Transparency statement on information gathering

How we collect information

Our legislation empowers us to request or require information we need to perform or exercise our powers, functions and duties.

Information may be gathered on a voluntary or a mandatory basis. We collect information from a variety of sources, both physical and digital. These sources include:

• individuals (e.g. in-person interviews, phone calls and emails);
• other agencies or entities (e.g. financial market participants such as issuers and financial adviser organisations, financial product providers, banks, auditors, statutory supervisors, NZ government agencies, overseas regulators);
• online sources (e.g. websites, social media and public registers); and
• physical sources and locations (e.g. paper records and site visits).

Much of the information we collect is provided directly by individuals or entities, or an authorised representative, as a requirement to fulfil statutory obligations and according to our powers as a regulator (e.g. financial reporting, or making an application for a licence under the FMC Act).

Where we require information that is relevant to us for considering and investigating compliance breaches and complaints, and initiating our own investigations or inquiries, we may gather information from individuals or entities using our statutory powers (e.g. issuing a notice for information or documents under the FMA Act).

As part of the use of our statutory powers and to gather and preserve information and evidence, we may:

• require an original copy of a document to be provided to us;
• record a compulsory or voluntary interview conducted in person or by telephone;
• take screenshots of public websites and registers;
• request written information in response to questions;
• clone electronic devices when conducting search warrants; or
• take photographs and/or notes during site visits.

We may request the assistance of another agency in relation to the exercising of our statutory powers (e.g. the New Zealand Police).

We may also receive or request information about an individual or entity from other individuals, entities, agencies or regulators. Any such information will be gathered in accordance with our statutory powers or other lawful authority and in compliance with the relevant legislation and any information-sharing agreements, memoranda of understanding or similar.

We may also collect publicly available information (e.g. websites, social media, registers and news reporting). We do this to assist us in carrying out any of our powers, functions or duties. When building our knowledge of an entity or individual using publicly available information, we take it in context of other information we hold about the entity or individual.

On occasion, where information gathering requires specialist capability that we don’t have within our organisation, we may engage a third party to collect information for us (e.g. having a computer forensics expert clone and analyse computer devices).

Information gathering by third parties (including about individuals) is subject to standard legal limits relating to privacy, access to private property, and the privacy/security of communications by individuals, among other things.

We take care to ensure third parties gather information lawfully and appropriately, and meet our obligations under the Privacy Act 2020, Search and Surveillance Act 2012, Bill of Rights Act 1990, FMA Code of Conduct, and the SSC Code of Conduct.

How we use it

In order to carry out our functions, we may use the information we hold as evidence, and for analysis, risk assessment, audit and/or monitoring purposes.

Where we identify the need to use the information further, for example, to consider or investigate compliance breaches or complaints, or initiate our own investigations or inquiries, we will only do so if required or permitted by law, or with your consent.

We may use information we gather to inform our wider compliance and regulatory strategies. In doing so we will comply with our obligations under the Privacy Act 2020.

How we protect it

Information is stored, accessed and retained in accordance with our Privacy Policies, Information Disclosure Policy, Knowledge Management Policy, ICT Acceptable Use Policy, and the SCC Code of Conduct, the FMA Act, the Privacy Act 2020 and the Public Records Act 2005.

In 2018 , the Financial Markets Authority entered into a contract with Microsoft to store our business applications and data on cloud based external servers. We are satisfied that Microsoft’s Azure and Office 365 services will meet our needs while protecting individual privacy and the confidentiality of our information generally.  Our assessment of the security of personal information held in this way is consistent with the Privacy Commissioner’s evaluation in undertaking its own transfer of applications and data to Microsoft servers.

We will store the FMA’s data in Microsoft’s data centres in Australia. The Privacy Commissioner has confirmed that he is satisfied that the privacy laws in Australia provide an equivalent level of protection to New Zealand law.

Microsoft’s terms of service, along with local and overseas privacy regulations, will make sure that we have control over the data while we store it in Microsoft’s data centres. Microsoft also undergoes regular independent audits of its compliance with international standards.

Our move to an externally hosted environment is consistent with Government direction to Government agencies to accelerate the adoption of cloud services in preference to traditional IT systems, to become more cost-effective, agile and secure.

We undertake periodic reviews to ensure we comply with our information-gathering obligations as part of our internal assurance activities. 

When we share it

We may share information where necessary in order to properly carry out our functions or to assist another agency or overseas regulator in fulfilling its functions. This may include when we are considering and investigating compliance breaches or complaints, or initiating our own investigations or inquiries.

Information is only shared in accordance with our statutory powers, with appropriate caveats and/or controls, and in compliance with the relevant legislation and any information sharing-agreements with other agencies or overseas regulators.

The FMA is subject to the Official Information Act 1982. This means that information will be made available to a requestor unless there is a good reason to withhold it. There are a number of reasons information may be withheld, including personal privacy and protecting information that has been received in confidence. Section 59 of the FMA Act also requires us to maintain confidentiality of information and documents received, other than in specified circumstances.

If you have any questions about our information-gathering activities, please contact us.

If you believe we have not acted lawfully or in accordance with this statement, please contact us. Alternatively, you may wish to complain to the Privacy Commissioner or Ombudsman if applicable.