Privacy Notice

Last updated: 25 September 2025

Moody’s Analytics, Inc., a Moody’s Corporation company (“Moody’s”, “we”, “us”, or “our”) respects your privacy. This privacy notice explains in detail how Moody’s processes Personal Data in our database Global Risk Information Database (“GRID”) and related compliance screening solutions we provide to financial institutions, corporations, government agencies and other entities (“Authorized Subscribers”).

 

“Personal Data” means information which identifies, or can be used to identify, living individuals. 

 

  • Purposes of Processing
  • Personal Data Collected
  • Sources of Personal Data
  • Uses & Disclosures of Personal Data
  • Accuracy, Security & Retention of Personal Data
  • Privacy Rights & Choices
  • Supplementary Information for the European Union, Switzerland and the UK
  • Contact & Queries
  • Updates to this Privacy Notice
  • FAQs

Purposes of Processing

Moody’s provides regulatory screening services through GRID to Authorized Subscribers for them to perform due diligence and other screening activities in accordance with their legal and regulatory obligations. Such legal and regulatory obligations include know-your-client and know-your-supplier, sanctions and embargoes, counter terrorist financing, anti-money laundering, anti-corruption and anti-bribery, fraud prevention, regulatory dishonesty, and criminal or unlawful activity (such as modern slavery or human trafficking) checks (together “Compliance Checks”). Authorized Subscribers use GRID in relation to their customers and suppliers or others with whom they are looking to do business, some of which are companies or other legal entities, while others are individuals or sole traders. Authorized Subscribers use GRID together with other information, including information provided to them directly by applicants, other third-party sources, as well as general internet searches.

 

Authorized Subscribers are responsible for ensuring that their use of GRID complies with all applicable laws and regulations. Authorized Subscribers are specifically prohibited from using GRID for purposes of determining an individual's eligibility for any credit, insurance, employment or other consumer credit purpose under the U.S. Fair Credit Reporting Act (“FCRA”), or similar legislation outside of the United States.

 

Where relevant under applicable law, Moody’s is the “data controller” for the collection, aggregation, curation, and distribution to its Authorized Subscribers of Personal Data in GRID. Moody’s acts as a “data processor” on behalf of its Authorized Subscribers in its provision of compliance screening solutions, which include software platforms to store audit trails of their conducted Compliance Checks. Authorized Subscribers are independent “data controllers” in their use of GRID for Compliance Checks. 


Personal Data Collected

GRID contains Personal Data of individuals who are:

  • politically exposed persons (“PEPs”), as defined under anti-money laundering, anti-bribery and anti-corruption, counter-terrorist financing, and other global laws and regulations; for example, current and former politicians, government and cabinet ministers, diplomats, or members of the military or judiciary;
  • close associates of PEPs, such as their children and dependents;
  • listed in governmental, regulatory, law enforcement or similar official publications in connection with sanctions, money laundering, terrorist financing, bribery, corruption, or similar activities;
  • linked to, or accused, investigated, arrested, charged, or convicted of, terrorist or financial crime-related offences and predicate offences; or
  • disqualified or prohibited from holding certain regulated positions of responsibility.

 

GRID contains the following types of Personal Data:
  • name
  • title, position, company affiliations
  • country, address
  • date/year of birth
  • nationality, national ID number
  • photograph
  • height/weight (from OFAC lists)
  • information relating to: political affiliations and political exposure, religious belief affiliations, sanctions, and unlawful activities, including terrorism and other criminal activities.

 

GRID contains copies or links to underlying data sources for Authorized Subscribers to review, assess and make their own further enquiries.

 

Personal Data in GRID is limited to what is necessary for the processing purposes. For example, without name, Authorized Subscribers would be unable to look up individuals. Without year or date of birth, or country of location or nationality, it would be easy to confuse individuals with the same or similar name, leading to cases of mistaken identity. 

 

In the limited circumstances where we include Personal Data about children (for example, because they are the children of PEPs), we comply with industry guidelines and applicable laws.

 

Due to the nature of the sources of Personal Data, Moody’s seldom has contact details for individuals whose Personal Data may be in GRID in order to contact them directly. Moody’s does not have a direct relationship or nexus with the individuals. Authorized Subscribers, who do hold reliable contact details, are required to notify individuals that they will run Compliance Checks using GRID, as required by applicable law. Note that, given the nature of Compliance Checks, there may be circumstances where Authorized Subscribers are exempt under applicable law from providing notice to affected individuals, on the basis that the provision of the information would make impossible or seriously impair the achievement of the objectives of the processing.


Sources of Personal Data

Moody’s sources the Personal Data in GRID from public records and publicly available sources, including: government publications; regulatory enforcement actions; justice department information; sanctions lists; litigation releases; law enforcement lists, such as Interpol Most Wanted and SEC Litigation Releases; insolvency lists; and media sources, including national and regional news reports and industry and specialty publications.

 

Personal Data is collected by both manual and automated means, including programmatic scraping from public lists (such as sanctions lists), automated news aggregation filters, automated search strings using key words, and manual searches and review of public records and publicly available sources. 


Uses & Disclosures of Personal Data

Moody’s processes the Personal Data for the purposes of providing compliance screening services to its Authorized Subscribers, including analyzing and modelling the Personal Data to improve its accuracy and to develop and improve services. 

 

The collected Personal Data is compiled into GRID using both manual and automated means. For example, the “Position” section in GRID profiles is automatically populated using the OFAC list “Position” section as there is an exact correlation with the “Position” section in OFAC lists, whereas other “Position” information in GRID profiles is created using manual research and drafting.

 

Moody’s aggregates and consolidates the publicly-available information into structured profiles including tags for screening purposes. For example, sanctions data is coded “SAN” to enable Authorized Subscribers to conduct sanctions-specific Compliance Checks.

 

Moody’s uses Artificial Intelligence (“AI”) in some automated processing activities. For example, some of the “Riskography” sections (high-level summary section of the information contained in the GRID profile) in GRID profiles are created using generative AI.

 

Authorized Subscribers use GRID to assist them with their Compliance Checks, as described above in the section “Purposes of Processing”. Authorized Subscribers are responsible for how they use the results of a Compliance Check performed using GRID, for example, whether to do business with a customer. Moody’s does not make decisions for Authorized Subscribers about individuals based on the information in GRID, including:

  • decisions on whether alerts through GRID screening services are or are not matches to Authorized Subscriber’s GRID searches. Authorized Subscribers must use further information in their possession to assess whether a GRID alert is a false positive or probable match to their GRID search enquiry. 
  • decisions or recommendations to Authorized Subscribers whether to do business with an individual or entity, or any other decision or recommendation with legal or similar significant effect on individuals. Authorized Subscribers make decisions based on information provided to them directly by applicants, other third-party sources, and in accordance with law and regulation, for example, which may prohibit them from doing business with a sanctioned individual.

 

We may disclose Personal Data for the following purposes:

  • Affiliates. We share Personal Data with our affiliates, as reasonably necessary to operate our business, to perform services for our Authorized Subscribers, for data analysis purposes, and to improve and develop products and services.
  • Service Providers. We share Personal Data with our service providers who perform services on our behalf for the purposes described in this Privacy Policy. For example, we use third parties to help us collect and analyze data. We contractually require Service Providers to only process Personal Data in accordance with our instructions and as necessary to perform services on our behalf or comply with legal requirements.
  • Business Partners. We share Personal Data with our business partners (such as third parties who resell Moody’s services) as reasonably necessary to operate our business and to perform services for our Authorized Subscribers, our business partners, or their customers.
  • Compliance with Law. We may disclose Personal Data to third parties to comply with the law, respond to lawful requests by public authorities, respond to valid legal process, establish, assert or defend our legal rights, or prevent fraud or abuse of our services.
  • Business Transfers. If we are involved in a reorganization, merger, acquisition or sale of any or all of our company, business or assets, Personal Data may be transferred as part of that deal or disclosed in connection with due diligence. We will put in place contractual provisions requiring parties to keep Personal Data confidential and to only use it for the purpose of the relevant transaction or other purposes consistent with those outlined in this Privacy Policy.

Accuracy, Security & Retention of Personal Data

We implement appropriate data accuracy measures to manage the accuracy and integrity of Personal Data in GRID, including using official government and regulatory data sources, and providing the ability to affected individuals to access and correct (if required) their Personal Data.

 

We implement appropriate data security safeguards to protect the Personal Data, including physical security measures, system hardening, patch management, vulnerability management, access controls, and implementing anti-virus and anti-malware protections, data incident policies and procedures.

 

Personal Data in GRID is stored for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the source, amount, nature and sensitivity of the Personal Data, the purposes of processing, the potential risk of harm from unauthorized use or disclosure, and the applicable legal, regulatory, tax, accounting or other requirements. We have in place appropriate Personal Data retention policies and procedures.


Privacy Rights & Choices

Individuals whose Personal Data is in GRID may have rights under applicable data privacy laws. Where applicable, to request to access, correct, restrict, erase or otherwise limit our use of Personal Data, contact us using the information provided in the “Contacts & Queries” section below.

 

Individuals may also have the right to complain to the local data protection authority with concerns about how we process Personal Data. However, we hope we can resolve any queries or concerns individuals may have, so please contact us directly first.


Supplementary Information for the European Union, Switzerland and the UK

The relevant legal basis for the collection and processing of Personal Data is the legitimate interests basis:

  • We or a third party (business partner or Authorized Subscriber) have a legitimate interest in using the Personal Data. Our Authorized Subscribers have a legitimate interest to process Personal Data for meeting compliance and regulatory obligations, managing financial risk, protection against fraud, and knowing who they are doing business with.
  • The Personal Data is limited, relevant, proportionate and necessary for the processing purposes.
  • The processing is within the reasonable expectations of the affected individuals who seek to do business with Authorized Subscribers, and they would reasonably expect financial institutions, government agencies, and other entities to conduct compliance screening checks in the normal course of business.
  • GRID is used by Authorized Subscribers for the important and legally recognized purpose of complying with law and regulation, including know-your-customer and know-your-supplier checks; sanctions and embargoes screening; counter-terrorist financing, anti-money laundering, and anti-bribery and corruption checks; fraud prevention; and, regulatory dishonesty checks. These uses have wider public benefits in supporting economic stability and reducing financial crime.
  • The Personal Data is sourced from publicly-available information, such as government publications; regulatory enforcement actions; justice department information; sanctions lists; litigation releases; and law enforcement lists, such as Interpol Most Wanted and SEC Litigation Releases; insolvency lists; and media sources, including national and regional news reports and industry and specialty publications.
  • We implement appropriate data accuracy measures to manage the accuracy and integrity of Personal Data in GRID, including using official government and regulatory sources, and providing the ability to affected individuals to access and correct (if required) their Personal Data.
  • We implement appropriate data security safeguards to protect the personal data, including physical security measures, system hardening, patch management, vulnerability management, access controls, and implementing anti-virus and anti-malware protections, data breach policies and procedures.
  • In relation to special category Personal Data (political or religious affiliation or criminal offence data), this is processed only where necessary to comply with, or assist our Authorized Subscribers to comply with, a legal or regulatory requirement.

 

Moody’s has put in place measures to protect Personal Data which is transferred from Switzerland, the UK and the European Economic Area (“EEA”). To transfer Personal Data outside of the UK, Switzerland and the EEA, Moody’s has put in place UK, Swiss and EU standard contractual clauses, to provide an equivalent level of data protection. To request a copy of these clauses, please contact us as specified in the “Contact & Queries” section below. 


Contacts & Queries

If you have any questions or comments regarding Moody’s privacy practices, if you wish to exercise applicable rights of access or other privacy rights, or if you have any queries or concerns regarding the data in GRID, you can do this via email at privacy@moodys.com or at:

 

Legal Department
Moody’s Corporation
7 World Trade Center at 250 Greenwich Street
New York, NY 10007
+1-212-553-1653 or 1-866-995-9659
privacy@moodys.com


Updates to this Privacy Notice

The most current version of this Privacy Notice will always be available here. You can check the “Last Updated” date posted at the top to see when this Privacy Notice was last updated.


FAQs

How can individuals whose Personal Data is in GRID access a copy?


Please contact privacy@moodys.com or use the address or telephone number listed in the “Contacts & Queries” section above for requests to access Personal Data, and for any other requests to correct, update, or object to processing of Personal Data, to the extent that such rights apply under applicable law. Moody’s does not charge for such requests, but may request further information as necessary to identify individuals and locate their Personal Data. Moody’s reserves the right to deny unreasonable or unwarranted requests, as permitted under applicable law.

 

Is Personal Data in GRID available to the general public?


No, Moody’s does not distribute GRID data to the general public. Access is only permitted to Authorized Subscribers, who are subject to contractual obligations, including of security, confidentiality and appropriate use.

 

What steps does Moody’s take regarding the accuracy of Personal Data in GRID?


Moody’s implements appropriate data accuracy measures to manage the accuracy and integrity of Personal Data in GRID, including using official government and regulatory data sources, and providing the ability to affected individuals to access and correct (if required) their Personal Data. Further, note that all information in GRID is provided to Authorized Subscribers on an informational basis only. Authorized Subscribers are contractually required to make their own further enquiries and cannot rely solely upon information in GRID when making any decisions. GRID also contains copies or links to underlying data sources for Authorized Subscribers to access and directly review and assess those sources, and make their own further enquiries.

 

Does Moody’s provide direct notice to individuals whose Personal Data is in GRID?


No, as explained above in the section “Sources of Personal Data”, the Personal Data is collected from public sources (such as government and regulatory lists) and those sources generally do not provide contact details such as email. Further, Moody’s does not have a direct relationship or nexus with the individuals whose Personal Data is in GRID. Authorized Subscribers, who do hold reliable contact details and have a direct nexus with the individuals they look up in GRID, are required to notify affected individuals of processing their Personal Data, as required under applicable law. Given the nature of Compliance Checks, there may be circumstances where Authorized Subscribers are exempt under applicable law from providing notice to affected individuals, on the basis that the provision of the information would make impossible or seriously impair the achievement of the objectives of the processing.

 

Does Moody’s obtain the prior explicit consent from affected individuals whose Personal Data is in GRID?


No, as explained above in the section “Sources of Personal Data”, the Personal Data is collected from public sources (such as government and regulatory lists) and those sources generally do not provide contact details such as email, in order for Moody’s to contact affected individuals directly. Further, Moody’s does not rely on consent as the legal basis to process Personal Data in GRID. As explained above in the section “Supplementary Information for the European Union, Switzerland and the UK”, Moody’s relies on the legitimate interests basis, and for special category Personal Data, public interest exemptions of compliance with law and obligation.