Confidentiality Protocol—Protection of Sensitive Information in the Financial Sector Assessment Program

Purpose

• 1. The World Bank (the “Bank”) and the International Monetary Fund (the “Fund”)¹ have agreed to cooperate in the implementation of a Financial Sector Assessment Program (the “FSAP”), designed to assist the authorities of members of the Bank and Fund in determining the condition of their financial sectors, identifying strengths, vulnerabilities and risks in these sectors, assessing the observance and implementation of internationally accepted financial sector standards, and elaborating reforms that would address vulnerabilities and risks, and position the sectors to contribute more effectively to financial stability, economic growth and the reduction of poverty.

• 2. For the FSAP to be effective, it is critical that financial institutions and governmental entities feel comfortable sharing relevant market-sensitive information and documents with the FSAP teams, which will include staff members of the Bank and Fund as well as consultants engaged for the FSAP. To encourage the sharing of such sensitive information and documents, staffs of the Bank and Fund have prepared this Protocol to describe procedures aimed at preventing unauthorized access to and disclosure of sensitive information obtained through the FSAP. This Protocol is an application of the existing policies and guidelines of the Institutions concerning the safeguarding of sensitive information and documents, which are listed in Appendix I, and does not represent the adoption of new policies or guidelines.

Classification and handling of sensitive information

• 3. Three levels of classification will be used for sensitive information provided to the Institutions in connection with the FSAP: (a) STRICTLY CONFIDENTIAL; (b) CONFIDENTIAL; and (c) for OFFICIAL USE ONLY (NOT for PUBLIC USE).²

STRICTLY CONFIDENTIAL

Information and documents that are deemed to be of a highly sensitive nature or to be inadequately protected by the CONFI­DENTIAL classification shall be classified as STRICTLY CONFIDENTIAL and access to them shall be restricted solely to persons with a specific need to know. The staffs of the Institutions shall establish a control and tracking system for documents classified as STRICTLY CONFIDENTIAL, including the maintenance of control logs. Documents classified as STRICTLY CONFIDENTIAL shall be (i) marked with such classification on each page; (ii) kept under lock and key or given equivalent protection when not in use; and (iii) in the case of physical documents, transmitted by an inner sealed envelope indicating the classification marking and an outer envelope indicating no classification, or, in the case of documents in electronic form, transmitted by encrypted or password-secured files.

For purposes of this Protocol, the following individuals are deemed to have a specific need to know: (i) the FSAP team leader and deputy leader; (ii) FSAP team members directly involved with the substance of the sensitive information; (iii) immediate supervisors of FSAP team members who are staff members of the Institutions, who need the information to fulfill their management function; and (iv) the Managing Director of the Fund, the President of the World Bank Group, or their respective designated representatives; and (v) other individuals by agreement between the FSAP team leader or deputy leader and the provider of the sensitive information.

CONFIDENTIAL

Information and Documents that must be restricted to persons with a need to know or a legitimate interest in the information, shall be classified as CONFIDENTIAL. A document classified as CONFIDENTIAL shall be (i) marked with such classification on the cover and first page; (ii) kept out of view of unauthorized individuals when not in use; and (iii) transmitted in appropriately marked envelopes.

For purposes of this Protocol, the following individuals are deemed to have a need to know or a legitimate interest in information and documents classified as CONFIDENTIAL: (i) all FSAP team members; (ii) immediate supervisors and department heads of FSAP team members who are staff members of the Institutions; (iii) the relevant Country Directors and Sector Leaders in the Bank, and the relevant Area Department Mission Chiefs and MAE Country Managers in the Fund;³ (iv) the Managing Director of the Fund, the President of the World Bank Group, or their respective designated representatives; and (v) other individuals by agreement between the FSAP team leader or deputy leader and the provider of the sensitive information. Authorization is not required for further distribution on a need-to-know basis, within a specific office of one of the Institutions, but any such further disclosure must include notice to each additional recipient that the information is CONFIDENTIAL.

FOR OFFICIAL USE ONLY (NOT for PUBLIC USE)

A document classified as “FOR OFFICIAL USE (NOT for PUBLIC USE)” shall be marked with such classification on the cover and first page and no other specific restrictions on the handling or transmission of such documents shall be imposed other than the general requirement to prevent public access.⁴

• 4. In general, the lowest appropriate category of classification should be used, and will be decided by the FSAP team leader in consultation with the provider of the sensitive information. It is expected that the majority of sensitive information will be classified as either NOT for PUBLIC USE or CONFIDENTIAL, and that the STRICTLY CONFIDENTIAL classification will need to be used only sparingly.

Transmitting and referencing sensitive information

• 5. Cover letters or transmittal forms shall bear the classification of the most restricted attached documents. Documents that quote from, or otherwise contain sensitive information from classified documents shall be marked with the same security classification as the original information with the most restricted classification contained in the records, and shall be treated in the same way as the original information. E-mail messages that convey sensitive information from classified records shall have distribution lists reflecting the restrictions of the relevant classification.

Downgrading of security classifications

• 6. At the time of classifying as “STRICTLY CONFIDENTIAL” or “CONFIDENTIAL” sensitive information entrusted to the FSAP team, the recipient will make a good faith effort to reach agreement with the provider on specific downgrading instructions, such as when, in what circumstances or under what conditions it might receive a lower classification.

Participation of staff in FSAP teams

• 7. FSAP team leaders shall be responsible for providing each member of their respective teams a copy of this Protocol and attachments hereto. The policies and guidelines of the Institutions in Appendix 1 provide for procedures and measures in the event of breach by their respective staff members of the applicable policies and guidelines.

Participation of consultants in FSAP teams

• 8. FSAP team leaders shall, prior to fielding the first FSAP mission, consult with the relevant authorities of the country concerned regarding the participation of any consultant, from either the private or public sectors, in the FSAP team. In choosing consultants to be included in such team, FSAP team leaders will take into account concerns expressed by the relevant authorities about the security of sensitive information in connection with the participation of any particular consultant. The same procedure shall apply if a consultant is proposed to be added to the team after the first mission.

• 9. A consultant that participates in an FSAP team shall execute a confidentiality letter in the form of Appendix II (which may be modified from time to time), except when the requisite elements of such letter have been incorporated in the relevant consulting contracts. Such elements are: (i) acknowledgment of receipt of a copy of this Protocol and its attachments; (ii) agreement not to disclose or use to private advantage sensitive information known to the consultant by reason of his participation in the FSAP team; and (iii) agreement that confidentiality obligations undertaken in connection with the FSAP shall survive the termination of the consultant’s contract, unless the obligations refer to sensitive information that have been declassified for public use.

• 10. In the event of a breach of confidentiality by a consultant in connection with the FSAP, the Institution with which the consultant has a contract will address the matter, in accordance with such Institution’s rules and procedures. Sharing of sensitive information and FSAP-related documents between the institutions and with authorities.

• 11. Sensitive information entrusted to the staff and consultants of either Institution, as well as FSAP-related documents generated by the staff and consultants of either Institution, will be shared with identified counterparts in the other institution, subject to the restrictions on access and procedures described or referred to in this Protocol. Nothing in this Protocol shall limit the staffs of the Institutions from sharing sensitive information entrusted to them through the FSAP with the relevant country authorities that are authorized to receive the information.

Disclosure of Protocol

• 12. This Protocol and attachments thereto shall not be classified. Prior to the commencement of the initial FSAP mission, copies will be provided to the appropriate authorities and will be made available on request to representatives of financial institutions participating or proposing to participate in the FSAP.

APPENDIX I

General Policies and Guidelines

The security procedures set forth in this Protocol have been prepared particularly for the FSAP in accordance with the following policies and guidelines of the Institutions (Attachments I(a) to I(i)), as amended from time to time, concerning the safeguarding of confidential information and documents:

• (a) Guidelines for Bank-Fund Collaboration in the Financial Sector (June 1999);

• (b) World Bank Principles of Staff Employment, para­graph 3.1(d);

• (c) World Bank Staff Rule 3.01, Section 4.02, Disclosure and Use of Non-public Information (April 1999);

• (d) World Bank Policy on Disclosure of Information (March 1994);

• (e) World Bank Administrative Manual Statement 10.20, Security of Records (September 1996);

• (f) World Bank Administrative Manual Statement 10.20B, Confidentiality in Financial Sector Work (January 1998);

• (g) International Monetary Fund Staff Regulations N-4, N-5, N–6, and N-11;

• (h) International Monetary Fund Staff Code of Conduct, Section 20, Use and Disclosure of Information (July 1998);

• (i) International Monetary Fund, General Administrative Order No. 26, Rev. 2 and Supplement 1, Records, September 5, 1990; and,

• (j) International Monetary Fund, General Administrative Order No. 35, Information Security (September 1990).

APPENDIX II

[Date]

[International Monetary Fund or World Bank Address]

Re: FSAP—Confidentiality Obligations

In connection with my participation as a [World Bank/IMF] consultant in the Financial Sector Assessment Program for [country], I hereby confirm that I have received and read copies of the Protocol on Protection of Sensitive Information in the Financial Sector Assessment Program and attachments thereto (the “Documents”). I agree to observe the procedures described in the Documents and, in particular, not to disclose or use for private advantage sensitive information known to me by reason of my participation in the FSAP. I also agree that my confidentiality obligations under the FSAP shall survive termination of my FSAP assignment, unless the obligations refer to sensitive information (as defined in the protocol) that have been declassified for public use.

SM/00/54,

March 15, 2000

• ¹ Hereinafter, the World Bank and the Fund are referred to as the “Institutions.”

• ² General Administration Order 35 in the Fund also provides for a classification category of SECRET; however, this classification category is currently under review in the Fund, and it is likely to be abolished in the near future.

• ³ The term “provider” means an individual or entity that retains the right to restrict the disclosure of information or documents entrusted by the provider to the staffs or FSAP consultants of the Institutions.

• ⁴ Documents receiving this classification in the Fund are normally made available to certain international organizations as identified in decisions of the Executive Board.