Transparency statement

How we collect information

Direct collection

Much of the information we collect is provided directly by individuals or entities (or an authorised representative). We may collect this information on a voluntary basis, or because it is required to meet statutory obligations or in response to the exercise of our powers as a regulator (for example, financial reporting or applying for a licence under the Financial Markets Conduct Act 2013).

Our legislation empowers us to request or require information we need to perform or exercise our powers, functions and duties. Where we require information that is relevant to considering and investigating compliance breaches and complaints, or initiating our own investigations or inquiries, we may gather information using our statutory powers (for example, issuing a notice for information or documents under the Financial Markets Authority Act 2011).

We collect information from a variety of sources, both physical and digital. Where appropriate, we collect information directly from people and organisations we deal with (or their authorised representatives).

Direct sources can include:

• information you provide to us in emails, letters, phone calls or meetings;
• applications, regulatory returns and other information submitted to us (for example, in connection with licensing or ongoing compliance obligations);
• responses to requests for information, including responses to statutory notices where we use our powers to require information or documents; and
• information provided through our website contact or subscription pages and customer satisfaction surveys (where applicable).

Indirect collection

Sometimes we collect personal information about you from another person or organisation (for example, from a financial market participant, another agency, an overseas regulator, a complainant, or from publicly available sources such as websites or registers). When we collect personal information about you in that way, we will take reasonable steps to let you know, as soon as reasonably practicable, unless an exception in the Privacy Act 2020 or any other law applies (for example, where telling you would be likely to prejudice the purpose of collection or is not reasonably practicable).

Key things to know

• Who is collecting and holding your information: the Financial Markets Authority (FMA), PO Box 106 672, Auckland 1143, New Zealand.
• That we have collected it and what we collect: the type of information depends on the situation and can include identifying and contact details and information relevant to our regulatory work (for example, a report, complaint, inquiry or investigation). 
• Why we collect it: to carry out our role as New Zealand’s financial markets regulator. Further information about the FMA and our role is available here.
• Our authority to collect it: we collect information under the Financial Markets Authority Act 2011 and other relevant laws (including other financial markets legislation). Sometimes information is provided voluntarily; while some information must be provided by law.
• Who we may share it with: where necessary and permitted by law, we may share information to carry out our statutory functions. We may share information with other agencies (including overseas regulators), law enforcement, and service providers who support our work, with appropriate safeguards.
• Your rights: you can ask for access to personal information we hold about you and ask for it to be corrected. To do that, contact us at [email protected], 0800 803 804, or Financial Markets Authority, PO Box 106 672, Auckland 1143, New Zealand. 

Indirect sources can include:

• other people (for example, complainants, whistleblowers, tipsters, witnesses, or 
  authorised representatives);
• other agencies or entities (e.g. financial market participants such as issuers and financial adviser organisations, financial product providers, banks, auditors, statutory supervisors, NZ government agencies, overseas regulators); 
• online sources (e.g. websites, social media and public registers); and
• physical sources and locations (e.g. paper records and site visits).

As part of the use of our statutory powers and to gather and preserve information and evidence, we may: 

• require an original copy of a document to be provided to us;
• record a compulsory or voluntary interview conducted in person or by telephone;
• take screenshots of public websites and registers; 
• request written information in response to questions; 
• clone electronic devices when conducting search warrants; or 
• take photographs and/or notes during site visits. 

We may request the assistance of another agency in relation to the exercising of our statutory powers (e.g. the New Zealand Police). 

On occasion, where information gathering requires specialist capability that we don’t have within our organisation, we may engage a third party to collect information for us (e.g. having a computer forensics expert clone and analyse computer devices).

Information gathering by third parties (including about individuals) is subject to standard legal limits relating to privacy, access to private property, and the privacy/security of communications by individuals, among other things.

We take care to ensure third parties gather information lawfully and appropriately, and meet our obligations under the Privacy Act 2020, Search and Surveillance Act 2012, Bill of Rights Act 1990, FMA Code of Conduct, and the SSC Code of Conduct.

How we use it

In order to carry out our functions, we may use the information we hold as evidence, and for analysis, risk assessment, audit and/or monitoring purposes.

Where we identify the need to use the information further, for example, to consider or investigate compliance breaches or complaints, or initiate our own investigations or inquiries, we will only do so if required or permitted by law, or with your consent.

We may use information we gather to inform our wider compliance and regulatory strategies. In doing so we will comply with our obligations under the Privacy Act 2020.

How we protect it

Information is stored, accessed and retained in accordance with our Privacy Policy, Information Disclosure Policy, Knowledge Management Policy, ICT Acceptable Use Policy, and the SCC Code of Conduct, the FMA Act, the Privacy Act 2020 and the Public Records Act 2005. 

The FMA has a contract with Microsoft to store our business applications and data on cloud based external servers. We are satisfied that Microsoft’s Azure and Office 365 services meet our needs while protecting individual privacy and the confidentiality of our information generally.  Our assessment of the security of personal information held in this way is consistent with the Privacy Commissioner’s evaluation in undertaking its own transfer of applications and data to Microsoft servers.

We store the FMA’s data in Microsoft’s data centres in Australia. The Privacy Commissioner has confirmed that he is satisfied that the privacy laws in Australia provide an equivalent level of protection to New Zealand law.

Microsoft’s terms of service, along with local and overseas privacy regulations, make sure that we have control over the data while we store it in Microsoft’s data centres. Microsoft also undergoes regular independent audits of its compliance with international standards

Our move to an externally hosted environment is consistent with Government direction to Government agencies to accelerate the adoption of cloud services in preference to traditional IT systems, to become more cost-effective, agile and secure. 

We undertake periodic reviews to ensure we comply with our information-gathering obligations as part of our internal assurance activities.

When we share it

We may share information where necessary in order to properly carry out our functions or to assist another agency or overseas regulator in fulfilling its functions. This may include when we are considering and investigating compliance breaches or complaints or initiating our own investigations or inquiries. 

Information is only shared in accordance with our statutory powers, with appropriate caveats and/or controls, and in compliance with the relevant legislation and any information sharing agreements with other agencies or overseas regulators. 

The FMA is subject to the Official Information Act 1982. This means that information will be made available to a requestor unless there is a good reason to withhold it. There are a number of reasons information may be withheld, including personal privacy and protecting information that has been received in confidence. Section 59 of the FMA Act also requires us to maintain confidentiality of information and documents received, other than in specified circumstances.

If you have any questions about our information-gathering activities, please contact us at [email protected], 0800 803 804, or Financial Markets Authority, PO Box 106 672, Auckland 1143, New Zealand.

If you believe we have not acted lawfully or in accordance with this statement, please contact 
us. Alternatively, you may wish to complain to the Privacy Commissioner or Ombudsman if applicable.