In one of the most comprehensive studies seen for some time, the law firm argues that the Common Reporting Standard puts legitimate client privacy at risk, and is at odds with a new-found realisation that data needs to protected.

The Common Reporting Standard (CRS) regime - covering 102 countries but not the US - raises serious risks for financial privacy and creates the danger that information will fall into the wrong hands, a prominent law firm has recently warned.

The report, The Big Debate: Transparency Versus Privacy - Common Reporting Standard and Beneficial Ownership Registers, by Filippo Noseda, and published by Mishcon de Reya, argues that the CRS could see millions of individuals with cross-border financial lives have their data put at risk.

“Privacy and data protection are not a luxury. They are an integral part of any democratic society,” Noseda writes in a section of the report entitled “A Disaster Waiting To Happen". Noseda said the rules are so complex that it is unlikely politicians understand it. The CRS regime is democratically unaccountable, he said.

But cracks are opening up in the consensus around demands for ever more data to be passed around, he said. Edward Snowden’s shock revelations in 2013 of US domestic spying, and the recent explosion of cyber-security attacks on banks and governments is starting to drive political calls for data privacy. He notes, for example, that European groups, and the UK’s tax authority, have warned about data security risks around the CRS. 

Such comments are not unique, but the law firm's report is one of the most comprehensive attacks on the CRS in recent months and years. Similar complaints about the assault on financial privacy were heard late last year at a breakfast briefing hosted by this publication in London in association with law firm Druces. At the heart of the issue is a worry that governments, desperate for revenue and trying to stamp out tax evasion and terrorism financing, are trampling over legitimate client privacy and due process of law. The issue of financial privacy is scheduled to be a major theme at the forthcoming STEP conference in Switzerland at the end of January that this publication is covering and supporting.

Problems
A central problem, Noseda's report says, is that data exchanges that are designed, so the CRS framers hope, to combat tax evasion are a recipe for trouble because some of the CRS countries score poorly on measures for governance, corruption and the rule of law.

“A number of European data protection agencies have raised concerns about the broad nature of the new rules and the fact that they require a generalised registration/exchange of information which is automatic and independent of the existence of any actual risk of tax evasion, raising the question of proportionality,” the author writes. “In addition, the nature of the information exchanged under the CRS (name, date and place of birth, bank account details) or captured by central registers has the potential of exposing millions of individuals to the risk of hacking and data theft,” he continued.

“Once one cuts across the drafting complexities of the CRS, its underlying problem is extremely simple – the CRS requires the exchange of sensitive personal and financial information to foreign tax authorities on a generalised basis without any limitations and, in particular, without considering any actual risk of tax evasion. If you have an account in a foreign country, you will be subject to reporting, probably via more or less secure electronic communication between governments,” he said. 

“The CRS has been designed as a global automatic information exchange system. Although some countries are considering the reporting position in relation to high-risk countries, there is no consensus in this area. The issue is not academic: the extent of the problem is evident if one compares the list of countries that will exchange and receive information under the CRS with well-known corruption indexes, such as the Corruption Perception Index published by Transparency International (ironically, a big supporter of the CRS) or the CronyCapitalism Index published by The Economist,” it said. 
Noseda said the CRS and the EU Anti-Money Laundering rules “contradict the most fundamental principles of data protection and privacy”.

“The right to privacy and data protection is even more necessary at a time when cyber-attacks are becoming increasingly prevalent across the world. The National Cyber Security Centre (NCSC), part of GCHQ and the UK’s authority on cyber-security, released its first annual review on cyber-security revealing that since it opened last year, they had received 1,131 incident reports, with 590 classed as 'significant'. Whilst this is a large number, the reality is that these are the tip of the iceberg,” it said. 

“The foreword to the CRS makes it abundantly clear that the new global system of automatic information exchange has been devised by unelected officials with input from ministers and central bank governors and then submitted to the European Parliament as well as national parliaments for adoption and implementation. Given the phenomenally complex nature of the provisions contained in the CRS, it is unlikely that many parliamentarians will have grasped the underlying data protection issues,” it said.