Recent communications from the U.S. Securities and Exchange Commission (SEC) indicate that the SEC is again considering registration of advisers located in the UK. The SEC had delayed approving UK and European Union (EU) investment managers’ applications for registration since the adoption of the EU’s General Data Protection Regulation (GDPR), due to concerns that the GDPR would impede the SEC’s ability to collect data from, and supervise, these UK and EU investment managers.
At this time, the SEC is only considering registration of firms located in the UK — not managers located in other EU member states.
The SEC expressed comfort that the GDPR contains broad enough exceptions to allow the SEC to access UK-based registered investment advisers’ books and records. This comfort stems in part from analysis provided to the SEC by the UK’s Information Commissioner’s Office (ICO).1 In a letter to the SEC, the ICO expressed the view that an SEC-regulated UK firm could transfer GDPR-protected information to the SEC on the basis of a GDPR Article 49 exemption for transfers of information “necessary for important reasons of public interest” (the Public Interest Derogation).2 The ICO also addressed the continuity of this interpretation, noting that the UK has left the EU and is currently in a transition period. In the letter, the ICO indicated that it does not anticipate any significant changes to the Public Interest Derogation for the transfer of personal data by SEC-regulated UK firms with the transition from the GDPR under EU law to the UK GDPR that will occur on January 1, 2021.3
What UK-Based Potential Registrants Need to Do
The ICO notes that any UK-based SEC registrant that intends to rely on the Public Interest Derogation must maintain evidence that it both carefully considered and appropriately applied the Public Interest Derogation. Specifically, a UK-based SEC registrant
- must pay particular attention to the necessity principle in determining whether the Public Interest Derogation is available and look to see if there are “precise and particularly solid justifications” that the transfer of information is necessary
- must both duly satisfy any SEC requests that are within the scope of the SEC’s regulatory powers and requirements and keep records demonstrating that it appropriately considered and satisfied the scope of the SEC’s request
Further, UK-based firms must comply with all GDPR requirements, including transparency obligations. For example, a UK firm should
- provide its customers and staff with privacy notices setting out how it will be handling personal data, including potential transfers of any such personal data to the SEC
- keep records of its processing of personal data, including relevant decisions about international transfers
How Sidley Can Help
The SEC has begun contacting UK-based pending registrants with instructions to file an other-than-annual updating amendment to Form ADV both to confirm that the registrant is still requesting registration with the SEC and to update any information that may have become materially inaccurate since the registrant’s initial Form ADV filing.
Sidley would be happy to help you prepare your initial Form ADV or your other-than-annual amendment and to assist you with documenting reliance on the Public Interest Derogation.
¹ Letter re: SEC transfer analysis, from James Dipple-Johnstone (ICO) to Raquel Fox (SEC) (Sept. 11, 2020) (ICO Letter).
²Art 49.1(d) GDPR.
³See ICO Letter at 7.