business affairs of customers and others (hereinafter referred to collectively as customers) is covered by the duty of confidentiality. For securities firms, management companies and AIF managers, the law further provides that the duty of confidentiality covers knowledge of others' affairs more generally. For financial enterprises licensed to provide investment services etc., the confidentiality provision in the Securities Trading Act applies to the investment services business. Business affairs include information about an enterprise's economic, technical or administrative affairs, business plans, contracts, inventions and business strategies.

The duty of confidentiality covers board members and employees of the enterprise as well as the enterprise's contractors. For securities firms and fund managers, it also covers shareholders with decisive influence in the enterprise.

Disclosure of confidential information by the enterprise requires consent or a legal basis. The duty of confidentiality applies even if the information later becomes publicly available. Examples:
• If it becomes publicly known that a person has used an enterprise's services, the enterprise should not confirm this unless the information originates from the customer.
• Even if information about a customer's acquisition of shares becomes generally available in the shareholder register, the enterprise should not comment on the ownership.

A statutory duty to disclose takes precedence over the duty of confidentiality where the disclosure provision states or presupposes this. Finanstilsynet assumes that this applies only to Norwegian regulations. In the case of disclosure duties under foreign rules, it must be assessed specifically whether the party demanding the information can be considered "relevant" (i.e. not non-relevant) with respect to the information in question.

Section 2 discusses who can be considered non-relevant in relation to the duty of confidentiality. Exceptions to the duty of confidentiality are discussed in section 3. Confidentiality in groups is discussed in section 4, and section 5 contains some comments on contractors.

2. Non-Relevant Persons

The duty of confidentiality applies in relation to non-relevant persons (uvedkommende). This is explicitly stated in the Financial Enterprises Act, while it must be read into the other confidentiality provisions. The Financial Enterprises Act further has specific exceptions to the duty of confidentiality; see section 3 below.

Who is and is not "non-relevant" must be determined concretely. The question is whether the recipient has an objective and naturally justified need for the information. Enterprises must have a conscious relationship to which employees should have access to confidential information at any given time, including whether there should be special restrictions on which employees may access information about certain customers or customer groups. Securities firms must organize themselves and have routines that prevent the spread of confidential information; see the discussion of the special rules on information barriers in Finanstilsynet's circular 4/2015.

A specific assignment from a customer may in itself involve the disclosure of customer information, for example:
• An assignment for payment intermediation implies that the bank discloses and transfers the customer information necessary to carry out the assignment in question.
• Securities firms that arrange issues provide, as part of this, information to the issuer about the customers who subscribe for or are allocated shares. In bond issues, information about the securities firm's customers may be given when the issuer has reserved the right to see who has subscribed for and/or been allocated bonds.

Insurance enterprises may disclose information about the injured party to the tortfeasor to the extent necessary for the tortfeasor to take a position on a recourse claim from the enterprise.

Heirs who have received a power of attorney for estate administration from the district court (or Oslo City Sheriff's Office) are not considered non-relevant when it comes to information about the deceased's estate. They may be given information about deposits, debt and holdings of financial instruments. Information about transactions carried out before the certificate of inheritance was issued cannot be given.

Guarantors are not considered non-relevant with respect to information about the borrower. Which information may be given is stated in the Financial Agreements Act § 62 et seq. Disclosure of other information requires consent from the customer.

3. Exceptions to the Duty of Confidentiality

3.1 Consent

The duty of confidentiality does not prevent information from being disclosed with consent from those who have a right to confidentiality. This must be read into the individual confidentiality provisions; it is explicitly stated in the Financial Enterprises Act.

Active consent is required. When obtaining consent, it must be stated that the customer has a free choice, that the customer can withdraw consent at any time, and how this is done. A general consent from the customer to disclose customer information cannot be obtained: it must be specified which information the consent applies to and what the information will be used for. The customer must also be informed to whom the information may be disclosed. When customer information is disclosed to other enterprises in the same group, it must be stated which enterprises in the group the consent applies to and the purpose of the disclosure. Consent cannot be a condition for obtaining a service.

The Financial Enterprises Act requires written consent. Finanstilsynet assumes that the written-form requirement means that the consent must be documentable; as long as it can be documented, consent can be given via various technical solutions. The same applies in the securities sector.

3.2 Statutory Exceptions for Financial Enterprises

Under the Financial Enterprises Act § 16-2, the duty of confidentiality does not prevent a financial enterprise from giving another financial enterprise customer information in "special cases" if:

1. the purpose is to detect or prevent economic crime or other serious crime,
2. the purpose is to carry out customer assignments and settle claims from or against customers, or otherwise to safeguard the financial enterprise's or its customers' interests in a justified manner, or
3. it is necessary to communicate information about customers' health conditions and other personal data to another financial enterprise, except where otherwise follows from the Personal Data Act.

Disclosure of such information requires a board resolution in the enterprise. The board's competence may be delegated. Finanstilsynet believes that a general delegation resolution in such matters must specify which "special cases" the delegation covers, including which typical cases it will apply to.

The exception related to crime (point 1) may include information about fraud attempts by a customer that the enterprise expects will attempt the same against other financial enterprises.

The exception for "other justified safeguarding of the financial enterprise's or its customers' interests" (point 2) may cover various situations, for example:
• information necessary to safeguard a bank's interests in connection with customer exposures at risk of loss
• information necessary for consolidation for capital requirement purposes, or for calculating the largest exposure to a single customer on a group basis
• insurance cases where there is suspicion of fraud (may also be covered by point 1)

The right to disclose information about health conditions and other personal data (point 3) applies both when concluding an insurance agreement and in a claims settlement. The purpose of the exception is to counteract insurance fraud.

3.3 Special Remarks on Management Companies, AIF Managers and Securities Firms

As for financial enterprises, there may be a need, e.g. in a securities firm, to disclose information to other Norwegian enterprises when the purpose is to detect or prevent serious crime. Finanstilsynet assumes that other enterprises may in special cases be regarded as relevant (not non-relevant) recipients of customer information. This does not, for example, justify establishing a "blacklist" of bad payers; the prerequisite is that serious crime is involved. It must further be a condition that the recipient is subject to supervision by Finanstilsynet, is covered by a statutory duty of confidentiality, and that the disclosure cannot otherwise be considered objectionable. A decision to disclose must be subject to proper internal processing.
Securities firms, management companies and AIF managers may also in other situations need information from other such enterprises or from financial enterprises in order to safeguard the enterprises' or customers' interests. This applies, for example, to investment advice by securities firms, where the firm has a duty to assess whether a product is suitable for the customer. Finanstilsynet assumes that in such cases the customer must consent to the disclosure of this information, and that the consent must state which enterprises and which specific information it applies to.

4. Confidentiality in Groups

The Financial Enterprises Act § 18-5 has rules on the exchange of customer information between group enterprises. The provision governs a financial enterprise's right to exchange information with another financial enterprise in the group.

Information about customer relationships may be disclosed when this is required in order to fulfil steering, control or reporting requirements for the business in the financial group. An example is a bank that uses internal models covering exposures to customers who are customers of several group companies: the customer's estimated probability of default (PD) should be the same for all exposures, and the group companies may exchange the customer information necessary to ensure this.

A financial enterprise has a general right to disclose the following information about a specific customer to another financial enterprise in the group (§ 18-5 second paragraph):
• the customer's name and organization number
• date of birth for private customers
• how the customer can be contacted (all contact points the customer has given the enterprise)
• what types of financial services or products the enterprise's customer relationship covers

This customer information may be registered in a joint customer register. The customer register may disclose the same information about a specific customer to other financial enterprises in the group, as well as information about which group enterprises the customer has a customer relationship with. The financial enterprise may only disclose a private customer's national identity number to a joint customer register for the financial group when the purpose of registering the number is the enterprise's administration of the customer relationship.

More detailed information about the content of the customer relationship, such as deposits, loans and insurance terms, is covered by the duty of confidentiality and cannot be disclosed to a group customer register without consent from the customer. The customer cannot consent to the enterprise registering health information from insurance relationships in a joint group customer register; health information must be handled separately as a special category of (sensitive) personal data under the General Data Protection Regulation.

Even though Finanstilsynet recognizes that there may be a need to establish a joint customer register in a group, it is assumed that the respective confidentiality provisions do not allow securities firms, management companies and AIF managers to exchange the "neutral" customer information that forms the basis for a joint customer register with other enterprises in a financial group.

In a joint central customer register, the enterprise must have satisfactory systems for authorization and access control to the register.

5. Special Remarks on Contractors

All contractors who receive confidential information are covered by the duty of confidentiality. This includes, among others, ICT consultants, appraisers hired in connection with claims settlement, external doctors and lawyers. Enterprises must make contractors aware of the duty of confidentiality. Contractors should sign a confidentiality declaration before the assignment begins. If the contractor is an enterprise, the confidentiality declaration must be signed by all of that enterprise's employees who are given access to confidential information.

Enterprises must check that contractors observe their duty of confidentiality. Contractors should only have access to the information necessary to carry out the assignment.

FINANSTILSYNET Postboks 1187 Sentrum 0107 Oslo POST@FINANSTILSYNET.NO WWW.FINANSTILSYNET.NO