News flash! The Internet is not secure. Every day we read new reports of hackers who’ve stolen credit card numbers, medical records, government personnel files, income tax refunds, and myriad other pieces of data. Victims are not limited to naïve individuals who fall for phishing schemes, but include Target, the Pentagon, Blue Cross and Blue Shield, and the U.S. Office of Personnel Management. Security experts remind ordinary users to change passwords frequently, avoid clicking on emails from unknown or suspicious senders, and remain vigilant while using the Net. But no one should believe that they can absolutely prevent unauthorized access to their most private information.
Why is this old news important to government tax administrators, tax professionals, and taxpayers? Mainly because even though governments have been exchanging financial and tax information for decades, the volume, frequency, and regularity of those disclosures has begun to grow exponentially, and will soon grow logarithmically. If past intergovernmental information exchanges reflected the pace of a horse, and current exchanges have begun to approach the speed of a Ferrari, the exchanges on the near-term horizon will resemble the warp-speed travel known to fans of Star Trek. And with the growth of information exchange comes not only the near certainty of illegal access, but also the increased risk to both governments and taxpayers when that illegal access occurs.
The United States took the first bold – some might say overreaching – steps to mandate wholesale information exchanges when it enacted the Foreign Account Tax Compliance Act (FATCA) in 2009. Fully implemented just last year, FATCA requires countries and financial institutions to provide the U.S. with information about foreign financial accounts held or controlled by U.S. persons. While the U.S. has received millions of bits of data under FATCA, that information is constrained in two significant ways: 1. The account holders have some connection to the United States; and 2. The information flows in one direction, to the U.S.
While many countries outside the U.S. first reacted negatively to this massive information grab, some soon began to realize the value of coordinated information exchange. They realized, as the old saying goes, “if you can’t beat ‘em, join ‘em.”
The world tax community has “joined ‘em” with a vengeance, with the OECD developing the CRS for countries to exchange financial information about individual taxpayers. Essentially a global FATCA, the CRS will allow tax administrations in adopting countries to exchange financial information electronically and spontaneously with their counterparts around the world. But unlike FATCA, most of the information exchanged will flow bilaterally among many pairs of participating countries.
The OECD is developing a new reporting platform to enable participating countries to exchange information through a common system. I am certain that the developers will build multiple levels of security into this new global system. But I am also certain that the quantity and quality of data that this new system will carry will prove an irresistible lure not only to hackers who enjoy the challenge of breaking an unbreakable security system, but also to less-than-ethical people that would employ them or buy their hacked data.
As with all other information that flows through the Internet, the data exchanged through the CRS cannot be totally secure. Now is the time, before it opens the data spigot, for the OECD to develop protocols to deal with the inevitable: what they will do when their best laid plans “gang aft agley.”