Privacy for Consumers at Citigroup

Declaration of Protection of Personal Information (by Citibank Japan Ltd.)

We, Citibank Japan Ltd., are aware that the personal information of our customers is the important property of each customer and its appropriate protection and use is one of our most important considerations.

We hereby declare that we comply with the following and make efforts at all times to accomplish appropriate protection and use of customers' personal information.

Handling of Personal Information by Citibank

1. [1]We will comply with all applicable laws, regulations and guidelines in relation to customers' personal information, and safeguard, according to strict standards of security and confidentiality, any information our customers share with us.
2. [2]We will collect customers' personal information in a lawful and fair manner. The main methods of collection are collection through applications to open accounts, loan applications and requests for remittance into accounts. If we collect personal information indirectly, we will ensure that the provider of the information has taken the legal steps (such as acquisition of the principal's consent or opt-out) required for the provision to a third party. Opt-out is a situation where the purpose of use of the person's personal information includes disclosure to third parties and such disclosure will be terminated upon such person's request.
3. [3]Unless the customers' consent is obtained or other exceptions apply, we will limit the use of personal information of our customers to the minimum we require for implementing the purpose of use preliminarily disclosed to customers.If we change such purpose of use, we will promptly notify the customers of such change. For details of the disclosed purposes of use, please refer to purpose of use for general bank product and other services.
   We will specifically define the purpose of use so that it will be clear to customers and try to limit the purpose of use according to each situation where personal information is obtained.For example, we will limit the use of the responses to various questionnaires to the collection of questionnaires.
4. [4]We will permit only authorized employees, who are trained in the proper handling of customer information, to have access to that information.
5. [5]We will not provide the customers' information to outside parties unless one of the following applies:
   • the customer agrees to such provision
   • such provision is required by applicable laws and regulations
   • such provision is required for the protection of human life, physical health or property
   • support services are outsourced to other organizations
   • we co-use with the co-users as mentioned
   • any other special reason applies
6. [6]Whenever we hire other organizations to provide support services, we will choose them conforming to our internal rules regarding safeguarding of personal information and supervise them as necessary and appropriate, including auditing them for compliance with our internal rules. Such organizations include, without limitation, our group companies overseas and domestic and other service providers overseas and domestic.
   We use service providers to handle personal information in the following cases,
   for example:
   • Administration regarding sending transaction statements;
   • Administration regarding sending direct mail;
   • Business regarding operations and maintenance of systems.
7. [7]For purposes of credit reporting, verification and risk management, we will co-use the clearing houses, etc. and receive personal information from third-parties including private credit information institutions ("PCIIs").
8. [8]If customers so request, we will cease to use the customers' personal information for purposes of direct marketing (sending direct mail, telemarketing, etc.).
9. [9]We will take all possible measures to keep customer files complete, up-to-date and accurate. We will tell our customers how and where to conveniently access their account information handled by us, such as name and home address. If there is a request for disclosure, correction and suspension of use of the personal information which we deal with, upon confirmation that such request is made by the customer himself/herself or the proxy authorized by the customer, we will take such measures for disclosure, correction and suspension of use unless there is any special reason not to do so.
10. [10]We will establish measures as necessary to prevent leakage, loss or destruction of, or safeguarding of, personal information and implement such measures strictly. We will also establish a system and manual to deal with emergency situations.
11. [11]We will sincerely receive, strictly investigate, and appropriately and promptly deal with customers' complaints.
12. [12]Please contact the following number for any questions regarding our handling of personal information, requests for disclosure, etc., complaints or any other questions regarding the personal information.
13. [13]We will review our efforts for the protection of personal information for improvement on a continuous basis.

(Contact for Questions regarding Customers' Personal Information)

Citibank Japan Ltd. CitiPhone Center, Tel: 0120-110-330, 9:00 AM to 5:00 PM (Weekdays)

Scope of Business Operations

< Bank Name > : Citibank Japan Ltd.

1. [1]Accepting deposits, dealing with domestic exchange, money-changing, providing loans, dealing with foreign exchange and other operations incidental thereto;
2. [2]Such sales of mutual funds, insurance, brokerage of financial products, business that a bank can operate under the laws and other operations incidental thereto;
3. [3]Other business operations which a bank can operate and other operations incidental thereto (including those which a bank will come to operate).

Purpose of Use for general bank product and other services

1. [1]To deal with opening accounts for various financial products, transactions, applications of the financial products and services with customers;
2. [2]To confirm the identity of customers pursuant to the Law for Prevention of Transfer of Criminal Proceeds or to confirm the eligibility of customers for the financial products and services;
3. [3]To manage continuous transactions, such as controlling the date of depositing or foreign exchange;
4. [4]To make decisions on or manage applications for loans or other continuous transactions;
5. [5]To make decisions on the appropriateness of the financial products and services, in light of the principles of suitability, etc;
6. [6]To disclose to third parties to the extent necessary for proper operation of the business, such as disclosing the personal information to private credit information institutions in relation to providing credit;
7. [7]To properly handle the personal information entrusted by other business entities when any part or all of the handling is entrusted;
8. [8]To exercise the rights or implement the obligations under agreements with customers or laws;
9. [9]To research and develop financial products and services by conducting market research, data analysis and questionnaires;
10. [10]To propose financial products and services, such as sending direct mail;
11. [11]To propose the products and services of allied companies;
12. [12]To deal with termination of transactions or management after the termination;
13. [13]To send notices regarding opening accounts, products, seminars, etc, or to conduct data analysis, based on the information given at the time of the various information requests or applications for opening accounts, products, seminar, etc.
14. [14]To contact a pre-notified number in case of emergency;
15. [15]To maintain and safeguard the office and ATMs;
16. [16]To ensure that telephone banking transactions will be duly consummated or that inquiries from customers will be duly handled;
17. [17]To properly and smoothly implement the transactions with customers.

Co-Use of Personal Data

1. [1]Co-Use of Dishonor Information

   Items of Personal Data to be Co-Used

   The information regarding the drawer of dishonored note/check (or accepter of bill of exchange. This shall apply hereinafter) and applicant for opening a current account as follows:

   1. (1)Name of the relevant drawer (in case of a corporation, its name, name of representative and title of representative);
   2. (2)Trade name of the relevant drawer if any;
   3. (3)Address (in case of a corporation, place where it is located) (including the zip code);
   4. (4)Name of applicant for opening a current account (in case of a corporation, name, name of representative, title of representative and trade name (if any));
   5. (5)Date of birth;
   6. (6)Occupation;
   7. (7)Capital (only in case of a corporation);
   8. (8)Category and face value of the relevant note or check;
   9. (9)Distinction between a report of dishonor (the first dishonor) and report of suspension of transactions (disposition of suspension of transactions);
   10. (10)Date of exchange (Date of presentation);
   11. (11)Paying Bank (including the name of department or branch);
   12. (12)Out-clearing Bank (including the name of department or branch);
   13. (13)Reason for dishonor;
   14. (14)Date of disposition of suspension of transactions;
   15. (15)Clearing house in which the paying bank (branch) of the dishonored note/check is participating and the bankers association to which the relevant clearing house belongs.
   • (Note) If the information regarding 1 through 3 above described in the dishonored note/check is different from the information that has been filed with the paying bank, the information described in the relevant note/check shall be included.

   Scope of Co-Users

   1. (1)Local clearing houses;
   2. (2)Financial institutions participating in local clearing houses;
   3. (3)Personal Credit Information Center established and operated by Japanese Bankers Association;
   4. (4)Each local bankers' association which is a special member of Japanese Bankers Association (including Reference Center to Persons Whose Transactions Are Suspended of each local bankers association). A list of co-users may be found on the website of Japanese Bankers Association.

   http://www.zenginkyo.or.jp/abstract/clearing/index.html

   Purpose of Use

   Securement of smooth distribution of notes and checks and judgments by financial institutions in credit transactions of their own.

   Name of Person Responsible for Management of Personal Data

   Bankers association to which the clearing house belongs in which the paying bank of the dishonored note/check is participating.

2. [2]Co-Use with Group Companies and Affiliated Joint Ventures

   A. Internal controls, credit risk management, etc.

   1. (1)Citibank Japan Ltd. co-uses personal information with the group companies and affiliated joint ventures described in A.3 for the purposes described in A.4 to the extent otherwise permissible under applicable laws and regulations.
   2. (2)Items of co-use: name, address, phone number, e-mail address, account information, transaction details, etc.
   3. (3)Group companies: Citigroup Inc. and its consolidated subsidiaries identified in its public financial statements (Exhibit 21.01 of Form 10-K, available at the website of the U.S. Securities & Exchange Commission ( http://www.sec.gov/)).
      Affiliated joint ventures: the Japan-based joint ventures identified in Citigroup's Japan website ( http://www.citigroup.jp).
   4. (4)Purposes of co-use:
      • → To confirm the identity of customers pursuant to the Law for Prevention of Transfer of Criminal Proceeds;
      • → To coordinate compliance, risk management, audit and other internal control activities among group companies and affiliated joint ventures;
      • → To coordinate management and oversight activities among group companies and affiliated joint ventures;and
      • → To screen and detect fraudulent activities and to prevent of related customer losses.
   5. (5)Name of entity responsible for personal information: Citibank Japan Ltd..

   B. Market research, data analysis, etc.

   1. (1)Citibank Japan Ltd. co-uses personal information with the group company described in B.3 for the purposes described in B.4 to the extent otherwise permissible under applicable laws and regulations.
   2. (2)Items of co-use: name, address, phone number, transaction details, etc.
   3. (3)Group company: Citi Cards Japan Inc.
   4. (4)Purposes of co-use:
      • → To research and develop financial products and services by conducting market research, data analysis and questionnaires;
      • → To propose financial products and services by sending direct mail, etc.;and
      • → To propose the products and services of group companies.
   5. (5)Name of entity responsible for personal information: Citibank Japan Ltd..

   C. Delivery of global products and services to institutional clients, transaction parties, etc.

   1. (1)Citibank Japan Ltd. co-uses personal information with the group companies and affiliated joint ventures described in C.3 for the purpose described in C.4 to the extent otherwise permissible under applicable laws and regulations.
   2. (2)Items of co-use: information of personnel at institutional clients and transaction parties, etc., shareholders, investors and other concerned individuals (names, addresses, phone numbers, e-mail addresses, etc.)
   3. (3)Group companies: Citigroup Inc. and its consolidated subsidiaries identified in its public financial statements (Exhibit 21.01 of Form 10-K, available at the website of the U.S. Securities and Exchange Commission ( http://www.sec.gov/)).
      Affiliated joint ventures: the Japan-based joint ventures identified in Citigroup's Japan website ( http://www.citigroup.jp).
   4. (4)Purposes of co-use:
      • → To propose and coordinate delivery of products and services of domestic and overseas group companies to institutional clients, transaction parties, etc.;
      • → To research and develop financial products and services by conducting market research, data analysis and questionnaires;and
      • → To propose the products and services of group companies by sending direct mail, etc.
   5. (5)Name of entity responsible for personal information: Citibank Japan Ltd..

Procedure of Disclosure Request

Contact information of complaint for handling personal information

All Banks Personal Data Protection Council, Japan Securities Dealers Association

Citibank Japan Ltd. is a member of All Banks Personal Data Protection Council that is an Authorized Personal Information Protection Institution for the financial sector and Japan Securities Dealers Association. Contact office for complaint and consultation of All Banks Personal Data Protection Council (JBA Customer Relations Center and Consumer Relations Office) and Personal Information Consultation Office of Japan Securities Dealers Association accept complaint and consultation about the handling of personal information by members.

All Banks Personal Data Protection Council

http://www.abpdpc.gr.jp/

[For complaint and consultation]
Tel. : 03-5222-1700 or Japanese Bankers Association Customer Relations Office nearby

Personal Information Consultation Office, Japan Securities Dealers Association

http://www.jsda.or.jp

[For complaint and consultation]
Tel. : 03-3667-8427

Regarding Handling of the Sensitive Information

In accordance with the Guidelines Regarding Protection of Personal Information in the Finance Sector (Notification No. 67 of the Financial Services Agency, 2004), we do not acquire, use or disclose to third parties the sensitive information, except as set forth in the Guidelines. Sensitive information means the information concerning political opinions, religious beliefs (religion, thought and creed), affiliation with labor unions, race, family origins, the locality where one's family register is kept, medical health treatment, sex life and criminal background. Further, since the purpose of use of the sensitive information is limited under the Enforcement Regulations of the Banking Law, we do not use the sensitive information for any purpose other than those provided under such Regulations.

Disclosure and Use of Personal Information to and by the Private Credit Information Institutions and Their Members

1. [1]We are obtaining customers' consent to the following concerning disclosure and use of personal information to and by PCIIs and their members (including our bank) by application forms or agreements, etc. as required under Article 23.1 of the Personal Information Protection Law:
   1. (1)If customers' personal information (including the content of agreements and the situation of repayment put on record by members, and dishonored checks and the information listed in the official gazette such as information on bankruptcy put on record by PCIIs) is put on record with the PCIIs to which we are a member or other PCIIs allied therewith, we will use it for the purpose of determining whether to provide credit (i.e., research on capacity for repayment and new address; provided that research on capacity for repayment shall be limited to investigations of capacity for repayment); and
   2. (2)The following personal information (including the changes thereto) which the PCIIs to which we are a member will be put on record with themselves, and the members of such PCIIs and other PCIIs allied therewith will use it for the purpose of determining creditworthiness:

      Information Put on Record	Period to Be on Record
      Personal information such as name, birth date, sex, address (including information on whether mails are delivered), telephone number, office	As long as any of the following information is put on record.
      Contents of agreement such as amount of debt, date of borrowing, and the status of repayment (any delinquency, subrogation, enforced collecting procedures, termination, full repayment, etc.)	During the term of the agreement and for five years or less after the termination date (in case of non-full repayment, the date of full repayment)
      Date on which the PCIIs are referred, contents of agreements or applications in respect thereof	For one year or less after the date of use
      Dishonoring of check	For six months or less after the date of dishonoring for the first time dishonoring;for five years or less after the date of suspension of payment in case of suspension of payment
      Information on the official gazette	For ten years or less after the date of adjudication of bankruptcy
      Fact that investigation is pending due to complaints regarding the recorded information	During the period of investigation
      Information reported by customers, such as loss or theft of ID documents	For five years or less after the report from the customers

2. [2]We are co-using the personal data as follows pursuant to Article 23.4.3 of the Private Information Protection Law with the PCIIs to which we are a member. However, with regard to agreements entered into after the full enactment of the Private Information Protection Law (April 1, 2005), we are obtaining customers' consent as mentioned in the preceding paragraph:
   1. (1)Items of personal data to be co-used:
      information listed in the official gazette (name, address, any adjudication of bankruptcy, date, etc.);
   2. (2)Scope of co-users:
      members to the Japan Bankers Personal Credit Information Center "JBPCIC") and the Japanese Bankers' Association (the "JBA"):
      • N.B.:JBPCIC is a PCII established and managed by the JBA to which the following members belong:
        (a) Regular members of the JBA;
        (b) Other banks except as mentioned in (a) above and financial institutions treated like banks under the laws and regulations;
        (c) Governmental financial institutions or their equivalents;
        (d) Credit guarantee associations as established pursuant to the Credit Guarantee Associations Law (Law No. 196 of August 10, 1953, as amended);and
        (e) Entities dealing with providing credit to individuals on the recommendation of members falling into any of categories (a) through (c) above.
   3. (3)Purpose of Use:
      determination of creditworthiness by members to the JBPCIC;
   4. (4)Name of the Entity Responsible for Safeguarding the Personal Data:
      the JBA.
3. [3]In addition to the purposes mentioned above, the personal information will be mutually disclosed and used to and by the PCIIs and their members to the extent necessary for the purposes of safeguarding and securing the proper use of the personal information, such as maintenance of its accuracy and updating, dealing with complaints, and monitoring by the PCIIs of compliance with regulations by the members.
4. [4]The names and contacts of the PCIIs referred to above are as follows. Eligibility for membership in the PCIIs, names of the members, etc. are listed on their websites.Please note that disclosure to customers of the information put on record with the PCIIs will be made by such PCIIs (we will not deal with such disclosure).
   1. (1)PCIIs to which we are member:

      JBPCIC

      http://www.zenginkyo.or.jp/en/personal_credit/

      1-3-1, Marunouchi, Chiyoda-ku, Tokyo 100-8216
      Tel: 03-3214-5020
      PCII the main members of which are financial institutions and their affiliates

   2. (2)PCIIs allied with the JBPCIC

      Japan Credit Information Reference Center Corp.

      http://www.jicc.co.jp/
      

      41-1, Kanda Higashimatsushitacho,
      Chiyoda-ku, Tokyo 101-0042
      Tel: 0120-441-481

      PCII the main members of which are companies dealing with providing credit, such as money lending, credit business, leasing business, guarantee business, financial institutions' businesses, etc.

      Credit Information Center Corp.

      http://www.cic.co.jp

      Shinjuku First West 15F, 1-23-7, Nishi-Shinjuku, Shinjuku-ku, Tokyo 160-8375
      Tel: 0120-810-414
      PCII the main members of which are companies dealing with providing credit through installment sales, etc.

As of December 2012