# **ALLEN & OVERY**

#### Allen & Overy LLP

#### **MEMORANDUM**

To Nomura International Plc

1 Angel Lane

London, EC4R 3AB United Kingdom

With a copy to:

United States Securities and Exchange Commission

SEC Headquarters

100 F Street

NE Washington, DC 20549-1090

United States of America

From Allen & Overy LLP, Singapore

Our ref 0012391-0003100/SHUK/ANGYU/UKO1: 2005697716.5

Date 28 October 2021

Subject SEC registration as a non-resident security-based swap dealer

#### 1. BACKGROUND

- 1.1 We understand that Nomura International plc (NIP), a bank regulated in UK by the Financial Conduct Authority and Prudential Regulation Authority, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).
- 1.2 To register as an SBSD with the SEC, a non-resident SBSD<sup>1</sup> such as NIP must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:
  - (a) provide the SEC with prompt access to relevant records as defined in this paragraph (**Covered Records**); and
  - (b) submit to on-site inspection and examination of its Covered Records by the SEC (**On-Site Inspection**).

Allen & Overy LLP is registered in Singapore with Unique Entity Number T04FC6518D.

Allen & Overy LLP is a limited liability partnership registered in England and Wales with registered number OC306763. It is authorised and regulated by the Solicitors Regulation Authority of England and Wales, The term partner is used in relation to Allen & Overy LLP to refer to a member of Allen & Overy LLP or an employee or counsel with equivalent standing and qualifications. A list of the members of Allen & Overy LLP and of the non-members who are designated as partners is open to inspection at its registered office, One Bishops Square, London E1 6AD and at the above address.

Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Bangkok, Beijing, Belfast, Bratislava, Brussels, Budapest, Casablanca, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles, Luxembourg, Madrid, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Rome, São Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. and Yangon.

In the case of a corporation, an SBSD will be "non-resident" if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As NIP is incorporated in the UK, NIP fulfils this definition of a "non-resident" SBSD.

- "Covered Records" comprise only telephone recordings which relate to conversations between each Nomura Singapore Affiliate and their clients.
- 1.3 The Nomura group utilises certain cross-border trading/booking models that will result in personnel from other entities being involved in certain trades where NIP ultimately faces the counterparty. In this regard, NIP may maintain certain Covered Records with its affiliates in Singapore, namely Nomura Singapore Limited (licensed as a merchant bank in Singapore) (NSL), Nomura Investments (Singapore) Pte. Ltd and Nomura Special Investments Singapore Pte. Ltd (the latter two, collectively, the Nomura Singapore Unregulated Affiliates and together with NSL collectively, the Nomura Singapore Affiliates).
- 1.4 You have asked us to issue an opinion affirming that the Nomura Singapore Affiliates will be able to provide the SEC with prompt access to its Covered Records and submit to On-Site Inspection by the SEC in accordance with paragraph 1.2 above.
- 1.5 For the purposes of this opinion, the legal or natural person imparting the information subject to the relevant banking secrecy or data protection requirements will be the **Rights Holder** and the person receiving that information, in this case each Nomura Singapore Affiliate, will be the **Recipient**.
- 1.6 This opinion relates solely to access provided to the SEC of Covered Records held by Nomura Singapore Affiliates in Singapore and On-Site Inspection of Nomura Singapore Affiliates by the SEC in Singapore. This opinion excludes records held in the US. Where matters considered in this opinion are not governed by laws applying to Singapore, this opinion relates solely to matters of Singapore law.
- 1.7 This opinion has been prepared in accordance with NIP's specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party law firm which we have used to inform the scope of our opinion.
- 1.8 The issues addressed in this opinion apply equally across all Covered Records based upon the information actually contained in each of the relevant Covered Records. We have not examined any such records.
- 1.9 The opinions expressed herein are rendered on and as of the date hereof, and we assume no obligation to advise you (or any other person who may rely on this opinion letter), or undertake any investigations, as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein. To that end, we acknowledge that SEC rules require a non-resident SBSD to re-certify within ninety days after any changes in the legal or regulatory framework that would impact the ability of the SBSD to provide, or the manner in which it would provide, prompt access to its books and records, or would impact the ability of the SEC to inspect and examine the SBSD. Upon such change of law, the SBSD is required to submit a revised opinion describing how the SBSD will continue to meet its obligations.
- 1.10 The opinion statements to the effect that the Nomura Singapore Affiliates "can", as a matter of Singapore law, take certain actions is not an expression of any opinion or a confirmation that it may (lawfully) do so in any given instance where the opportunity, or request, or requirement to do so arises. It is a fundamental part of this opinion that the banking secrecy or data protection regulations stipulate certain legal bases on which such action may be taken, but the lawfulness of actually taking such action is subject to the scope and qualifications of the relevant legal basis and other applicable provisions of the banking secrecy or data protection regulations, as set out in this opinion. The justification for whether such legal basis has been made out, and the extent of (and qualifications to) its application to the relevant data to which the relevant action relates, must be determined on a case-by-case basis by the Nomura Singapore Affiliates (as and when the SEC requires disclosure of or access to Covered Records that may contain customer information or personal data) after due and careful consideration.

- 1.11 In giving this opinion, we have made the further assumptions set out in Section 2 below.
- 1.12 No opinion is expressed on matters of fact.

### 2. ASSUMPTIONS

This opinion relies on the following assumptions:

- 2.1 This opinion relates solely to the laws of Singapore in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.
- 2.2 NIP, including the Nomura Singapore Affiliates, has a "prudential regulator" as defined by Section 3 of the US Securities Exchange Act of 1934. As such, the Covered Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
- 2.3 Additionally, in accordance with SEC Guidance at 85 FR 6297, records pertaining to SBS transactions entered into prior to the date that NIP submits an application for registration are not Covered Records.
- 2.4 Subject to the matters addressed in this opinion, the Nomura Singapore Affiliates have reached the conclusion that remote access from the US to Covered Records held in Singapore is permissible under the laws of Singapore. Necessary access to the records can be supported in the United States.
- 2.5 Where NIP keeps its records in the United States, it does so in accordance with SEC rules.
- 2.6 The Nomura Singapore Affiliates have obtained any necessary prior consent of the persons (e.g., counterparties, clients) whose information is or will be included in Covered Records in order to provide the SEC with access to its Covered Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Where personal data is to be provided to the SEC, the individual to whom the personal data relates was, before giving his or her consent, given a reasonable summary in writing of the extent to which the personal data to be transferred to the SEC in the US will be protected to a standard comparable to the protection under the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA).
- 2.7 Where the Nomura Singapore Affiliates require an individual to consent to the transfer of personal data as a condition of providing a product or service relating to its role as an SBSD, the transfer is reasonably necessary to provide the product or service to the individual, this being a condition imposed by the SEC as a requirement for the Nomura Singapore Affiliates conducting business as an SBSD.
- 2.8 There are no licence conditions in NSL's merchant bank licence or directives issued by the Monetary Authority of Singapore (MAS) to NSL which would restrict NSL from submitting to On-Site Inspection by the SEC.
- 2.9 Neither the contractual arrangements with its customers or within its own organisation (including any standard contractual clauses or other intragroup data transfer mechanism or protocol) nor any orders by, or other arrangements with, its regulators or other supervisory authorities (including the MAS) prohibit the Nomura Singapore Affiliates from providing the SEC with prompt access to the Covered Records or to submit to On-Site Inspection and examination of the Covered Records by the SEC.
- 2.10 The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of assisting the SEC in fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated Singapore firms (which includes regulating, administering, supervising, enforcing and

- securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour such as money laundering, fraud or sanction evasion.
- 2.11 Similarly, the Nomura Singapore Affiliates will ensure that their disclosures are compliant with the data protection principles set out in the PDPA. We understand that the Nomura Singapore Affiliates' general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that the Nomura Singapore Affiliates can and (subject to any changes in applicable law) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Records and submitting to On-Site Inspection.
- 2.12 It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts. We understand that this aligns with the Nomura Singapore Affiliates' general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators).
- 2.13 Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,<sup>2</sup> pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.
- 2.14 The MoU is in full force and effect and no notice of termination has been sent pursuant to Article 24 thereof.

### 3. OPINION STATEMENTS

Subject to the assumptions and qualifications above it is our opinion that:

- 3.1 The Nomura Singapore Unregulated Affiliates can, as a matter of applicable Singapore law, submit to On-Site Inspection by the SEC. NSL can, as a matter of applicable Singapore law, submit to On-Site Inspection by the SEC, provided the MAS' prior approval is obtained. The remainder of this opinion focuses on the Nomura Singapore Affiliates' ability to disclose information contained in Covered Records to the SEC in the course of On-Site Inspection and the ability to provide the SEC with prompt access to Covered Records.
- 3.2 The Nomura Singapore Affiliates can, as a matter of applicable Singapore law, provide the SEC with access to Covered Records held by each entity in Singapore.<sup>3</sup>

0012391-0003100 UKO1: 2005697716.5

4

We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.

Where a restriction on the ability to disclose personal data, confidential information or customer information applies, consent from the Rights Holder, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. The obligations arising under statute in relation to banking secrecy and data protection and the common law duty of confidentiality are separate and distinct. However, where both banking secrecy and data protection requirements apply, the requirements in relation to banking secrecy must be met. Please note that valid consent is assumed in Assumption 2.6.

# **Banking Secrecy**

- 3.3 The banking secrecy obligations under the Banking Act only applies to NSL as a licensed merchant bank. Customer information can only be disclosed by NSL pursuant to legal bases expressly provided in the Banking Act. Disclosure of customer information is permitted with consent, or under another exception under the Banking Act.
- 3.4 The banking secrecy obligations will not apply to any information contained in the Covered Records or to On-Site Inspection insofar as the information does not constitute "customer information" i.e. where the information relates to NSL itself, rather than its customers.
- 3.5 Absent consent, we consider that it may be difficult for NSL to rely on any other exception under the Banking Act for disclosure.

## **Duty of Confidentiality**

- 3.6 The general duty of confidentiality applies to non-public information held or controlled by the Nomura Singapore Affiliates that relates to any person. Disclosure with consent would not amount to a breach of these legal duties.
- 3.7 These duties of confidentiality will not apply to any information contained in the Covered Records or to On-Site Inspection insofar as information made available to the SEC is owned by or relates to each Nomura Singapore Affiliate itself, rather than by or to their clients.

### **Data Protection**

- 3.8 Disclosures of personal data relating to the Nomura Singapore Affiliates' clients are subject to certain restrictions under the PDPA. However, there are certain legal bases for making disclosures that would be available to the Nomura Singapore Affiliates if they were required by the SEC to make available personal data.
- 3.9 Apart from obtaining consent, the legitimate interests exception is likely to be the most applicable ground under the PDPA to enable disclosure of Covered Records to the SEC and to permit On-Site Inspection.
- 3.10 Further, we consider that the Nomura Singapore Affiliates could make transfers of personal data to the SEC in the US. Unless valid consent is obtained, the Nomura Singapore Affiliates would need to satisfy themselves that the SEC is bound by laws to provide the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA<sup>4</sup>.

This summary opinion is not a substitute for the full expression of our views set out in Section 4.

### 4. DISCUSSION

# **Banking Secrecy**

4.1 Section 47(1) of the Banking Act (Cap. 19) (**Banking Act**) provides that "customer information" shall not, in any way, be disclosed by a bank in Singapore or any of its officers to any other person except as expressly provided in the Banking Act. Any person who contravenes section 47(1) of the Banking Act will be guilty of an offence and will be liable on conviction (a in the case of an individual, to a fine not exceeding \$\$125,000 or to imprisonment for a term not exceeding 3 years or to both; or (b) in any other case, to a fine not exceeding \$\$250,000.

Please note that valid consent is assumed in Assumptions 2.6 and 2.7.

- 4.2 Section 55ZI of the Banking Act states that subject to certain modifications, section 47 and the Third Schedule to the Banking Act apply to or in relation to a merchant bank in Singapore as they apply to or in relation to a bank in Singapore.
- 4.3 As NSL is a merchant bank in Singapore, the restriction on the disclosure of information under the Banking Act would apply to NSL insofar as the Covered Records contain "customer information". The discussion that follows below does not apply to the Nomura Singapore Unregulated Affiliates.
- 4.4 The Singapore Court of Appeal has held<sup>5</sup> that in light of the plain wording of section 47 of the Banking Act, our current statutory regime is the exclusive regime governing banking secrecy in Singapore, and the general common law exceptions expounded in *Tournier*<sup>6</sup> do not apply.<sup>7</sup>
- 4.5 In relation to a bank, a "customer" as defined under the Banking Act does not include any company which carries on banking business or such other financial institution as may be designated by MAS by notice in writing. In addition, the definition of "customer" excludes any company carrying on merchant banking business or investment banking business<sup>8</sup>. A "customer" may include the MAS or any monetary authority or central bank of any other country or territory.
- 4.6 The term "customer information", in relation to a bank, means:
  - (a) any information relating to, or any particulars of, an account of a customer of the bank, whether the account is in respect of a loan, investment or any other type of transaction, but does not include any information that is not referable to any named customer or group of named customers; or
  - (b) deposit information.
- 4.7 The term "deposit information", is defined under the Banking Act as information relating to the following matters:
  - (a) any deposit of a customer of the bank;
  - (b) funds of a customer under management by the bank; or
  - (c) any safe deposit box maintained by, or any safe custody arrangements made by, a customer with the bank,

but does not include any information that is not referable to any named person or group of named persons.

# Permitted disclosure of customer information

4.8 Section 47(2) of the Banking Act provides that customer information may be disclosed for such purposes and to such persons or class of persons as specified in the Third Schedule to the Banking Act (Banking Secrecy Exceptions). We discuss the Banking Secrecy Exceptions that are relevant to NSL in the current situation below.

Susilawati v American Express Bank Ltd [2009] 2 SLR(R) 737

<sup>6</sup> Tournier v National Provincial and Union Bank of England [1924] 1 KB 461

Singapore's legal system, based on common law, was inherited from Britain, and UK case law would generally be instructive. In the seminal case of *Tournier*, the English Court of Appeal held that a banker came under an implied duty to keep the affairs of a customer confidential, subject to four general exceptions under which disclosure could be made by the bank. The Singapore Court of Appeal in *Susilawati* wanted to make it clear that *Tournier* is no longer applicable in Singapore, and the general exceptions to a banker's implied duty to keep the affairs of a customer confidential stated therein do not run parallel to the statutory exceptions provided for under section 47 of our Banking Act. In light of the plain wording of section 47, our current statutory regime on banking secrecy leaves no room for the four general common law exceptions expounded in *Tournier* to co-exist. They have been embraced within the framework of section 47 of the Banking Act, which is now the exclusive regime governing banking secrecy in Singapore.

MAS Notice 631 – Meaning of Customer Under Section 40A

#### Consent

4.9 Under Paragraph 1 of Part I of the Third Schedule to the Banking Act, disclosure of customer information to any person is permitted where the customer has given their consent to the disclosure in writing.

## Compliance with specified law

- 4.10 Customer information may be disclosed when permitted by a specified statutory provision.
- 4.11 Under Paragraph 5 of Part I of the Third Schedule to the Banking Act, customer information may be disclosed to any police officer or public officer duly authorised under the specified written law to carry out the investigation or prosecution or to receive the complaint or report, or any court, if the disclosure is necessary for (a) compliance with an order or request made under any specified written law to furnish information, for the purposes of an investigation or prosecution, of an offence alleged or suspected to have been committed under any written law; or (b) the making of a complaint or report under any specified written law for an offence alleged or suspected to have been committed under any written law.
- 4.12 This exception relates to disclosure pursuant to Singapore legislation, and a provision of US law, such as an SEC Rule, will not be sufficient for this purpose. Equally, a US court order will not be sufficient for this purpose.
- 4.13 The MAS has signed a tripartite Memorandum of Understanding with the SEC and Commodity Futures Trading Commission (**CFTC**) in May 2000 (**MoU**)<sup>10</sup>. Under the MoU, MAS, SEC and CFTC agree to provide mutual assistance and exchange information necessary for investigations into offences or fraudulent practices regarding securities and futures transactions, as well as to facilitate the effective performance of their supervisory functions and enforcement of laws and regulations.
- 4.14 However, given that the MoU lacks the authority of statute, it should not be relied upon by NSL for the purpose of this exception.

### Request from parent supervisory authority

- 4.15 Under Paragraph 8 of Part I of the Third Schedule to the Banking Act, customer information may be disclosed to the "parent supervisory authority" of a foreign-owned bank incorporated in Singapore, where the disclosure is strictly necessary for compliance with a request made by its parent supervisory authority.
- 4.16 The term "parent supervisory authority" means, in relation to a foreign-owned merchant bank incorporated in Singapore<sup>11</sup>, a supervisory authority that has consolidated supervision authority over the merchant bank.
- 4.17 As NSL's sole shareholder is Nomura Asia Pacific Holdings Co., Ltd incorporated in Japan, this exception would likely apply to requests made by the Japanese regulatory authorities e.g. the Japan Financial Services Agency, and requests from the SEC will unlikely be sufficient for NSL to rely on this exception.

The term "specified written law" means the Companies Act (Cap. 50), the Criminal Procedure Code (Cap. 68), the Goods and Services Tax Act (Cap. 117A), the Hostage-Taking Act 2010, the Income Tax Act (Cap. 134), the Internal Security Act (Cap. 143), the Kidnapping Act (Cap. 151), the Moneylenders Act 2008 (Act 31 of 2008) and the Prevention of Corruption Act (Cap. 241).

Available at: <a href="https://www.sec.gov/about/offices/oia/oia">https://www.sec.gov/about/offices/oia/oia</a> bilateral/singapore.pdf

The term "foreign-owned merchant bank incorporated in Singapore" means a merchant bank incorporated in Singapore, the parent bank of which is incorporated, formed or established outside Singapore.

- 4.18 Specifically in relation to inspections, under section 45 of the Banking Act, a parent supervisory authority may, with the prior written approval of the MAS and under conditions of secrecy, conduct an inspection in Singapore of the books of NSL if the following conditions are satisfied:
  - (a) the inspection is required by the parent supervisory authority for the sole purpose of carrying out its supervisory functions;
  - (b) the parent supervisory authority:
    - (i) is prohibited by the laws applicable to the parent supervisory authority from disclosing information obtained by it in the course of the inspection to any other person; or
    - (ii) has given to the MAS such written undertaking, as to the confidentiality of the information obtained, as the MAS may determine; and
  - (c) the parent supervisory authority has given a written undertaking to the MAS to comply with the provisions of the Banking Act and such conditions as the MAS may impose.
- 4.19 However, the requirement for approval and the restrictions under section 45 of the Banking Act do not apply to any inspection by a parent supervisory authority of the books of any office of a bank in Singapore, if the parent supervisory authority is an AML/CFT authority<sup>12</sup> and exercises consolidated supervision<sup>13</sup> authority over that bank; and the inspection is solely for the purpose of such consolidated supervision.
- 4.20 As discussed above, section 45 of the Banking Act will not be applicable as the SEC is unlikely to be regarded as NSL's parent supervisory authority.

## **Restrictions on On-Site Inspections**

- 4.21 Separate and distinct from the banking secrecy requirements, NSL, as a person exempt under section 99(1)(b) of the Securities and Futures Act (Cap. 289) (SFA) (known otherwise as a relevant person), is also subject to section 150B of the SFA. The discussion that follows below does not apply to the Nomura Singapore Unregulated Affiliates.
- 4.22 Section 150B of the SFA provides that a foreign regulatory authority<sup>14</sup> of a country or territory other than Singapore may conduct an inspection **in Singapore** of the books<sup>15</sup> of a relevant person with the prior written approval of the MAS and under conditions of secrecy (emphasis added ours). It should be noted that unlike under section 45 of the Banking Act, the definition of "foreign regulatory authority" is wider than that in the Banking Act (where the specific terminology is "parent supervisory authority"). The Covered Books and Records in this case would constitute "books", given the latter term's wide definition in the SFA. Read together, the foregoing means that insofar as the SEC wishes to conduct an On-Site Inspection in Singapore on the Covered Books and Records held by NSL, prior approval of the MAS must be obtained.
- 4.23 In deciding whether to grant approval to a foreign regulatory authority, the MAS will have regard to (amongst others) the following factors:

0012391-0003100 UKO1: 2005697716.5

The term "AML/CFT authority" means a public authority of a foreign country which is responsible for the supervision of foreign financial institutions in that foreign country.

In relation to an AML/CFT authority of a foreign country, this means the supervision by the AML/CFT authority of foreign financial institutions carrying on any financial activities in that country for compliance with the AML/CFT requirements of that country applicable to those institutions.

This is defined as an authority of a country or territory other than Singapore, exercising any function that corresponds to a regulatory function of the MAS under the MAS Act (Cap. 186).

Under the SFA, the term "book" refers to includes any record, register, document or other record of information, and any account or accounting record, however compiled, recorded or stored, whether in written or printed form or on microfilm or in any other electronic form or otherwise.

- (a) whether the inspection, and the information obtained in the course of the inspection, is required by the foreign regulatory authority for the sole purpose of enabling the foreign regulatory authority to carry out its regulatory functions;
- (b) whether the foreign regulatory authority has regulatory oversight in its jurisdiction over the relevant person;
- (c) whether the foreign regulatory authority is prohibited by the laws applicable to it from disclosing information obtained by it in the course of the inspection to any other person; and
- (d) whether the foreign regulatory authority has provided or is willing to provide similar assistance to the MAS.
- 4.24 Under section 150B(3) of the SFA, the MAS may impose conditions or restrictions on the foreign regulatory authority relating to:
  - (a) the classes of information to which the foreign regulatory authority shall or shall not have access in the course of the inspection;
  - (b) the conduct of the inspection;
  - (c) the use or disclosure of any information obtained in the course of the inspection; and
  - (d) such other matters as the MAS may determine.
- 4.25 The MAS' Responses to the Consultation Paper on Proposed Amendments to the Securities and Futures Act, Financial Advisers Act and Trust Companies Act issued in July 2018 suggest that the primary rationale of section 150B of the SFA is to safeguard the confidentiality of information relating to the Singapore businesses of such entities<sup>16</sup>.
- 4.26 We are not aware of the MAS having denied consent to an on-site inspection in Singapore under section 150B of the SFA or more generally having acted in a way which is contrary to the terms of the MoU.
- 4.27 In the current context, it would appear to us that the MAS would likely take into account the assumptions set out in paragraphs 2.10, 2.12, 2.13 and the existence of the MoU (subject to the assumption in paragraph 2.14)<sup>17</sup> when determining whether it would provide the necessary approval or impose relevant conditions or restrictions.

## **Duty of Confidentiality**

4.28 Even where the Covered Records to be disclosed to the SEC do not comprise "customer information" for the purposes of the Banking Act, NSL must also be aware of its potential obligations and exposures arising under a common law duty of confidentiality. This duty is separate and distinct from the statutory banking secrecy obligations described above, and applies to all Nomura Singapore Affiliates.

There is, to our knowledge, no suggestion that the MoU has been terminated.

0012391-0003100 UKO1: 2005697716.5

The MAS' Responses to the Consultation Paper on Proposed Legislative Amendments to Authorise Inspections by Foreign Regulatory Authorities under the Financial Advisers Act further suggest that the MAS may impose any necessary conditions relating to confidentiality of information to be set out via a written undertaking to be signed by the foreign regulatory authority. It should be noted that this was stated in respect of the Financial Advisers' Act, but the provisions in question are *in pari materia* with that set out in section 150B of the SFA.

- 4.29 In the case of *Invenpro (M) Sdn Bhd v JCS Automation Pte Ltd* [2014] 2 SLR 1045, George Wei JC (as he then was) recapped the well established position <sup>18</sup> that in order for a breach of the duty of confidentiality to be established, the following elements must be met:
  - (a) the information must possess the necessary quality of confidentiality.
  - (b) the information must have been imparted (or received) in circumstances such as to import an obligation of confidentiality.
  - (c) there must be unauthorised use of the information and detriment.
- 4.30 In the English case of *Thomas Marshall v Guinle* [1979] 1 Ch 227, Megarry VC framed the elements in the following terms:
  - (a) the owner of the information must believe that release of the information would be injurious to the owner of it or of advantage to rivals;
  - (b) the owner must believe that the information is confidential, i.e. not in the public domain;
  - (c) the owner's belief in relation to (a) and (b) above must be reasonable; and
  - (d) the disclosure of information must be judged in the light of the usage and practices of the industry concerned.
- 4.31 We next examine each limb of the general test as stated in the *Invenpro* case in the paragraphs that follow.

### Quality of confidentiality

4.32 First, information will possess the necessary quality of confidence if it remains relatively secret or relatively inaccessible to the public as contrasted to information already in the public domain. Information may be considered as confidential as a whole even if parts of that information are already in the public domain. In the current instance, as the information contained in the Covered Records are not publicly available, they will likely possess this necessary quality of confidence insofar as that information relates to the Nomura Singapore Affiliates' clients and is not information owned by or relating to Nomura itself.

## **Circumstances of confidence**

4.33 Next, we turn to the obligation of confidence. In *Coco v Clark*, where the parties had dealt with each other in the course of negotiations which failed to result in a contract, the English Court held that the conscience of the defendant was implicated since any reasonable person in the shoes of the recipient would have known on reasonable grounds that the information was confidential and given in confidence. Where, and to the extent that, the Covered Records concern information provided by the customer (that is not "customer information"), this would likely satisfy the requirement that the Recipient, in this case being the Nomura Singapore Affiliates, knew or ought to have known that the information was to be treated confidentially.

### Unauthorised use

4.34 Finally, to establish a breach of the duty of confidence, the person who has disclosed the information must be shown to have made an unauthorised use of the confidential information imparted/received

Citing Saltman Engineering Co v Campbell Engineering Co (1948) 65 RPC 203 and Coco v A N Clark (Engineers) Ltd [1969] RPC 41. Singapore cases following this approach include: X Pte Ltd v CDE [1992] 2 SLR(R) 575, Chiarapurk Jack v Haw Par Brothers International Ltd [1993] 2 SLR(R) 620 and Stratech Systems Limited v Guthrie Properties (S) Pte Ltd [2001] SGHC 77.

- under a duty of confidence. This is largely a question of fact and (in relation to the present case) requires consideration of the issue of what (if any) was permitted by the Rights Holder.
- 4.35 If the fact of disclosure was made known to, or consented by the Rights Holder, then this would avoid or at least substantially mitigate the concern regarding breach of confidence.

### **Data Protection**

- 4.36 The PDPA will apply to the Nomura Singapore Affiliates' disclosure of Covered Records to the SEC to the extent that these comprise or contain personal data.
- 4.37 Under section 4(6) of the PDPA, the provisions of other written laws will prevail to the extent that any provision of the PDPA is inconsistent with the provisions of that other written law (such as the Banking Act). As such, only in respect of NSL, the application of the provisions under the Banking Act would prevail over the provisions in the PDPA, insofar as customer information is involved.
- 4.38 The PDPA governs the collection, use and disclosure of personal data by organisations. The term "personal data" means data, whether true or not, about an individual who can be identified:
  - (a) from that data; or
  - (b) from that data and other information to which the organisation has or is likely to have access.
- 4.39 However, the provisions under the PDPA generally do not apply to "business contact information" i.e. an individual's name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes.
- 4.40 Key restrictions in the PDPA relating to the Nomura Singapore Affiliates' ability to disclose personal data to the SEC are set out below.

### Legal basis for the disclosure

#### Express consent

- 4.41 Disclosure of personal data by the Nomura Singapore Affiliates to the SEC is permitted where the Rights Holder has given their consent to the disclosure and has been informed of the purposes for the disclosure of the personal data.
- 4.42 Under section 13 of the PDPA, an organisation must not collect, use or disclose personal data about an individual unless:
  - (a) the individual gives, or is deemed to have given, his consent under the PDPA to the collection, use or disclosure; or
  - (b) the collection, use or disclosure, without the consent of the individual is required or authorised under the PDPA or any other written law.
- 4.43 Under section 14 of the PDPA, an individual will not be considered to have given consent unless the individual has been informed of the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before collecting the personal data; and the individual provided his consent for that purpose in accordance with the PDPA. Under section 18 of the PDPA, organisations may only collect, use or disclose personal data about an individual for purposes that a reasonable person would consider appropriate in the circumstances; and that the individual has been informed of.

- 4.44 An organisation must also not:
  - (a) as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or
  - (b) obtain or attempt to obtain consent for collecting, using or disclosing personal data by providing false or misleading information with respect to the collection, use or disclosure of the personal data, or using deceptive or misleading practices.

## Legitimate interests

- 4.45 The Nomura Singapore Affiliates may disclose personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 3 of the Second Schedule to the PDPA. However, the Legitimate Interests Exception is likely to be the most appropriate ground on which the Nomura Singapore Affiliates could rely in relation to their disclosure of Covered Records to the SEC and to permit On-Site Inspection.
- 4.46 Under Part 3 of the First Schedule to the PDPA, an organisation may disclose personal data without consent if the disclosure of personal data about an individual is in the legitimate interests of the organisation or another person; and the legitimate interests of the organisation or other person outweigh any adverse effect on the individual (**Legitimate Interests Exception**).
- 4.47 In order to rely on the Legitimate Interests Exception, the Nomura Singapore Affiliates must (a) conduct an assessment before disclosing the personal data; and (b) provide the individual with reasonable access to information about the organisation's disclosure of personal data.
- 4.48 The Nomura Singapore Affiliates must, in respect of the assessment:
  - (a) identify any adverse effect<sup>19</sup> that the proposed disclosure of personal data about an individual is likely to have on the individual; and
  - (b) identify and implement reasonable measures to:
    - (i) eliminate the adverse effect;
    - (ii) reduce the likelihood that the adverse effect will occur; or
    - (iii) mitigate the adverse effect.
- 4.49 Under Reg 15 of the Personal Data Protection Regulations 2021 (PDPR), the assessment must:
  - (a) specify:
    - (i) the types and volume of personal data to be disclosed;
    - (ii) the purpose or purposes for which the personal data will be disclosed; and
    - (iii) the method or methods by which the personal data will be disclosed;

In determining the likely adverse effect on the individual, the organisation should consider the following:

<sup>(</sup>a) The impact of the disclosure of the personal data on the individual;

<sup>(</sup>b) The nature and type of personal data and whether the individuals belong to a vulnerable segment of the population;

<sup>(</sup>c) The extent of the disclosure of personal data and how the personal data will be processed and protected;

<sup>(</sup>d) Reasonableness of the purpose of disclosure of personal data; and

<sup>(</sup>e) Whether the predictions or decisions that may arise from the disclosure of the personal data are likely to cause physical harm, harassment, serious alarm or distress to the individual

- (b) identify any residual adverse effect on any individual after implementing any reasonable measures mentioned in (b) above;
- (c) identify the legitimate interests that justify the disclosure by the Nomura Singapore Affiliates of personal data about the individual;
- (d) where the legitimate interests identified under sub-paragraph (c) relate to a person other than the Nomura Singapore Affiliates, identify that other person by name or description; and
- (e) set out the reasons for the Nomura Singapore Affiliates' conclusion that the legitimate interests identified under sub-paragraph (c) outweigh any adverse effect on the individual.
- 4.50 The Nomura Singapore Affiliates must also retain a copy of the assessment throughout the period that they disclose personal data about the individual in reliance on the Legitimate Interests Exception. However, the assessment need not be made available to the public or to individuals.
- 4.51 The Legitimate Interests Exception was introduced in the PDPA in February 2021, and there are currently no precedents or cases on its application. However, the Advisory Guidelines on Key Concepts in the PDPA (Advisory Guidelines) issued by the Personal Data Protection Commission contains an Assessment Checklist for the Legitimate Interests Exception that organisations may use. In addition, the Advisory Guidelines provide further guidance on how organisations may identify legitimate interests examples of legitimate interests include the purposes of detecting or preventing illegal activities (e.g. fraud, money laundering) or threats to physical safety and security, IT and network security; preventing misuse of services; and carrying out other necessary corporate due diligence.
- 4.52 Organisations that rely on the Legitimate Interests Exception to disclose personal data must make it known to individuals that they are relying on this exception to collect, use and disclose personal data without consent. For example, an organisation could state in its public data protection policy that it is relying on the Legitimate Interests Exception to collect, use or disclose personal data for purposes of security and prevention of misuse of services.

## **Cross-border transfers**

- 4.53 Section 26 of the PDPA provides that an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA.
- 4.54 Reg 10(1) of the PDPR provides that before transferring personal data to a country outside Singapore, the organization must take appropriate steps to comply with the PDPA while the personal data remains in possession or under the control of the organization. Also, the organization must take appropriate steps to ascertain whether, and to ensure that, the recipient of the personal data is bound by legally enforceable obligations (in accordance with Reg 11) to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA<sup>20</sup>.
- 4.55 Under Reg 10(2) of the PDPR, a transferring organisation is taken to have satisfied the requirements of Reg10(1) in respect of an individual's personal data which it transfers to a recipient in a country or territory outside Singapore if, amongst others, the individual consents to the transfer of the individual's personal data to that recipient in that country or territory. However, an individual is not taken to have

0012391-0003100 UKO1: 2005697716.5

In addition, organisations exporting data outside Singapore may do so to organisations certified under the Asia Pacific Economic Cooperation Cross Border Privacy Rules System. A recipient of an individual's personal data in a country or territory outside Singapore is taken to be bound by legally enforceable obligations to provide a standard of protection for the transferred personal data that is at least comparable to the protection under the PDPA if the recipient holds the abovementioned specified certification.

consented to the transfer of the individual's personal data to a country or territory outside Singapore if:

- (a) the individual was not, before giving his or her consent, given a reasonable summary in writing of the extent to which the personal data to be transferred to that country or territory will be protected to a standard comparable to the protection under the PDPA;
- (b) the transferring organisation required the individual to consent to the transfer as a condition of providing a product or service, unless the transfer is reasonably necessary to provide the product or service to the individual; or
- (c) the transferring organisation obtained or attempted to obtain the individual's consent for the transfer by providing false or misleading information about the transfer, or by using other deceptive or misleading practices.
- 4.56 As such, it will not be sufficient if the Rights Holder is merely informed that his or her personal data will be transferred to another country outside Singapore. A "reasonable summary" in writing of the extent of protection available in comparison to the PDPA will have to be provided. We have assumed, at Assumption 2.6, that the Nomura Singapore Affiliates have obtained the necessary consent from each relevant individual, and that a "reasonable summary" as described in this paragraph has been provided to that individual. We have also assumed, at Assumption 2.7, that where the Nomura Singapore Affiliates require an individual to consent to the transfer of personal data as a condition of providing a product or service relating to its role as an SBSD, the transfer is reasonably necessary to provide the product or service to the individual.
- 4.57 Apart from consent, under Reg 11 of the PDPR, legally enforceable obligations include obligations imposed on a recipient of personal data (i.e. the SEC) under (a) any law; (b) a contract which requires the recipient to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the PDPA and specify the countries and territories to which the personal data may be transferred under the contract; or (c) any other legally binding instrument.
- 4.58 If valid consent is not obtained from the Rights Holders in accordance with the requirements discussed above, the Nomura Singapore Affiliates should satisfy themselves that the SEC is bound by laws to provide the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA prior to the transfer of any personal data to the SEC.

### 5. RELIANCE

- 5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.
- 5.2 This opinion is not to be disclosed to any person outside of NIP's group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:
  - (a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over NIP (including to the SEC as part of NIP's SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and
  - (b) to NIP's affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

- 5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph 5.2(b) above will be subject to the same restrictions on disclosure as set out above.
- 5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.

Yours faithfully,

Allen & Overy LLP