HM Revenue & Customs (HMRC) has published guidance (2-page / 17KB PDF) on the issue of data protection and compliance with an agreement the UK has formed with the US to implement a new tax avoidance regime.
Under the US Foreign Account Tax Compliance Act (FATCA) financial institutions based in non-US countries are required to provide US tax authorities with details of accounts belonging to US taxpayers. The legislation, due to take effect from 30 June this year, is part of a US crackdown on US citizens using foreign financial institutions to avoid paying tax in the country.
FATCA imposes a 30% withholding tax on payments of US source income made to non-US financial institutions unless they enter into an agreement with the US Internal Revenue Service (IRS) and disclose information about their US account holders.
FATCA compliance presents a number of problems for UK financial institutions because the information disclosure requirements of FATCA will not necessarily be permitted under data protection, confidentiality and bank secrecy laws. To counter some of these issues, the UK Government, along with those of Germany, Spain, France and Italy (the G5 countries), agreed to enter into bilateral arrangements with the US to allow FATCA compliance to take place at national level.
In its document, which sets out answers to 'frequently asked questions' on the issue of data protection and FATCA, HMRC said that financial institutions could face claims for compensation from US nationals if they provide inaccurate information to the US authorities.
"In addition to any rights you may have to claim compensation from the US authorities, the DPA (Data Protection Act) gives individuals the right to claim compensation from a data controller where they have suffered damage because of a breach of the DPA," HMRC said in its guidance. "As both HMRC and the financial institutions are data controllers for the FATCA information, you can make a claim for compensation to either (or both)."
Under section 13 of the DPA a person is generally entitled to compensation if they suffer damage as a result of violations of a section of the DPA by organisations that hold their personal data. Individuals are also generally entitled to compensation from those data controllers if they suffer distress that causes damage.
Organisations do have a defence to this right to compensation if they can "prove that [they] had taken such care as in all the circumstances was reasonably required to comply with the requirement [that it is alleged to have breached]." The DPA requires organisations that store or process personal data to ensure that the information is "accurate and, where necessary, kept up to date".
Recently, financial services software provider Fenergo raised concerns about disjointed data storage practices that some financial institutions adopt and warned that this could cause difficulties to those organisations in their attempts to comply with FATCA.
In its guidance HMRC said that individuals that file a 'subject access request' to UK financial institutions will have the right to view the information sent about them to the US tax authorities and that, in addition to the exercising their right to compensation, will be able to require any inaccuracies in those records to be corrected.
HMRC also clarified that financial institutions would not need to obtain individuals' consent in order to send on personal data to the US tax authorities under their FATCA obligations.
"To meet the fairness requirements of the DPA, [individuals] should be made aware that [their] account details have been (or may be) transferred to the US authorities," HMRC said. "However, as the transfer is being made to comply with a legal obligation (created by a Statutory Instrument (currently published in draft form on 18 December 2012) the consent of account holders is not required."
Data protection concerns were raised by some respondents to HMRC's consultation (24-page / 106KB PDF) on how to implement the UK-US FATCA agreement. Some respondents said that the UK should do away with the financial "thresholds" that trigger the requirement to report to US tax authorities because they felt this may cause them to have to "modify account opening platforms, systems and processes to accommodate the self certification processes". HMRC said it would consider whether to make such a change to its initial proposals.
"HMRC has some concerns about requiring a broader set of information to be reported than that required under the terms of the IGA (the UK's Intergovernmental Agreement with the US) but recognises that many respondents wish to have the option of reporting all US Accounts regardless of the thresholds as this may actually reduce business costs in some circumstances," it said. "The draft regulations contain a provision that would allow for this to happen. HMRC will continue to give consideration to the respective cost to business and HMRC of allowing such a provision."