Regulatory DataCorp, Inc., a Moody’s Corporation company of 211 S. Gulph Road #125, King of Prussia, PA 19406, USA, (“RDC”, “we”, “us”, or “our”) respects your privacy. This privacy notice explains in detail how RDC processes Personal Data which we incorporate into our database product Global Risk Information Database “GRID”).
“Personal Data” means information which identifies, or can be used to identify, living individuals.
RDC provides regulatory screening services through GRID to financial institutions and other entities (“Subscribers”) which have legal and regulatory obligations. Such legal and regulatory obligations include know-your-client (“KYC”) and know-your-supplier (“KYS”), sanctions and embargoes screening, counter terrorist financing (“CTF”), anti-money laundering (“AML”), anti-corruption and anti-bribery (“ABC”), fraud prevention, and regulatory dishonesty. Subscribers use GRID in relation to their customers and suppliers or others with whom they are looking to do business, some of which are companies or other legal entities, while others are individuals or sole traders. Subscribers use GRID together with other information, including information provided to them directly by applicants, other third-party sources, and general internet searches.
Subscribers are responsible for ensuring that their use of GRID complies with all applicable laws and regulations. Subscribers are specifically prohibited from using GRID for purposes of determining an individual's eligibility for any credit, insurance, employment or other consumer credit purpose under the U.S. Fair Credit Reporting Act (“FCRA”), or similar legislation outside of the United States.
Where relevant under applicable law, RDC is the “data controller” for the collection, aggregation, curation, and distribution to its Subscribers of Personal Data in GRID, and Subscribers are independent “data controllers” in their use of GRID for legal and regulatory compliance purposes.
GRID contains the following types of Personal Data:
GRID contains copies or links to underlying data sources for Subscribers to review, asses and make their own further enquiries.
Personal Data is collected by both manual and automated means, including programmatic scraping from public lists (such as sanctions lists), automated news aggregation filters, automated search strings using key words, and manual searches and review of public records and publicly available sources. The collected Personal Data is compiled into GRID using both manual and automated means. For example, the “Position” section in GRID profiles is automatically populated using the OFAC list “Position” sections as there is an exact correlation with the “Position” section in OFAC lists and the “Position” section in GRID, whereas other “Position” information in GRID profiles is created using manual research and drafting. RDC may use Artificial Intelligence (“AI”) in some automated processing activities. For example, some of the “Riskography” sections (high-level summary section of the information contained in the GRID profile) in GRID profiles are created using generative AI.
RDC does not always have contact details for individuals. Subscribers, who should hold reliable contact details, are required to notify individuals that they will run checks on them using GRID, if required under applicable law. Given the nature of our services that are used for fraud protection and meeting regulatory requirements relating to unlawful acts and dishonesty, there may be circumstances where providing the information to the individual would make impossible or seriously impair the achievement of the objectives of the processing.
RDC sources the Personal Data in GRID from public records and other publicly available sources, including: government publications, regulatory enforcement actions, justice department information, sanctions lists, litigation releases, and law enforcement lists, such as Interpol Most Wanted and SEC Litigation Releases; insolvency lists; and media sources, including national and regional news reports and industry and specialty publications.
Subscribers use GRID to assist them with their legal and regulatory compliance obligations as described above in the section “Purposes of Processing”.
RDC processes the Personal Data for the purposes of providing GRID services to its Subscribers, including analyzing and modelling the Personal Data to improve its accuracy and to develop and improve services.
Personal Data in GRID is limited to what is necessary for the processing purposes. For example, without name and contact details, Subscribers would be unable to look up individuals. Without year or date of birth, it would be easy to mix up individuals with the same or similar names leading to cases of mistaken identity. Similarly, without nationality, it would be easy to mix up individuals with the same or similar name leading to cases of mistaken identity.
Subscribers are responsible for how they use the results of a check performed using GRID, for example, whether to do business with a customer. RDC does not make decisions for Subscribers about individuals based on the information in GRID, including:
Personal Data in GRID is stored for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure, and the applicable legal, regulatory, tax, accounting or other requirements. We have in place appropriate Personal Data retention policies, procedures and schedules.
If your Personal Data is in GRID you may have rights under applicable data privacy laws. Where applicable, to access your Personal Data contained in GRID and exercise rights of correction, objection, restriction, erasure or digital testament, please email us at privacy@moodys.com.
You may also have the right to complain to your local data protection authority if you have concerns about how we process your Personal Data. However, we hope we can resolve any queries or concerns you may have, so please do not hesitate to contact us directly first.
The relevant legal bases for the use of Personal Data are:
RDC has put in place measures to protect Personal Data which is transferred from Switzerland, the UK and the European Economic Area (“EEA”). To transfer Personal Data outside of the UK, Switzerland and the EEA, RDC has put in place UK, Swiss and EU standard contractual clauses, to ensure that an equivalent level of data protection applies. To request a copy of these clauses, please contact us as specified in the “Contact & Queries” section below. We may also transfer Personal Data to countries for which the EU Commission has issued an adequacy decision.
We take commercially reasonable steps to ensure that Personal Data is reliable, accurate, complete, and current for its intended purpose, primarily by accessing public records and publicly available data from reputable sources.
If you have any questions or comments regarding RDC’s privacy practices, if you wish to exercise applicable rights of access or other privacy rights, or if you have any queries or concerns regarding the data in GRID, you can do this via email at privacy@moodys.com or at:
Legal Department
Moody’s Corporation
7 World Trade Center at 250 Greenwich Street
New York, NY 10007
+1-212-553-1653 or 1-866-995-9659
privacy@moodys.com
The most current version of this Privacy Notice will always be available here. You can check the “Last Updated” date posted at the top to see when this Privacy Notice was last updated.