Challenges of Compliance with U.S. FATCA: U.K. Data Protection and Bank Confidentiality Issues

Feb. 7, 2014, 3:43 PM UTC

The Foreign Account Tax Compliance Act (“FATCA”) is a U.S. law that seeks to prevent tax evasion by U.S. citizens using offshore banking facilities. It imposes reporting and withholding requirements on non-U.S. financial institutions, with a view to gaining certain information about U.S. account holders of those institutions. Due to its scope and application to non-U.S. institutions, FATCA is a complex and controversial piece of legislation.

Complying with the information reporting requirements of FATCA will require non-U.S. financial institutions to navigate a minefield of restrictions, including data protection and privacy laws, bank confidentiality laws and contractual and common law duties of confidentiality. These restrictions may arise out of multiple applicable laws, depending on the jurisdictions in which the financial institution operates. As things stand, the conflicts that arise between these restrictions and the requirements of FATCA are not always surmountable.

The conflict is not just technical in nature, but reflects a philosophical difference between the EU and the U.S., and specifically between the aims of the U.S. Internal Revenue Service (“IRS”) and data protection regulators in the EU. This has become increasingly marked in recent months in the fallout from Edward Snowden’s revelations and reports that the U.S. has been monitoring German Chancellor Angela Merkel’s telephone conversations. That Merkel, as well as the Vice-President of the European Commission and the European Parliament Committee on Civil Liberties, Justice and Home Affairs, have since vocally championed stronger EU data protection laws suggests that the battle lines may harden further still. This in turn would cast further doubt on the ability of financial institutions operating in the EU to comply with FATCA.

This article focuses on restrictions arising under data protection and bank confidentiality laws in the U.K., and how a financial institution in the U.K. can navigate those restrictions in seeking to comply with FATCA. In particular, it examines how recent legislation in the U.K. significantly reduces the scale of this challenge, and the stark contrast with the obstacles faced by financial institutions operating in EU member states without equivalent legislation.

Intergovernmental Agreements: Overcoming the Challenge?

FATCA aims to prevent tax evasion by U.S. citizens using offshore banking facilities. It seeks to do so by imposing a 30 percent withholding tax on certain payments of U.S. source income made to non-U.S. financial institutions (known as “FFIs”) unless an FFI enters into an agreement with the IRS and discloses to the IRS certain details about its U.S. account holders (including depositors, investors and shareholders). FATCA comes into effect for payments made on or after July 1, 2014.


FATCA compliance presents a number of problems for FFIs operating in the U.K. that wish to avoid paying the 30 percent withholding tax, because compliance with the information disclosure requirements of FATCA may breach U.K. data protection and bank confidentiality laws.

This concern was acknowledged by the IRS from the outset. Following the introduction of FATCA, the IRS entered into negotiations with the U.K. government (along with the governments of France, Germany, Italy and Spain) in an attempt to agree bilateral arrangements that would allow FFIs to comply with FATCA at a national level. The outcome of these negotiations was a “Model 1” model intergovernmental agreement (“IGA”) which would enable FFIs to report information on their U.S. account holders directly to their national tax authorities, which would in turn report that information to the IRS (see WDPR, August 2012, page 20). A growing number of countries, including Ireland, Mexico, Japan and Switzerland, have now also agreed to enter into bilateral agreements with the U.S., whether on a “Model 1” basis (disclosure via local tax authority) or a “Model 2” basis (disclosure direct to the IRS under amended local laws).

The U.K. and the U.S. entered into a “Model 1A” IGA (meaning that the exchange of information is reciprocal) on Sept. 12, 2012 (see WDPR, September 2012, page 21). This was implemented into U.K. law via the International Tax Compliance (United States of America) Regulations 2013 (the “U.K. Regulations”), which came into effect on Sept. 1, 2013. The U.K. Regulations mean that FFIs that are resident in the U.K. will be able to meet their FATCA reporting obligations without having to enter into an agreement with the IRS, instead by reporting information to Her Majesty’s Revenue & Customs (“HMRC”), which would then pass that information on to the IRS.

The U.K. Regulations have substantially reduced the extent of the data protection challenges for U.K. FFIs seeking to comply with FATCA, by providing legitimate grounds for U.K. FFIs to disclose FATCA information to HMRC. It has become a question of national, rather than extraterritorial, law.

As a practical matter, FFIs in the U.K. will still need to register with the IRS on its FATCA registration portal, and must do so by April 25, 2014, in order to appear on the IRS’s first official FFI list, which is scheduled to be published on June 2, 2014. From a data protection perspective, they will need to assess the compliance steps that may need to be taken to disclose FATCA information to HMRC. Further, those FFIs in the U.K. which have a global presence will need to consider alternative approaches to FATCA compliance for any jurisdictions in which they operate and where the government has not entered into an IGA with the U.S.

The majority of EU member states have yet to enter into an IGA with the U.S. (see table below), and the restrictions under EU data protection laws on the transfer of personal data outside the European Economic Area (“EEA”) could present an insurmountable conflict with the requirements of FATCA in those member states, even if enabling actions are taken (e.g., obtaining client consent).

Relevant Data Protection Restrictions in the U.K.

The U.K. Data Protection Act 1998 (“DPA”) imposes obligations and restrictions on data controllers that carry out processing activities in respect of personal data.

  • Processing is defined broadly, and will take place where an FFI discloses personal data to HMRC or the IRS.

  • Personal data is any data relating to living individuals who can be identified from that data or from that data along with other information in the possession of, or likely to come into the possession of, the data controller. Much of the information required to be disclosed under FATCA and the U.K. Regulations will constitute personal data (e.g., the name, address and U.S. taxpayer identification number of the account holder).

  • A data controller is the person who (alone or jointly with others) determines the purposes for which and the manner in which personal data are processed. An FFI disclosing data to HMRC would be a data controller in respect of the FATCA information it discloses.

The DPA sets out eight principles with which data controllers must comply. Several of these principles are relevant to FATCA compliance.

The first principle requires that processing of personal data is “fair and lawful”. This means that the disclosure of FATCA information to HMRC must not breach any other law (e.g., bank confidentiality), and must also be “fair”. In order for processing to be considered fair, at least one of several “fair processing conditions” set out in the DPA must be met. This is essentially a requirement of legitimacy. Additionally, a “fair processing notice” must be given to data subjects. This is essentially a requirement of transparency.

The second principle supplements, and to some extent overlaps with, the first. It states that personal data should be obtained for only one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. The aim of this principle is to ensure that data controllers are open about their reasons for obtaining personal data and that their use of that data is in line with the data subjects’ reasonable expectations. In the U.K., data controllers are required to notify the Information Commissioner’s Office (“ICO”) of certain information for inclusion on a public register of data controllers, which must include a high level description of the purposes for which personal data are to be processed, including categories of recipients and whether the data will be transferred outside the EEA.

The eighth principle restricts the transfer of personal data outside the EEA unless the destination country ensures an adequate level of protection for the rights of the data subject in relation to the processing of personal data. This principle is less relevant to U.K. FFIs in light of the U.K. Regulations and the U.K.-U.S. IGA, which allows U.K. FFIs to comply with FATCA by transferring the relevant information to HMRC. However, the equivalent principle under EU data protection law will apply to FFIs resident in non-IGA member states and which seek to disclose FATCA information to the IRS.

Ensuring Fairness, Lawfulness and Transparency

Satisfying a Fair Processing Condition

Before the implementation of the U.K. Regulations, it would have been very challenging for an FFI in the U.K. to meet the requirements for legitimacy and transparency when processing personal data for FATCA purposes. This is largely because of a letter sent to the European Commission Director General of Taxation in 2012 by the EU Article 29 Data Protection Working Party [1], which cast doubt on a data controller’s ability to rely on a data subject’s consent as a means of satisfying a fair processing condition in relation to a transfer of FATCA information to the IRS (see further below).

Following the implementation of the U.K. Regulations, however, FFIs in the U.K. can now rely on the “compulsion of law” fair processing condition as a means of legitimising the transfer of FATCA information to HMRC. Broadly, the “compulsion of law” condition will be satisfied where the disclosure of personal data is necessary for compliance with any legal obligation to which the data controller is subject (other than an obligation imposed by contract). Before the U.K. Regulations came into force, a U.K. FFI could not have relied on this condition on the basis of FATCA alone because, under the DPA, the “compulsion of law” condition applies only where a data controller is subject to a legally binding U.K. or EU legal obligation. Now, however, the “compulsion of law” condition will apply to transfers of information that a U.K. FFI is required to undertake pursuant to the U.K. Regulations. Indeed, the Article 29 Working Party has stated that, if a new national or EU law was created to oblige FFIs to disclose personal data to the IRS (either directly or via their national tax authorities), the “compulsion of law” condition would apply and would legitimise the disclosure.

Disclosure and transfer of FATCA information to HMRC must be “necessary” to comply with a legal obligation, so FFIs in the U.K. should be careful not to disclose any more personal data than is required under the U.K. Regulations.

Giving a Fair Processing Notice

The first principle in the DPA requires data controllers to be open about their reasons for obtaining personal data, and ensure that what they do with those data is in line with the reasonable expectations of the individuals concerned. A fair processing notice should include details of the identity of the data controller, the purposes of processing and any other information which is necessary, having regard to the fairness of the specific circumstances in which the data are to be processed.

However, it will be lawful to disclose personal data without providing a fair processing notice to an individual if certain exemptions apply, one of which is where the disclosure is required by or under any enactment, by any rule of law or by the order of the court. As above, the implementation of the U.K. Regulations brings this exemption into play, and will enable FFIs in the U.K. to disclose FATCA information to HMRC without providing a fair processing notice to the relevant account holders.

U.K. Bank Confidentiality Laws

Notwithstanding that a transfer of FATCA information to HMRC may be compliant with the DPA, FFIs are still subject to U.K. bank confidentiality laws.

Bank confidentiality in the U.K. is based on an implied duty of confidence between a bank and its customers, in relation to which there are only four narrowly construed exceptions:

  • when a bank is compelled by (national) law to disclose information;

  • when a bank has a duty to the public to disclose information;

  • when a bank’s own interests require disclosure; and

  • when the customer has consented to disclosure.

As with the DPA restrictions, it would have been challenging for U.K. FFIs to meet one of these four tests prior to the implementation of the U.K. Regulations. Following the implementation of the U.K. Regulations, however, FFIs in the U.K. can rely on the first exception listed above.

It is worth noting that many jurisdictions around the world have bank confidentiality laws that may impinge on an FFI’s ability to comply with the FATCA reporting requirements.

What If an EU Member State Has Not Entered into an IGA?

FFIs resident in EU member states that have not entered into an IGA with the U.S. (and implemented national legislation implementing the IGA) will not be able to rely on the “compulsion of law” condition, and, more broadly, will likely find it extremely challenging to comply with the reporting requirements of FATCA as well as the restrictions imposed by EU data protection laws.

On the face of it, the simplest and most attractive alternative to the “compulsion of law” condition is to obtain the account holder’s consent to the transfer of his or her personal data to the IRS. However, there are a number of issues with this approach, chief among which is the requirement that, for consent to be valid, it must be “freely given” and capable of being withdrawn. In its June 2012 letter to the European Commission Director General of Taxation, the EU Article 29 Working Party stated that, in relation to FATCA compliance:

… consent … is not a valid criteria for processing given the imbalance between the position of the data subject and the data controller, and the improbability that consent could be withdrawn. Furthermore given the imposition of a sanction such as a 30 percent withholding tax or closure of their account should the account holder fail to comply with such a demand, consent would not be “freely given”….

Although documents issued by the Article 29 Working Party are not legally binding, it is highly likely that national data protection authorities will follow them when enforcing data protection laws in their jurisdiction. FFIs will therefore need to assess whether any other conditions will apply.

FFIs may be able to rely on the “legitimate interests” condition, which would apply where a disclosure is necessary for the purpose of legitimate interests pursued by the FFI or by the IRS, provided that it is not prejudicial to the rights and freedoms of the account holder. This condition has a wide application and, as such, may be more easily satisfied, though the condition is not relevant in all EU member states. Where it is relevant, it is likely that the IRS will be deemed to have a legitimate interest in the disclosure of FATCA information to it. However, the legitimate interests of the IRS must be balanced against the rights of the account holder, and, if there is a risk that the IRS will take any action against the account holder (e.g., because he or she has been avoiding tax), the requirements of the test may be difficult to meet. Further, in February 2009, a document issued by the Article 29 Working Party stated that it would be more difficult to meet this test where the disclosure involves a transfer outside the EEA, and certain extra steps may be required before disclosure could take place (for instance, a stronger “filter” to ensure only the strictly necessary data were transferred out of the EEA).

FFIs in EU member states with no IGA (and national implementing legislation) will, if they elect to comply with the reporting requirements of FATCA, be seeking to transfer personal data directly to the IRS, and will therefore need to consider how they can comply with the restrictions in EU data protection law on the transfer of personal data outside the EEA. EU data protection laws restrict the transfer of personal data to countries lacking adequate protection for personal data, unless adequate safeguards are put in place or one of several (narrowly construed) derogations applies.

In the absence of an IGA and national implementing legislation, it may not be possible to overcome this restriction. This is because the U.S. is not considered by the European Commission as providing “adequate” protection for personal data, and adequate safeguards (such as the European Commission-approved standard contractual clauses for cross-border data transfers) are not likely to be available in relation to transfers to the IRS. FFIs will therefore need to rely on a derogation, and it is unlikely that any of the available derogations will apply. For instance, one derogation is to obtain the consent of the data subject, but, for the reasons outlined above, this consent is unlikely to be considered valid. Another derogation will apply where the transfer of FATCA information is necessary for reasons of “substantial public interest”. However, according to the Article 29 Working Party, only important public interests identified as such by national legislation applicable to data controllers will fall within the ambit of this derogation, and this is unlikely to be the case in the absence of an IGA and national implementing legislation.

The Bigger Picture

It is clear that the U.K.-U.S. IGA and the U.K. Regulations have substantially reduced the scale of the compliance challenge for FFIs resident in the U.K. That said, it is still important for FFIs in the U.K. to carry out an analysis of the data protection laws applicable to transfers of FATCA information to HMRC and, from a practical perspective, create an audit trail showing their deliberations as to how each relevant requirement has been met.

Outside the U.K., the U.S. continues to negotiate IGAs with other governments (recently announcing, to much controversy, that talks have begun with China), but relatively few IGAs have been agreed and signed. Global financial institutions will need to consider how they will tackle the potential conflicts between FATCA and the various data protection and bank confidentiality regimes in the jurisdictions in which they operate.

In the EU, FFIs should also be aware that the data protection regime is likely to undergo substantial change in the coming years, as a proposed regulation to replace the EU Data Protection Directive (see analysis at WDPR, February 2012, page 4) works its way through the EU legislative process. If the draft regulation is adopted in its current form, the impact on FFIs both within and outside the EU will be substantial. For example, under the revised version of the draft regulation approved by the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) last October, penalties for breach of the data protection regulation could reach a maximum of the higher of 5 percent of an entity’s annual worldwide turnover or 100 million euros (U.S.$135.2 million) (see analysis at WDPR, November 2013, page 4).

One of the consequences of enacting new legislation as a regulation, rather than as a directive, is that a regulation will be uniformly and directly applicable across the EU, making transfers from multiple EU member states easier. However, for FFIs in jurisdictions with no IGA, Article 43a of the revised version of the draft regulation approved by LIBE would restrict transfers of personal data to foreign authorities without first obtaining authorisation from the relevant domestic data protection authority.

Alex Shandro is an Associate at Allen & Overy LLP, London. He may be contacted at alex.shandro@allenovery.com.
