An excellent guest column by Brian Garst in the Cayman Financial Review reports on the US Government’s “atrocious” mishandling of its citizens’ private information and how inevitable breaches of poorly designed and managed IRS and OECD reporting systems will soon unleash a global torrent of unsecured personal identification and financial data:
http://www.compasscayman.com/cfr/2015/04/22/FATCA-reporting-system-leaves-taxpayer-data-vulnerable/
Here’s an excerpt:
The IRS itself has been accused by government watchdogs of having serious vulnerabilities, and of moving too slowly to fix them.
Every year since 2008, the Government Accounting Office has identified 100 cybersecurity weaknesses at the agency. Specifically, the IRS has been faulted for routinely failing to encrypt data or for using weak methods for doing so, allowing greater access to data than workers require to perform their duties, permitting user passwords that are easily guessed, and being dangerously slow to install crucial software updates and security patches.
This record alone is enough to question the ability of the IRS to secure and protect the sheer breadth of financial records it will receive due to FATCA, but serious concerns are already being raised about IDES’ specific security protocols.
The system’s rules for encryption recommend use of Electronic Codebook (ECB) as its encryption mode. ECB is widely faulted by cryptography experts as being incredibly weak, as it encrypts blocks one at a time and it thus does a poor job of hiding data patterns. Upon discovering the IDES recommendation of ECB in its protocols, prominent security expert Bruce Schneier incredulously asked, “Are they serious?”
Apparently they are not about protecting taxpayer information.
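To make the excerpt's point about ECB concrete, here is an added example (not from the column, the IRS, or the IDES documentation). It encrypts constructed fixed-width records in ECB and in a chained mode (CBC with a random IV) and counts repeated ciphertext blocks. A toy Feistel cipher stands in for AES so the script runs on the Python standard library alone; all names and sample records are assumptions made for the illustration.

```python
import hashlib, hmac, os
from collections import Counter

BLOCK = 16  # bytes per block, the same block size as AES

def encrypt_block(key, block):
    # Toy 4-round Feistel permutation standing in for AES (illustration only, not secure).
    left, right = block[:8], block[8:]
    for rnd in range(4):
        prf = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, prf))
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):
    # ECB: each block is encrypted on its own, so equal plaintext blocks
    # always produce equal ciphertext blocks under the same key.
    return b"".join(encrypt_block(key, b) for b in blocks(plaintext))

def cbc_encrypt(key, plaintext, iv):
    # CBC: each block is XORed with the previous ciphertext block (or the IV)
    # before encryption, so repeats in the plaintext do not show through.
    out, prev = [], iv
    for b in blocks(plaintext):
        prev = encrypt_block(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return iv + b"".join(out)

def repeated_blocks(ciphertext):
    # How many ciphertext blocks duplicate an earlier block.
    return sum(n - 1 for n in Counter(blocks(ciphertext)).values())

# Constructed sample: six 16-byte fixed-width fields with repeated values.
RECORDS = [b"COUNTRY=KY;CUR=U", b"BALANCE=00012500", b"COUNTRY=KY;CUR=U",
           b"BALANCE=00098000", b"COUNTRY=KY;CUR=U", b"BALANCE=00012500"]

def demo(key=b"constructed-key!"):
    plaintext = b"".join(RECORDS)
    ecb = ecb_encrypt(key, plaintext)
    cbc = cbc_encrypt(key, plaintext, os.urandom(BLOCK))
    return repeated_blocks(ecb), repeated_blocks(cbc)

if __name__ == "__main__":
    print("repeated ciphertext blocks (ECB, CBC):", demo())
```

The ECB output shows which records carry identical values without any knowledge of the key, which is the pattern leakage the excerpt describes.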
My prediction exactly!
(1). Mistakes will be made,
(2). Lives Will Be Ruined!,
(3). hard drive (Failure) after Congressional Inquiry: IRS watchdog reveals Lois Lerner missing emails now subject of criminal probe http://www.washingtontimes.com/news/2015/feb/26/irs-watchdog-reveals-lois-lerner-missing-emails-no/?page=all
The IRS doesn’t give a damn about us. They just want information to collect taxes. Even when they are not allowed to.
That’s why I don’t have very much money in my bank accounts. I don’t trust them, I invest elsewhere.
As I prepare to file taxes again for the first time in 10+ years, and as I prepare to electronically send off my FBARs with account numbers and personal information, and information on my partner (joint account)… I pause.
Up till now I had factored in: keeping my US passport (I have another), the risk of being found by my banks (and thus having to prove either compliance or renunciation – for now I can prove neither), the cost, pain and hassle of filing when owing no taxes, risk of travel to the US while non compliant, strategies for relinquishment…
But now I have to figure in the very real risk of sending all my bank account data into cyberspace. It is quite possible that the negative consequences of trying to comply outweigh those of doing nothing. I could save time, money, headache, and keep my data safe… for free!! How? Postponing my plans to file this year.
I’m wondering about an alternative: FBARs with truncated account numbers. In case of IRS audit, full numbers could be handed in easily.
Fred,
What about “typos” in the account number? If you’re audited, you say, “oops, darn them dyslexic fingers of mine”. I considered this last year, when I first encountered online FBARs, but then they wouldn’t have matched the previous years’ paper filings.
@Fred, if you have more than 25 accounts you do not need to provide account information as you check the box 25 plus accounts…..,
I have heard of people creating a master list that included credit balances with utility companies, gift card accounts, multiple savings bond accounts as each little bond is a different account…..
Thanks people!
Barbara: I consider typos to be an essential part of preserving humanity, especially as we evolve towards the dictatorship of information technology. It is a policy of mine to introduce grains of sand into the system from time to time. My birth date, phone, and passport number are often mangled when I believe that the entity requiring them has no business asking… But I had not considered account number typos yet! Imagine when they try cross-referencing with data provided by country of residence under the IGA. Thanks!
George: I did not know that. Not only does that utterly pollute an eventual audit, but it simplifies one’s life.
However I wonder if having 25 accounts doesn’t raise a little flag somewhere — “Tax Evading Zillionnaire!” with “over 25 previously undeclared personal accounts”. But I will consider it. Thanks!
These risk people always focus in upon the structural risks, which are known.
They miss the real risks, which are infinite:
The IT administrator who has access to all of the data. Typically a 27 year old introvert.
The IT consultant firm, which has unlimited access without having to sign in any particular name. They can get the names via programming or by accessing the data files.
The FATCA processing team. Gets all the data and performs human work upon the data.
The top level management. They have the power to get what they ask for. In many (most) countries, the top management is there because of their political connections.
And with IGA’s, add to it the same people, but instead of being connected to the bank they are connected to the government.
Then, multiply the risk of each country by 190 countries.
Then, multiply the risk of each FFI by 200,000 FFI’s.
Kidnapping, targeted crime, IRS refund fraud, credit card attacks, you name it.
@Fred, I had well over 25 accounts each year over the six years I had to file delinquent FBARs when I made my ‘quiet disclosure’ several years back; in theory I could have been hit with over $2 million in penalties but never heard anything back from FINCEN. In a way, I was frankly quite surprised that they didn’t at least enquire about all those ‘offshore accounts’!
MarkTwain, I think way people underestimate the security risk you mention. Even those Americans abroad who file every year (returns, FBARS, etc), always have, and plan to continue doing, should hate FATCA for this reason at least.
The IRS will never have proper security without proper funding — they don’t even have enough money to answer the phone! It’s truly bizarre the way Congress cuts off its own nose to spite its face but that’s their problem.
Mark Twain: interesting analysis, and scary. I think most of us (like me) tend to shrug off these risks. But something will happen to someone, and the chances are much greater than winning a big lottery prize. I guess individuals can take steps to minimize risk.
Yet another Catch 22 in the IRS web. File your F(u)BAR. Read the IRS (non)Privacy Statement.
You know the only safe thing you can do is to close those accounts you just reported and open new ones. However as an American living abroad it is quite possible you cannot find a bank that will allow you to open a new account. Even if you are successful, next year’s F(u)BAR could trigger a criminal investigation as your wealth has seemingly doubled even though you do not have one penny more in the bank.
And Congress can’t figure out why Americans are relinquishing and renouncing at record rates!
@Fred. “It is a policy of mine to introduce grains of sand into the system from time to time”. Now that is a concept I really like.
I tend to be a refusenik when I am asked for information that is none of somebody’s business but your method of dealing with the situation is even better. Instead of giving them no data, give them BAD data and punish them for asking. This avoids an unpleasant situation with the nice person at the teller’s window who is only doing their job while mucking up the system they work for which is the real enemy. I’ve often thought that this is the soft underbelly of FATCA because it depends on so many low level people doing everything perfectly correctly. One bad link and the chain is broken.
And, as you say, one can always blame it on a typo or a slip of a memory cog in the unlikely event the error is ever discovered.
I would never file an FBAR and I suggest everyone to stay away from that form. If you can fly below the radar of FATCA trigger points, the IRS has no way of getting your account(s) information. That is why they threaten you with high penalties and jail time, because otherwise nobody would be compelled to play their game.
Why I believe the FBAR is dangerous:
1) Data security
2) Registering your asset with a (now foreign) government
3) Violation of bank secrecy laws
4) Violation of several US constitution paragraphs – and you have right to remain silent, plead the 5th
Let them work really hard if they want this information. Now that they have FATCA they can get all of it easily 🙂 And that’s why we need to pray the lawsuit will win
Hackers, extortionists and saboteurs. FATCA leaves us vulnerable to all…all because we have to defend our “foreign” bank accounts where we live. The strength in bringing down FATCA is that FATCA collects data without probable cause – something supporters of same country exception are eager to ignore. As a matter of fact, SCE proposes to add another form to the entire mess! Any organization that is willing to accommodate FATCA (and yes it’s an accommodation) through SCE is actually undermining our presumption of innocence, and excludes those who deserve equal protection – the non-compliant.
SCE suggests that some Americans deserve more protection than others from a law that presumes guilt – where the collection of tax precedes liberty – in other words, “taxation-based citizenship”.
They’ve got a form for identity theft. Quelle surprise! It’s IRS Form 14039, Identity Theft Affidavit. There’s also an 800 number to call but it probably only works in the USA and I wonder if they do “courtesy disconnects” on that number too?
http://fox6now.com/2015/04/22/im-real-livid-victim-of-identity-theft-gets-notice-from-irs-her-tax-refund-may-be-going-to-someone-else/
A comment by Patricia (appears to work for IRS): “These scammers are now also spoofing valid IRS telephone numbers. Use caution, and remember that an IRS employee will never threaten you, or berate you.”
Well now, isn’t that nice to know?
@RLee
Reason IRS won’t answer call is that it’s not broke… it’s to teach the Gov’t a lesson… less money… lot less customer service or work… I read an article about how the IRS used the money for bonuses and conferences, etc… They weren’t watching how they spent… they acted like they had an endless amount of money to spend on themselves…
Bradley Manning given 35-year prison term for passing files to WikiLeaks
This is really very scary. I only have one account that is reportable under the IGA. I tend to flip numbers anyway, so maybe I won’t be so careful this year, particularly with the ones that aren’t reportable anyway.
the IRS requires that you provide SSN’s for children claimed on tax returns
having a SSN makes them vulnerable to identity theft
http://www.nytimes.com/2015/04/18/your-money/a-childs-vulnerability-to-identity-theft.html
Jeez NoFBARGuy!!! Just when I was getting ready to file… After years of procrastinating. I know that filing may be a big step towards trouble.
Patricia: interesting. I was planning on not claiming my children on my returns anyway. It’s not going to change anything, owing no tax. And it keeps them out of that database… Though of course they do have valid US passports. I’m thinking of letting them expire and having the kids travel on their EU passport (with EU birthplace, ha!) next time…
The sad thing is, these simple identifiers are also being used as if they were security passwords. You have to give your social security number when applying for a job in the USA and banksters still ask, “what’s the last four of your social” to identify the person on the telephone as you. You’re supposed to keep your chequing account number a secret but it’s printed on the bottom of every cheque you write. The idea of a social security number was, it distinguishes one John Smith from another and identifies Mary Jones as Mary (Jones) Smith.
@Fred. If you haven’t filed anything for over a decade, consider very carefully before deciding to put yourself back into the system at this point. Your trail is, by now, stone cold and if you wouldn’t owe anything anyway there is no risk of failure to file penalties. That means your only real risk is the FBAR fines which so far haven’t been applied to any benign actors as far as I know.
If I knew then what I know now there is no way I would have panicked and started filing returns a few years ago, and I am now very sorry I did that. Once I figured out what a crock the whole business was I self-relinquished and vanished into the mists again. The only expats who have had a problem are the ones who have voluntarily put themselves in the IRS spotlight. Any FBARs you filed 10 years ago were on paper and are not in the electronic database. If you haven’t filed any FBARs for a decade, you are automatically in violation so why bring it to their attention now? Let sleeping dogs lie.
You said it yourself: “After years of procrastinating. I know that filing may be a big step towards trouble.” If you feel compelled to do something, work on not being a US person anymore.
My $.02.
Maz57: thanks for your input.
Here are my reasons for not filing previously: the country where I live only gives you the final tax bill the following year. After a while, not owing US tax, I just gave up (in 2003?) filing the IRS forms, on which I had previously had to estimate tax paid locally. Plus the IRS never answers or acknowledges you, and they stopped sending paper forms.
Here are my reasons for filing: in 2014 one of my banks detected my US “personness” and threw me out (Deutsche Bank). I then learned of FATCA, FBARs and such.
And I was scared that my other banks (which know me as an EU citizen) would “find me out” by my birthplace (which they have). When they do, they will ask me to either show a CLN or prove compliance. Since I have not renounced, they could send my data, under local IGA, to the local government (data which they usually cannot have, it’s private) which will forward it to the IRS. I was imagining a scenario in which the IRS would then wonder why it was getting this data about me when I was not filing anything.
Therefore I figured I had to become compliant. Which meant filing again. But also filing FBARs. You see my fear is that the IRS finds out about me before I declare stuff. As with many people, I have nothing to hide, no fraud, no tax evasion, high local taxes, and not that much money. No US tax owed, etc.
Perhaps the most rational thing would be to just renounce now. Theoretically if you do that, you should file a form 8938 and be tax compliant for 5 years, right?
It all seems like Catch 22. But of course the “lay low” course may very well be the best one. I could just continue to ignore the whole thing. One day my banks will ask me about my USness. I will ignore them as long as possible. And then I can always send my data and “wake up” and file taxes. Then there is the hypothetical of US travel; at some point will the databases all be put together to catch us when travelling. I do like to go to the US every few years.
I’ll stop here, but will continue to ponder.
@Fred – Would you contribute to an IBS version for the EU? I’m assuming you live in Germany with Deutsche Bank? Someone needs to get legal action going in the EU so it can ultimately get to the European Courts.
I think the effort would have to be two pronged. A legal challenge in the UK (if the Tories form a Government in the UK) and the other in another EU state.
Deutsche Bank threw you out on place of birth – nothing more nothing less.
FATCA has to be challenged in the EU.
I’m stuck in the US at present but planning on moving back to somewhere in the EU (of which I’m a citizen as well).
It seems sensible to start banding together ‘US persons’ and other interested parties to get the IGAs struck down.