Governments are intensifying their transparency obligations as they seek new revenue sources and invest in strengthened enforcement. For example, in the US during September 2023, the IRS has announced an intention to increase focus on high-net-worth individuals (HNWIs) tax debt. At the same time, more regimes are participating in the automatic exchange of some taxpayer information, effectively requiring financial institutions to collect relevant data and provide it to the countries where their clients are tax residents. In addition, HNWI’s geographical mobility has grown. For HNWIs who hold assets in many parts of the world, the issue of data security has increased in importance.
Wealthy individuals are concerned about the risks of tax transparency and reporting requirements, discourse and privacy concerns. No one would dispute that mechanisms to help ensure all taxpayers pay their fair share are to be encouraged. In practice, however, certain levels of transparency can give way to questions about privacy and data security. Both HNWIs and tax authorities should be mindful of the implications. Financial institutions also need to be clear with their customers about what data they are reporting
HNWIs need to be aware of where information is being shared – not only where and how they hold their investments, but their personal financial information too. This responsibility falls not only on HNWIs but the relevant personnel in their family offices and connected enterprises. Data privacy breaches highlight the potential embarrassment of publicizing personal financial data and the private security risks. Rapid technological advancements have revolutionized data collection, storage and analysis. While this has facilitated tax enforcement efforts, it has also exposed vulnerabilities in personal privacy. HNWIs must navigate an increasingly interconnected digital landscape, where their personal information may be susceptible to breaches, hacking or unauthorized access.
The legal and regulatory frameworks governing privacy rights and tax compliance vary across jurisdictions. Navigating these complex and evolving frameworks poses challenges for HNWIs as they strive to protect their privacy without running afoul of tax laws. The cornerstones of this enforcement initiative are the Foreign Account Tax Compliance Act (FATCA), enacted by the US in 2010, and the Common Reporting Standard (CRS), developed by the OECD in 2014. HNWIs face specific challenges in relation to the automatic exchange of information under regulations like FATCA and CRS.
FATCA requires that foreign (non-US) financial institutions and certain other non-financial foreign entities report on the foreign assets held by their US account holders or be subject to withholding on withholdable payments. Following the same principle, CRS calls on countries to collect account information from financial institutions in their jurisdictions and automatically exchange that information with relevant tax authorities. Over 100 countries have implemented it, with more signing up for future implementation.
There are concerns about the security and protection of the information exchanged between financial institutions and tax authorities, as demonstrated by hacking and data breaches. Sensitive information can be bought and sold in certain countries, posing risks such as extortion and kidnapping for wealthy individuals. In 2015, a data breach at the IRS resulted in more than 700,000 social security numbers and other sensitive information being exposed. In 2007, a major data breach at HM Revenue & Customs (HMRC) exposed the personal details of over 25 million people, including names, addresses, and National Insurance numbers. In 2020, HMRC was targeted by a phishing attack that resulted in the theft of login details for over 100,000 accounts.
The public's fascination with the lives of the wealthy often leads to intense scrutiny of HNWIs. Unwanted exposure can lead to invasive media attention, sensationalism and potential reputational damage. Information leaks or unauthorized disclosures can have far-reaching consequences, impacting personal and professional relationships, philanthropic efforts and even business ventures. HNWIs often find themselves under the media spotlight, and even minor missteps can be blown out of proportion. Negative press can tarnish their reputation, create public skepticism and hinder their ability to engage in various ventures or influence public opinion. Ensuring privacy is crucial for preserving personal and professional standing.
Other relevant legislation includes EU directives such as DAC6 (Directive on Administrative Cooperation) and initiatives designed to address tax compliance issues related to crypto assets like DAC8 and the OECD’s Crypto-Asset Reporting Framework. It’s important to note that a wide range of crypto assets, including those issued in a decentralized manner and stablecoins, are now in scope for reporting and automatic exchange of information (AEOI) as tax authorities aim to strengthen administrative cooperation and address these emerging tax challenges.
Such recent developments in Europe have triggered growing concern over AEOI, driven primarily by data privacy issues. In June, the litigation chamber of Belgium's Data Protection Authority (BDPA) deemed the transmission of financial account information of "accidental Americans" under FATCA inconsistent with European Union law. The judgment was influenced by a series of complaints lodged under the EU's General Data Protection Regulation (GDPR), contending that FATCA disclosures subjected compliant account holders to unnecessary and disproportionate risks related to their data security and privacy. The Swiss Federal Court has followed Belgium's lead in expressing reservations regarding FATCA.
Privacy concerns for HNWIs
HNWIs need to have confidence in the accuracy of the information their financial institutions maintain. It is critical that the entities and arrangements that comprise their investment holdings and ownership structures are properly classified and that the reporting is carried out appropriately. Inaccurate reporting can provoke audits, even when the taxpayer is completely compliant, thus reinforcing the importance of verifying reported data. Any discrepancy between the shared information and the tax and financial information declared by the taxpayer can result in significant expenses, including hefty penalties and professional service costs necessary to rectify incorrect reporting. Financial institutions that are non-compliant can face both monetary penalties and reputational damage. As a countermeasure, they are increasingly adopting detailed approaches to guarantee that pertinent data is collected, reported accurately, and submitted seamlessly with appropriate withholding.
Financial institutions are also implicitly required to provide clear explanations to customers regarding the usage of the collected information. A case reported by The Financial Times involving an American-born, UK-based self-employed editor and researcher illustrates this point well. She entered into a legal dispute with HMRC and the Information Commissioner's Office, arguing that FATCA violates her right to privacy and data protection, as she was uninformed about the use of her bank-collected data.
Additionally, I am also aware of a recent case of an individual who was erroneously reported to UK tax authorities under CRS regulations for receiving a trust distribution as a beneficiary when, in reality, the distribution was made to his family's tax-exempt charity. As a result, he received a notice from the Inland Revenue concerning a distribution not reported on his UK tax return. Although the situation was eventually rectified, it involved significant costs and distress. A crucial factor leading to this situation was an oversight by the trustee, highlighting the importance of effective communication between trustees and beneficiaries prior to information exchange.
An action plan for privacy management
Here are four steps to consider:
1. Engage trusted advisors
HNWIs should collaborate with experienced tax and legal advisors who specialize in privacy protection. These professionals can offer valuable insights into local regulations, guide individuals in structuring their affairs to minimize exposure to risk and provide ongoing support in managing privacy risks effectively, while remaining compliant. It is vital the advisor is knowledgeable in all the jurisdictions where their client’s assets are held.
2. Implement robust cybersecurity measures
Protecting personal information from unauthorized access requires implementing robust cybersecurity measures. HNWIs should invest in advanced encryption technologies, multifactor authentication, secure data storage systems and regular security audits. Staying informed about emerging cyber threats and actively adopting best practices are essential in safeguarding privacy.
3. Foster a culture of privacy awareness
Developing a culture of privacy awareness within the HNWI's personal and professional circles is crucial. Educating family members, staff and business partners about the importance of privacy and the associated risks can help ensure everyone remains vigilant. Implementing clear policies, conducting privacy training programs and regularly reviewing privacy practices are steps toward building a privacy-conscious environment.
4. Conduct proactive risk assessment and mitigation
HNWIs should conduct regular privacy risk assessments to identify and mitigate potential vulnerabilities proactively. This includes reviewing privacy policies, assessing third-party relationships and staying informed about emerging privacy risks.
Existing regulations give governments a powerful tool to ensure that taxpayers are compliant everywhere in the world. With that power comes a responsibility to ensure that data remains protected in an environment where a breach can have significant risks. Once power is given to governments, it is rarely taken away. In all likelihood, AEOI is here to stay. HNWIs should ensure compliance but remain aware and vigilant over financial information and how it is exchanged.