I was reading an older article (“Getting Ahead of Privacy Risk” by Matt Kelly) in Compliance Week today, and it led me to wonder what FFIs and the IRS will do with FATCA data once our privacy laws, as well as our personal data, have been breached. The article is more about how to handle issues within a corporation, but it seemed some of the ideas in the summary would transfer easily to concerns we should have once this data is collected. Given the IRS’s notorious inability to deal with identity theft, I wonder what nightmares will appear once the process begins. The bulleted items are from the article, with possible concerns underneath in italics.
- Do you have a means to know when your business is creating a new pile of data?
*Will there be a time lapse between collection of the data by the FFI and its transmission to the IRS? Will the data “sit”, waiting to be evaluated in the inevitable backlog of files to be examined at the IRS? Will hackers be able to gain access and befoul the process further?*
- Do you have a process to bring privacy concerns to the creator of that pile of data? And not just what specific laws and regulations apply to this person’s new project; do you have a way to inculcate a concern and urgency about privacy overall?
*Will bank employees be tempted to sell information to hackers and others? How will the information be protected within the institution itself? How will the data be centralized so it cannot be mishandled, lost, or end up on mobile devices?*
- Do you have a process to classify the data created (“this is a credit card number,” “this is a drug history”) so everyone knows what it is and how sensitive it is—even if they can’t see what it actually is?
*US persons have joint accounts with their foreign spouses. Will data that involves non-US persons be equally vulnerable? Could non-US persons sue over any breach of their information? Can the FFI tag this in some way to protect it?*
- Do you have a process to protect the data? That means monitoring, because you’ll need a way to assure that outsiders don’t touch it, and insiders don’t touch it in inappropriate ways?
*Will the FFIs have appropriate internal controls set up? How many departments will be involved? Will hard-copy W-8BENs be permanently on file? What kind of controls will exist to keep this data separate from other operations?*
- Do you have a way to destroy the data once it no longer needs to exist?
*Will the FFIs be able to truly destroy the records, or will there be endless anxiety about other issues, such as identity theft?*
It seems the more you look at what is involved in FATCA, the more problems arise. All this for what is likely an insubstantial amount of money collected by the IRS. The article stresses that the real issue is developing a unified strategy to protect the data, as opposed to privacy. How diverse are the different privacy laws and regulations of all the countries involved? How can US persons demand that their data be protected? I don’t work in a big corporation, and perhaps there are established ways of implementing practices to protect data, but the possibility of how much could go wrong is something I am concerned about.