FIRMA Foreign Exchange Corporation (UK) Ltd. and its Canadian parent company, FIRMA Foreign Exchange Corporation (together referred to as “Firma”, “we”, “our”, or “us”) is committed to safeguarding the personal and confidential information entrusted to us by you in adherence with the General Data Protection Regulations (“GDPR”).
Personal and confidential information means information about an identifiable individual, and can include an individual’s name, address, phone number, identifying number, financial information, etc.
- 1. The Information that We Collect About You, and Why
- 2. The Security of Your Information
- 3. Disclosure of Your Information to Third Parties
- 4. How Long We Keep Your Information
- 5. Your Individual Rights
- 6. Who to Contact
1. The Information that We Collect About You, and Why
We collect only the information that we need for the purposes of providing you with superior services. In order to collect your information, we will either ask for your permission, or make you aware that the information is required for legal or contractual reasons before providing you with our services. The information we collect includes:
Information from Our Website, Contact Details and Basic Information
You may choose to provide information about yourself by filling in a form on our website. This can include your name, email address, phone number, and address, as well as other information about you or your business.
We may also collect your contact and business information through a third party, a referral, from your website, or directly from a personal meeting with you.
We use your information to determine how you might get the most benefit out of the products and services we have to offer. If we see that our products and services might be a fit for you, we will use your contact details to reach out to you and establish a business relationship.
If the information that we wish to collect is for an individual as opposed to a company, we will collect your express consent prior to collecting and using your information. If at any time, you change your mind and no longer want to hear about our products and services, you can change your contact preferences with us, or remove your consent. More information on this can be found in Sections 5 and 6.
Your Preferences and Opinions
We want to understand your preferences and opinions to help serve you better. We may ask how and when you like to be contacted, the information that you would like to receive from us, your opinions on our products and services, and what you would like to see from us in the future. We will collect this information through direct dealings with you, via anonymous surveys, or through online forms. You can manage your preferences through our email preferences page. More information on this can be found in Sections 5 and 6.
Account Opening Information
In order to use our services, we need to collect and verify information about you in order to satisfy our legal obligations under the Money Laundering Regulations 2017. These regulations include provisions to collect information on both organisations and individuals as well as verify this information using reliable sources.
For businesses, the information we collect can include registration documents, ownership information and general knowledge of your business operations.
The information we collect about you as an individual, will include personal information such as your legal name, home address, and date of birth. We are required to collect your information if you set up an account for yourself, or if you are working on behalf of a business, such as being an owner, director, partner, or contact person for the business.
We may also require documents such as a copy of a valid driving license or passport to verify the information you have provided us.
The information that we collect will be mainly from you, however we will also collect information from other sources, such as from your website and government registries.
As mentioned above, your information is required by us to fulfil a legal obligation. If you want to open an account with us, you will need to supply your information. We will use this information for recordkeeping purposes and to fulfil our legal requirements under the Money Laundering Regulations 2017. We will also use this information to contact you about your account, to send you confirmations and contracts, to notify you if there are security concerns on your account, to resolve disputes, and to give you general information about your account.
Most of the information that we send you will be about the operation of your account and is required for legal or contractual purposes. The exception to this is marketing material, which you can opt in or out of at any time.
In order to process transactions for you, we will require general banking information such as the account owner, bank account number, account owner’s address, bank name, and banking Id (i.e. SWIFT code, Sort code).
When we receive money from you, your bank will include a reference to your name, address, transaction reference and the bank that you used to perform the transaction. We collect this information as confirmation of your payment to us.
As per the Money Laundering Regulations 2017, we are legally required to keep a record of your transaction information as well as a record of your payment instructions through Firma.
When you apply for certain products and services, such as high volume direct debits or zero deposit forward contracts, we will perform a credit check on you. This credit check ensures that we are not exposed to any financial risk when providing the product or service to you.
We may request financial information about your business, or perform a credit search using a reliable credit bureau. We will use this information to decide if these specific products and services can be offered to you. As this information is specific to these products or services, we will let you know before we collect this information so you are aware of our use of your information for these purposes. At that time, you can decide if you want to go forward with your application for these products or services, or choose to stick with our other products and services that do not require credit information.
Incidental Information, Minors, and Special Categories of Information.
We will not ask for information about minors, and we ask that you do not supply information about minors to us. Individuals must be over 18 years of age to do business with Firma.
We will not request special categories of information, defined within the GDPR as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information or information concerning a person’s sex life or sexual orientation.
While Firma does not seek to collect the information described above, this information may be inadvertently captured through our interactions with you. For example, you may advise that you are feeling ill in the same email that you provide us with transaction instructions. Because we capture the email for recordkeeping purposes as it includes transaction details, we will have also inadvertently captured information about your health.
In rare cases, we may inadvertently request information that falls under a special category of information. For example, we may require the purpose of your transaction, or an invoice to support your transaction if it involves money going to a certain parts of the world. Let’s say that the purpose of your transaction is to pay for the medical bills for a child family member. If you provide that information to us, we would have collected information on a minor, and a special category of information, that child’s health.
If we make a general request for information, we ask that you advise us that your answer could include a special category of information or information on a minor. We will then assess if we satisfy our contractual or legal requirements in a different way, or if the information is necessary to facilitate your transaction request with us. If the information happens to be necessary, we will inform you. You can then make a choice to either provide us with the consent to process your information specifically for that transaction request, or you may choose to modify your transaction request with us.
2. The Security of Your Information
We protect your information from any accidental or unauthorised access, modification, or loss. This protection includes both physical and IT security measures, including the following:
Regular Risk Assessments
We conduct regular risk assessments, which means that we review the risks that your information could be accessed, modified or lost. A risk assessment will include research on new and emerging fraud and security risks, and how they may affect the security of your information.
Using this risk assessment, we then build security controls to ensure the protection of your information, against both current and future fraud and security risks.
Controls and Monitoring
We use up to date firewalls and IT infrastructure to ensure that your information is protected. These systems are monitored on a regular basis to ensure that if malicious activity or risks to your personal information are found, they are stopped before any damage is done.
Not only are our IT systems tested on a regular basis, but our people are too. Fraud isn’t only about hacking systems. It is also about ‘hacking’ individuals by tricking them into providing access to secure systems.
We regularly test both our systems and people to ensure that the controls that we place to protect your information are sound, and the people that are involved in those controls are well informed and aware of our security measures over your information.
Our employees go through vigorous security checks in order to work for us. We ensure that they do not have any criminal history and can be trusted with your information. As an additional measure, your information can only be viewed by employees who specifically require access to your information in order to provide services to you, or by employees who are in security or regulatory reporting roles.
A few of the ways we control access to your information is through measures such as swipe cards to access our offices, passwords to open our computers, further passwords to open applications on those computers, and limits on access according to job function.
3. Disclosure of Your Information to Third Parties
We will not share your information with any third party, other than what is necessary to perform a service that you have requested or for our own internal business needs. We will share your information in the following circumstances:
To Communicate With You
When we reach out to you for surveys, e-newsletters, or similar emails, we may use a third party provider (software or other service) to facilitate that service. The third parties that we use are under contract so that they do not use your information for their own purposes and do not share your information further. We also do regular checks to make sure that the third party adheres to security protocols designed to protect your information.
To Keep Your Information Up to Date
We may use a third party service to provide us with updates about your business, for example if you have changed addresses, your website, or other business information. In order to do so, we need to provide the third party with your basic details, and they will update our records accordingly, based on public information about your business. When we do so, we ensure that the third party is under contract, and not able to use your information for any other reason.
To Facilitate Your Transactions
If you request a payment through us, we will need to share your information with our banking partners in order to facilitate your request.
When we process your information, we may also use third party software programs to do so. This includes software used for business operations, fraud prevention, client management, customer service, security, and other important functions to make your transactions safe, secure, and timely.
Similar to the services we use to communicate with you, the third parties that we use to facilitate your transactions are also under contract so that they do not use your information for their own purposes, do not share your information further, and hold your information securely.
To Offer Other Services
To Verify Your Identity
We verify the information you provide to us on our set up forms for fraud prevention purposes. We don’t want to open up an account for someone pretending to be you, and relying on false information. We are also obligated to verify your identity by the Money Laundering Regulations 2017.
In order to verify your information as an individual, we will provide your information to a third party credit reporting agency who will use your credit records to tell us if the information we supplied to them is correct or not.
We verify the information about your business by reviewing your business filings and other registry documents. This does not include any sharing of your information with these registries.
Anti-Money Laundering, Sanctions Screening, and Risk Management
The Money Laundering Regulations 2017 require that financial institutions screen all clients and parties to a transaction against known sanctioned individuals, and consider other areas of risk and compliance when processing transactions. In order to fulfil this requirement, we may share your name, date of birth and address information with a third party provider, who specialises in these services.
To Give you Credit
Some of our products and services require us to assess your credit risk to us. If you apply for any of these products or services, we will pull a credit report on your business, which involves us sharing your business and contact details to do so.
You may make a request for us not to pull a credit report on your business, however this may impact the transaction limits that we can supply you with.
For Legal Reasons
We must provide information to law enforcement or regulatory authorities where we are required to do so. We may also share your information with our own lawyers if it is necessary to solve a dispute.
With our Canadian Parent Company
FIRMA Foreign Exchange Corporation (UK) Ltd. is a direct subsidiary of FIRMA Foreign Exchange Corporation based in Canada. We process all of our transactions through our head office based in Edmonton Alberta, Canada. Because of this, we need to share your information between our UK company and the Canadian parent company.
Overseas Transfer of Information
We ensure that if we store your information or share your information, the location of your information is located in either the EU, or in a country deemed to be acceptable for EU Data Protection Purposes, this includes Canada, where our parent company head office is located.
The exception to this is when you request a transaction through us to a country not listed in the GDPR as having adequate privacy laws.
You may have been referred to us by an affiliate. An affiliate is someone who has an agreement with us, where they let us know about companies that would likely benefit from our products and services. In exchange, we may provide them with an incentive for doing so.
If you were referred to us by an affiliate, and they are promised an incentive in return by us, they will get a breakdown of the number of clients that they have referred to us, as well a total number of transactions they have done. This breakdown is not client specific and will not include your name or identifiable details, however if the affiliate only has one referral, they could infer your transaction amounts and frequency through us.
For Our Own Statistics
We may share your information with a third party service provider in order to get statistical data on our client base. We do this to understand what kind of clients appreciate our services, and to determine if we are serving you in the way we intend to. When we do this, we ensure that the service provider is under contract and is not allowed to use your information for other purposes.
Mergers and Acquisitions
It is possible that Firma could buy, merge with, or be bought by another company. Prior to a merger or acquisition, we may need to share your information with the interested party and their advisors. This is done to determine the value of our assets prior to the merger or acquisition.
If the merger or acquisition is successful, your information will be transferred to the new owner/company. Your information will continue to be bound by this privacy agreement until it is updated or amended.
4. How Long We Keep Your Information
If you are our client, we are legally required to retain your information for 5 years from the date of your last transaction with us. If you set up an account but did not conduct a transaction, we keep your information for 5 years from the date your account was set up. In some instances, for example due to a dispute, law enforcement request, or to protect our interests, we may hold your information for longer than 5 years.
If you are not our client, we will have collected your consent to collect and use your information for contact and marketing purposes. You may remove your consent at any time, and we will remove your information from our systems.
You may want to request that we do not use your information for our marketing to you, instead of requesting us to remove your information completely. That way, we can have a record of your contact details, along with a record of your request for no contact. If you ask us to delete your information completely, then we will not have either record and may accidentally contact you in the future if we come across your contact information on the internet or elsewhere.
5. Your Individual Rights
To Update or Correct Your Information
We want to make sure that we have correct information about you. If you see that something is inaccurate, reach out to us through your contact with Firma and let us know. We will then update our records to make sure that your information is corrected.
We may ask for additional documents to verify the information you are supplying. This is part of our obligations under the Money Laundering Regulations 2017 to verify the information that you provide to us. If you are unable to provide the documents we request, we may need to delay the update of your information until you are able to provide us with them.
To Restrict Your Information
You may want to restrict your information. This option is useful if you need to update your information with us, but need a little more time to do so. You can let us know that you don’t want us using your old information and ask us to wait until you get back to us with your new information.
This is also a useful option if you no longer want us to send you marketing information. We will hold your email address and phone number on file so we know not to contact you using those details.
If this is something you want to do, talk to your Firma contact or send us an email at email@example.com.
To Request a Copy of Your Information
We will let you know if we have any of your information and we will provide you with a copy of the information that we have collected about you. You can request all of your information, or you can be specific with your request. You can request this by reaching out to your contact with us, or by sending us an email to firstname.lastname@example.org. If you use our email, we will then reach out to you to explain our process for sending your information.
In short, though, we will first need to verify that the person making the request is you. We don’t want to provide your information to anyone that requests it. We will verify that it is you, by either requesting a copy of an identification document or asking you a series of questions that only you would know.
Once we have verified that it is you, we will need time to process your request. It may take up to 30 days to process your request. If we are having unforeseen issues, and need more time, we will let you know. The maximum time that we will take from your initial request is 90 days.
To Request a Copy to Provide to Someone Else
The GDPR gives you the right to request an electronic copy of your information that can be used to easily move your information for your own recordkeeping or to another provider. The process for this is similar to requesting a copy of your information as described above, except the information will be provided in an electronic format that can be transferred to another system. Through this request, you can also instruct us to provide the information to another person or company.
Limitations on Requesting Your Information
We have no problem with facilitating most requests to provide you with your information, however we reserve the right to charge a reasonable fee for repeated, or excessive requests. For example, if you request for all of your information to be provided once a month, each month, even though your information will not have changed, we will calculate the cost of doing so for the second and subsequent requests and ask that you provide a payment for this service.
To Withdraw Consent and Delete Your Information
You may withdraw your consent for us to use your information at any time. This means that you do not want your information used by us in any way. With that said, we will need to retain records of your information as part of our obligations under the Money Laundering Regulations 2017where applicable.
Withdrawing consent to use your information will mean that we can no longer offer our products and services to you, as your information is contractually and legally required to be able to offer our services.
Where we do not have a legal reason to hold your information, we will then make efforts to remove your information from our records. If we cannot do so for legal reasons, we will let you know, as well as provide you with the date in the future when your information can be deleted.
To Opt Out
As opposed to removing your consent altogether, you have the option of removing your consent from specific products and services that we have to offer. For example, if you no longer want us to email you our newsletter, you can opt out at any time, while continuing to benefit from our other products and services.
To ask about this option, talk to your contact with us, and we will make the effort to provide you with exactly the products and services that you want.
Your Right to Lodge a Complaint
Privacy law adherence in the UK is regulated by the Information Commissioner’s Office (“ICO”). We ask that if you are dissatisfied with our services, you first reach out to us via our information in Section 6. If you are still dissatisfied, you may report a concern with the ICO via the information on their website www.ico.org.uk.
6. Who to Contact
If you have any questions or would like to contact us to make a request about your information, we ask that your first contact be with your regular contact with Firma. Otherwise, you can contact us via the information below
Phone: 0800.008.6200 (freephone)
Attn: Privacy Officer
FIRMA Foreign Exchange Corporation (UK) Ltd.
25 Worship Street
London, EC2A 2DX