Compliance
Hackers Threaten Global Account-Sharing Pacts, Law Firm Warns

A risk from the pandemic is that other news stories get obscured. One such example is how hacking attacks on banks, revenue departments and other entities threaten a network of cross-border account transfer protocols such as FATCA and the Common Reporting Standard. A lawyer campaigning on the issue talks to this news service.
Official bodies worldwide are barely waking up to warnings about privacy threats caused by hackers. These attacks expose serious flaws in cross-border bank account-sharing agreements, an international law firm warns.
Over the past decade or more, the US has enacted the Foreign Account Taxation Compliance Act (FATCA), and dozens of other industrialised countries, such as the UK, Switzerland, Germany and France (but not the US), have signed up to the Common Reporting Standard (CRS).
FATCA requires foreign financial institutions to prove to US tax authorities that any US expat clients’ affairs are fully accounted for. Otherwise, these institutions will be subject to a US withholding tax. The CRS regime enables countries to swap bank account details on millions of individuals to hunt down tax cheats. (The US is not signed up to the CRS.)
But these agreements come up against a big problem: cybercrime. There have been scores of data breaches at private and state banks, revenue departments and other organisations, so many, in fact, that data exchanges are not robust enough and financial privacy is in serious danger, argues Filippo Noseda, partner at Mishcon de Reya.
“There is a data leak pandemic in the making,” Noseda told this publication.
His use of the word “pandemic” is deliberate. The COVID-19 crisis is a sort of biological version of digital viruses and hacking attacks with which the wealth management industry is now wearily familiar. Banks such as JP Morgan and Bank of America have been hit. (In the BoA case, the bank said it may have been breached, according to reports in late May this year.) The US Internal Revenue Service and financial information service Equifax, among others, have been targeted. Cybercrime damage costs are predicted to hit $6 trillion annually by 2021 (source: Cybercrime Magazine, March 29).
Noseda has amassed a dossier of data breaches which he says raise serious doubts about how safe information exchange agreements are. He regularly regales industry groups with his worries about how FATCA and CRS are vulnerable.
There are also other signs that all is not well.
In October 2018 Switzerland’s federal tax body passed data to other nations under CRS-driven agreements, but with important exceptions. The Swiss handed information to most European Union member states (with one exception and a delay) and nine other states: Australia, Canada, Guernsey, Iceland, the Isle of Man, Japan, Jersey, Norway and South Korea. However, the Swiss did not give data to Cyprus and Romania because, in the wording of the release at the time, “they do not yet meet the international requirements on confidentiality and data security”.
The Swiss comment was particularly damning because Romania is an EU member state. (The CRS in total covers 102 states.)