European Parliament Votes to Adopt the Securitisation and CRR Amendment Regulations

by Cadwalader, Wickersham & Taft LLP
Contact

Cadwalader, Wickersham & Taft LLP

Introduction

On 26 October 2017, the European Parliament voted in plenary session to adopt the EU regulation intended to lay down common rules on securitisation and to create a European framework for “simple, transparent and standardised” (“STS”) securitisation (the “Securitisation Regulation”).[1] The European Parliament also voted to adopt the EU regulation amending the Capital Requirements Regulation[2] (the “CRR”) (the “CRR Amendment Regulation”)[3] (together, the “Regulations”).

The adopted texts are substantially the same as the draft texts published in June 2017, upon which we commented in our Clients and Friends memorandum dated 27 June 2017.[4]

Legislative Background

It is now over two years since the European Commission originally published its proposals for the two Regulations in September 2015. The Council of the European Union, which comprises representatives of the Member States, adopted its agreed position on amendments to the Commission’s proposals in December 2015.

After lengthy deliberations throughout 2016, the European Parliament proposed significant amendments to the Commission’s proposals, especially to the Securitisation Regulation. There was widespread concern in the European securitisation market about the likely effects of many of Parliament’s proposed amendments.

However, following a series of meetings between representatives of Parliament, the Council and the Commission, in a procedure known as trilogue, a common position was agreed in June 2017, in which many of the Parliament’s more controversial amendments were withdrawn. Compromise texts of the draft Regulations were published soon afterwards. These texts consisted of the Commission’s proposals, together with the amendments agreed by Parliament and Council. Whilst there are still concerns about aspects of the Regulations, the compromise texts were generally viewed as being more supportive of the European securitisation market, than Parliament’s original position.

The Regulations then went through a “Jurist-Linguist” process in which the texts were revised again. Most of the changes to the Regulations resulting from this process are designed to improve the wording of the legislation and to tidy up the texts for grammar, clarity, terminological consistency and references to other EU legislation. The changes were not intended to change the substance of the compromises agreed (although substantive changes were made to the criteria for credit-granting provisions – please see below). Following this process, the European Parliament published revised versions of the Regulations on 19 October 2017[5] in readiness for the final vote in its plenary session on 26 October 2017.

In this memorandum, we have summarised the key provisions and commented further on the obligations that will arise under the Securitisation Regulation. In addition, we have noted some of the points in the June 2017 compromise texts that have caused concern in the industry and the developments since June in that regard.

When will the Regulations Apply and when will the Full Details of the Regime be Known?

Once formally adopted by the Parliament and Council, the Regulations will be published in the Official Journal of the European Union and will enter into force 20 days later. This is likely to be in early 2018. The Regulations will be direct law applicable across the EU (without the need for national laws to implement, unlike EU Directives) and will apply from 1 January 2019.

The Securitisation Regulation will apply to securitisations, the securities of which are issued (or where no securities are issued, the securitisation positions of which are created) on or after the application date of 1 January 2019. The new regime will therefore apply to re-financings and additional note issuances on or after 1 January 2019. Securitisations which have closed prior to 1 January 2019 will not be subject to the Securitisation Regulation unless new securities are issued (or new securitisation positions are created) on or after 1 January 2019. However, pre-1 January 2019 securitisations in respect of which there is a refinancing or an additional note issuance on or after 1 January 2019 will become subject to the new regime upon such refinancing or additional note issuance.

Detailed rules in respect of certain aspects of the Securitisation Regulation are to be contained in Regulatory Technical Standards (“RTS”), together with formal Guidelines. The RTS and Guidelines will be drafted by the specified European Supervisory Authorities[6]: in certain cases, the European Securities and Markets Authority (“ESMA”); and in other cases, the European Banking Authority (“EBA”).[7] The RTS will then need to be adopted by the Commission by way of delegated acts.

The RTS may be published before 1 January 2019, but there is no guarantee that they will apply from that date – there may be uncertainty and complexity in the interim period until they finally become applicable, which could be later in 2019.

The Securitisation Regulation

Risk Retention

Minimum Risk Retention Levels

The current minimum risk retention level of 5% for each mode of risk retention has been maintained in the Securitisation Regulation[8], notwithstanding previous proposals in Parliament to increase this level for some methods of risk retention.

Risk Retention: Role of the ESRB and the Potential for a Revision of Minimum Risk Retention Levels

The Securitisation Regulation contains provisions empowering the European Systemic Risk Board, where material financial stability risks are observed, to provide warnings and, where appropriate, issue recommendations for remedial action, including on the appropriateness of modifying the risk-retention levels. It is therefore possible that the minimum risk retention levels could increase in the future, but this appears unlikely.

Risk Retention: “Originator” Definition

The CRR definition of originator has been narrowed in the context of risk retention. An entity shall not, for the purposes of the article on risk retention, be considered to be an originator where it has been established or operates for the “sole” purpose of securitising exposures. This is to avoid the possibility of an “originator” being created for risk retention purposes that met the legal definition, but was not an entity of real substance. The meaning of “sole” purpose may be clarified in risk retention RTS.

Risk Retention: Selection of Assets

The Securitisation Regulation provides that originators will not be permitted to select assets to be securitised with the aim of rendering losses on such assets measured over the life of the transaction (or a maximum of 4 years where the life of the transaction is longer than 4 years), higher than the losses over the same period on comparable assets held on the balance sheet of the originator. This is intended to prevent originators from taking advantage of the fact that they could hold more information than investors on the assets. The Recitals to the Securitisation Regulation note that this is intended to catch an intentional (rather than a negligent) transfer of assets with a higher credit risk profile. This may however create difficulties for originators who do not have assets on their balance sheets to compare against those assets which they securitise.

However, the Recitals also provide another important clarification in that the assets being securitised can have a higher than average credit risk profile compared to the average credit risk profile of comparable assets that remain on the balance sheet of the originator, as long as the higher credit risk profile of the assets is “clearly communicated” to the investors or potential investors. These points may be further clarified in risk retention RTS.

Risk Retention: Direct and Indirect Approaches and Jurisdictional Scope

The CRR currently places the onus on the EU investing institution to ensure that the risk retention obligations have been met. This is referred to as the “indirect” approach, which is also contained in the due diligence requirements in the Securitisation Regulation (please see below). However, this approach is supplemented by a “direct” obligation on one of the originator, sponsor or original lender to comply with the risk retention requirements.

The provisions of the Securitisation Regulation do not explicitly set out the jurisdictional scope of the direct approach, but it appears from a comment in the Explanatory Memorandum to the original Commission proposal that the intention is that where none of the originator, sponsor or original lender is “established in the EU”, the direct approach will not apply.

The scope of the application of the direct risk retention obligation is likely to have practical implications for EU banks operating in non-EU countries, and could affect whether they operate through branches or subsidiaries. Since the country in which a legal entity is “established” normally refers to that in which the legal entity is incorporated or has its registered office, there could be a difference in the application of the direct retention obligation according to whether an EU bank operates in a non-EU country through a subsidiary (which is a separate legal entity) or through a branch (which is not).

Nevertheless, this direct obligation may apply on a consolidated basis to non-EU subsidiaries of EU regulated institutions as a result of the consolidation provisions in the CRR (please see below).

Definition of Sponsor

The definition of “sponsor” has been widened from that in the CRR to include “credit institutions” (i.e., banks), whether or not located in the EU, and “investment firms” as defined in MiFID II.[9] The reference to the MiFID II definition of investment firm is welcome, since it will allow a wider category of entities to act as sponsor retention holder.[10] The MIFID II definition of investment firm is not limited by jurisdiction and so, it appears that non-EU asset managers can also act as sponsors, although it is not clear that this was the legislators’ intention.

To be eligible as a sponsor the credit institution or investment firm must “establish and manage” a securitisation and purchase exposures from third parties, as is currently the case under the CRR, or it must “establish” a securitisation that purchases exposures from third parties and delegate the “day-to-day active portfolio management” involved in that securitisation to an entity authorised to perform such activity in accordance with MIFID II, the UCITS Directive[11] or the AIFMD.[12] So the sponsor will be allowed to delegate day-to-day portfolio management to an EU regulated entity authorised to perform such an activity.

Due Diligence Requirements for Institutional Investors

Before investing in a securitisation position, an institutional investor (i.e. a specified type of EU regulated entity) must carry out due diligence[13] to: (i) ensure compliance with the risk retention requirements;[14] (ii) ensure, where the originator or original lender is not an EU established credit institution or CRR investment firm, that it “grants all the credits giving rise to the underlying exposures on the basis of sound and well-defined criteria”; and (iii) assess the risks involved in the securitisation, including: (a) risks of the securitisation position and the underlying exposures; (b) structural features, such as “priorities of payment and priority of payment-related triggers, credit enhancements, liquidity enhancements, market value triggers, and transaction-specific definitions of default”; and (c) in respect of STS securitisations, whether the securitisation meets the STS requirements.

In addition, institutional investors who hold a securitisation position must establish appropriate written procedures to monitor, on an ongoing basis, compliance with the due diligence requirements, and the performance of the securitisation and the underlying exposures.[15] These provisions also include stress testing and internal reporting obligations.[16]

Transparency Obligations

Transparency Obligations – Securitisation Repositories

Securitisation repositories are to be established to which prescribed information relating to the securitisation is to be provided by the originator, sponsor and Securitisation Special Purpose Entity (“SSPE”) of a securitisation (these entities will designate one of them to fulfil these reporting requirements). The repositories, which are to be registered with ESMA, will collect details of the securitisation and will provide direct and immediate access free of charge to the EU supervisory authorities, to investors and to potential investors.

ESMA will develop draft RTS specifying the details of the securitisation that one of the originator, sponsor or SSPE will provide, and the standardised templates by which they will provide the information. Where no securitisation repository is registered, the reporting entity shall make the information available by means of a website (that meets prescribed conditions).

There is an exemption from reporting to the repository (but not from the rest of the reporting requirements) for private transactions (i.e., those where a Prospectus Directive compliant prospectus has not been drawn up). The prescribed information still needs to be made available to holders of a securitisation position, to the national regulators and, upon request, to potential investors (please see below).

Transparency Obligations – Information to be Provided

The information to be made available to investors, potential investors and national regulators relating to the securitisation[17] includes: (i) asset level disclosure (i.e. information on the underlying exposures) on a quarterly basis;[18] (ii) documentation disclosure (i.e. prescribed transaction documentation); (iii) a transaction summary where a Prospectus Directive compliant prospectus has not been drawn up (i.e. for private transactions); and (iv) in the case of STS securitisations, the STS notification.

The transaction documentation (together with the transaction summary and the STS notification, each where applicable) shall be made available before pricing. The timing of this transaction documentation disclosure obligation will potentially be problematic given that documents are typically still in draft form, and often incomplete, at the time of pricing.

The ongoing reporting obligations include: (i) quarterly investor reports[19] containing prescribed information such as data on the credit quality and performance of underlying exposures;[20] (ii) any inside information relating to the securitisation that the originator, sponsor or SSPE is obliged to make public; and (iii) even where it is not inside information, any material breach of the obligations laid down in the documents and any material change in the securitisation, or material amendment to transaction documents.

Transparency Obligations and Jurisdiction

The transparency obligations are not stated to be restricted to EU-established originators, sponsors and SSPEs – and so appear to have a potential extra-territorial effect (in that they could apply to non-EU established originators, sponsors and SSPEs). Furthermore, these obligations may apply on a consolidated basis to non-EU subsidiaries as a result of the consolidation provisions in the CRR (please see below).

Sale of Securitisations to Retail Investors

The Securitisation Regulation permits the sale of securitisation positions to certain types of sophisticated retail investor[21]. The seller must first perform a suitability test on the “retail client” in accordance with MiFID II. Where the suitability test has been satisfied and where the retail client’s investment portfolio does not exceed €500,000, the retail client will be able to invest up to 10% of that portfolio in securitisation positions (the initial minimum amount invested in securitisation positions will need to be at least €10,000).

Ban on Re-securitisation

The Securitisation Regulation includes a ban on re-securitisation[22] (i.e. the underlying exposures used in a securitisation will not be able to include securitisations), subject to exceptions for: (a) any securitisation the securities of which were issued before the date of application of the Securitisation Regulation; (b) any securitisation to be used for specified “legitimate purposes” (such as winding-up scenarios) subject to approval by the relevant national regulator; and (c) fully supported ABCP programmes.

Criteria for Credit-Granting

Criteria for Credit-Granting - Self Certified mortgages

One point in the June 2017 compromise text that has caused considerable debate is the Article in the Securitisation Regulation on the criteria for credit-granting. An issue that caused significant controversy was the scope of the proposed ban on the inclusion of self-certified mortgages in a securitisation[23].

Following intensive lobbying, this wording was changed in the Jurist-Linguist process so that the ban now applies in respect of loans made from 20 March 2014, the date of entry into force of the Mortgage Credit Directive (which effectively prohibited self-certified residential mortgages). The provision now states that where the underlying exposures of securitisations are residential loans made after 20 March 2014, the pool of those loans shall not include any loan that is marketed and underwritten on the premise that the borrower was made aware that the information it provided might not be verified by the lender.

This new wording is an improvement on the previous version, but still contains a number of problems, not least that, although the Mortgage Credit Directive entered into force on 20 March 2014, its provisions did not have to be transposed into national law, and so did not apply, until 21 March 2016. This would have been a more sensible date to use.

Criteria for Credit-Granting – Acquired Portfolios

Another problematic provision has related to the circumstances in which an originator purchases a third party’s exposures for its own account and then securitises them, and how that originator is to verify that the entity which was involved in the original agreement that created the obligations to be securitised, fulfilled the credit granting requirements. This has particular implications for purchasers who wish to securitise acquired portfolios containing non-performing loans, where there would be significant difficulties in verifying that the credit granting criteria had been satisfied.

Again, during the Jurist-Linguist process, changes were made to the scope of this requirement. A new paragraph was added[24] stating that this verification obligation does not apply if: (a) the original agreement, which created the obligations, was entered into before 20 March 2014 (the date of entry into force of the Mortgage Credit Directive); and (b) the originator that purchases a third party’s exposures for its own account and then securitises them meets the obligations that originator institutions are required to meet under the relevant provisions of the current CRR risk retention RTS[25] before 1 January 2019. These current CRR risk retention RTS provide that where sponsor and originator institutions have not been engaged in the original credit-granting of exposures to be securitised, they “shall obtain all the necessary information to assess whether the criteria applied in the credit-granting for those exposures are as sound and well-defined as the criteria applied to non-securitised exposures”. There are a number of issues arising from these provisions, given that loan assets typically require a purchaser to perform its own credit analysis. It is also unclear why the date of entry into force of the Mortgage Credit Directive is relevant to the position as regards non-mortgage loans in acquired portfolios.

STS Securitisations

The CRR Amendment Regulation includes amendments to the CRR designed to result in the regulatory capital requirements for institutions’ exposures to STS securitisations generally being more favourable than those for exposures to non-STS securitisations. The Securitisation Regulation sets out the criteria for “simplicity”, “transparency” and “standardisation” that must be fulfilled in order to satisfy the “STS” classification[26]. There are two types of STS requirements depending on whether or not the securitisation is an ABCP securitisation.[27]

We have not detailed in this memorandum the requirements needed to satisfy each of the “simplicity”, “transparency” and “standardisation” criteria. However, we would note some of the general restrictions on the scope of STS securitisations. To qualify for the STS designation, the underlying exposures that are securitised must meet eligibility criteria which do not allow for active portfolio management of those exposures on a discretionary basis. This exclusion of active portfolio management prevents managed CLOs from being STS securitisations. Synthetic securitisations are also not eligible to be STS, although the Securitisation Regulation provides that the EBA will publish a report on the feasibility of a specific framework for STS synthetic securitisation (but limited to balance-sheet synthetic securitisation).

Sanctions – Negligence or Intentional Infringement

The articles permitting Member States to impose sanctions for specified breaches of the Securitisation Regulation are limited to cases of “negligence or intentional infringement”, in order to avoid punishing non-negligent inadvertent breaches[28].

Consolidated Application of the CRR and Jurisdictional Consequences

One issue that has caused concern is the jurisdiction of the risk retention, due diligence, transparency and “criteria for credit-granting” obligations under the Securitisation Regulation as a result of changes to the CRR. Article 1(11) of the CRR Amendment Regulation has the effect that Article 14 of the CRR applies the risk retention, due diligence, transparency and “criteria for credit-granting” obligations under the Securitisation Regulation to EU institutions subject to the CRR, on a consolidated basis.

The direct risk retention obligation discussed above could apply on a consolidated basis to a non-EU subsidiary. Such a subsidiary would have to comply both with the EU risk retention rules and any locally applicable rules. It does not appear that this was the intention of the legislators. Similar issues arise as regards applying the transparency requirements on a consolidated basis to non-EU subsidiaries. These issues could have significant implications for EU banks operating in third countries through subsidiaries.

The CRR Amendment Regulation

CRR Amendment Regulation: the Hierarchy of Approaches

The CRR Amendment Regulation sets out a hierarchy of approaches for calculating regulatory capital to be held with respect to securitisation exposures in the banking book. In common with the Basel framework, the CRR Amendment Regulation puts the Securitisation Internal Ratings-Based Approach at the top of the hierarchy. However, where this approach may not be used, and subject to specified exceptions[29], the CRR Amendment Regulation requires the Securitisation Standardised Approach to be used before the Securitisation External Ratings-Based Approach. This reverses the order in relation to these two approaches from that in the Basel framework. In the trilogue negotiations, Germany and the UK did not want to deviate from Basel, but eventually agreed to this inversion.

CRR Amendment Regulation: Capital Treatment for STS Securitisations

The CRR Amendment Regulation also provides that positions in an STS securitisation that meet prescribed conditions will benefit from more favourable regulatory capital treatment.

CRR Amendment Regulation: Application and Transitionals

The CRR Amendment Regulation will apply from 1 January 2019. However, in respect of securitisations the securities of which are issued before 1 January 2019, institutions shall continue to apply the current CRR rules until 31 December 2019.[30]

The way forward

Next Steps in the Legislative Process

The Regulations will enter into force 20 days after being published in the Official Journal of the European Union, which is likely to be in early 2018, and will apply from 1 January 2019. Being EU regulations, they will be directly applicable law across the EU, and will not need transposition into national law by EU Member States. However, the full details of the new regime will only be known once the various RTS have been finalised.

Conclusion

The passage of the Regulations, in particular the Securitisation Regulation, through the EU legislative procedures has been lengthy and controversial. Some of the amendments proposed earlier in the process could have had a major adverse impact on the European securitisation market, which was contrary to the stated aim of the proposals. The final form of the Securitisation Regulation is by no means ideal, and will result in increased compliance costs for market participants, but it is to be hoped that the industry will be able to live with the new regime. Whether the Regulations achieve their original objective of encouraging the revival of the EU securitisation market is another matter.

Cadwalader has raised many of the issues discussed in this memorandum with the Commission and the relevant European regulators, often through its work with industry groups such as the Loan Market Association. Cadwalader attorneys will continue to engage with the relevant bodies as regards the interpretation of the Regulations and in relation to the contents of the accompanying RTS. We would encourage anyone interested in commenting to make their views known to the various industry bodies.

 

[1]     Proposal for a Regulation of the European Parliament and of the Council laying down common rules on securitisation and creating a European framework for simple, transparent and standardised securitisation and amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU and Regulations (EC) No 1060/2009 and (EU) No 648/2012.

[2]     Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012.

[3]     Proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms.

[4]     http://www.cadwalader.com/resources/clients-friends-memos/agreement-reached-on-form-of-new-eu-securitisation-regulation-and-on-amendments-to-the-capital-requirements-regulation.

[5]     This memorandum is based on these 19 October 2017 texts.

[6]     The Regulations require the relevant European Supervisory Authority (“ESA”) to submit the draft RTS to the Commission within a fixed period from the date of entry into force of the Regulation – which is either six or twelve months, depending on the RTS.

[7]     Some RTS are specified to be developed by the specified ESA in close cooperation with other ESAs. For example, under Article 6 of the Securitisation Regulation, the EBA, in close cooperation with the ESMA and the European Insurance and Occupational Pensions Authority (“EIOPA”) shall develop draft RTS to specify in greater detail the risk retention requirement. Some RTS to be developed under legislation amended by the Securitisation Regulation will be developed by EIOPA.

[8]     Article 6 of the Securitisation Regulation.

[9]     Article 4(1) of Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU under which “investment firm” means “any legal person whose regular occupation or business is the provision of one or more investment services to third parties and/or the performance of one or more investment activities on a professional basis.”

[10]   The current definition of sponsor in the CRR allows only investment firms within the scope of the CRR to act as sponsors (which is a narrower category than all MiFID II investment firms).

[11]   Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS).

[12]   Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011 on Alternative Investment Fund Managers and amending Directives 2003/41/EC and 2009/65/EC and Regulations (EC) No 1060/2009 and (EU) No 1095/2010.

[13]   Article 5 of the Securitisation Regulation.

[14]   The institutional investor must verify that: (a) if established in the EU, the originator, sponsor or original lender retains a material net economic interest in accordance with the risk retention requirements set out in the Securitisation Regulation and that the risk retention is disclosed to the institutional investor; and (b) if established in a non-EU country, the originator, sponsor or original lender retains a material net economic interest of not less than 5% determined in line with the risk retention methodology in the Securitisation Regulation and discloses the risk retention to institutional investors.

[15]   Where relevant with respect to the securitisation and the underlying exposures, those written procedures shall include monitoring of the exposure type, the percentage of loans more than 30, 60 and 90 days past due, default rates, prepayment rates, loans in foreclosure, recovery rates, repurchases, loan modifications, payment holidays, collateral type etc.

[16]   Institutional investors must: (i) regularly perform stress tests on the cash flows and collateral values supporting the underlying exposures (or, in the absence of sufficient data, stress tests on loss assumptions) (ii) ensure internal reporting to their management body so that it is aware of the material risks arising from the securitisation position and that those risks are adequately managed. Stress testing may be difficult, in practice, for smaller investors to undertake.

[17]   Article 7 of the Securitisation Regulation.

[18]     In the case of Asset Backed Commercial Paper (“ABCP”), the information is on the underlying receivables or credit claims on a monthly basis. ESMA will draft RTS to specify the information to be provided.

[19]     In the case of ABCP, monthly investor reports

[20]     ESMA will draft RTS to specify the information to be provided.

[21]   Article 3 of the Securitisation Regulation.

[22]   Article 8 of the Securitisation Regulation.

[23]   Article 9(2) of the Securitisation Regulation

[24]   Article 9(4) of the Securitisation Regulation

[25]   Article 21(2) of Commission Delegated Regulation (EU) No 625/2014 of 13 March 2014 supplementing Regulation (EU) No 575/2013 of the European Parliament and of the Council by way of regulatory technical standards specifying the requirements for investor, sponsor, original lenders and originator institutions relating to exposures to transferred credit risk.

[26]   Articles 18 to 28 of the Securitisation Regulation.

[27]   An ‘ABCP programme’ is defined as a programme of securitisations the securities issued by which predominantly take the form of asset-backed commercial paper with an original maturity of one year or less and an 'ABCP transaction’ as a securitisation within an ABCP programme.

[28]   Article 32 of the Securitisation Regulation.

[29]   For rated positions or positions in respect of which an inferred rating may be used, an institution shall use the Securitisation External Ratings-Based Approach (the “SEC-ERBA”) instead of the Securitisation Standardised Approach (“SEC-SA”) in each of the following cases: (a) where the application of the SEC-SA would result in a risk weight higher than 25 % for positions qualifying as positions in an STS securitisation; (b) where the application of the SEC-SA would result in a risk weight higher than 25 % or the application of the SEC-ERBA would result in a risk weight higher than 75 % for positions not qualifying as positions in an STS securitisation; and (c) for securitisation transactions backed by pools of auto loans, auto leases and equipment leases.

[30]   In the case of securitisations which do not involve the issuance of securities, the reference to “securitisations the securities of which were issued” is deemed to mean “securitisations the initial securitisation positions of which were created”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cadwalader, Wickersham & Taft LLP | Attorney Advertising

Written by:

Cadwalader, Wickersham & Taft LLP
Contact
more
less

Cadwalader, Wickersham & Taft LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at www.jdsupra.com) (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at privacy@jdsupra.com.

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.