The GDPR aims to give control to citizens and residents over their personal data and simplifies the regulatory environment for international business by unifying the regulation within EU. It also addresses the export of personal data outside the EU and the EEA.
“If investment managers under local laws are barred from sharing personal information, how will they share it with Indian authorities?” said a person who has a business relationship with FPIs. “Investors may agree to divulge information only if it is directly shared with the regulator, and not if it is passed through local custodians or other agencies.”
Sebi’s current guidelines mandate that if no beneficial owner can be identified based on controlling ownership, a senior managing official (SMO) needs to be identified as a BO. SMOs are designated as BOs merely by virtue of their position as they do not have any ownership in FPIs, said experts.
“SMOs are concerned about having to share personal data, including tax residency number and social security number,” said Mark Austen, CEO, Asia Securities Industry & Financial Markets Association (Asifma), an FPI lobby group that has raised privacy concerns as part of its submission to the HR Khan committee.
“Sebi should differentiate between the data that needs to be collected from BOs that are owners, and from BOs that are SMOs. In the case of SMOs, minimum information like name, business address and nationality should be sufficient as SMOs are merely acting in their professional capacity.” Industry observers reckon that Sebi should not ask for BO details from all and sundry and instead take an undertaking that data will be provided when demanded.
Currently, FPIs are subject to a KYC review as and when there is any change in material information or disclosure. Going forward, a comprehensive KYC review of FPIs will be done periodically.
For instance, for high risk clients, the KYC check will be done yearly; for others it would be once every three years. Sebi is also reportedly mulling greater scrutiny for high-risk jurisdictions that could include six-monthly KYC and monthly or three-monthly reporting beneficial ownership.
At present, high-risk clients have to comply with the KYC requirement applicable to category-III foreign portfolio investors. This includes providing information such as an audited annual financial statement or a certificate from auditor certifying net worth.
Mauritius, Cyprus, Cayman Islands, UAE and China were among 25 high-risk jurisdictions identified by global banks that act as custodians for offshore funds. However, this list may be under review as there is disagreement on the names that need to be included.