I was reading an older article (“Getting Ahead of Privacy Risk” by Matt Kelly) in Compliance Week today and it led me to wonder what FFIs and the IRS will do with FATCA data once our privacy laws, as well as our personal data, have been breached. The article is more about how to handle issues within a corporation but it seemed some of the ideas in the summary would transfer easily to concerns we should have once this data is collected. Given IRS’ notorious lack of ability to deal with identity theft, I wonder what nightmares will appear once the process begins. The bulleted items are from the article with possible concerns underneath in italics.
- Do you have a means to know when your business is creating a new pile of data?
Will there be a time lapse between collection of the data by the FFI and the transmission of it to the IRS? Will the data “sit”, waiting to be evaluated in the inevitable backlog of files to be examined at IRS? Will hackers be able to gain access and befoul the process further?
- Do you have a process to bring privacy concerns to the creator of that pile of data? And not just what specific laws and regulations apply to this person’s new project; do you have a way to inculcate a concern and urgency about privacy overall?
Will bank employees be tempted to sell info to hackers and others? How will the info be protected within the institution itself? How will the data be centralized so it cannot be mishandled, lost or end up on mobile devices?
- Do you have a process to classify the data created (“this is a credit card number,” “this is a drug history”) so everyone knows what it is and how sensitive it is—even if they can’t see what it actually is?
US Persons have joint accounts with their foreign spouses. Will data that involves non-US persons be equally vulnerable? Could non-US persons sue over any breach of their info? Can the FFI tag this in some way to protect it?
- Do you have a process to protect the data? That means monitoring, because you’ll need a way to assure that outsiders don’t touch it, and insiders don’t touch it in inappropriate ways?
Will the FFIs have appropriate internal controls set up? How many departments will be involved? Will hard copy W8BENs be permanently on file? What kind of controls will exist to keep this data separate from other operations?
- Do you have a way to destroy the data once it no longer needs to exist?
Will the FFIs be able to truly destroy the records or will there be endless anxiety about other issues: identity theft, etc.?
http://www.complianceweek.com/getting-ahead-of-privacy-risk/article/254346/
It seems the more you look at what is involved in FATCA, the more problems arise. All this for what is likely unsubstantial amounts of money collected by IRS. The article stresses the real issue is developing a unified strategy to protect the data as opposed to privacy. How diverse are the different privacy laws and regulations of all the countries involved? How can US persons demand their data be protected? I don’t work in a big corporation and perhaps there are established ways of implementing practices to protect data, but the possibilities of how much could go wrong are something I am concerned about.
Perfect discussion for Constitution Day, Sept 14.
Constitution Day: The event recognizes the day the U.S. Constitutional Convention ratified the United States Constitution in 1787. Previously, the day had been known as Citizenship Day. Every educational institution receiving federal funds needs to provide educational programming about the Constitution on that day.
Very important topic, nobledreamer!
In doing a search for identity theft and FATCA I came across this interesting commentary by a site called Financial Sense / Applying COMMON SENSE to the Markets. I like anything that talks about common sense (though an advertisement too). http://www.financialsense.com/contributors/mark-nestmann/fatca-big-brother-goes-global
At a FATCA Compliance Solutions conference in Toronto this past May http://www.canadianinstitute.com/2012/373/fatca-compliance-solutions/agenda, this was one of the items of discussion:
Related and of interest was the subject of another session:
As well, Taxpayer Advocate, Nina Olson, addresses Impact of Tax Fraud and Tax-Related Identity Theft as a challenge in her July 2012 Report to Congress: http://blog.ustaxonline.com/2012/07/05/national-taxpayer-advocate-identifies-challenges-and-issues-for-upcoming-year-to-congress/.
@calgary411 I wanted to go to that conference actually but didn’t want to pay (of course). Of concern, I would like to know exactly what they are proposing when they say “In this session you will learn how to effectively comply with FATCA disclosure without sacrificing your domestic privacy obligations.” I am under the impression that it simply is not legal to ask any CDN about their citizenship. How on earth are they going to get around that? It would seem no matter how they do it, it would have to be sneaky, under-handed and still, illegal. Kinda like that Questionnaire that determines eligibility for the new streamlined filing, definitely an example of misrepresentation and utterly reprehensible. And what on earth is the “required by law exception?” I knew there was a reason I didn’t like the idea of cloud computing. :-/
nobledreamer, my understanding is that it is illegal under US federal law:
Yet, as I am told, it is perfectly acceptable for the US government to practice US federal crimes against American citizens if they live outside of US jurisdiction.
@nobledreamer,
Someone at that conference must have had the solution. The session description didn’t state that they wouldn’t be sneaky, under-handed or, my goodness, against Canadian privacy law — or, as swisspinoy points out, US federal law. When is it that the law is the law (was it Mr. Mopsick that discussed this?) and when is it not the law? I don’t get it either.
Thanks swisspinoy, I was unaware that the US also had such laws. I wonder if the argument will be that it is not discrimination when possible violation of US law is the reason for the disclosure?
calgary, yes indeedy, we can expect that it will be a completely unclear and convoluted solution. I don’t know if Mr. Mopsick discussed this, I have missed a huge number of posts.
Perhaps many here already are very familiar with PIPEDA but here’s a basic statement from the Office of the Privacy Commissioner of Canada (my emphases in bold italic):
http://www.priv.gc.ca/information/02_05_d_08_e.asp
“PIPEDA applies to the personal information collected, used or disclosed by organizations engaged in commercial activities, from banks and retail outlets to airlines, communications companies and law firms. It applies equally to small and big businesses, whether they operate out of an actual building or only online.
The law, which has been fully in force since 2004, applies to private enterprises across Canada.”
Further down the page, it emphasizes anyone who believes a business is violating any provision of PIPEDA is entitled to make a complaint; it is not necessary to have any sort of representation/advisor and there is no fee. A possible relevant outcome: “A business may also be urged to change its personal information-handling practices.”
With regard to court actions:
“If the Privacy Commissioner’s report still has not addressed your concerns, you may, under certain circumstances, take your complaint to the Federal Court of Canada.
In cases where the Privacy Commissioner supports your position but has been unable to resolve the dispute, the Commissioner may also choose to take your complaint to court on your behalf.
The court can order an organization to correct practices that do not comply with the law, and to publish notices of the changes it expects to make. It can also award you compensation for damages you suffered, such as humiliation.”
I wonder what “under certain circumstances” means? Sounds like there’s an “out” that is discretionary, so how to protect ourselves?
The Privacy Commissioners have gotten involved in the border perimeter issue:
“Ottawa, Ontario, April 2, 2012 – Canada’s federal government should take all steps necessary to ensure the standards and values behind Canadian privacy laws are not diminished as programs to fulfill the Canada-US perimeter security action plan are developed, say Canada’s privacy guardians.”
It looks like this whole business is going to get very, very messy.
I want to know how Flaherty is planning to roll out an end-run on the Charter to allow Canadian banks to capitulate to the U.S. FATCA is coming to Canada – make no mistake about it. Our chartered banks are not hiring FATCA compliance officers, IT specialists etc. right now with the thought that this is just some old NORAD exercise and that the fake Russian bombers will be recalled at the last minute. No, this is for real, folks.
The big question is if we can inform and engage enough ordinary Canadians to fight against the intrusive, costly changes that are coming down the pike. We must find a way to help our fellow citizens understand that the enormous costs of FATCA compliance will be downloaded to ALL Canadians through increased service charges and that privacy breaches threaten our very national sovereignty. Start saving your money now for a few full-page ads.
FATCA, the Charter of Rights and Privacy laws. Educating the Canadian public!
@ nobledreamer,
Re “calgary, yes indeedy, we can expect that it will be a completely unclear and convoluted solution. I don’t know if Mr. Mopsick discussed this, I have missed a huge number of posts.”
I was unclear — what I referred to was a statement from Mr. Mopsick (or maybe not him), way back in time, that the law was the law. My question is “when is it that the law is the law” and when is it that the law won’t be the law? That’s what I don’t understand.