Comment: Managing privacy concerns surrounding FATCA and CRS compliance
Written by Ed Harris, Louise Crawford and Adela Komorowska of Hogan Lovells
The drive for enhanced cross-border transparency among tax authorities, in a bid to tackle the use of foreign accounts for tax evasion, has resulted in a number of automatic exchange of information (AEOI) regimes, including the US Foreign Account Tax Compliance Act (FATCA), which was closely followed by the Common Reporting Standard (CRS) developed by the Organisation for Economic Co-operation and Development (OECD). Under AEOI, financial institutions report information about accounts held by foreign resident taxpayers to their local tax authority, which then shares that information with the tax authorities of the jurisdictions in which the account holders are resident.
In the UK, the various intergovernmental agreements entered into under the FATCA and CRS regimes have been implemented into domestic law by way of the International Tax Compliance Regulations 2015 (as amended).
Most investment funds are considered financial institutions for the purposes of the regulations, and are therefore required to conduct due diligence and to report certain information relating to reportable accounts to HMRC. The regulations require financial institutions to collect (and where applicable to report) information relating to accounts held by both individuals and entities, and in the case of entities this includes information relating to controlling persons.
Because the reportable account information required under the AEOI regimes includes personal data such as name, address, place of birth and tax identification number, its collection and onward disclosure can be a sensitive matter for the individuals required to provide it.
This time it’s personal
The friction between enhanced transparency among tax authorities and the individual’s right to privacy has underpinned legal challenges to AEOI regimes in a number of jurisdictions. Critics of AEOI argue, for example, that AEOI does not meet the “necessity principle” under the General Data Protection Regulation (GDPR), i.e. that personal data should only be processed to the extent necessary. “Necessity” is a high standard to meet, but determining what is necessary is not always clear cut. Some have argued that exchanging information automatically, without any assessment of whether it is necessary or even relevant to the recipient tax authority, inherently conflicts with this principle. Others point out that individuals’ personal data is at risk of being leaked or hacked while it is collected and disclosed by financial institutions and shared among tax authorities, including authorities in countries with less stringent data protection standards than the EU and the UK.
Despite these challenges, it is reasonable to assume that AEOI (at least in some form) is here to stay, but that does not mean that data privacy risks should be dismissed or ignored. AEOI has been implemented with certain protections in place, and steps have been taken to enhance transparency and accountability for personal data exchanged through it. For example, the intergovernmental agreements on which AEOI is based all contain express provisions governing the confidentiality of data, the persons and bodies that are allowed to access data, and restrictions on the scope of use of data. The Global Forum (which comprises 160 jurisdictions) has put in place a comprehensive mechanism for assessing and periodically reviewing each participating country’s safeguards against objective international standards, as well as a procedure for dealing with any data breaches. At a UK level, HMRC has published a privacy notice which explains what types of personal data are collected, the authorities with which HMRC shares the information, how long information will be retained (six years plus the current year under its current records retention policy), and what rights the individual has in relation to their personal data under the GDPR. Other jurisdictions have implemented their own measures to adhere to data protection laws at a domestic level.
Review of the measures taken at national and international level is likely to continue. The European Data Protection Board (EDPB), which consists of representatives of each of the national data protection authorities within the EU, issued a statement in January 2019 saying that “due attention” would be paid to calls to review the data protection safeguards under FATCA, and in January 2021 the European Commissioner for Justice confirmed that the EDPB would be revisiting the GDPR issues raised in relation to FATCA.
Until we hear further from the EDPB, are there steps that investment funds should take to protect the privacy of the individuals whose information they collect for AEOI purposes? Since compliance with the regulations implementing FATCA and CRS is mandatory, it is not for an individual fund to assess whether it considers the collection and disclosure of the required information to be appropriate or reasonable. However, there are steps that can be taken to enhance the protection of personal data and give individuals comfort about the processes surrounding AEOI. These include:
Enhancing transparency: Funds should ensure that they are meeting the transparency requirements of the GDPR by putting in place a privacy notice that explains to individuals how their personal data is collected, for what purpose, who it will be shared with, and what the individual’s rights are. For individuals who qualify as a “controlling person” and who are unfamiliar with FATCA or CRS, it may come as a surprise to be asked for their personal information, so it can also be helpful to provide a separate notice or FAQ covering the collection of personal data for FATCA and CRS purposes.
Putting in place data transfer agreements: Funds disclosing personal data about “controlling persons” to other funds or financial institutions should look to put in place a data transfer agreement or NDA containing express obligations that strictly limit use of the data, prevent disclosure to anyone else other than to fulfil a reporting obligation, limit retention of the data to whatever period is required by law, and require the recipient to notify the disclosing entity in the event of a breach.
Reviewing security measures: Perhaps most importantly, the technical and organisational security measures used to collect, store and transfer all personal data gathered in connection with CRS or FATCA requirements should be reviewed. Encryption of that data, in particular, is an effective way of limiting the impact of a data breach should one occur.