There are concerns about the security and protection of the information exchanged between financial institutions and tax authorities, as demonstrated by hacking and data breaches. Sensitive information can be bought and sold in certain countries, posing risks such as extortion and kidnapping for wealthy individuals. In 2015, a data breach at the IRS resulted in more than 700,000 Social Security numbers and other sensitive information being exposed. In 2007, a major data breach at HM Revenue & Customs (HMRC) exposed the personal details of over 25 million people, including names, addresses, and National Insurance numbers. In 2020, HMRC was targeted by a phishing attack that resulted in the theft of login details for over 100,000 accounts.
The public's fascination with the lives of the wealthy often leads to intense scrutiny of HNWIs. Unwanted exposure can lead to invasive media attention, sensationalism and potential reputational damage. Information leaks or unauthorized disclosures can have far-reaching consequences, impacting personal and professional relationships, philanthropic efforts and even business ventures. HNWIs often find themselves under the media spotlight, and even minor missteps can be blown out of proportion. Negative press can tarnish their reputation, create public skepticism and hinder their ability to engage in various ventures or influence public opinion. Ensuring privacy is crucial for preserving personal and professional standing.
Other relevant legislation includes EU directives such as DAC6 (Directive on Administrative Cooperation) and initiatives designed to address tax compliance issues related to crypto assets like DAC8 and the OECD’s Crypto-Asset Reporting Framework. It’s important to note that a wide range of crypto assets, including those issued in a decentralized manner and stablecoins, are now in scope for reporting and automatic exchange of information (AEOI) as tax authorities aim to strengthen administrative cooperation and address these emerging tax challenges.
Such recent developments in Europe have triggered growing concern over AEOI, driven primarily by data privacy issues. In June, the litigation chamber of Belgium's Data Protection Authority (BDPA) deemed the transmission of financial account information of "accidental Americans" under FATCA inconsistent with European Union law. The judgment was influenced by a series of complaints lodged under the EU's General Data Protection Regulation (GDPR), contending that FATCA disclosures subjected compliant account holders to unnecessary and disproportionate risks related to their data security and privacy. The Swiss Federal Court has followed Belgium's lead in expressing reservations regarding FATCA.
Privacy concerns for HNWIs
HNWIs need to have confidence in the accuracy of the information their financial institutions maintain. It is critical that the entities and arrangements that comprise their investment holdings and ownership structures are properly classified and that the reporting is carried out appropriately. Inaccurate reporting can provoke audits, even when the taxpayer is completely compliant, thus reinforcing the importance of verifying reported data. Any discrepancy between the shared information and the tax and financial information declared by the taxpayer can result in significant expenses, including hefty penalties and professional service costs necessary to rectify incorrect reporting. Financial institutions that are non-compliant can face both monetary penalties and reputational damage. As a countermeasure, they are increasingly adopting detailed approaches to guarantee that pertinent data is collected, reported accurately, and submitted seamlessly with appropriate withholding.
Financial institutions are also implicitly required to provide clear explanations to customers regarding the usage of the collected information. A case reported by The Financial Times involving an American-born, UK-based self-employed editor and researcher illustrates this point well. She entered into a legal dispute with HMRC and the Information Commissioner's Office, arguing that FATCA violates her right to privacy and data protection, as she was uninformed about the use of her bank-collected data.
Additionally, I am also aware of a recent case of an individual who was erroneously reported to UK tax authorities under CRS regulations for receiving a trust distribution as a beneficiary when, in reality, the distribution was made to his family's tax-exempt charity. As a result, he received a notice from the Inland Revenue concerning a distribution not reported on his UK tax return. Although the situation was eventually rectified, it involved significant costs and distress. A crucial factor leading to this situation was an oversight by the trustee, highlighting the importance of effective communication between trustees and beneficiaries prior to information exchange.
An action plan for privacy management
Here are four steps to consider:
1. Engage trusted advisors
HNWIs should collaborate with experienced tax and legal advisors who specialize in privacy protection. These professionals can offer valuable insights into local regulations, guide individuals in structuring their affairs to minimize exposure to risk and provide ongoing support in managing privacy risks effectively, while remaining compliant. It is vital that the advisor is knowledgeable in all the jurisdictions where their client’s assets are held.
2. Implement robust cybersecurity measures
Protecting personal information from unauthorized access requires implementing robust cybersecurity measures. HNWIs should invest in advanced encryption technologies, multifactor authentication, secure data storage systems and regular security audits. Staying informed about emerging cyber threats and actively adopting best practices are essential in safeguarding privacy.
3. Foster a culture of privacy awareness
Developing a culture of privacy awareness within the HNWI's personal and professional circles is crucial. Educating family members, staff and business partners about the importance of privacy and the associated risks can help ensure everyone remains vigilant. Implementing clear policies, conducting privacy training programs and regularly reviewing privacy practices are steps toward building a privacy-conscious environment.
4. Conduct proactive risk assessment and mitigation
HNWIs should conduct regular privacy risk assessments to identify and mitigate potential vulnerabilities proactively. This includes reviewing privacy policies, assessing third-party relationships and staying informed about emerging privacy risks.
Existing regulations give governments a powerful tool to ensure that taxpayers are compliant everywhere in the world. With that power comes a responsibility to ensure that data remains protected in an environment where a breach can have significant risks. Once power is given to governments, it is rarely taken away. In all likelihood, AEOI is here to stay. HNWIs should ensure compliance but remain aware and vigilant about financial information and how it is exchanged.