Privacy Policy

Sterling Custody Bank Limited ("Sterling Custody," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our institutional custody services, digital platform, and related financial services.

1. Information We Collect

1.1 Personal Information

We collect personal information necessary to provide our institutional custody services, including:

• Identity Information: Full legal name, date of birth, nationality, passport or government-issued ID details
• Contact Information: Business and residential addresses, email addresses, telephone numbers
• Financial Information: Bank account details, investment portfolio information, transaction history, assets under custody
• Professional Information: Employment details, business registration information, authorized signatories, beneficial ownership structures
• Verification Documents: Proof of identity, proof of address, corporate formation documents, regulatory licenses

1.2 Technical Information

When you access our digital platform, we automatically collect:

• IP addresses and device identifiers
• Browser type and operating system
• Access times and referring website addresses
• Platform usage patterns and navigation paths
• Login credentials and authentication data

1.3 Transaction Information

We collect detailed information about all custody and settlement transactions, including:

• Securities holdings and movements
• Cash transactions and currency exchanges
• Corporate actions and dividend payments
• Settlement instructions and confirmations
• Regulatory reporting data

2. How We Use Your Information

2.1 Service Provision

We use your information to:

• Provide custody, settlement, and fund administration services
• Process transactions and manage your custody accounts
• Execute corporate actions and distribute income payments
• Provide access to our digital platform and mobile applications
• Deliver client reporting and portfolio analytics
• Respond to your inquiries and provide customer support

2.2 Legal and Regulatory Compliance

We process your information to comply with legal obligations, including:

• Know Your Customer (KYC) and Customer Due Diligence (CDD) requirements
• Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) regulations
• Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) requirements
• Tax reporting obligations (FATCA, CRS, DAC6)
• AIFMD, UCITS, and MiFID II regulatory reporting
• Court orders, legal processes, and regulatory investigations

2.3 Risk Management and Security

We use your information to:

• Verify your identity and prevent fraud
• Monitor and detect suspicious activities
• Conduct sanctions screening and politically exposed persons (PEP) checks
• Maintain the security and integrity of our systems
• Manage operational, credit, and market risks

3. Legal Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we process your personal information based on the following legal grounds:

• Contractual Necessity: Processing required to perform our custody services agreement with you
• Legal Obligation: Compliance with AML, KYC, regulatory reporting, and other legal requirements
• Legitimate Interests: Risk management, fraud prevention, system security, and business operations
• Consent: Where explicitly provided for specific processing activities

4. Information Sharing and Disclosure

4.1 Service Providers and Third Parties

We may share your information with:

• Sub-custodians: Our network of global sub-custodians for securities safekeeping
• Central Securities Depositories: Euroclear, Clearstream, CREST, and other CSDs
• Payment Systems: SWIFT, CHAPS, and other payment networks
• Technology Providers: Platform infrastructure, cloud services, and data analytics
• Professional Advisors: Legal counsel, auditors, and consultants
• Identity Verification Services: KYC and AML screening providers

4.2 Regulatory Authorities

We disclose information to regulatory bodies as required, including:

• Financial Conduct Authority (FCA)
• Prudential Regulation Authority (PRA)
• HM Revenue & Customs (HMRC)
• European Securities and Markets Authority (ESMA)
• Other relevant financial regulators in jurisdictions where we operate

4.3 Corporate Transactions

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to equivalent privacy protections.

5. International Data Transfers

As a global custody bank, we may transfer your personal information outside the United Kingdom to:

• Sub-custodians in jurisdictions where your securities are held
• International payment and settlement systems
• Cloud infrastructure providers in secure data centers
• Regulatory authorities in relevant jurisdictions

We ensure all international transfers comply with UK GDPR requirements through:

• European Commission adequacy decisions
• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules
• Other approved transfer mechanisms

6. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this policy and comply with legal obligations:

• Active Client Relationships: Throughout the duration of our service agreement
• Transaction Records: Minimum 7 years after transaction date (regulatory requirement)
• KYC/AML Records: Minimum 5 years after relationship termination
• Regulatory Filings: As required by applicable regulations (typically 7-10 years)
• Legal Claims: Until expiration of applicable limitation periods

After the retention period expires, we securely delete or anonymize your information in accordance with our data destruction policies.

7. Your Rights

Under UK GDPR, you have the following rights regarding your personal information:

• Right of Access: Request a copy of the personal information we hold about you
• Right to Rectification: Correct inaccurate or incomplete information
• Right to Erasure: Request deletion of your information (subject to legal retention requirements)
• Right to Restriction: Limit how we use your information in certain circumstances
• Right to Data Portability: Receive your information in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Where processing is based on consent
• Right to Lodge a Complaint: File a complaint with the Information Commissioner's Office (ICO)

Important Note: Some rights may be limited where we have overriding legal obligations to retain or process your information (e.g., AML, regulatory reporting requirements).

8. Security Measures

We implement comprehensive security measures to protect your information:

8.1 Technical Security

• AES-256 encryption for data at rest and TLS 1.3 for data in transit
• Multi-factor authentication and hardware token support
• Regular security audits and penetration testing
• 24/7 Security Operations Center (SOC) monitoring
• Intrusion detection and prevention systems

8.2 Organizational Security

• Role-based access controls and least privilege principles
• Background checks for all employees with data access
• Annual security awareness training
• ISO 27001 certification and SOC 2 Type II compliance
• Incident response and business continuity plans

8.3 Physical Security

• Secure data centers with controlled access
• 24/7 surveillance and security personnel
• Environmental controls and redundant power systems

9. Cookies and Tracking Technologies

Our digital platform uses cookies and similar technologies to:

• Maintain your login session
• Remember your preferences and settings
• Analyze platform usage and performance
• Enhance security and prevent fraud

You can control cookie preferences through your browser settings. However, disabling certain cookies may limit platform functionality.

10. Children's Privacy

Our services are designed exclusively for institutional and professional clients. We do not knowingly collect information from individuals under 18 years of age. Our platform is not intended for use by minors.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. Material changes will be communicated through:

• Email notification to registered contacts
• Prominent notice on our digital platform
• Updated "Last Modified" date at the top of this policy

Continued use of our services after notification constitutes acceptance of the updated policy.

12. Contact Information