Friday, 5 October 2012

Bahamas - Private Trust Companies and Family Office

Families need dynamic and professional advisors to help them manage their wealth. PTC and the Family Office structures can be used as vehicles to help families achieve their goals, while dealing with complex tax, legal and regulatory issues.

Published:
Date:
Updated: 		Investor Resources
October 15, 2010
January 25, 2012

Source: Bahamas Financial Services Board © 2010

Snapshot: The Private Trust Company (PTC) was established to provide trusteeship to a defined class of trusts. In The Bahamas, this class of trust is defined by reference to the designated person(s). The designated person(s) is identified at the establishment of the PTC and with whom all other settlors of trusts, for whom the PTC acts as trustee, must be related. With this requirement, the PTC can act as trustee for an unlimited number of trusts and can benefit anyone (subject to due diligence requirements) from the assets of the trusts. PTCs in The Bahamas were enhanced by legislation in the form of the Banks and Trust Companies Regulation (Amendment) Act, 2006, followed by the Banks and Trust Companies (Private Trust Companies) Regulations, 2007.
Features:

Incorporation:

• can be incorporated under Companies Act, 1992, or International Business Companies Act, 2000
• minimum share capital $5,000

Designated person:
• individual named in designating instrument
• if more than one designated person named, then each designated person must be a blood relative or related by some other family relationship to the other designated person(s)
• can be deceased and trust established by testamentary disposition

Designating instrument:
• names designated person(s)
• kept at office of registered representative

Form of acknowledgement:
• settlor acknowledges awareness that PTCs do not require:
• directors to possess expertise in trust administration
• a fidelity bond
• capital exceeding $5,000
• an annual audit

Special director:
• except where an officer of a licensee serves as registered representative, there must be at least one special director
• special director must possess at least five years experience in discipline relevant to trust administration (law, finance, commerce, investment management, or accountancy) and be of good repute
• need not be resident in The Bahamas

Registered representative:
• must be separate legal entity
• shall be either a licensee of The Central Bank of The Bahamas (the Central Bank) or a Financial and Corporate 

Services Provider approved by the Central Bank
• must be resident in The Bahamas
• provides the services of a secretary, director, or Bahamas agent
• ensures PTC is established for lawful purpose and that it operates as a PTC
• must have minimum share capital of $50,000
• must retain copies of certain documents in relation to the PTC
• required to verify and maintain in The Bahamas records of such verification relating to the identities of:
• settlor and any person providing funds or assets subject to trust(s) administered by the PTC
• designated person(s)
• protector of trust(s) of which the PTC is trustee
• any person with a vested interest under trust(s) of which the PTC is trustee
• shall report suspicious transactions to Financial Intelligence Unit

Penalties:
• if a PTC fails to comply with directions from the governor of the Central Bank or engages in illegal conduct, then the PTC or its registered representative is subject to sanctions including a fine of no more that $5,000; a Supreme Court Order compelling compliance; amending or varying conditions of the license; requiring substitution of any director or officer; appointing a person to advise a receiver to assume control of the PTC or registered representative’s affairs; or such other action as the governor deems necessary.
• governor of the Central Bank has discretion to petition court to transfer trusteeship to a new trustee

Sidebar:
 
Family office evolves, with The Bahamas at the forefront
Families need dynamic partnerships and advisors who will help them manage their wealth. The family office helps families achieve their goals while dealing with increased regulations, and complex issues of taxation, distribution planning and charitable giving. An important tool used by the family office is the trust. Assets will often be transferred to trusts (with underlying corporations to facilitate separation of various assets) as a means of facilitating the smooth transition from one generation to the next. Other essential services of the family office include: evaluating life insurance needs; active coordination of legal/tax/accounting matters of business interests; financial reporting and audits; coordinating the purchase of non-financial assets; and corporate governance reporting. The Bahamas is an ideal location for the establishment of family offices, scoring high marks on all the following requisites:
• Infrastructure (airports, communications, high-end services);
• Nature of assets and issues of control, such as where main tangible assets are held, whether business interests are involved and whether they are mobile or fixed;
• Tax neutrality and tax treaties;
• Regulatory and compliance obligations;
• Exchange of information and access to information, and confidentiality; and
• Financial environment.
Posted by at No comments:

BAHAMAS | DATA PROTECTION AND PRIVACY OF PERSONAL INFORMATION



Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business. The Data Protection Act 2003 introduced basic rules of registration for users of data and rights of access to that data for the individuals to which it related. These rules and rights were revised and superseded by the Data Protection Act 2003 which came into force on 2nd April 2007. This Guide explains what you should know about data protection under the Data Protection Act 2003 ('the Act').

When does data protection law apply?
Data protection law applies whenever a data controller processes personal data. These words are given special meanings by the Act.

Data controllers
A data controller is the person who determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. In other words, you will be a data controller if the processing of personal data is undertaken for your benefit and you decide what personal data should be processed and why. A typical example of a data controller is an employer. 

Personal data
Personal data means data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. For example, most organisations will process personal data relating to employees, customers, suppliers and business contacts. These individuals are referred to in the Act as 'data subjects'.

Processing
The Act applies when personal data is processed or is to be processed and “processing” under the Act means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

(a)     organisation, adaptation or alteration of the information or data;
(b)     retrieval, consultation or use of the information or data;
(c)     transmission of data;
(d)    dissemination or otherwise making available; or
(e)     alignment, combination, blocking, erasure or destruction of the information or data;

The term 'processing' therefore covers virtually any use which can be made of personal data, from collecting the data, storing it and using it to destroying it.

What are the obligations?

The data protection principles
In order to comply with the Act, a data controller must comply with the following principles:
  1. The data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the Act.
  2. Data or the information constituting the data should be collected by means which are both lawful and fair in the circumstances of the case.
  3. Data should be adequate, relevant and not excessive.
  4. Data should be accurate and, where necessary, kept up to date.
  5. Data should not be kept longer than is necessary for the purposes for which it is processed except in the case of personal data kept for historical, statistical or research purposes.
  6. Data should not be used or disclosed in any manner incompatible with that purpose or those purposes
  7. Data should be processed in accordance with the rights of the data subject under the Act.
  8. Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
  9. Data should not be transferred to a country or territory outside the Commonwealth of The Bahamas  unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Other requirements for data controllers
Under the first data protection principle, a data controller must justify its processing of personal data under one of the following conditions:
  • the data subject has given his consent to the processing;
  • the processing is necessary for the performance of a contract or the entering into of a contract to which the data subject is a party;
  • the processing is necessary for compliance with any legal obligation to which the data controller is subject;
  • the processing is necessary in order to protect the vital interests of the data subject;
  • the processing is necessary for the administration of justice;
  • the processing is necessary for the purposes of legitimate interests pursued by the data controller provided such processing does not harm the rights and freedoms or legitimate interests of data subjects; or
  • the particular circumstances fall under one of the exceptions in the Act.
The data controller must also register with the Data Protection Commissioner ('the Commissioner').

Sensitive personal data
Where the data controller intends to process sensitive personal data, there are further conditions. Sensitive personal data consists of information relating to the racial or ethnic origin of a data subject, his political opinions, religious beliefs, trade union membership, sexual life, physical or mental health or condition, or criminal offences or record. Of these further conditions, the most useful to most businesses will be:
  • where the data subject has given his explicit consent;
  • where the processing is required for the purposes of complying with employment law;
  • where it is necessary to establish, exercise or defend legal rights.
If none of the conditions can be met, processing cannot legally continue.

Purposes of processing
Data subjects must be given information about the purposes of the processing. This information is generally provided in the form of a data protection notice, which can be given in application forms, terms and conditions, by telephone or on a website. The information to be set out in a data protection notice must include a description of:
  • details of the data controller;
  • the purposes for the processing, including any non-obvious purposes (e.g. cross-mailing, host mailing);
  • details of any recipients of the personal data (e.g. other companies within the group) and their purposes;
  • an opt-out / opt-in to marketing, as appropriate;
  • a description of the methods to be used for contacting individuals for marketing purposes (e.g. telephone, fax, SMS, email and/or mail); and
  • any other information that is necessary to make the processing fair (e.g. whether it is obligatory to provide all the information requested or whether provision of some of that information is optional).
By using an appropriately worded data protection notice, an online business can ensure that there is consent from visitors to its web site to allow the business to build a valuable contacts database and market its services to the visitors.

Security requirements
Data controllers must put in place adequate technical and organisational measures to safeguard personal data which they are processing from destruction, adequate loss, unauthorised access or disclosure. This would include, for example, using a secure server when payments are made online.

Furthermore, all data controllers must put in place processing contracts with their 'data processors'. A data processor is a third party appointed by the data controller to process personal data on its behalf, although it will still be the data controller who ultimately decides what happens to the data. These processing contracts must be in writing and must set out what the data processor may or may not do with the personal data, including what security measures should be taken to safeguard the data. Data controllers should reserve for themselves the right to audit data processors to ensure compliance with the contract.

To give a practical example, if a website collects e-mail addresses, this could constitute personal data – so the data controller not only has to register with the Commissioner but ensure that security be put in place to guard against hacking. If the website is actually hosted by a third party on behalf of the data controller, then the data controller will have to contractually oblige that third party to put the relevant security in place.  Of course, the data controller will also have to comply with other principles.

Transfer of data overseas
If personal data is disclosed or made available to a person overseas, that is considered a transfer for the purposes of the eighth data protection principle above. In the context of the internet, if the information is placed on a website without specific consent from the individual, this may be in breach of the Act since the data can be accessed in countries with less stringent data protection laws.

Rights of individuals
Data controllers must give the following rights to data subjects:
  • the right of access to his or her personal data;
  • the right to object to certain processing causing substantial damage or distress;
  • the right to object to automated decision taking; and
  • the right to object to direct marketing.
The most important of these rights is the right to access personal data. An individual may request access to all personal data of which he or she is the subject and which is being processed by the data controller. The Minister Responsible for Data Protection may prescribe a fee for data controllers to charge data subjects, for making the request in writing and for the data controller complying with the request. There are exemptions from these access rules in certain limited circumstances.

Another right which will be of importance to any organisation which markets to individuals, is the right given to data subjects to object to direct marketing. There are no exemptions to this right.

What are the consequences of non-compliance?
Compliance with the Act should not be taken lightly, as the Commissioner has been given extensive powers of enforcement. Data controllers could, for example, find these powers used against them by disgruntled employees or customers, who contact the Commissioner to complain that there has been a breach of the rules.

The Commissioner can now serve a data controller with an 'information notice' requiring the data controller to provide certain information within set time limits. Failure to comply with such notice, or providing deliberately false information, is a criminal offence. If the Commissioner concludes that there has been a breach of the Act, he may then serve a data controller with an 'enforcement notice'. This could force a data controller to cease processing personal data, or cease processing data in a particular way. Failure to comply with an enforcement notice is a criminal offence.

Criminal liability does not lie just with the data controller. It is possible for officers of a company, such as its directors, officers or managers, to be personally criminally liable if the offence has been committed with their consent, connivance or neglect. Employees may also incur criminal liability in certain limited circumstances if they disclose or obtain personal data without authority of the data controller.

Although the commission of a criminal offence under the Act will not result in a prison sentence, it will result in fines which, depending on the circumstances, may be up to $100,000.  It is also increasingly the case that industry regulators are looking at matters of data security which are similar to those addressed by the Act.
However, the fines are unlikely to be the reason why most data controllers will want to comply. Few data controllers will be able to continue with business as usual if they are prevented from processing personal data as a result of an enforcement notice and no data controller will want the bad publicity which is attached to the unfair processing of personal data. 

Conclusion
The increasing use of information technology and the internet ensures that data protection has become one of the most important and relevant laws that online businesses are required to comply with.  The internet is all about the transfer of information.  Not only is the internet used to disseminate information, but also to collect it.  Organisations must look now at how they collect, store and use personal data and ask themselves whether they comply with the Act. This may involve amending employment and marketing practices in addition to internal training.

This post is for your information only and is not intended to constitute a legal opinion.  If you require detailed legal advice you should contact a Bahamian e-commerce attorney.  You can contact a Bahamian e-commerce attorney by clicking here.

W. A. Brenford Christie is the managing partner of the Bahamas-based business law firm Lord Ellor & Co.  He is a qualified commercial lawyer admitted to the Bahamas Bar and the Bar of England & Wales.   He also offers consultant services with respect to E-commerce regulatory compliance and data protection.

Email: brenford@lordellor.com

Posted by at No comments:

BAHAMAS | Ten rules for data protection compliance





1. Consent

Wherever possible obtain consent before acquiring, holding or using personal data. Any forms, whether paper or web-based, which are designed to gather personal data should contain a statement explaining what the information is to be used for and who it may be disclosed to.

2. Sensitive data

Be particularly careful with sensitive personal data (i.e. information relating to race, political opinion, physical or mental health, religious belief, trade union membership, sexuality, criminal offences etc).  Such information should only be held and used where strictly necessary.  Always obtain the consent of the individual concerned and notify them of their likely use(s) of such data.

3. Individual rights

Wherever possible, be open with individuals concerning the information being held about them. When preparing reports or appending notes to official documents, bear in mind that individuals have the right to see all personal data and could therefore read any 'informal' comments made about them.  Also be aware that this includes e-mails containing personal data and so the same caution should be used when sending e-mails.

4. Review files

Only create and retain personal data where absolutely necessary. Securely dispose of or delete any personal data which is out of date, irrelevant or no longer required.  Hold regular reviews of files and discard unnecessary or obsolete data systematically.

5. Disposal of records

When discarding paper records that contain personal data treat them confidentially (i.e. shred such files rather than disposing of them as waste paper). Similarly any unnecessary or out-of-date electronic records should be deleted.  Computers should not be given away or sold unless you have ensured that all information stored on it has been removed or deleted.

6. Accuracy

Keep all personal data up to date and accurate. Note any changes of address and other amendments.  If there is any doubt about the accuracy of personal data then it should not be used.

7. Security

Keep all personal data as secure as possible (e.g. in lockable filing cabinets or in rooms that can be locked when unoccupied).  Do not leave records containing personal data unattended in offices or areas accessible to the members of the public. Ensure that personal data is not displayed on computers screens visible to passers-by.  Be aware that these security considerations also apply to records taken away from the University e.g. for work at home or for an external meeting.  Also bear in mind that e-mail is not necessarily confidential or secure so should not be used for potentially sensitive communications.

8. Disclosing data

Never reveal personal data to third parties without the consent of the individual concerned or without reasonable justification.  This includes parents, guardians, relatives and friends of the data subject who have no right to access information without the data subject's consent.  Personal data can only be legitimately disclosed to third parties for purposes connected with the purpose for which the information is kept or to meet statutory requirements but only where you are satisfied to the enquirers' identity and the legitimacy of the request.

Requests for personal information are received from time to time from organisations such as the police or the Valuation Department of the Ministry of Finance for real property tax purposes. You should endeavour to co-operate with these organizations, but steps should first be taken to ensure that requests are genuine and legitimate.

9. Worldwide transfer

Always obtain consent from the individual’s concerned before placing information about them on the Internet and before sending any personal data outside of your jurisdiction.

10. Third party processors

Be aware that if you are using a third party data processor e.g. for bulk mailings or database management and are giving them access to personal data, then you must have a written contract in place with them to ensure that they treat such information confidentially, securely and in compliance with the Data Protection Act 2003.

This post is for your information only and nothing contained in this post is intended to constitute a legal opinion.  If you require any detailed advice you should contact a Bahamian e-commerce attorney.  You can contact a Bahamian attorney specializingin Bahamian e-commerce law by clicking here.

Posted by at No comments:
Subscribe to: Posts (Atom)