Permitted Receivers - OneNDA Provision

Revision as of 10:29, 29 August 2023 by Amwelladmin (talk | contribs)

The kinds of people you’ll want to allow access to the confidential information under a confidentiality agreement.

NDA Anatomy™
JC’s guide to non-standard confidentiality agreements.
For the OneNDA, see the OneNDA Anatomy

The OneNDA clause
Who can I share it with?

  1. The Receiver may share the Confidential Information with its Permitted Receivers, but only if they:
    1. need to know it, and only use it, for the Purpose, and
    2. have agreed to keep it confidential and restrict its use to the same extent that the Receiver has.
  2. The Receiver is liable for its breach of this Agreement and any act or omission by a Permitted Receiver which would constitute a breach of this Agreement if it were a party to it.
  3. The Receiver may share the Confidential Information if required by law or regulation but must promptly notify the Discloser of the requirement if allowed by law or regulation.

view template

Tell me more
Sign up for our newsletter — or just get in touch: for ½ a weekly 🍺 you get to consult JC. Ask about it here.

Who’s in

The anal amongst you — what? Oh, come on guys you know you are — anyway, you anal folk may like to define those individuals to whom one may pass Confidential Information to carry out the Purpose as “Necessary Persons” or something equally tedious. Those people may be:

  • Professional advisers: Not usually controversial because they are by nature bound by professional protocol and fiduciary duties to respect confidentiality and may even buy you legal privilege for whatever that is worth these days.
  • Employees: The corporate veil may be impermeable but you do need someone with a head, any kind of head, and a beating heart to read and deal with the confidential information on the limited company’s behalf — but more fearful types may try to restrict which of your employees are in the gang (see below).
  • Regulators — compulsory disclosure to competent regulatory bodies, courts, and so on. Marginally more controversial is the obligation to disclose at polite but non-binding request of regulators. In any case, don’t agree to notify your counterparty of any regulatory requests. They may hotly insist they need to right to challenge the disclosure or take out an injunction or something but — well, yeah. Sure. For a better reason, see below.

Who’s out

  • Employees who don’t have a need to know: Especially those employed in front office trading capacities. The agent lending market has developed sophisticated masking strategies so that borrower’s books and records don’t carry the identities of their principals. If you are in the business of bringing in new clients don’t be alarmed at requests to restrict disclosure to KYC, credit, compliance and onboarding teams.

Affiliates, qua affiliates

It is a kind of obsession amongst a certain kind of legal eagle — usually, the same sort that will hotly insist on a counterparts clause — that one specify in elaborate detail which, or which sorts of, affiliate may have possession of the discloser’s innermost secrets.

The JC has never really understood this. A degree of control over another legal entity is surely an arbitrary marker which has nothing at all to do with one’s “purpose”, which one will have spent some time and intellectual energy explaining. Let that be your guide. For why should it make a difference that the person to whom you want to share the discloser’s good oil happens to be employed by a >51% related, or co-controlled, or parent or child — go on, shoot me — company?

If you sensibly contain the “purpose” and get your “permitted disclosees” right — namely those with a legitimate need-to-know the confidential information and who accept it with an equivalent degree of confidence, and for whom the contracting principle remains responsible, should they violate that confidence — then it really doesn’t matter if they are affiliates or not.

Direct contractual liability against disclosees

A nonce. Don’t go there: your very first lecture in the law of contract, or agency, should tell you why. The downstream disclosees are not parties to the contract. The contracting party therefore must certainly be liable for their breach of confidence, as if it had breached it directly. That is implied by the chain of contract – since recipients aren’t privy to the contract, the discloser can’t sue them, so it must surely be the contracting party’s responsibility to ensure that persons to whom it gives the information do not misuse it, and accept liability for their actions if they do.

A fundamental truth, alas not recognised by many in-house legal eagles: you can’t absolve yourself of your own contractual obligations just by delegating them to someone else.

Conditions

Obligation to notify provider of regulator requests

This is a common and oft accepted provision: where you are obliged to disclose to a regulator, you must first notify the provider of the information, to allow them to make representations, or try to get an injunction, to prevent disclosure. However excitable your counterparty is on this point — and junior lawyers at real money firms can be quite exciteable — resist this. It is potty. When you step through it, it is hard to see any real-world cases where your counterparty could or would actually try to stop disclosure to a regulator, and plenty of benign circumstances where disclosure is a matter of course. To wit:

Trade/transaction reporting: Brokers will be obliged to disclose a lot of trade-specific client information to regulators and exchanges every day on account of MiFID/EMIR trade and trade reporting. We are not going to repeatedly tell the client that.

Ad-hoc general information requests: Outside trade/transaction reporting, when regulators ask for ad hoc information from a broker, it is usually for a wide-ranging data set across whole trading books and sectors, covering multiple clients. It is unrealistic to accept Brokers to monitor which clients within that population have confis, much less a right to be specifically notified beforehand. Nor will they want to go to the trouble of getting all those consents. Why? BECAUSE LIFE IS TOO SHORT.

Ad-hoc client-specific information requests: Where a regulator specifically asks for data on a single client, it is likely the regulator will also have made equivalent disclosure requests to the client at the same time (or copied the client on those requests to the broker) — if the request is benign — and if it has not, the investigation is likely to be one where the regulator would not allow the broker to alert the client anyway, and indeed where such notification could be a criminal offence (market abuse, etc). Even where the notification clause carves out where “notification being illegal” this leaves the empty set of circumstances where the broker would have to give info about a specific client and the client doesn’t, but was entitled to know about it.

Commercial sensitivity: Lastly, the legitimate point of a confi is to respect the client’s legitimate interest in protecting the commercial value of non-public information. It is not to keep silent about behavioural turpitude; indeed a broker’s regulatory obligations may oblige it to report, without invitation, bad acts it observes, whether the client likes it or not and whether there is a confidentiality agreement or not. Generally, client information a broker holds is not legally or professionally privileged. Since, by definition, passing information to a regulator should not[1] prejudice the commercial value of that information, it is hard to see when client would have a valid reason to seek injunctive relief to prevent disclosure of information to a competent regulator.

And that is borne out by the JC’s tawdry personal experience (anecdotal though it may be, it does span 22 years and three different investment banks): the JC has never ever, ever seen anyone even try to get an injunction to stop disclosure of confidential information to a regulator.

Cut-out-and-keep response

Try sending your counterpart something like this (put “dear —”, and “kind regards” around it, of course):


Disclosure to regulators

There are three main reasons a regulator might require confidential information from us relating to a client:

Trade/transaction reporting: Brokers will be obliged to disclose a lot of trade-specific client information to regulators and exchanges every day on account of Dodd Frank and other regulatory reporting regimes (for example MiFID/EMIR trade and trade reporting). You should assume we will do that.

Ad-hoc general information requests: Outside trade/transaction reporting, when regulators ask for ad hoc information from us, it is usually for a wide-ranging data set across whole trading books and sectors, covering multiple clients. Given the benign nature of these requests, it is not practicable to obtain consents or make disclosures to all affected clients beforehand.

Ad-hoc client-specific information requests: Where a regulator specifically asks for data on a single client, either:

  • if the request is benign, the regulator is likely to have made equivalent disclosure requests to the client at the same time (or copied the client on those requests to the broker), or
  • if the request is not — that is, the investigation is one where the regulator would not allow us to alert the client anyway, we would not be able to, and such notification could be a criminal offence.

Thus, even where the notification clause carves out where “notification being illegal” this leaves the empty set of circumstances where we would have to give info about a specific client and the client doesn’t, but was entitled to know about it.

Lastly, a confidentiality agreement is designed to respect the client’s legitimate interest in protecting the commercial value of non-public information. It is not meant to be a tool to prevent regulatory disclosure. Generally, we will not be in a position to make demands as to how a regulator treats that information when we disclose it. Since passing information to a regulator should not generally prejudice the commercial value of that information, it is hard to see when client would have a valid reason to seek injunctive relief to prevent disclosure of information to a competent regulator, and our experience is that no client has ever in fact attempted to do so.


See also

References

  1. Absent a severe dereliction of the regulator’s duty, and in that case there’s not really much the broker can be expected to do about it, is there?