Hackers Threaten Global Account-Sharing Pacts, Law Firm Warns

A risk from the pandemic is that other news stories get obscured. And one such example is how hacking attacks on banks, revenue departments and other entities threaten a network of cross-border account transfer protocols such as FATCA and the Common Reporting Standard. A lawyer campaigning on the issue talks to this news service.
  Official bodies worldwide are barely waking up to warnings about
  privacy threats caused by hackers. These attacks expose serious
  flaws in cross-border bank account-sharing agreements, an
  international law firm warns.
  
  Over the past decade or more, the US has enacted the Foreign
  Account Tax Compliance Act (FATCA), and dozens of other
  industrialised countries, such as the UK, Switzerland, Germany
  and France, but not the US, have signed up to the Common
  Reporting Standard (CRS).
  
  FATCA requires foreign financial institutions to prove to US tax
  authorities that any US expat clients’ affairs are fully
  accounted for. Otherwise, these institutions will be subject
  to a US withholding tax. The CRS regime enables countries to swap
  bank account details on millions of individuals to hunt down tax
  cheats. (The US is not signed up to the CRS.)
  
  But these agreements come up against a big problem - cybercrime.
  And there have been scores of data breaches at private and state
  banks, revenue departments and other organisations. So much so,
  in fact, that data exchanges are not robust enough and financial
  privacy is in serious danger, Filippo Noseda, partner at Mishcon de Reya,
  argues. 
  
  “There is a data leak pandemic in the making,” Noseda told this
  publication. 
  
  His use of the word “pandemic” is deliberate. The COVID-19 crisis
  is a sort of biological version of digital viruses and hacking
  attacks with which the wealth management industry is now wearily
  familiar. Banks such as JP Morgan and Bank of America have been
  hit. (In the BoA case, the bank said it may have been breached,
  according to reports in late May this year.) The US Internal
  Revenue Service and financial information service Equifax, among
  others, have been targeted. Cybercrime damage costs are
  predicted to hit $6 trillion annually by 2021 (source:
  Cybercrime Magazine, March 29).
  
  Noseda has amassed a dossier of data breaches which he says raise
  serious doubts about how safe information exchange agreements are.
  He regularly regales industry groups with his worries about how
  FATCA and CRS are vulnerable.

  There are also other signs that all is not well.
  
  In October 2018 Switzerland’s federal tax body passed over data
  to other nations under CRS-driven agreements – but with important
  exceptions. The Swiss handed information to most European Union
  states (with one exception and a delay) and nine other states:
  Australia, Canada, Guernsey, Iceland, the Isle of Man, Japan,
  Jersey, Norway and South Korea. However, the Swiss did not give
  data to Cyprus and Romania because, in the wording of the release
  at the time, “they do not yet meet the international requirements
  on confidentiality and data security”. 
  
  The Swiss comment was particularly damning because Romania is an
  EU member state. (The CRS in total covers 102 states.)

  Noseda said that CRS and FATCA-driven data transfers are like the
  position of passengers on a train – there is a single entry and
  departure point, adding to the risks of something going
  wrong.
  
  The lawyer said he has spoken to the Paris-based Organisation for
  Economic Co-operation and Development and the UK’s Information
  Commissioner’s Office (ICO). The ICO is responsible for enforcing
  rules such as the recently-enacted General Data Protection
  Regulation of the EU. (WealthBriefing
  contacted the ICO for comment on the matter, without obtaining a
  response at the time of going to press. It also emailed the OECD
  for comment, and may update this article in due course.)

  The OECD recently put up a job advert (with a 28 May deadline)
  seeking a "technical advisor on information security management".
  The advert said: "The Global Forum is hiring an information
  security expert to assist jurisdictions participating in the AEOI
  process." The AEOI acronym refers to Automatic Exchange of
  Information.
  
  Noseda fears that so much political capital has been sunk into
  these cross-border data sharing pacts – often in reaction to
  complaints about tax havens and illicit flows of money – that it
  is tough for framers of these policies to admit that they have
  made a mistake.
  
  “I tried to engage with them. This is a huge data protection
  disaster waiting to happen,” he said, adding: “There has been an
  unwillingness and inability to engage in discussion about
  this.”
  
  A problem made worse by COVID-19 is that governments are likely
  to target wealthy people as they try to fill their public
  coffers. They may not worry about privacy, Noseda said. 
  
  In the past, complaints about FATCA and CRS could be painted as
  concerns of the super-rich, but a number of cases show that the
  problem spreads wider. Noseda has worked with an “Accidental
  American” individual, living in the UK, called “Jenny”, who spent
  a large chunk of her annual salary on filing US tax returns.
  Those tax returns confirmed that Jenny does not owe any US tax,
  because she earns less than the $104,000 'Foreign Earned Income
  Allowance' for US citizens living and working abroad. In fact she
  hadn’t worked as an adult in the US. This, and other cases, show
  that there is a problem, he said. 
  
  Controversy over information-sharing agreements highlights a
  clash between legitimate financial and data privacy – which is a
  right – and the desire by governments to catch illicit money
  flows and criminals. A parallel argument is continuing about the
  publication of registers of beneficial ownership of companies and
  trusts. Over a year ago, Crown Dependencies such as Jersey, the
  Isle of Man and Guernsey started to publish beneficial ownership
  of companies (but not trusts). 
  
  Critics of “full transparency” over financial matters argue that
  without privacy, people are at risk of kidnap and robbery, a
  concern all too real in regions such as South America, Africa,
  parts of the former Soviet Union and Asia.