Does CRS/FATCA Controlling Person Reporting Violate Privacy Law?
Despite the recent decision by the United Kingdom's Information Commissioner’s Office (ICO), elements of FATCA and CRS reporting may violate local jurisdiction privacy laws, including GDPR.
A dual UK / U.S. citizen brought a case in the UK claiming that HMRC sharing her personal data with the U.S. Internal Revenue Service (IRS) was a breach of the European Union’s (EU’s) General Data Protection Regulation (GDPR). The trail of personal data under FATCA plays out like this:
Customer shares personal information with her financial institution (FI).
FI shares customer’s personal information with the local tax authority (in this case HMRC).
The local tax authority shares the customer’s personal information with the IRS if the customer is classified under FATCA as a U.S. Person.
The ICO found that there were appropriate safeguards in place under the U.S.-UK FATCA Intergovernmental Agreement (IGA):
“[W]hile the FATCA legal framework does not rise to the gold standard set out in the EDPB guidelines, we are of the opinion that it does fall on the spectrum of compliance provided for by those guidelines.”
IGA & Privacy
In many jurisdictions an FI is prohibited from sharing a client’s personal data with a foreign government. When tax authorities around the world decided to participate in FATCA, they needed to permit FIs to share client data directly with the IRS, or with the local tax authority, which in turn shared the client data with the IRS. A solution was arrived at through the FATCA IGA and local implementing laws.
The tax authorities assumed they were not violating privacy laws in the government-to-government sharing of information. Jenny’s case (the UK case discussed above) and last year’s decision by the French Conseil d'État support the tax authorities in their initial assumption.
So, the FIs are safe and the tax authorities are safe, but what about employers? There is a small but important group of individuals who are reportable under FATCA and the Common Reporting Standard (CRS): Controlling Persons. (Under the FATCA regulations the term is Substantial U.S. Person but I will use “Controlling Persons” across regimes in this post).
Who Is a Controlling Person?
FATCA/CRS require that every entity be classified pursuant to FATCA/CRS definitions. Everything from a school to a factory to a bank has to determine its classification. One type of classification is a Passive Non-Financial Entity (Passive NFE or Passive NFFE under FATCA regulations terminology).
A Passive NFE must report Controlling Persons. However, it is not always clear who should be identified as the Controlling Person. The parameters include the following natural persons who exercise control over the Passive NFE:
A natural person who holds, directly or indirectly, more than a certain percentage of the beneficial interests of the entity.
A natural person on whose behalf a transaction is being conducted.
Those persons who exercise ultimate effective control through indirect means.
Each jurisdiction sets out a percentage ownership threshold that is currently in the range of 10% to 25%. If no one individual satisfies the ownership threshold (including after looking up through the Passive NFE’s ownership structure), the next step in the analysis may be to look at who exercises ultimate effective control through indirect means. It is clear under both FATCA and CRS that this individual may be a senior managing official.
W-8s and W-9s, Self-Certifications and FI Reporting
FATCA requires U.S. Persons to be reported by an FI to the appropriate tax authority. CRS requires FIs to report persons who are resident in Reportable Jurisdictions to the local tax authority. However, even if the Controlling Person is not ultimately reportable by the FI to the tax authority, the Passive NFE must still report personal data about the Controlling Person to the FI through an IRS form or a self-certification.
The personal data under FATCA includes:
U.S. TIN
Date of birth
The personal data under CRS includes:
Jurisdiction(s) of residence
Tax ID Number
Date of birth
Place of birth
Many jurisdictions around the world have privacy laws at either the federal or state level. The most famous of these is GDPR, an EU legal regime providing rights over personal data. GDPR has extraterritorial reach and should not be disregarded by Passive NFEs without a presence in the EU.
If the tax or legal department determines that a particular employee is the Controlling Person, the next step is likely listing the employee’s personal data on an IRS tax form or self-certification and then sending the document to the FI. Did anyone bother to ask the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Managing Director (MD), or whoever the employee was whose data was shared?
Sharing the personal data without authorization might violate the local privacy law as well as the terms of the employee’s employment agreement.
Cross Functional Communication
There are too many niche subject areas for one company department to be expert in. Thus, it is necessary to ensure knowledge is being shared across functions. In the case of Controlling Persons: tax, legal, compliance and human resources each have a key piece of knowledge to ensure that the Passive NFE does not encounter fines or lawsuits.
Training: At the very least, the individuals working directly with FIs should be trained on FATCA/CRS and privacy laws.
Policies & Procedures: It is imperative that you have FATCA/CRS policies and procedures documents in place now. If you do not, act quickly before a jurisdiction assesses a fine when you cannot hand over a copy on demand. Likewise, if you are subject to GDPR, we are past the two-year mark already.
Tools: As a follow-up to training and policies and procedures, empower your employees with tools such as a checklist of who they should contact within the Passive NFE before sharing employee data with an FI.
Employment Agreements: Human resources has to be kept in the loop so they can inform the likely Controlling Person that sharing personal data may be part of the terms of employment – and then reflect that requirement in the employment agreement.