FOI Take 2

Just over a week ago, I received a message through this website from someone who had submitted an FOI request to the ATO. “Sam” expected that one of his accounts had been reported because the bank had identified him as a US Person and the balance was above the bank’s reporting threshold. The response from the ATO puzzled Sam, and it puzzled me as well. The ATO response stated that they needed to consult with a “foreign government” about whether Sam’s FATCA records were exempt from FOI under Section 33 of the FOI Act:

A document is an exempt document if disclosure of the document under this Act:

(a)  would, or could reasonably be expected to, cause damage to:

(i)  the security of the Commonwealth;

(ii)  the defence of the Commonwealth; or

(iii)  the international relations of the Commonwealth; or

(b)  would divulge any information or matter communicated in confidence by or on behalf of a foreign government, an authority of a foreign government or an international organization to the Government of the Commonwealth, to an authority of the Commonwealth or to a person receiving the communication on behalf of the Commonwealth or of an authority of the Commonwealth.

Paragraph (b) doesn’t seem to apply as the direction of transmission of FATCA data is from Australia to the US, not the other way around. So, would telling Sam what data the ATO had sent to the IRS “cause damage to the international relations of the Commonwealth”?

On further communication with the ATO, Sam was told that, in consulting with the IRS on whether Sam’s own personal data could be released to him, the IRS would be given his personal details. There aren’t many people who would want to tempt fate in this way, even if they believed they were fully compliant with their US filings – there are just too many complex rules and unusual information returns for “international” taxpayers to be 100% confident that they’ve done everything right. Understandably, Sam withdrew his FOI request.

Reading the additional information provided by the ATO clarified their thought process. They quoted Article 2, paragraph 1 of the FATCA IGA:

Subject to the provisions of Article 3 of this Agreement, each Party shall obtain the information specified in paragraph 2 of this Article with respect to all Reportable Accounts and shall annually exchange this information with the other Party on an automatic basis pursuant to the provisions of Article 25 of the Convention.

This paragraph establishes that any information exchanged under FATCA is actually being exchanged under Article 25 of the tax treaty which states in part:

(2) Any information so exchanged shall be treated as secret and shall not be disclosed to any persons other than those (including a Court or administrative body) concerned with the assessment, collection, administration or enforcement of, or with litigation with respect to, the taxes to which this Convention applies.

Apparently, the ATO are reading paragraph 2 as requiring them to keep Sam’s data secret from Sam himself!

So, how does an account holder find out what data has been reported about them? My understanding of Australian privacy law (admittedly not an area I know a lot about), is that your bank must tell you what information they hold about you, which would include a record of what they reported to the ATO under FATCA. Having to ask the bank every year is unsatisfactory. The threshold as measured in AUD changes with the exchange rate and furthermore, many banks are ignoring the threshold and reporting all accounts, so you may have an account that you believe is NOT reportable which is actually reported.

Many “US Persons” with previously existing accounts are unsure whether their bank has identified them as having US indicia. If your financial institution identifies you as a potential US Person, they are required by the Australian Privacy Principles to notify you that previously collected information may be disclosed to the ATO (and ultimately the IRS) under FATCA. Therefore, if your bank hasn’t asked you to confirm US status, your data should not be included with the FATCA data.

Several privacy concerns were noted by the Privacy Commissioner in his 2014 submission to Treasury regarding FATCA. In particular, he noted a “Risk of unnecessary personal information being collected, used and disclosed”:

55. The threshold for exhibiting US indicia under the FATCA arrangements is very low. As any US indicia are enough to trigger the reporting obligation and place an onus on an account holder to positively prove that they are not a US citizen or resident for tax purposes, the OAIC is concerned at the scope for the disclosure of unnecessary personal information. That is, personal information of account holders who may exhibit some US indicia, but are not US citizens or residents for tax purposes, would be disclosed.

Reporting of accounts under the USD50,000 threshold would also be disclosure of unnecessary information. Those who are NOT expecting their data to be reported under FATCA are unlikely to request this information from their financial institution.

For these reasons, reporting to account holders, either by the bank or the ATO should be automatic. Furthermore, automatic reporting should apply to data sent under both FATCA and CRS (which starts this year). Data normally reported to the ATO (interest income, dividends, etc.) are automatically available both from the ATO portal on the my.gov.au website, and from the paying institution (printed on your bank statement or dividend statement). The additional data reported under FATCA should be available just as easily.

In the Privacy Commissioner’s submission to Treasury on the FATCA IGA he suggested that Treasury conduct a Privacy Impact Assessment (see items 26-29). We have been unable to determine whether this was ever completed.

Where to from here? I plan to consult with experts in Australian privacy law and ATO procedures to determine whether a more satisfactory solution is available under current law. I will report back if I learn anything new.