updated 2:57 PM CEST, Sep 21, 2023

Concern over FBAR data confidentiality in wake of ‘FinCEN Files’ exposé


As American expats and their tax preparers come down to the final stretch of the Oct. 15 Foreign Bank Account Reports (FBAR) deadline, concerns are emerging over whether the data they’re about to send to the U.S. could, at some point, fall into the wrong hands.

So say some tax experts, who report that they’re hearing from clients who are aware that the FBAR data is submitted to the Financial Crimes Enforcement Network (FinCEN), an arm of the U.S. Treasury department.

The reason for their concern is the news, which hit the world’s media last weekend (Sept. 20), of “dirty money” revelations that emerged from data that had been routinely reported to FinCEN by banks and other financial firms between 2011 and 2017.

The concern of their clients, according to the tax preparers interviewed by the American Expat Financial News Journal, isn’t that they fear also being found to have engaged in illegal activity, but that their account details could fall into criminal hands, given FinCEN’s apparently weak defences.

The ICIJ’s FinCEN Files exposé comes as serious questions were already being raised in Europe about whether the U.S. tax evasion law known as FATCA meets the EU’s General Data Protection Regulation (GDPR) standards for protecting the personal data of EU citizens when this data is transferred to the U.S.

The New York Times's publication on Monday of details of what it said were President Trump's tax returns over the past two decades-plus, obtained without the permission of Trump, is being seen by many as further evidence of the ease with which data that is meant to be kept secret can in fact be obtained by those who seek it.

As reported, a ruling by the European Court of Justice in July, which struck down the main mechanism used by the EU to protect the personal data of EU citizens when it's transferred to the U.S., had already been seen by some lawyers and anti-FATCA campaigners as certain to force the European Union to re-negotiate the inter-governmental agreement it has with the U.S., which governs the way EU countries comply with FATCA.

The FinCEN 'hackability' question

Among the tax experts who say they have begun hearing concerns over FinCEN’s apparent “hackability” is David Treitel, founder and head of London-based American Tax Returns Ltd.

“I’m hearing from clients who are genuinely worried that the U.S. government won’t be able to ‘keep private things private’,” Treitel told the AXFNJ, referring to the latest ICIJ revelations, which the investigative journalism organization said had been based on more than 2,100 “Suspicious Activity Reports” filed with FinCEN by banks “and other financial firms,” and which had originally been leaked to BuzzFeed News.

With respect to the FBARs that Americans with non-U.S. financial accounts are obliged to file every year, Treitel says his clients' concerns are based on the fact that when filling out their FBARs before submitting them to FinCEN, taxpayers are obliged to include all of their relevant non-U.S. bank account data, including their account numbers, as well as their address, the names and addresses of their banks, and the highest value of the money they held in each of their non-U.S. bank accounts during the previous year.

This is precisely the kind of information that recent data hacks of government and private databases around the world have focused on.

A 2015 cyber hack of the IRS, in fact, was said to have exposed the personal data of more than 700,000 taxpayer accounts.

Mishcon de Reya, the law firm that has been helping a crowd-funded American expat known only as "Jenny" to challenge the data protection problems she claims are at issue in the way the UK forwards her personal data to the U.S. in compliance with FATCA, has posted a 44-page “Mishcon de Reya Hacking and Data Breaches List” that is explained as having been prepared “to support Jenny's claim that FATCA unnecessarily exposes sensitive personal and financial data of compliant citizens to the risk of hacking”.

Katelynn Minott, a managing Certified Public Accountant and partner of Bright!Tax, the online American expat tax specialist firm, agreed that some of Bright!Tax's clients might be asking themselves a similar question, though she hasn't actually heard anyone mention it yet.

Even before the latest ICIJ revelations, “the requirement to file an annual disclosure with an entity known as the Financial Crimes Enforcement Network was in itself intimidating for many U.S. expat clients,” Minott, pictured left, noted.

And now, in the wake of reports that confidential U.S. Treasury documents called ‘Suspicious Activity Reports’ were leaked by FinCEN, she says some could experience “personal conflict” about filing their FBARs, similar to what Treitel describes above.

“Suspicious Activity Reports (SARs) are reports from foreign banks which detail potentially suspicious transactions of their account holders, and are used to highlight illegal activity such as money laundering and fraud,” Minott, whose company looks after American clients in some 190 countries around the world, explains.

“It isn't likely that your everyday, FBAR-reporting taxpayer would show up in one of these reports, or be impacted by the leak.

“But security breaches involving sensitive taxpayer banking data are obviously going to be a matter of concern for U.S. taxpayers who carry out banking transactions abroad, and whose data is being handled by the same government entity.”

Anthony Parent, founder of the Wallingford, Connecticut-based IRSMedic.com tax firm, admits he's among the least confident of the U.S. government's ability to keep data secure. "There is no doubt that China is attempting to hack into all sensitive databases as we speak – and yet the law requires us to make the database ever bigger," he said, citing as one of the worst examples of the government's weak defenses the June 2015 data breach of the Office of Personnel Management, which is said to have seen as many as 22.1 million people impacted.

"And with the news that President Trump's tax returns were stolen, every American must ask themselves, if even the president of the United States can't keep his tax returns confidential, what chance do the rest of us have with any of our personal information?" Parent added.

"We have devolved into a truly lose-lose situation: If you don't comply, your lack of compliance will be used against you; but if you do comply, this could also be used against you."