Effective Date: 11 November 2022.

Scope and Applicability

This Global Privacy Notice  applies to personal information processed in our global financial hubs, and to any documentation that refers or links to it.

Our global financial hubs are located in the United States, the European Economic Area, the United KingdomHong Kong and Singapore. We also have Supplemental Provisions that set out protections for cross border products. Please refer to the link relevant to your country of residence.

Country-level privacy notices for on-shored or in-country (domestic) operations, are listed in the Annex, in Section 13. They do not form part of this Global Privacy Notice.

The Institutional Clients Group (ICG), operates banking and market services provided to corporations, financial institutions, public sector organizations, and investment managers. It comprises the following business areas:


  • Global Markets

ICG Markets business comprises all broker/dealer exchange and traded products, including Commodities, Derivatives, Equities, Futures, FX, OTC operations, securities clearing and similar.


  • Securities Services

Security Services comprise agency securities, lending and directed agent investment services, direct custody and clearing, global custody, global fund services; and corporate, compliance and investment monitoring and similar services.


  • Banking, Capital Markets and Advisory

BCMA includes investment and corporate banking, and advisory services in relation to mergers, divestitures and acquisitions. It  organises and provides lending within corporate loan portfolio and corporate brokerage services; and provides capital (debt and equity) markets origination and ancillary services.


  • Citi Issuer Services

Issuer services provide payment and security agency, trust, and depositary receipts.


  • Citi Commercial Bank  

Our global commercial bank provides accounts, products, securities, loans and guarantees and similar core banking services to corporate clients.


  • Treasury and Trade Solutions (TTS) Cash & Trade

TTS provide commercial payment and receivables solutions, digital cash management and trade data, liquidity management services and similar services.


We provide our products and services through offices in 95 countries and territories.

This is a comprehensive document that sets out the principles under which we process personal information in global financial hubs: It does not override your contractual documentation, or any legal rights under the law applicable to you or our product.

This document does not apply to, or modify, on shored or in-country (domestic) operations in any ICG business areas.

Please read:

  1. Your product documentation, for details about our services and how confidentiality applies to our products.
  2. Supplemental Provisions applicable to the country where You reside, or where Your Organization is established (see Section 12.a )
  3. the Digital Platforms supplement for ICG online banking and mobile App platforms (see Section 12.b)

Please Note: The TTS Commercial Cards program operating outside of the United States is not included in this Global Privacy Notice. You may access Non-US commercial cards privacy statements here.

Key Definitions

You and Your Organization

In this global Privacy Notice “You” means any individual person with whom we come into contact in the course of our dealings with “Your Organization”. Your Organization is our corporate client, other institution or business counterparty you are associated with.

Personal Information

Personal Information” is any information:

  • that identifies or can be used to identify you;
  • that relates to, describes, is capable of being associated with, or could reasonably be linked (directly or indirectly) with you; or
  • that can be used to authenticate you or provide access to an account.


US residents: Please note that we  will not process Personal Information from other members of your household.


 “Sensitive Personal Information” or “Special Categories of Personal Informationrefers to Personal Information that requires special handling under applicable law and may include information such as racial and ethnic origin, religion, medical information, , biometric information and in some countries and territories also financial account information. Aggregated and anonymised data  is not considered Personal Information for purposes of this Privacy Notice.

We will only process Sensitive Personal Information after obtaining your consent unless permitted under another basis by the laws of the country where it is collected. In order to prevent its accidental processing please do not include in any communications with Citi any type of Sensitive Personal Information about yourself or anyone else. If we receive such information by accident or happenstance we will let you know and immediately take measures to dispose of sensitive personal data.

Changes to this Privacy Notice


We may change this Privacy Notice to adapt it to our products and services as they change from time to time. If we make any changes, we will post a new version on this page. We may also provide you with an additional notification, in the manner set out in your product documentation.


The ICG legal entity which provides the accounts, products and services you are using or accessing on behalf of Your Organization, is in most cases responsible for determining what Personal Information will be collected, the purposes the information will be collected for, and how it will be processed. That entity is the Data Controller, or Data User under the laws of certain other jurisdictions.

We may act as a Data Processor when we process card payment transactions on behalf of merchants, other banks or card issuers, or when we act as a transfer, payment or security agent. If we act as a Data Processor on behalf of other Data Controllers, we will only collect and use information as described in our contracts, not under this Privacy Notice.

Data Controllers

Please refer to country-Supplements in Section 12 for information on data controllers in each country or region. A global list of Citi entities is available here


We may obtain information directly from you, from Your Organization or from other third parties, for example: financial institutions, government records, credit bureaux, or companies specialised in gathering publicly available information.

We obtain information about you from various sources:

  • Account activities (e.g. bill payments, deposits, withdrawals, investments, other transactions)
  • Applications and forms (e.g. product variation, credit lines and limit increase, signatory names and signature sample forms or , electronic instructions)
  • Written and verbal communications with you, your representatives or our institutional clients (e.g. phone calls to our trading or client service desks, text messages, emails or other communications received direct from you, your employer, institutions you work for or with, or other third parties) for the purposes of obtaining instructions from you, authentication, security and quality assurance.
  • Citi Digital Platforms . Data is not shared or combined between platforms. Please refer to the Digital Platforms Supplemental Provisions for more information
  • We obtain some personal data about you from international sanctions lists, publicly available websites, financial market infrastructures (including settlement service providers, central securities depositories, exchanges, central clearing counterparties and other similar entities) databases and other public data sources
  • Conduct background checks and monitor publicly available information through specialised service providers.

As required and/or permitted by law, we also may monitor and record your telephone, email, instant messaging, and other online communications with us in connection with any banking operation or instruction that results or may result in a banking, financial or corporate transaction.


Personal Information

Citi ICG collects personal information about you, for specified purposes indicated in this Privacy Notice and its Supplemental Provisions.

Types of personal information we process, include:

  • Your identity: name, company, title, job description in relation to Your Organization
  • Your business contact details such as email address, telephone number, business address.
  • Information about your employment and signature authorisations issued by Your Organization, and your current and prior relationships within Your Organization.
  • Information about your relationship with us, preferred methods of services communications, and your marketing preferences
  • Information relating to your personal assets as part of our Know Your Client (KYC) legal and  regulatory obligations, including background and credit checks, and identifying the ultimate beneficial ownership structure of Your Organization and a corporate entity you are associated with.
  • Information relating to your financial and personal background, and residential address, as part of any reference and identity verification checks, in order to open and maintain accounts, products, and services for Your Organization.
  • Information required for other legal or regulatory purposes including AML and/or sanctions and investor screening processes (e.g., copies of your passport or a specimen of your signature) or for transaction management purposes
  • Other details of agreements or arrangements Your Organization made with us.

Where required by law, we will process Social Security, national ID and other protected information. We have systems that compartmentalize such protected personal information, and operational, technical and governance measures, including strict access controls to protect the confidentiality and security of our data.

Sensitive Personal Information

Sensitive personal information is defined differently under the laws of different jurisdictions. We will only collect and process personal information which is necessary for us to provide our products and services and as required for other business, legal, and regulatory purposes. We will always provide you with additional explanatory information and disclosures if we collect or otherwise process sensitive personal data  such as Biometric and behavioural data that we learn from your interactions with our systems and applications, for example your mouse speed and movements, your keyboard usage, voice authentication using telephone banking and by using the built-in biometric authentication technology in your mobile device. When we use device authentication, we will not have access to your biometric data, which remains stored in your mobile device.

Digital Personal Information

Information for Citi ICG public Websites *

(*for banking online and mobile applications please read our Digital Platforms Supplement in  Section 12.b)

Device and Usage Information: We collect technical information about how you access our websites, including data about the device and network you use, such as your hardware model, operating system version, mobile network, IP address (digital identifiers), browser type, and app version. We also collect information about your activity on our Services, such as access times, pages viewed, links clicked, and the page you visited before navigating to our Services, to prevent  fraud and other criminal activities.

Cookies and Similar Tracking Technologies: We collect information about your use of our digital services through technologies such as cookies web beacons and trackers. This includes information such as:

  • Information about your use of the services and about the device you use to access the services
  • The pages you request and visit and any posts you submit
  • Information on your interaction with other pages
  • Information obtained in the course of maintaining or supporting the Services
  • Information about your device, such as MAC  and IMEI numbers, your IP address, and the URLs of sites from which you arrive or leave the Services
  • Your type of browser, your operating system, your mobile or internet service provider, and the make and size of your device (such as for page displays and interoperability)

Cookies are small data files stored on your hard drive or device memory that help us, among other purposes to:

  • Improve our Services and your experience
  • See which areas and features of our Services are popular
  • Count visits

Web beacons are electronic images that may be used in our Services or emails and help among other purposes to:

  • Deliver cookies
  • Count visits
  • Understand usage and campaign effectiveness

Each site has page-specific  Cookie Notices and options.


We use your Personal Information for the following purposes:

  • Communicate with you in relation to banking and financial services provided to Your Organization including:
      • To verify your identity and communicate with you
      • To improve relationships with you and Your Organization
      • To inform you about products and services Your Organization has,  and to offer other services that may be of interest for Your Organization (subject to your marketing preferences).
  • Deliver our services, including:
    • To provide our products and services, including opening and maintaining accounts for your Organization
    • To manage and administer our business
    • For system administration, operation, testing and support of our Digital Platforms
    • To enable third parties to deliver products or services on our behalf, including payment services
    • In communicating with credit reference and information agencies
    • To meet our obligations to and cooperate with stock exchanges, alternative trading systems, clearing and settlement agencies, brokers and similar entities
  • Manage our business, including:
    • For business development activities, analysis and planning purposes
    • To investigate and respond to client issues and complaints
    • To establish, exercise, or defend our, and any third party’s legal claims, including adherence to applicable terms of use
    • For research and other statistical and trend analysis (de-identifying and aggregating or anonymizing source data with that of other clients and institutions in such way that it is not possible to reverse-engineer and re-identify you)
    • To protect and enforce the rights, property or safety of us, our business, any Citi company, Your Organization or others including security and fraud prevention for identification / authentication purposes
  • For our and other financial institutions’ legitimate interests (provided  these are not overridden by yours) and to comply with applicable laws, including:
    • For fraud prevention and investigation and dealing with other criminal activity
    • For internal risk assessment and control, e.g. detect or resolve cyber incidents or fraud
    • To comply with judicial requirements, including to exercise our rights in judicial, administrative or arbitration litigation
    • Some laws will require you to provide us with certain tax information, or complete tax declarations
    • For regulatory reporting requirements, e.g. regulatory reporting, Central Bank reporting

Use and Disclosure Rights

Certain countries and territories require Citi to offer to individuals the options and means to limit their use or disclosure of personal information to third parties. Please refer to the appended Special Provisions for your country or territory for information on these additional rights and how to exercise them.

Citi ICG does not sell nor share your Personal information with third parties for their advertising or other commercial purposes. We also do not sell, share, or use your personal information for third party online targeted advertising,  nor disclose the Personal Information of persons under the age of 16 (see ‘Children’ further below) .

Automated Decision-Making and Profiling

ICG does not make automated decisions based on personal information or sensitive personal information, and does not conduct profiling for commercial purposes based on your personal information or sensitive personal information. You should be aware that we  automatically monitor transaction data for fraud and Anti Money Laundering purposes. All decisions involving personal data are conducted by or checked by our staff. Where we process data automatically (for example in algorithmic investment strategies) all information is de-personalised.


The lawful basis that we rely on, vary depending on the applicable law in the country where we collect data, include:

  • Consent: We will use consent as a lawful basis, subject to conditions applicable in the country where consent is collected, only where
    • We are required by law to obtain consent or
    • Where consent can be assumed or inferred from your conduct
  • Performance or Delivery of a contract
    • We will rely on this lawful basis for processing if:
      • We have a contract with you and need to process your personal information in order to deliver the products and services outlined in that contract. For example, to set up and manage your account with us, or to process your payments.
      • You have asked us to take steps in order to enter into a contract with us. For example, to provide you with a quote or to process your account application.
  • Legitimate interests
    • We will rely on this lawful basis for processing if:
      • We have a legitimate business purpose for processing your personal information; and
      • Processing your personal information is necessary to achieve this purpose; and
      • Our legitimate business interest is not overridden by your individual interests, rights and freedoms
  • Legal obligations
    • We will rely on this lawful basis for processing if we need to process your personal information to comply with a common law or statutory obligation. This may include, but will not be limited to:
      • Providing information on request to government entities / regulatory authorities / markets / brokers / other intermediaries or counterparties
      • Conducting compliance activities such as: audit and reporting / maintenance of accounting and tax records / anti money laundering / sanctions and anti-terrorism laws and regulations / fighting crime / know your customer screening / politically exposed persons screening / sanctions screening / security and fraud prevention

When we collect and process sensitive personal information we will usually do so by obtaining your explicit consent. There are some instances where we may rely on legal exceptions  to such consent to process sensitive personal information. For example:

  • If the need to process data is clearly in your interest, and consent for the collection, use or disclosure cannot be obtained in a timely manner, or where you would not be reasonably expected to withhold consent

If it is for a substantial public interest or in the legitimate interest of another person (including us) provided that processing must not extend to what is reasonable to provide a legitimate outcome and the protected interest outweighs any adverse effects of the processing your personal information.


Your rights over your personal information are protected by applicable law in many countries. Most countries grant 4 basic rights: Access, Rectification, Cancellation and Objection (by their initials, the so-called ARCO rights), Citi extend these and GDPR rights globally to all ICG clients  beyond the requirements of their national law :  

Right to be informed

    • You have the to be informed of sub-processors that receive your data and of certain operational and technical measures we put in place to protect your data. 
  • Right to access your information:
    • You can contact us to request a copy of the personal information we hold about you  This is often known as a ‘subject access request’
  • Right to rectify your information
    • You can contact us to ask us to correct personal information that you believe we hold which may be inaccurate or incomplete
  • Right to erase your information
    • You can contact us to ask us to erase personal information that we hold about you
    • There may be some instances where we are not able to erase your personal information. For example, where it is a legal requirement for us to continue to process your information. If this is the case, we will clearly explain the reason we are unable to stop processing your personal information.
  • Right to transfer your information to another organisation
    • You can contact us to ask us to transfer your personal information to other organisations. This is often known as the ‘right to data portability’
    • There may be some instances where we are not able to transfer your information. For example, if we are relying on a lawful basis other than ‘consent’ or ‘contract’ to process your personal information
  • Right to restrict processing of your personal information
    • You can contact us to ask us to restrict processing of your personal information
    • There may be some instances where we are not able to restrict processing of your personal information. For example, if you do not provide us with a particular reason for wanting the restriction.
  • Right to object to processing
    • You can contact us to object to us processing your information
    • We may not always be able to accept your objection. For example, if we need to continue to process your information for our business, legal and regulatory and other purposes
  • Right to object to the grounds of legitimate interests for processing
    • Where we rely on legitimate interests as the lawful basis for processing your personal information, you can contact us to object to us processing your information on these grounds
    • We will always consider your reasons for objecting to us processing personal information on these grounds, and balance your interests, rights and freedoms with our legitimate business interests
  • Right to withdraw your consent for processing your personal information
    • You can contact us to withdraw your consent for processing your personal information
    • If you withdraw your consent for processing of your personal information and it is necessary for us to process that information for one of our business, legal and regulatory and other purposes, then we may not be able to provide you with the relevant products and / or services
    • There may be situations where we are unable to stop processing your personal information, for example, where it is a legal requirement for us to continue using the information. If this is the case, we will clearly explain the reason we are unable to stop using (and storing) your personal information.

We may not always be able to grant your privacy rights request.

We will always respond to your request within the timeframes provided under applicable law.

We will need to verify your identify before we share any details relating to personal information. If you are making a request on behalf of someone else (e.g., as an attorney or a friend or relative) we may require further information to ensure that you are duly authorised to make the request. In our reply, we will explain clearly whether we accept your request, the rationale for our decision, and what will happen next.


From time to time, we will disclose your personal information to trusted third parties (including Citi legal entities different from the one You or Your Organization have your relationship with). We may disclose your personal information to the following recipients:

  • to Your Organization in connection to the services we provide to them
  • Our affiliates or other ICG business groups, which may receive or have access to personal information about you if you access, request, or otherwise use other ICG  services in connection with your use of our services, including our online portals and apps, and as permissible under applicable law;
  • Our affiliates’ service providers, for services such as application processing, fraud monitoring, call centre and client services, meeting hosting, data analysis, or otherwise assist in the management and execution of business functions;
  • Stock and security exchanges, alternative trading systems, clearing and settlement agencies, brokers, facilities and similar entities, payment infrastructure providers, counterparty banks, and any persons we receive payments or make payment on your behalf;
  • To brokers, custodians, sub-custodians, fund administrators, fund houses, depositaries, trustees, financial market infrastructure service providers (including settlement service providers, central securities depositaries, and
  • To our professional services providers including legal, tax, insurance and audit advisors, and to competent regulatory, tax, governmental or investigation agencies authorities, to central banks and financial regulators and to the courts of any jurisdiction, domestic or foreign

We will only share your information for the purposes outlined in the section Purposes and Use of Personal Information

Where required by domestic law, we shall add to our client documentation details on third parties we share information with, the locations of third parties, and the categories of information that we share.


ICG serves global customers and has offices in 95 countries. Your personal information is stored and processed in the country where Your Organization opens a product ; and in our regional main offices and ‘global service clusters’ for operational, regulatory and management purposes.

ICG and its service providers may transfer your personal information to, or store or access it in, jurisdictions that may not provide the same levels of data protection to those offered in your home jurisdiction. We will take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it by using contractual and technical security measures, including (for the EEA and other territories) standard contractual clauses. We will inform you of the transfer of data or obtain consent where required by applicable law.


We retain personal information only for the length of time necessary to carry out the Purposes for which personal data was collected and keep that data during such time Your Organization’s accounts and products are open, or a transaction is active, and for a certain time after their closure in accordance with a country-specific records retention schedule, set in compliance with local law. When the retention of your personal data is no longer necessary, we will securely dispose of it by destroying the data, or we will irreversibly anonymize it, so that it is no longer personal data.


This Privacy Notice is not intended for or directed at persons under the age of 18. In addition, ICG Services are not designed for children and we do not knowingly collect personal information from children under the age of 16. We do not sell, share, use for information society services or targeted advertising personal information of children. We may process information relating to minors with consent from their parents or guardians, where they are named beneficiaries of trusts, wills or insurance policies, and similar uses permitted by law. If you have reason to believe that information about a child has been provided to us in error, please contact us, and we will take appropriate action.


Please use the links provided under Your Rights or refer to the Supplemental Provisions to contact us or our data protection officers and authorities.


Our global privacy notice and its Supplemental Provisions apply to products in our global financial hubs, and to cross-border operations with global entities, and any documents that explicitly refer to these terms.

Our global financial hubs are located in the United States, the European Economic Area, the United Kingdom, Hong Kong and Singapore. We also have Country Supplements that set out protections for cross border products. Please refer to the link relevant to your country of residence.

In the event of conflict,  the terms in the Supplemental Provisions shall govern and take precedence over the terms of the Global Privacy Notice

If you have an on-shored or in-country (domestic) product please refer to your country documentation, including the country-level privacy notice, A list of online privacy notices is available in Section 13 below. Please note that your country privacy notice may only be available in paper format.








US- California





China, PRC

Hong Kong SAR


New Zealand



South Korea




EEA / UK Regional Provision








South Africa (RSA)


United Arab Emirates

  • General
  • DIFC Dubai International Financial Centre
  • ADGM Abu Dhabi Global Market



Please click here to access out Digital Platforms supplement, which apples to online banking and trading portals and mobile Apps.


 Citi Research activities are covered by a separate document, accessible here.



For private bank operations please refer to the following link:



For on-shored or in-country (domestic) operations please refer to the following notices:









Hong Kong







New Zealand





South Africa

South Korea





United States




Please click here to print the document.


If you have any comments, questions or concerns relating to the processing of your personal information as an employee, or former employee, of a Citi Institutional Client, under this Notice, or would like to action a rights request, please click on the “Contact Us” button and fill out the short form. Alternatively you can contact your regular Citi Client Relationship Manager.

If you are a resident of California you may also contact us by visiting our California Privacy Hub