| 1. |
VASPs shall take all reasonable steps to protect the ongoing confidentiality of all information related to their clients and all related properties and records. Such steps shall include implementing and enforcing appropriate policies, procedures and mechanisms to protect the confidential nature of any information shared with them, whether under the terms of a confidentiality agreement or otherwise. |
| 2. |
Such policies, procedures and mechanisms shall require that use of any information related to a VASP’s clients is only made for the purposes for which the information is provided and in compliance with relevant confidentiality agreements which shall be consistent with applicable laws and regulatory requirements, including with respect to acceptance of such agreements. |
| 3. |
VASPs shall—
|
| |
a. |
familiarise Staff with—
|
| |
|
i. |
their internal policies on the collection and processing of confidential information; and |
| |
|
ii. |
requirements in this Part III of this Technology and Information Rulebook as applicable to relevant Staff; and
|
| |
b. |
periodically certify their Staffs’ compliance with such internal policies.
|
| 4. |
Staff must not share confidential information within the VASP or with any other Entities unless it is absolutely necessary for the purposes of conducting VA Activities related to such confidential information. |
| 5. |
Neither VASPs nor their Staff shall use or share confidential information for the purpose of the trading of Virtual Assets by any Entity.
|