

# Memo

To HSBC Bank plc From Simmons &

Simmons LLP

Copy to Date 01 November 2021

Our ref 044211-00334

**HSBC** 

Subject Legal opinion as to HSBC Bank plc's ability to provide Client

the SEC with prompt access to its covered books and records and submit to onsite inspection and examination by the SEC as part of its SBSD registration ("Opinion")

# 1. Background and Basis of Opinion

- 1.1 HSBC Bank plc ("<u>HBEU</u>"), which is a member of the group of companies owned by HSBC Holdings plc, its subsidiaries and associated companies ("<u>HSBC Group</u>"), is registering as a security-based swap ("<u>SBS</u>") dealer ("<u>SBSD</u>") with the U.S. Securities and Exchange Commission (the "<u>SEC</u>"). HBEU is a company incorporated under the laws of England and Wales and is authorised by the Prudential Regulation Authority of the Bank of England ("<u>PRA</u>") and regulated by the Financial Conduct Authority ("<u>FCA</u>") and PRA, in the United Kingdom (the "<u>UK</u>"). HBEU is a "*non-resident*" SBSD for the purpose of the SEC's SBSD registration rules (i.e. a corporate SBSD that is incorporated in any place outside the United States ("<u>US</u>"))<sup>1</sup>.
- 1.2 To register as a non-resident SBSD, HBEU must: (i) certify on Schedule F of Form SBSE, SBSE-A, or SBSE-BD that it can, as a matter of law, and will provide the SEC with prompt access to its books and records and submit to onsite inspection and examination by the SEC; and (ii) attach an opinion of counsel that it can, as a matter of law, provide the SEC with prompt access to its books and records and can, as a matter of law, submit to onsite inspection and examination by the SEC (altogether, the "SEC Certification and Opinion of Counsel Requirement").<sup>2</sup>
- 1.3 This Opinion has been produced by Simmons & Simmons LLP on the basis of the information provided to Simmons & Simmons LLP by HBEU in relation to the relevant recordkeeping systems that will be maintained by or on behalf of HBEU (the "Relevant Systems") which HBEU has confirmed contain the "books and records" required to be covered by the SEC Certification and Opinion of Counsel Requirement (the "Covered Books and Records").
- 1.4 This Opinion is provided by Simmons & Simmons LLP to HBEU and is legally privileged and confidential. No other person may rely on this advice for any purpose without Simmons & Simmons LLP's prior written consent. However, this advice may be provided by HBEU to the SEC as part of its application for registration by the SEC as a SBSD, on the basis that such disclosure is not intended to operate as a more general waiver of legal privilege and Simmons & Simmons LLP assumes no liability or responsibility to the SEC or any other third party as a result, or otherwise.

PUBLIC L\_LIVE\_EMEA1:51824119v6

<sup>&</sup>lt;sup>1</sup> See 17 C.F.R. § 240.15Fb2-4(a)(2), available at https://ecfr.io/Title-17/Section-240.15Fb2-4.

<sup>&</sup>lt;sup>2</sup> See 17 C.F.R. § 240.15Fb2-4(c)(1), available at https://ecfr.io/Title-17/Section-240.15Fb2-4.

- 1.5 This Opinion addresses matters of the law of England and Wales and, where expressly stated, UK-wide laws and regulations as at the date it is given. We give no opinion as to the law of any other jurisdiction.
- 1.6 The SEC rules require HBEU to re-certify within 90 days after any changes in the legal or regulatory framework that would impact the ability of HBEU to provide, or the manner in which it would provide, prompt access to its books and records, or would impact the ability of the SEC to inspect and examine HBEU. Upon such change of law, HBEU is required to submit a revised Opinion describing how, as a matter of foreign law, HBEU will continue to meet its obligations.

# 2. **Opinion**

#### **Executive Summary**

- 2.1 As a matter of English law, there is no general restriction on HBEU providing access to information maintained in the Covered Books and Records to an overseas regulator such as the SEC. However, as regards certain of the Covered Books and Records, there are restrictions in the following areas which fall to be considered and are addressed in this Opinion:
  - **Data Protection Law** information that is covered by the law relating to data protection;
  - **Duty of Confidentiality** information that relates to customers of HBEU and may be subject to obligations of confidentiality owed by HBEU to those customers;
  - Regulatory Communications information that may be subject to obligations of confidentiality in respect of regulators in the UK.
- 2.2 In our opinion, on the basis of the facts and matters set out below, despite these restrictions HBEU can, as a matter of law, provide the SEC with prompt access to the Covered Books and Records and can, as a matter of law, submit to onsite inspection and examination by the SEC for the reasons set out below.

#### **Data Protection Law**

- 2.3 Since HBEU is established in the UK (e.g., as a company incorporated in England and Wales that carries out business in the UK), all personal data processing which it carries out (regardless of the location of the relevant individuals, i.e. "data subjects") will be subject to the General Data Protection Regulation (EU) 2016/679 as incorporated into UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR") and the UK's Data Protection Act 2018 (the "DPA 2018"), together referred to as "UK Data Protection Law". Since the Covered Books and Records are held and maintained by or on behalf of HBEU for its own purposes such that HBEU is a controller of the Relevant Data, sharing of the Relevant Data with the SEC will be subject to the UK GDPR and, as such, the transfer to or access by the SEC of any personal data will be considered a processing activity, and so require a lawful basis.
- 2.4 Based on our review of the type of information that we understand will be contained in the Covered Books and Records on the Relevant Systems, such information will comprise of the following categories of "personal data" under UK Data Protection Law:

PUBLIC L\_LIVE\_EMEA1:45921626v1

- "Ordinary Personal Data", including contact details, trading activity (including related communications) and basic HR details;
- "Criminal Conviction Data", primarily collected through client screening and employee certifications; and
- "Special Category Personal Data" for US citizens and residents only, namely political opinion data

(collectively, the "Relevant Data"). We also understand the Relevant Data will relate to individuals (i.e. "data subjects") comprising of HSBC workers (e.g., officers, directors, employees, contractors, secondees, interns and agents of the HSBC Group) and connected persons of either such HSBC workers (e.g. family members or other connected persons for AML/sanctions compliance) or of corporate clients, trading counterparties and third-party service providers to the HSBC Group (such as officers, directors, employees, contractors, secondees, interns and agents, or investors, guarantors or other controlling persons, of such corporate entities). In these circumstances, in our view, HBEU can provide the SEC with prompt access to the Covered Books and Records and submit to onsite inspection and examination in compliance with UK Data Protection Laws.

2.5 This is on the basis that, in our opinion, there is both a lawful basis for, and a mechanism to legitimise, the transfer of Relevant Data to the SEC outside of the UK (where applicable) under UK Data Protection Law, as further described below.

#### a) Lawful Bases

- Article 6(1)(f) of the UK GDPR (i.e. that the processing is necessary for the purpose of the legitimate interests pursued by HBEU and / or the SEC as recipient of the data) can be relied upon as a lawful basis for the transfer of the Relevant Data to, or access of it by, the SEC.
- ii. Criminal Conviction Data: HBEU will also be able to rely on Paragraph 12 of Schedule 1 to the DPA 2018 as its lawful basis for the transfer of the Criminal Conviction Data to, or access of it, by the SEC.
- iii. **Special Category Personal Data:** Assuming that the SEC requests any Relevant Data only for the purposes of fulfilling its regulatory powers, for its transfer of the Special Category Personal Data HBEU will also be able to rely on:
  - Article 9(2) of the UK GDPR as the legal basis; together with
  - paragraph 12 of Schedule 1 of the DPA 2018 as the basis for it having a "substantial public interest" based on domestic (i.e. UK) law.

### b) Legitimising the transfer of personal data from within the UK to the United States

As noted by the SEC in its statement on 19 January 2021<sup>3</sup>, the Information Commissioner's Office (ICO) has provided clarity regarding the transfers of personal data from the UK to the SEC. In summary, the ICO's letter (the "ICO Letter") <sup>4</sup> concluded that the UK GDPR does not impose legal barriers to the transfer of personal data directly to the SEC for regulatory or enforcement purposes from UK-based firms or branches that are registered, required to be registered or otherwise regulated by the SEC, including SBSDs. The ICO Letter explains how UK firms with regulatory obligations to the SEC can rely on the "public interest" derogation of the UK GDPR when directly transferring personal data to the SEC set out in Article 49(1)(d) – i.e. that the transfer is necessary for important reasons of public interest.

PUBLIC

L\_LIVE\_EMEA1:45921626v1

<sup>&</sup>lt;sup>3</sup> See the public statement from the Acting Chairman of the SEC, Elad L. Roisman, on the 19 January 2021, here: https://www.sec.gov/news/public-statement/roisman-uk-ico-personal-data-transfers-data-sec

<sup>&</sup>lt;sup>4</sup> See the letter published by the ICO setting out the ICO's analysis on SEC transfer, dated 11 September 2020, here: https://ico.org.uk/media/2619110/sec-letter-20200911.pdf

Since HBEU is a UK domiciled firm and is progressing its application with the SEC with a view to becoming registered with the SEC as a SBSD, it will clearly be in-scope of the ICO Letter.

# **Duty of Confidentiality**

2.6 We understand that the relationship between HBEU and each SBS counterparty will be subject to contractual terms that establish a general duty of confidentiality but then provide a limited number of exceptions/waiver of confidentiality to allow HBEU to disclose any relevant information for the purpose of meeting its compliance obligations in any applicable jurisdiction, including to the SEC in the US ("Confidentiality Provisions"). As a result, despite its general duty of confidentiality, HBEU will be able to provide all relevant information contained in the Covered Books and Records to the SEC as required under the applicable U.S. laws in compliance with these Confidentiality Provisions.

#### Regulatory communications

- 2.7 We understand it is unlikely the Covered Books and Records would include any communications between HBEU and its UK regulators.
- 2.8 Nevertheless, to the extent any Covered Books and Records could include communications with, or documents prepared for, HBEU's UK regulators, such as the FCA or PRA, the consent to such disclosure of the relevant UK authority should ordinarily be obtained. However, given that the FCA and the PRA have entered into a Memorandum of Understanding with the SEC which expressly refers to the provision of information and onsite visits in the context of being registered as a SBSD<sup>5</sup>, we would expect that this consent would readily be given.

\_

<sup>&</sup>lt;sup>5</sup> See FCA, PRA and SEC, *Memorandum of Understanding Concerning Consultation, Cooperation and the Exchange of Information Related to the Supervision and Oversight of Certain Cross-Border Over-the-Counter Derivatives Entities In Connection with the Use of Substituted Compliance by Such Entities* (30 July 2021), available at: https://www.sec.gov/page/exchange-act-substituted-compliance-and-listed-jurisdiction-applications-security-based-swap.