1

UBS AG Australia Branch

The Chifley Tower 

2 Chifley Square

Sydney

NSW 2000

Allen & Overy

Level 25

85 Castlereagh Street

Sydney NSW 2000

Australia

PO Box A2498

Sydney South NSW 1235 

Australia

Tel

+61 (0)2 9373 7700

Fax

+61 (0)2 9373 7710

One Bishops Square

London E1 6AD United Kingdom

Tel

+44 (0)20 3088 0000

Fax

+44 (0)20 3088 0088

Janna.Tay@allenovery.com

Our ref

0036335

-

0000808

20 October 2021

Dear Sir or Madam

UBS Australia Branch SEC registration as a non-resident security-based swap dealer

1.

BACKGROUND

1.1

We understand that UBS AG (

UBS

), a bank authorised in Switzerland, is seeking to register with the

United States (

US

) Securities and Exchange Commission (

SEC

) as a non-resident security-based swap

(

SBS

) dealer (

SBSD

).

1.2

To register as an SBSD with the SEC, a non-resident SBSD

1

 such as UBS must attach an opinion of

counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:

(a)

provide the SEC with prompt access to the relevant books and records as defined in

paragraphs 3.3 and 3.4 (

Covered Books and Records

); and 

(b)

submit to on-site inspection and examination of its Covered Books and Records by the SEC

(

On-Site Inspection

).

1.3

UBS will maintain certain Covered Books and Records in its Australia Branch (

UBSAB

), which is

authorised in Australia.

1.4

You have asked us to issue an opinion affirming that UBSAB will be able to provide the SEC with

prompt access to its books and records and submit to On-Site Inspection by the SEC in accordance

with paragraph 1.2 above.

1

In the case of a corporation, an SBSD will be “non

-

resident” if it is incorporated in or has its principal place of business in any place not in

the United States (see 17 Code of Federal Regulations (

CFR

) § 240.15Fb2-4(a)(2)). As UBS is incorporated in Switzerland, UBS fulfils this

definition of a “non-resident” SBSD.

Allen & Overy is affiliated with Allen & Overy LLP, a limited liability partnership registered in England and Wales with registered office at One Bishops Square London E1 6AD. Allen

& Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Bangkok, Beijing, Belfast, Bratislava, Brussels, Budapest, Casablanca, Dubai,

Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles, Luxembourg, Madrid, Milan, Moscow,

Munich, New York, Paris, Perth, Prague, Rome, São Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. and Yangon.

2

1.5

This opinion is structured as follows:

(a)

Section 2: summary of opinion; 

(b)

Section 3: scope, assumptions and qualifications; 

(c)

Section 4: revisions to applicable law;

(d)

Section 5: reliance and confidentiality;

(e)

Annex 1: Opinion; and

(f)

Annex 2: Assumptions.

1.6

For the purposes of this opinion, the legal or natural person imparting the information subject to the

duty of confidentiality will be the

Rights Holder

and the person receiving that information, in this

case UBSAB, will be the

Recipient.

2.

SUMMARY OF OPINION

Subject to the assumptions and qualifications below it is our opinion that:

2.1

UBSAB can, as a matter of applicable Australian law, submit to On-Site Inspection by the SEC. There

is no restriction on UBSAB submitting to On-Site Inspection by the SEC. The remainder of this

opinion focuses on UBSAB’s ability to disclose information contained in Covered Books and Records

to the SEC in the course of On-Site Inspection in Australia and the ability to provide the SEC with

prompt access to Covered Books and Records.

2.2

UBSAB can, as a matter of applicable Australian law, provide the SEC with prompt access to Covered

Books and Records held by UBSAB in Australia

2

.

Disclosure of personal information

3

2.3

Disclosures of personal information (particularly sensitive information) relating to UBSAB’s clients

and staff are subject to certain restrictions under the

Privacy Act 1988

 (Cth) (

Privacy Act

) and the

Australian Privacy Principles (

APPs

) (collectively, the

Australian privacy framework

), particularly

where this involves a cross-border transfer of personal information to a jurisdiction outside of

Australia.

2.4

We anticipate that UBSAB may have to obtain the consent of individuals to enable disclosure of the

Covered Books and Records to the SEC and to permit On-Site Inspection, and our view in this regard

is that the UBSAB Privacy and Credit Reporting Policy – Australia dated 2 April 2020

4

 (

UBS

Australian Privacy Policy

) already enables UBSAB to obtain that consent in accordance with the

Australian privacy framework, and there should not be any issues in disclosing any personal

information that may be contained in the Covered Books and Records to the SEC (also see paragraph

1.14 of Annex 1). Alternatively, if this is not possible, UBSAB may have to fall within exceptions

under the APPs. It is also likely that Australian law will require an employer, such as UBSAB, to

obtain the consent of its employees to disclose any of their personal information to the SEC.

2

Where a restriction on the ability to transfer personal data or to disclose confidential information applies, consent from th

e Rights Holder,

validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information

to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in

Assumption

3

Please refer to section

 of

 for definitions of the Privacy Act, the APPs, personal information, and sensitive information.

4

The

UBS Privacy and Credit Reporting Policy

–

Australia da

ted 2 April 2020

that can be accessed at

https://www.ubs.com/global/en/legal/privacy/australia/_jcr_content/mainpar/toplevelgrid/col1/linklist/link_658648610.1183479955.file/b

Gluay9wYXRoPS9jb250ZW50L2RhbS9hc3NldHMvY2MvZ2xvYmFsL2xlZ2FsL2RvYy9wcml2YWN5LW5vdGljZS9jbGllbnQtcHJpdm

FjeS1ub3RpY2UtZW4tYXVzdHJhbGlhLnBkZg==/client-privacy-notice-en-australia.pdf

.

0036335-0000808 UKO1: 2005347595.6

3

2.5

As disclosure to the SEC involves a cross-border transfer, UBSAB will also have to satisfy the

requirements for overseas disclosure of the personal information. UBSAB may have to take reasonable

steps to ensure that the SEC does not breach the APPs in relation to that information. This is typically

satisfied by way of a contractual arrangement entered into by USBAB and the SEC which requires the

SEC to handle the personal information in accordance with the APPs. However, this will not be

necessary if UBSAB can rely on independent legal advice that establishes that the SEC is subject to a

law or binding scheme similar to the APPs, or if it obtains the consent of individuals in accordance

with the Australian privacy framework (see our analysis in paragraph 2.4 above and paragraph 1.14 of

Annex 1). 

Common law duties of confidentiality

2.6

The general duty of confidentiality applies to information communicated in circumstances indicating

it is confidential. The banker’s duty of confidentiality arises due to the nature of the relationship

between a banker and his or her customer (and this duty does not apply to information held or

controlled by UBSAB that relates to any person other than its customers). 

2.7

Disclosure with consent, or under another recognised exception, would not amount to a breach of these

legal duties. For example, confidential information can be disclosed with the express consent of the

person to whom such information relates.

2.8

We note that there are other exceptions to the duty of confidentiality such as where disclosure is in the

public interest. However, there must be compelling public interest reasons for the disclosure as the

threshold is generally understood to be very high. It may also be possible, where the information held

regards clients, to rely on the bank’s own interest exception to the banker’s (but not the general) duty

of confidentiality, though this requires a case-by-case balancing of the competing factors in favour of

each of the bank and the Rights Holder. Considering the uncertainty and high bar to meet for disclosure

in the public interest or bank’s own interest, it is advisable to seek express consent to disclosure as this

would establish a greater degree of certainty that the disclosure is made in accordance with the duties

of confidentiality.

2.9

These duties of confidentiality will not apply to any information contained in the Covered Books and

Records or to On-Site Inspection insofar as information made available to the SEC is owned by or

relates to UBSAB itself, rather than by or to UBSAB’s clients or, in the case of the general duty only,

third parties or its staff.

2.10

There is generally no legal duty of mutual confidence implied into contracts of employment within

Australia.

Privacy and Human Rights

2.11

Australia does not have a statutory or constitutional framework of human rights, and most civil and

political rights of individuals under Australian law are found within the common law as well as specific

pieces of legislation. In this regard, the Australian privacy framework, which sets out a framework for

the processing of the personal information of individuals within Australia, can also be taken to be the

framework that provides individuals in Australia with a “right” to privacy. 

2.12

Although Australia has signed, ratified, and supports a number of international treaties containing

rights against unlawful interference to privacy, these have no direct bearing on Australian domestic

law in respect of privacy. 

This summary opinion is not a substitute for the full expression of our views set out in Annex 1.

0036335

-

0000808 UKO1: 2005347595.6

4

3.

SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1

This opinion relates solely to access provided to the SEC of Covered Books and Records held by

UBSAB in Australia and On-Site Inspection of UBSAB by the SEC in Australia. This opinion applies

equally to remote access from the US to Covered Books and Records held in Australia. This opinion

excludes books and records held in the US.

3.2

This opinion has been prepared in accordance with UBS’s specific instructions as to the scope of the

opinion. For this purpose you have issued us with guidance from a third party US law firm which we

have used to inform the scope of our opinion.

3.3

This opinion only covers access to and the On-site Inspection of Covered Books and Records. We are

instructed that Covered Books and Records include only those books and records which:

(a)

relate to the US business

5

 of the non-resident SBSD.

6

 These are the records that relate to an

SBS that is either:

(i)

entered into, or offered to be entered into, by or on behalf of the non-resident SBSD,

with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)

7

 (

US Person

) (other

than an SBS conducted through a foreign branch of such US Person);

8

 or

(ii)

arranged, negotiated, or executed by personnel of the non-resident SBSD located in a

branch in the US (

US branch

) or office or by personnel of an agent of the non-resident

SBSD located in a US branch or office;

9

 or

(b)

constitute financial records necessary for the SEC to assess the non-resident SBSD’s

compliance with the SEC’s margin and capital requirements, if applicable.

10

3.4

Further to Assumption 1, this opinion is limited to those types of records that are relevant to

prudentially regulated SBSDs, which excludes financial records as noted in paragraph 3.3(b) above.

For this opinion, the term “Covered Books and Records” extends to these record types alone.

3.5

The issues addressed in this opinion apply equally across the different document types which constitute

the Covered Books and Records based upon the information actually contained in each of the relevant

Covered Books and Records. We have not examined any such documents or records.

3.6

In giving this opinion, we have made the further assumptions set out in Annex 2. 

3.7

No opinion is expressed on matters of fact. 

5

As defined in 1

7 CFR §240.3a71

-

3(a)(8).

6

Cross

-

Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the

SEC Guidance

). 

7

A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a

partnership, corporation, trust, investment vehicle,

or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in

the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a

resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).

8

A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located

outside of the United States; (ii) the branch operates for

valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the

jurisdiction where located” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged,

negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such

security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign

branch solely by persons located outside the United States” (17 CFR § 240.3a71-3(a)(3)(i)).

9

17 CFR § 240.3a71

-

3(a)(8)(i)(B).

10

The requirement set out

in this paragraph

 does not apply to UBSAB because it is not subject to the SEC’s margin and capital

requirements as it is assumed that UBSAB has a prudential regulator – please see the assumptions set out in

0036335-0000808 UKO1: 2005347595.6

5

4.

REVISIONS TO APPLICABLE LAW 

4.1

We are instructed that the SEC rules

11

 require a non-resident SBSD to re-certify within 90 days after

any changes in the legal or regulatory framework that would:

(a)

impact the ability of the SBSD to provide prompt access to its Covered Books and Records; 

(b)

impact the manner in which it would provide prompt access to its Covered Books and Records;

or

(c)

impact the ability of the SEC to conduct On-Site Inspections.

4.2

Upon a change in law or regulatory framework of the sort outlined in paragraph 4.1 above, we are

instructed that the SBSD is required to submit a revised opinion describing how, as a matter of law,

the SBSD will continue to meet its obligations. 

4.3

This opinion relates solely to the laws of Australia in force as at the date of this opinion. We have no

obligation to notify any addressee of any change in any applicable law or its application after the date

of this opinion.

5.

RELIANCE AND CONFIDENTIALITY

5.1

This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else

without our prior written consent.

5.2

This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated,

quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion

letter may be disclosed: 

(a)

where disclosure is required or requested by any governmental, banking, taxation or other

regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC

as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock

exchange or pursuant to any applicable law or regulation; and 

(b)

to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers,

reinsurers, insurance brokers and professional advisers (in their capacity as such).

5.3

Any such disclosure must be made on the basis that it is for information purposes only, no recipient

may rely on this advice, no client-lawyer relationship between us and the recipient arises following,

or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient

under paragraph 5.2(b) above will be subject to the same restrictions on disclosure as set out above.

5.4

We assume no obligation to advise you or any other person or to make any investigations as to any

legal developments or factual matters arising subsequent to the date hereof that might affect the

opinions expressed herein.

Yours faithfully, 

Allen & Overy 

11

17 CFR § 240.15Fb2

-

4(c)(2).

0036335-0000808 UKO1: 2005347595.6

6

ANNEX 1

OPINION

1.

DATA PROTECTION

1.1

The Australian privacy framework will apply to UBSAB’s proposed disclosure of the Covered Books

and Records to the SEC to the extent that these comprise or contain personal information, and the

APPs will apply to the extent that UBSAB is an “APP entity”.

12

1.2

Personal information is information or an opinion relating to an identified or a reasonably identifiable

individual, whether the information or opinion is true or not and whether the information or opinion is

recorded in a material form or not.

13

 As such, it may extend to information on UBSAB staff as well as

clients. The Privacy Act explicitly recognises a number of different types of information as personal

information, but information does not require explicit recognition to constitute personal information

under the Privacy Act. 

1.3

Under the Privacy Act, a higher level of protection applies for personal information that is sensitive

information

–

s

ensitive information is

personal information

that reveals

the

racial or ethnic

background, political opinions

or associations

, religiou

s or philosophical beliefs, trade union

membership, genetic data, biometric data when used for ID purposes, health information, data

concerning sex life or sexual orientation, and criminal records of individuals. As sensitive information

is less likely to be relevant in the context of UBSAB’s disclosures to the SEC, the laws applicable to

this data have not been considered in any material detail in this opinion.

1.4

Key restrictions in the Australian privacy framework relating to UBSAB’s ability to disclose personal

data to the SEC are set out below. We further note that data (including personal information) cannot

be disclosed if doing so would breach another legal requirement (e.g. confidentiality – please also see

section 2 below). 

Collection, use and disclosure of personal information under the Australian privacy framework

1.5

UBSAB must comply with the Privacy Act generally, as well as APP 3, APP 6 and APP 8 in particular,

in respect of any proposed disclosure of personal information by UBSAB to the SEC. It should also

be noted that while compliance with APP 3, APP 6 and APP 8 (as well as the Australian privacy

framework generally) is required by UBS if it wishes to disclose personal information to the SEC,

none of the individual APPs on its own is so comprehensive as to cover all disclosures of personal

information (including the disclosure of personal information to the SEC), and UBSAB will need to

consider the most appropriate legal basis to apply to any given situation.

1.6

The APPs are set out in Schedule 1 to the Privacy Act, and they constitute a crucial aspect of the

Australian privacy framework’s data protection principles. The APPs govern the standards, rights, and

obligations regarding: the collection, use, and disclosure of personal information; the governance and

accountability of APP entities; the integrity and correction of personal information; and the rights that

individuals have to access their information. 

1.7

The legal bases of APP 3, APP 6 and APP 8 are as follows:

(a)

APP 3 – an APP entity can only solicit and collect personal information where it is reasonably

necessary for the APP’s functions or activities, and the APP entity must collect that personal

information directly from the individual (subject to exceptions) by lawful and fair means;

12

An APP entity is defined under the Privacy Act to be an agency organisation, including a body corporate, that has an annual t

urnover of over

AUD3,000,000 in a financial year. We have assumed at Assumption

 that UBSAB is an APP entity.

13

Section 6 of the Privacy Act.

0036335-0000808 UKO1: 2005347595.6

7

(b)

APP 6 – an APP entity may use or disclose personal information that it holds only for the

purpose that it was collected, as detailed below, unless an exception applies; and

(c)

APP 8 – an APP entity must take certain steps to protect personal information before it is

disclosed overseas, the intent being that the APP entity must endeavour to ensure that the

personal information will receive a level of protection equivalent to that provided under the

Australian privacy framework. 

1.8

An APP entity like UBSAB can only collect personal information directly from individuals which is

reasonably necessary for one or more of the APP entity’s functions or activities

14

 – in the case of

UBSAB, it is arguable that the compliance with its contractual and regulatory obligations under law

is part of UBSAB’s functions or activities. As such, subject to UBSAB’s compliance with the

Australian privacy framework (including in particular APP 6 and APP 8, as set out in more detail

below), there does not appear to be any issue if UBSAB is collecting personal information from

individuals if it is for regulatory compliance.

1.9

Pursuant to APP 6, an APP entity like UBSAB can only use or disclose personal information about an

individual for the purpose that it was collected (this is also referred to as the

primary purpose

), and

generally, for no other purpose, unless an exception applies – the purpose of APP 6 is intended to

ensure that APP entities will only use and disclose an individual’s personal information for only the

purposes for which an individual would expect his or her personal information to be used or disclosed.

In UBSAB’s case, assuming that UBSAB has a comprehensive privacy policy that sets out that

UBSAB’s regulatory obligations are for a purpose for which an individual’s personal information will

be used and/or disclosed, there does not appear to be any issue with UBSAB’s proposed disclosure of

information in the Covered Books and Records (including personal information) to the SEC. 

1.10

It should also be noted that even if the disclosure of information in the Covered Books and Records

(including personal information) to the SEC is not considered a primary purpose, UBSAB could still

disclose such information to the SEC if an individual consents to such a disclosure – in this regard, the

main elements of establishing valid consent under the Australian privacy framework are that the:

(a)

individual is adequately informed before giving consent; 

(b)

individual gives consent voluntarily; 

(c)

consent is current and specific; and 

(d)

individual has the capacity to understand and communicate his or her consent. 

Specifically, UBSAB must ensure that the consent given is specific to the disclosure of personal

information to a foreign regulator for the purposes of assessing UBSAB for compliance. 

Cross-border transfer of personal information 

1.11

APP 8 requires APP entities such as UBSAB to, prior to disclosure of any personal information to an

overseas recipient, take “reasonable steps” to ensure that the overseas recipient handles the personal

information in accordance with the Australian privacy framework, and does not breach the Australian

privacy framework. It should also be noted that, under the Australian privacy framework, the APP

entity remains accountable for an act or practice of the overseas recipient. 

1.12

The requirement of taking “reasonable steps” under APP 8 typically entails an APP entity entering

into an enforceable contractual arrangement with the overseas recipient that requires the overseas

recipient to handle personal information in accordance with the Australian privacy framework. 

14

APP

3.1.

0036335-0000808 UKO1: 2005347595.6

8

1.13

However, APP 8 also allows for the fact that it may be difficult for an APP entity like UBSAB to enter

into an enforceable contractual arrangement with an entity such as the SEC (especially given that the

SEC is a public regulatory authority in the US) and, as such, APP 8 also provides that if individuals

consent to an APP entity like UBSAB disclosing their personal information to an overseas recipient

like the SEC, then UBSAB will be able to do so without contravening APP 8, noting that in order to

ensure that the consent provided by individuals under APP 8 is valid,

15

 UBSAB will have to: 

(a)

expressly and clearly inform the individual, by providing either an oral or written statement,

that if he or she consents to UBSAB disclosing his or her personal information to the SEC,

UBSAB will not be accountable under the Privacy Act, and that the individual will not be able

to seek redress under the Australian privacy framework; and

(b)

ensure that any such statement: 

(i)

be made at the time consent is sought (and that UBSAB is not relying on assumed

prior knowledge of the individual); and

(ii)

also explains that the practical effect and risks associated with the disclosure of

information to the SEC, including (without limitation) that the:

(A)

SEC is subject to US law that could compel the disclosure of personal

information to a third party, such as an overseas authority;

(B)

SEC may not be subject to any privacy obligations or to any principles similar

to those set out in the Australian privacy framework; and

(C)

individual may not be able to seek redress in the US. 

Consent under the Australian privacy framework

1.14

In respect of the consent outlined in paragraphs 1.10 and 1.13 (and under the Australian privacy

framework generally), we have assumed at Assumption 12 that at the point in time that UBSAB is

engaged by its customers who are individuals, such individuals would have been required to execute

comprehensive UBSAB data protection and privacy documents (including accepting all the terms of

the UBS Australian Privacy Policy):

(a)

within which s

uch individuals

declare that

,

in accordance with the Australian privacy

framework, they consent to UBS, amongst other things, disclosing their personal information

to a foreign regulator like the SEC (as set out in section 7 of the UBS Australian Privacy

Policy); and

(b)

that also broadly ensure that the requirements of the Australian privacy framework are

satisfied

by UBSAB

.

15

Generally, consent must be informed, voluntary, current and specific, and given by an individual with the capacity to give co

nsent. In ad

dition

to express consent as set out in the body of the Opinion, the Australian privacy framework recognises implied consent. An APP entity does

not need express consent from an individual to handle his or her non-sensitive personal information, but it must reasonably believe that it

has his or her implied consent. This is where consent may reasonably be inferred in the circumstances from the conduct of the individual

and the APP entity. This is typically achieved by way of presenting the individual with an opt-out option to the APP entity’s disclosure of

his or her personal information for another purpose, and allowing a period of time for the exercise of that option. The design and conditions

of the option must still ensure that consent given is informed. 

0036335-0000808 UKO1: 2005347595.6

9

Data protection principles

1.15

In addition to establishing a legal basis for the disclosure, UBSAB would need to ensure that its

disclosures are compliant with the other requirements of the Australian privacy framework – for

example, UBSAB should:

(a)

ensure that it only discloses personal information that is adequate, relevant and limited to what

is necessary in relation to the purposes of its regulatory activities; 

(b)

take reasonable steps to ensure that the personal information is accurate, up-to-date, complete,

and relevant;

16

(c)

keep the personal data in a form that enables identification of individuals for no longer than is

necessary for the purposes for which the personal data is processed; and

(d)

take active measures to ensure that the security of the personal information is maintained, and

as such, implement appropriate security measures to protect the personal information from

misuse, interference, loss, unauthorised access, modification, or disclosure.

17

2.

COMMON LAW DUTIES OF CONFIDENTIALITY

2.1

The general and banker’s duties of confidentiality are distinct duties. However, the case law on each

duty informs the approach to the other, with the banker’s duty existing in acknowledgement of the

specific circumstances that arise as between a bank and its customers. Given the common law position

on these duties is largely aligned and noting further that Australian courts may also consider decisions

made in other common law jurisdictions (including England and Wales) in arriving in their decisions,

these are dealt with together here.

2.2

Where the Covered Books and Records do not contain any relevant forms of information which attract

a duty of confidentiality, and it is likely that many aspects of the information required will not

(e.g. transaction data such as volumes and prices), these duties of confidentiality will not apply.

Scope of duties

2.3

The general duty of confidentiality imposes obligations of confidence upon the recipient of

information if the following conditions are satisfied:

18

(a)

the information in question must be identified with specificity and generally, non-specific

ideas are not protected under the general duty of confidentiality;

19

(b)

the information must have the ‘

necessary quality of confidence

’; information that is ‘

public

property and public knowledge

’ cannot be protected;

20

(c)

it must have been received by the recipient in circumstances importing an obligation of

confidence (i.e. the recipient of the information knows or ought to know that the restrictions

have been placed upon the use of the information);

21

 and

16

APP 10.2.

17

APP 11.1.

18

Optus Networks Pty Ltd v Telstra Corporation Ltd

 (2010) 265 ALR 281 at 290.

19

O’Brien v Komesaroff

(1982) 150 CLR 310.

20

Saltman Engineering Co Ltd v Campbell Engineering Co Ltd

(1948) RPC 230 at 215.

21

Smith Kline & French Laboratories (Aust) Ltd v Secretary, Dept of Community Services and Health

 (1990) 22 FCR 73 at 87.

0036335-0000808 UKO1: 2005347595.6

10

(d)

there must be an actual or threatened misuse of the information without the confider’s consent

and the receiver of information will still be liable

even

if the unauthorised use was

unintentional.

22

2.4

As the information contained in the Covered Books and Records is not publicly available, it is likely

to possess this necessary quality of confidence insofar as that information relates to a third party or

UBSAB’s clients or staff and is not information owned by or relating to UBSAB itself. Where, and to

the extent that, the Covered Books and Records concern information of a third party or customer

information, this would likely satisfy the requirement that the Recipient knew or ought to have known

that the information was to be treated confidentially. 

2.5

The common law banker’s duty of banker-customer confidentiality is established by

Tournier v

National Provincial and Union Bank of England

[1924] 1 KB 461 (

Tournier

) which has been widely

referred to in Australia. Under the bank-customer duty of confidentiality, banks, such as UBSAB, must

keep their customers’ affairs private

23

 – in this respect, the general duty is broader than the banker’s

duty as the general duty extends to benefit others, such as UBSAB’s staff. 

(a)

The scope of the duty is wide – as Atkin LJ outlined in the judgment:

“

It

[the duty of confidentiality]

clearly goes beyond the state of the account, that is, whether

there is a debit or credit balance, and the amount of the balance. It must extend at least to all

the transactions that go through the account, and to the securities, if any, given in respect of

the account

”.

24

(b)

The temporal scope of the banker’s duty is also wide. Atkin LJ judged that the banker’s duty

of confidentiality “

extend

[s]

beyond the point when the account is closed, or cease

[s]

 to be an

active account

”,

25

 and this duty also extends to cover disclosures from one banking entity to

another within the same corporate group.

26

2.6

No distinction is drawn in the case law on either of the general or banker’s duties regarding the nature

of the person to whom the duty is owed – i.e. a natural or a legal person – and so we consider that the

duties apply equally to any person irrespective of its legal status. 

Unauthorised disclosure

2.7

A successful claim for breach of confidentiality must demonstrate that there has been an unauthorised

use of confidential information to the Rights Holder.

27

2.8

For those Covered Books and Records that contain customer, which is unlikely to include all Covered

Books and Records, these duties of confidentiality will apply and so UBSAB will only be able to

disclose Covered Books and Records containing confidential information in un-redacted form where

one of the exceptions below is met.

2.9

Tournier

established four exceptions to the banker’s duty of confidentiality,

28

 the first three of which

apply equally to the general duty of confidentiality: 

(a)

where the disclosure is made by the express or implied consent of the customer;

 29

22

Talbot v General Television Corpot Pty Ltd

 [1980] VR 224 at 239.

23

Tournier v National Provincial and Union Bank of England

 [1924] 1 KB 461 at 473;

Smorgon v FCT

 (1976) 134 CLR 475 at 487;

Brighton

v Australia and New Zealand Banking Group Ltd

[2011] NSWCA 152.

24

Tournier v National Provincial and Union Bank of England

[1924] 1 KB 461 at 485.

25

Tournier v National Provincial and Union Bank of England

[1924] 1 KB 461 at 485.

26

Bank of Tokyo Ltd v Karoon

[1987] 1 AC 45 at 54.

27

Megarry J in

Coco v A Clark (Engineers) Ltd

[1968] F.S.R. 415 at 421;

Optus Networks Pty Ltd v Telstra Corporation Ltd

 (2010) 265 ALR

281 at 290.

28

Tournier v National Provincial and Union Bank of England

[1924] 1 KB 461 at 485 at 473.

29

For the general duty of confidentiality:

t

his

was confirmed in

B v Brisbane North Regional Health Authority

 (1994) 1 QAR 279 at 105.

0036335-0000808 UKO1: 2005347595.6

11

(b)

under compulsion of law;

(c)

where the disclosure is in the public interest; or

(d)

for the banker’s duty of confidentiality only, where it is in the interests of the bank to make

disclosure.

Consent

2.10

Disclosure of confidential information is permissible where the Rights Holder

30

 has given its consent

to the disclosure

31

 of its confidential information.

32

Compulsion of law

2.11

Information that would otherwise be confidential may be disclosed when required by a statutory

provision

33

 or court order.

34

2.12

To satisfy this compulsion of law exception it is likely that UBSAB would have to rely on an Australian

statute or court order

35

 – a provision of US law, such as an SEC Rule, is unlikely to be sufficient for

this purpose.

(a)

While there are numerous statutory provisions that require the disclosure of information that

would otherwise be confidential,

36

 none applies directly to this situation.

(b)

We are not aware of any Australian statute or case law which would require disclosure of

information to a foreign regulatory authority.

37

30

Where the banker’s duty of confidentiality applies this will be the customer.

31

Due

to

the over

lap between bank confidentiality,

the Privacy Act,

and other data protection laws (as discussed in paragraph

), it would

be advisable to clarify when obtaining consent that another, separate, legal basis applied to the processing of the personal information under

data protection laws. 

32

While

it is possible to rely on implied consent, there is likely to be a high bar to meet in order to d

o so. In

Turner v Royal Bank of Scotland

Plc

[1999] 2 All E.R, regarding the banker’s duty of confidentiality, it was decided that established market practice of sharing of customer

information between banks (which practice was generally known only to the banks themselves) did not amount to implied consent of the

customer as this practice was not known by the customer. To amount to implied consent, the practice under which disclosure is made must

be “

notorious, certain and reasonable

” (

Turner v Royal Bank of Scotland Plc

[1999] 2 All E.R 664 at 670, Sir Richard Scott VC quoting

from

Chitty on Contracts

 (27th edn, 1994), vol I, para 13-014). It remains unclear how Australian courts will decide on the implied consent

but it is normal practice to reply on the express consent.

The practice of sharing information with local regulators in order to enable banking business to be conducted within the relevant local

jurisdiction is, in our experience, well established such that it might be considered “

notorious, certain and reasonable

”. In this context, it is

possible that much of the information contained in the Covered Books and Records would be information of a sort that customers (and

particularly more sophisticated customers of the kind that would normally be offered services by UBSAB in respect of SBSs) may expect

would be shared with the SEC. 

In part, the ability to rely on implied consent will depend on the information provided to customers when UBSAB provides services in SBSs.

If no information about the jurisdiction or regulators involved is provided then UBSAB would rely on the customer’s own understanding of

regulatory obligations on banks, the US nexus and the SEC’s role in these services. Conversely, if customers are informed that UBSAB’s

activity in SBSs is conducted on a cross-border basis into the US and is subject to oversight by the SEC then the ability to rely on implied

consent increases. Similarly, if customers are informed that detailed information on all aspects of UBSAB’s activity in SBSs is subject to

examination by the SEC then the ability to rely on implied consent increases further still.

33

See the example given by Bankes LJ in

Tournier v National Provincial & Union Bank

 [1924] 1 K.B 461 at 473 of the Bankers’ Books

Evidence Act 1879. 

34

F

or the general duty of confidentiality:

eg

courts may order that confidential documents be provided in the discovery process

, as confirmed

in

Campbell v Tameside Metropolitan Borough Council

[1982] QB 1065. 

For the banker’s duty of confidentiality:

X AG and others v A bank

 [1983] 2 All ER at 475.

35

We think the greater weight of judicial authority supports this view. See for example

FDC Co Ltd v Chase Manhattan Bank NA

 [1990] 1

HKLR 277, 283 (Sir Alan Huggins VP), 292 (Silke JA). See also Sir Lawrence Collins, ‘Choice of Law and Choice of Jurisdiction in

International Securities Transactions’ (2001) 5 Singapore Journal of International and Comparative Law 618. According to the leading

decision in

Joachimson v Swiss Bank Corporation

 [1921] 3 KB 110, a bank account is located at the place where the records of the account

are kept.

36

For example

,

banks as reporting entities under the

Anti-Money Laundering and Counter-Terrorism Financing Act 2006

 (Cth) may be

compelled to disclose information about their customers to the Australian Transaction Reports and Analysis Centre. Disclosure in this

circumstance would be an authorised use and as such would not constitute a breach of confidence.

37

While

various Australian statutes require disclosures and specifical

ly provide for the obligation under these statutes to take priority over the

duty of confidentiality, there is no basis for disclosure of confidential information to be based on compulsion of foreign law. However, the 

Australian Securities & Investments Commission (

ASIC

) works closely with a range of international organisations, foreign regulators and

law enforcement agencies (including the SEC). ASIC makes and receives international requests in relation to investigations, compliance and

surveillance, delegations and licensing/due diligence and general referrals. Many international organisations and foreign regulators make

requests for assistance under international cooperation agreements including the IOSCO Multilateral Memorandum of Understanding and

other bilateral Memoranda of Understanding; where authorised, ASIC uses the

Mutual Assistance In Business Regulation Act 1992

 to

exercise compulsory powers to obtain documents, information or testimony on behalf of foreign regulators.

0036335-0000808 UKO1: 2005347595.6

12

(c)

Equally, a US court order is also unlikely to be sufficient for this purpose: it was held in

X AG

and others v A bank

[1983] 2 All ER at 475 that a subpoena requiring disclosure issued by a

foreign court did not qualify as compulsion by law on the basis that “[t]

he fact is that

confidentiality is not rendered illegal by a subpoena requiring disclosure, which is to be

contrasted with some form of legislation to that end

”.

38

Public interest

2.13

Determining whether the public interest exception applies requires a balance to be struck between the

rights of the Rights Holders and the public interest in the SEC obtaining that information.

39

 The test

to be applied when considering whether confidentiality should be breached in favour of freedom of

expression is whether, in all the circumstances, it is in the public interest that the duty of confidence

should be breached.

40

2.14

Disclosure in the public interest has been narrowly construed by the Australian courts, and the burden

is for UBSAB to justify disclosure of confidential information

41

 (rather than for e.g. a customer to

justify continued confidentiality). The general position is that voluntary disclosure, including in

relation to disclosures to the police in respect of suspicions of criminal activity, would breach the duty

of confidence other than as permitted under statute,

42

 indicating that there is a high bar to be met when

arguing that a disclosure was made lawfully in pursuit of a greater public interest. Bankes LJ suggested

in

Tournier

that national security concerns would meet this criterion,

43

 while Atkin LJ gave the

example of disclosure in the interest of preventing fraud or crime.

44

2.15

There are also cases which draw a distinction between disclosing information to prevent “frauds or

crimes” versus disclosure of past criminal conduct. The courts in Australia have held that the former

case does authorise the disclosure of confidential information, but the latter case does not.

45

 However,

there is some precedent for public interest in effective regulation and supervision of banking

institutions outweighing the public interest in maintaining confidentiality.

46

2.16

We think there is significant uncertainty about the scope of the public interest exception to

confidentiality. While disclosing information to prevent a crime or a fraud does seem to be generally

accepted as overriding the public interest in confidentiality, it is unclear how far the exception extends

beyond this principle. Therefore we think any decision to disclose confidential information in reliance

on the public interest exception is likely to require a specific examination of the facts and

circumstances of each case. Given the narrow and uncertain scope of this exception, we do not think

this exception is likely to provide a consistent basis on which UBSAB may rely in order to disclose

information to the SEC. 

38

While

both

X AG and others v A Bank

[1983] All ER 464 and in

A v B Bank

 Unreported, 13 August 1990 (see Hirst J’s judgment in the

subsequent case

of A and Others v B Bank v (Governor and Company of the Bank of England intervening)

 [1992] 3 WLR 705). While these

are banker’s duty of confidentiality cases, a more general application of the principles can still likely be used. For the general duty of

confidentiality: eg courts may order that confidential documents be provided in the discovery process, as confirmed in

Campbell v Tameside

Metropolitan Borough Council

[1982] QB 1065.

39

Spelman v Express Newspapers

[2012] EWHC 355 (QB) at [44]-[52].

40

Prince of Wales v Associated Newspapers Ltd (CA)

[2007] 3 WLR at 68. In the context of that case, it is relevant that the test is not simply

whether the information is a matter of public interest, as, unlike disclosure to the SEC, that case involves public dissemination of information.

There is High Court dictum supporting that a public interest exception would be available in an action for breach of the general duty of

confidence:

Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd

 (2001) 208 CLR 199, 244 per Gleeson CJ citing with

approval

Hellewell v Chief Constable of Derbyshire

 [1995] 4 AII ER 473, 476 per law J. Furthermore, information concerning matters of

‘iniquity in the sense of a crime, civil wrong or serious misdeed of public importance’ will be treated in Australia as lacking the necessary

quality of confidence required for protection, so that the need for a exception of public interests will not arise:

Corrs Pavey Whiting & Byrne

v Collector of Customs

 (1987) 74 ALR 428, 250 per Gunmmow J).

41

Price Waterhouse v BCCI Holdings (Luxembourg) SA

 [1992] BCLC 583 at 597.

42

Tournier v National Provincial and Union Bank of England

[1924] 1 KB 461 at 474.

43

Tournier v National Provincial and Union Bank of England

[1924] 1 KB 461 at 485 at 473 where Bankes LJ quotes Lord Finlay’s judgment

in

Weld-Blundell v Stephens

[1920] A.C. 956

at 965 where “

danger to the state

” was given as an example where an exception could be made

to the duty of confidentiality.

44

Tournier v National Provincial and Union Bank of England

[1924] 1 KB 461 at 486.

45

Bodnar v Townsend

 (2003) 12 Tas R 232;

Kelly v Hawkesbury Two Pty Ltd (No 3)

 (Unreported, Supreme Court of New South Wales, Young

J, 26 November 1987); see also Brown’s

Trustees v Hay

 (1898) 35 SLR 877, 880.

46

Price Waterhouse v BCCI Holdings (Luxembourg) SA

 [1992] BCLC 583 at 596 and 601.

0036335-0000808 UKO1: 2005347595.6

13

In the interests of the bank

2.17

In limited cases, disclosure of confidential information that is subject to the banker’s duty of

confidentiality may be permissible where it is in the interests of the bank. This exception does not

apply to information that is subject to the general duty of confidentiality. However, we consider that

this exception is available to information that is subject to both such duties, leaving only information

that does not relate to customers (eg information relating to staff) beyond the scope of this exception. 

2.18

It is clearly in the interests of UBSAB to comply with the SEC’s requests. However, the majority of

case law on this exception points to there being a high bar to meet. 

2.19

In

X AG and others v A Bank

[1983] All ER 464 it was held that a bank could not comply with a

subpoena from a New York court without breaching its duty of confidentiality. However, in

considering arguments based on the banker’s own interest, Leggatt J judged that it was not clearly in

the bank’s own interests to comply with the subpoena, as the bank would not, as a matter of fact in

that particular case, face any serious detriment for its failure to comply.

47

 In contrast, Bankes LJ gave

the example in

Tournier

of a bank commencing an action against a customer where the customer’s

overdraft is in arrears, acknowledging that, in that situation, the banker would be able to disclose the

amount of the overdraft in its claim. These cases suggest that the bank’s own interest exception will

be construed narrowly and the court will take a view on whether the bank’s own interests are genuinely

threatened by non-disclosure. In the context of requests by the SEC, it is assumed that failure to comply

could result in enforcement action and potentially even the cessation of UBSAB’s ability to conduct

SBS business in US markets. Accordingly, it is expected that UBSAB may face serious detriment for

a failure to comply with the SEC’s demands, and so this exception may be available to UBSAB.

2.20

However, to rely on this exception, UBSAB must balance its interests in complying with the SEC’s

disclosure request against the competing interest of its customers in the banker’s duty of confidence

being maintained, and UBSAB must satisfy itself that those interests do not outweigh its own. This

would need to be assessed on a case-by-case basis and we think the only clear situation in which a

bank may disclose customer information based on its own interests is to take enforcement action or

participate in litigation where this information is required. Given the narrow and uncertain scope of

this exception, we do not think this exception is likely to provide a consistent basis on which UBSAB

may rely in order to disclose information to the SEC.

Employment law and confidentiality in Australia

2.21

In Australia, there is no legal duty of mutual confidence implied into contracts of employment. While

UK cases such as

Malik v Bank of Credit and Commercial International SA (In Compulsory

Liquidation)

 held there is such a duty (albeit limited to conduct that is calculated to destroy or seriously

damage the relationship of trust and confidence), in 2014 the High Court of Australia reviewed that

decision (among others) and determined that no such duty is exists in Australia. See

Commonwealth

Bank of Australia v Barker

 [2014] HCA 32.

2.22

Employers are, however, required to deal with the personal information of employees in accordance

with the Privacy Act – legislation will not apply if the information is of a certain type and is being

used for a purpose directly related to the employment relationship. This is known as the ‘employee

records exemption’. This exemption is unlikely to apply to employees’ personal information being

provided to a foreign government regulator. Accordingly, it is likely that employees’ consent will be

required. Employers which employ staff in Australia which are also operating in the US will often

obtain that consent by way of an express clause in each employee’s employment contract. 

47

X AG and others v A bank

 [1983] 2 All ER at 475.

0036335-0000808 UKO1: 2005347595.6

14

3.

PRIVACY AND HUMAN RIGHTS

Right to privacy

3.1

Australia does not have a statutory or constitutional framework of human rights, and most civil and

political rights of individuals under Australian law are found within the common law as well as specific

pieces of legislation. The right to privacy in Australia is set out in the Australian privacy framework.

International law 

3.2

Australia is a signatory to, has ratified, and supports a number of international treaties that enshrine

human rights and civil and political rights, including the International Covenant on Civil and Political

Rights (

ICCPR

)

and the Univ

ersal Declaration of Human Rights (

UDHR

), and while these

international treaties do recognise that individuals have a right against unlawful interference with one’s

privacy, it should be noted that:

(a)

the UDHR is not a binding international treaty, and does not have the force of law in Australia;

and

(b)

Australia never formally ratified and adopted the provisions of the ICCPR into the body of

Australian law. 

3.3

In order for the obligations set out in any international treaty to apply in Australia, the Australian

Parliament has to pass legislation that adopts such obligations and give such international obligations

the force of law in Australia, and Australia has not passed any legislation that seeks to give the rights

outlined in international treaties such as the UDHR and the ICCPR the force of law in Australia. 

0036335-0000808 UKO1: 2005347595.6

15

ANNEX 2

ASSUMPTIONS

This opinion relies on the following assumptions:

1.

We are instructed that UBS AG, including UBSAB, has a “prudential regulator” as defined by Section

3 of the US Securities Exchange Act of 1934 (the

Securities Exchange Act

). As such, the Covered

Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must

be able to share with the SEC.

2.

Additionally, we are instructed that in accordance with SEC Guidance at 85 FR 6297, books and

records pertaining to SBS transactions entered into prior to

the date that

UBSAB

submits an

application for registration are not Covered Books and Records. 

3.

UBSAB has obtained any necessary prior consent of the persons (e.g. counterparties, employees)

whose information is or will be included in Covered Books and Records in order to provide the SEC

with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as

considered in this opinion, such consent would constitute valid consent and such consent has not been

withdrawn. Insofar as Covered Books and Records relate to employees of UBSAB, such employees

are “associated persons” of UBS for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing

of their personal/employment information with the SEC in the event of a request for information from

the SEC.

4.

The SEC will restrict its information requests for, and use of, any information pursuant to its access to

Covered Books and Records and On-Site Inspections to only the information that it requires for the

legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating

compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated

firms (which includes regulating, administering, supervising, enforcing and securing compliance with

the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential

illegal behaviour. 

5.

Similarly, UBSAB will ensure that its disclosures are compliant with the data protection principles as

set out in the Australian privacy framework.

48

 We understand that UBSAB’s general experience in

responding to information requests from the SEC (or other US and non-US regulators) leads it to

maintain a belief, which it considers to be reasonable, that UBSAB can and (subject to any changes in

applicable law and regulation and/or the approach of relevant regulators) will continue to be able to

comply with these data protection principles in the course of making disclosures of the sort required

when providing access to Covered Books and Records and submitting to On-Site Inspection.

49

6.

It is the SEC’s practice to limit the type and amount of personal data it requests during examinations

to targeted requests based on risk and related to specific clients and accounts, and employees. The

requested information may include some sensitive information under the Privacy Act (as described in

paragraph 1.3 of Annex 1 to this opinion). We understand that this aligns with UBSAB’s general

experience in responding to information requests from the SEC, leading it to maintain a belief, which

it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes

in applicable law and regulation and/or the approach of relevant regulators).

50

48

These principles are set out in

 at section

49

See the SEC Guidance at 85 FR 6298.

50

See the SEC Guidance at 85 FR 6298.

0036335-0000808 UKO1: 2005347595.6

16

7.

Information, data and documents received by the SEC are maintained in a secure manner and, under

strict US laws of confidentiality, information about individuals cannot be onward-shared save for

certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a

valid and non-exempt US Freedom of Information Act (

FOIA

) request,

51

 pursuant to a lawful request

of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a

need for the information and provide assurances of confidentiality.

8.

UBSAB is an APP entity as defined under the Privacy Act.

9.

UBSAB has a comprehensive privacy policy that sets out that UBSAB’s regulatory obligations are for

a purpose for which an individual’s personal information will be used and/or disclosed.

10.

At each point in time that UBSAB is engaged (i.e. at on-boarding) by its customers who are

individuals, such individuals would have been required to execute comprehensive UBSAB data

protection and privacy documents (including accepting all the terms of the UBS Australian Privacy

Policy): 

(a)

within which such individuals declare that, in accordance with the Australian privacy

framework, they consent to UBS, amongst other things, disclosing their personal information

to a foreign regulator like the SEC (as set out in section 7 of the UBS Australian Privacy

Policy); and

(b)

that also ensure that the requirements of the Australian privacy framework are satisfied by

UBSAB.

51

We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursua

nt to

requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (a) a trade secret or

privileged or confidential commercial or financial information obtained from a person; (b) a personnel, medical, or similar file the release

of which would constitute a clearly unwarranted invasion of personal privacy; (c) information compiled for law enforcement purposes, the

release of which: (i) could reasonably be expected to interfere with law enforcement proceedings; (ii) would deprive a person of a right to a

fair trial or an impartial adjudication; (iii) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (iv) could

reasonably be expected to disclose the identity of a confidential source; (v) would disclose techniques, procedures, or guidelines for

investigations or prosecutions; or (vi) could reasonably be expected to endanger an individual’s life or physical safety; and (d) contained in

or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.

0036335-0000808 UKO1: 2005347595.6