Those familiar with the US Foreign Account Tax Compliance Act (FATCA)—and in the United States, that's not many people—think of it as either a sledgehammer attempt to curb offshore tax evasion or (more accurately) as a costly, counterproductive, and indiscriminate burden on the global economic system; a compliance nightmare that only benefits tax lawyers, accountants, and software firms; a job-killing disincentive for foreign investment in the United States; a crude overreach in violation of every principle of sovereign legality; an abuse of the US Senate's constitutional treaty authority; a blatant violation of WTO and other trade commitments; and a financial “drone strike” against Americans living abroad.
FATCA is all that and much, much more. But in light of sweeping revelations about the email, telephone, and internet surveillance activities of the US National Security Agency (NSA), it's time to take a look at FATCA's implications for personal electronic privacy and the growing power of the US intelligence agencies' global surveillance state.
Just Hand Over the Information—or Else
FATCA is a US law enacted in 2010 that, beginning in July 2014, would require all foreign (i.e., non-American) financial firms (not just banks but also credit unions, insurance companies, pension funds, stock and investment funds, etc.) to report the accounts of “US Persons” defined so broadly as to include many citizens of other countries, for example perhaps a million Canadian citizens.
How does the US government get jurisdiction to do this? Well, it has no jurisdiction and doesn't claim any. If any of the hundreds of thousands of foreign financial institutions (FFIs) anywhere in the world, whether it does business in the US or not, fails to demonstrate to the US Treasury Department's satisfaction that it has due diligence in place to gather the demanded account information and agrees to hand it over to the IRS in a manner dictated by that agency in 544 pages of mind-numbing regulations, it will be hit with a 30% deduction on any US-sourced revenues, including “pass-thru” payments.
In view of the US role in the global financial system, many if not most FFIs are recipients, at least indirectly, of revenues that can be intercepted by US financial institutions forced to act as withholding agents on the Treasury's behalf. This would amount to confiscation of the FFIs' legitimate assets for being “recalcitrant” under a foreign law that they are under no legal (much less moral) obligation to obey, and which in most countries they can't obey without violating local human rights, data security, and other protection laws.
Thus, FATCA has no legal claim to its breathtaking demand for worldwide submission. Its only claim of authority is the Treasury Department's threat to inflict pain on foreign entities not otherwise subject to US law. In other words: might makes right.
There is much more to it of course, including the fact that even FATCA advocates admit the law is “wholly unachievable” as written and can only be implemented by foreign governments' knuckling under to the threat of economic sanctions and agreeing to sign so-called intergovernmental agreements (IGAs) to act as the IRS's enforcers against their own institutions and citizens under false promises of reciprocity. And it is well established that FATCA would yield at best a meager “recovery” of revenues hidden offshore—less than $1 billion per year (enough to fund the US federal government for about two hours) while inflicting compliance costs worldwide of $1 to 2 trillion. It is increasingly clear that FATCA is cruising towards a catastrophic collision with reality.
Since FATCA doesn't pass the laugh test as an effective tax enforcement tool, one then has to wonder if it serves some other purpose. Why would the US government (or at least some elements of the US government) be so insistent on gathering vast amounts of personal financial data from foreign institutions, without any suspicion of wrongdoing by either the vast majority of account holders or by the institutions themselves?
FATCA-Compliant Banks Would Have No Privacy Expectation from US Security Agencies
If FATCA's sole purpose were to recover tax revenues from assets squirreled away offshore by American fat cats, it seems odd that it targets only individuals and specifically exempts reporting on accounts held by US corporations. On the other hand, targeting individuals makes a lot of sense if FATCA's purpose is directed towards something else: adding to US government agencies' global electronic map of personal information. Americans and the rest of the world are increasingly aware of the vanishing concept of personal privacy, whether supposedly justified by the needs of law enforcement, anti-terrorism, or (as here) recovering tax revenues.
It should be further understood that any data transmitted by foreign financial institutions will not be confined to the IRS but will be handed over (upon request, of course) to other three-letter agencies of the US government. The following is from a 2012 letter from Sen. Carl Levin (D-Michigan), a prominent FATCA supporter, to then-IRS Commissioner Douglas H. Shulman:
Although FATCA is structured to address offshore tax abuse, offshore account information has significance far beyond the tax context, affecting cases involving money laundering, drug trafficking, terrorist financing, acts of corruption, financial fraud, and many other legal violations and crimes. Given the importance of offshore account disclosures, FATCA guidance and implementing rule should create account FATCA forms that are not designated as tax return information but, like FBARs, may be provided to law enforcement, regulatory, and national security communities upon request. FFIs are not, after all, US taxpayers, and will not be supplying tax information on behalf of their US clients; they will instead be providing information about accounts opened by US persons. The US Supreme Court has long held that bank account information is not inherently confidential but is subject to inspection by law enforcement and others in appropriate circumstances. Foreign account information is too important to a wide range of civil and criminal law enforcement and national security efforts to be designated as tax return information bound by Section 6103's severe restrictions on access [emphasis added].
This requires some explanation. Section 6103 refers to United States Code Chapter 26, Section 6103, which according to the Justice Department “generally prohibits the disclosure of 'tax returns' and other 'tax return information'” outside the IRS, unless certain narrow exceptions apply, mainly with respect to specific criminal cases. Here, Senator Levin is saying—correctly, as far as US law goes—that when FFIs sign on to the IRS portal for transmitting data demanded under FATCA, any information received can (and I would say, will) be passed on to other government agencies, including national security (i.e., intelligence) agencies, such as the NSA, the Central Security Service, and the US Cyber Command among others. Not only the US Persons whose account information is forwarded but also the institutions themselves have no expectation of privacy or confidentiality. (“FFIs are not, after all, US taxpayers,” and “bank account information is not inherently confidential.”)
Having established that (a) information received under FATCA may be passed on to these other agencies, (b) there is no legal expectation of privacy or confidentiality, or any limitation on use of any information gathered, and (c) institutions would be required to log onto a portal created and operated by the US government, it is fair to ask, given growing concerns about covert information-gathering by the NSA, whether the motives behind FATCA are limited to tax enforcement and what further use will be made of information supplied to the IRS.
(Editor's note: you can see an instructional YouTube video for FFIs using the IRS portal here.)
So, Why Would Intel Agencies Want Personal Information from Banks?
If information itself, not tax enforcement, is the real underlying value of FATCA for US government agencies, this might also help explain exemption of corporations. Perhaps the law's authors figured that corporations, unlike individuals, might have the means to fight back and risk upsetting the whole applecart. Or perhaps personal information is more useful for intelligence purposes. Either way, targeting individuals' private data appears to be the most plausible reason to impose a mandate that FFIs—including many thousands worldwide that don't do business in the United States and may not be as readily accessible to US agencies as domestic firms—log onto a government-controlled site.
How Might FATCA Compliance by FFIs Facilitate Intelligence Collection?
First, the FATCA data itself, matched with other information available to the relevant agencies, would greatly enhance creation of a global financial social accounting matrix, using US Persons' account information as a kind of marker or human “taggant” for mapping contacts, relationships, and activities of a wide range of persons and institutions well beyond the US Persons themselves. While email, phone records, blog postings, social media ramblings, and other personal data are valuable for the surveillance state, one could argue that capture of personal financial information is a far more valuable payload for intelligence monitoring and management. FATCA data would be an invaluable supplement to intelligence agencies' existing efforts to monitor international finances. (See: “'Follow the Money': NSA Spies on International Payments,” Der Spiegel, September 15, 2013.)
Second, and more ominously, it needs to be asked what additional types of information-gathering on FFI targets other than US Persons may be facilitated by metadata and other transfers incidental to automatic electronic data transmission. There is no reason to suppose the technical capabilities of US agencies would be thwarted by metadata-scrubbing, encryption, or other safeguards FFIs might place on data transfer, whether incidental or anticipated.
Certainly, from a purely technical point of view, it seems the NSA and other intelligence agencies already are doing fine on their own. But consider how much easier it would be to steal keys, crack encryption, or install a worm, a Trojan horse program, or other malware via a drive-by download to provide backdoor access to all the data in a target network when it's unnecessary to phish the target in.
Instead, they can just require the target institution (under threat of FATCA sanctions) to log in at the Black Gate of Mordor and take it from there. As an extra bonus, instead of having to pay for costs incurred by the target firms, as the NSA did for US firms involved in the Prism program, the FFIs themselves would have to bear the costs of providing possible access for US agencies to acquire data even beyond that demanded under FATCA.
Some might consider the suggestion that US agencies would abuse FATCA compliance for intelligence collection purposes speculative, or even offensive. But then one wonders what would be the impediment to such abuse. Technical? Political? Moral? Legal? Given almost daily revelations of what the same agencies already have been doing, it's hard to take such objections seriously. (And if anyone thinks Treasury and the IRS are not already integral elements of the broader spying program, see: Jennifer Stisa Granick and Christopher Jon Sprigman, “NSA, DEA, IRS Lie About Fact That Americans Are Routinely Spied On By Our Government: Time For A Special Prosecutor,” Forbes, 8/14/2013.)
At the very least, it should be expected that the IRS would have the decency to provide a warning on the FATCA log-in and registration portal that every FFI in the world must use to be compliant. It could be something like:
This site is operated by the United States Internal Revenue Service (IRS). Foreign financial institutions are on notice that any information made available to the IRS as a result of logging onto this site may be passed on to other agencies of the government of the United States and that use of such information may not be exclusively for tax purposes.
It's Time to Think of Financial Information as Personal Information
Thus far, media coverage of FATCA has been almost entirely relegated to the finance and tax pages, mainly outside the United States, much of it dominated by compliance-mongers drumming up business. Even FATCA's toxic economic impacts and the Treasury Department's grossly exceeding its legal authority have drawn little notice, especially in US domestic reporting.
Still less attention has been given to what may be the real story of FATCA as a critical, but thus far almost completely ignored, piece of the growing machinery of global surveillance. After all, FATCA is only about offshore tax evasion and has nothing to do with personal privacy, right?
Wrong. First, an individual's financial information is personal information. In terms of intrusive agencies' monitoring of—and perhaps soon, controlling—the lives of people who used to consider themselves free and independent citizens of their respective countries, financial information is far more significant in content than most of the fluff and narcissism on Internet forums, social blogs, wikis, social networks (some with facial recognition capabilities), podcasts, and other electronic content we've gotten used to thinking of as defining “personal”:
Financial privacy isn't typically considered as sexy as other forms of privacy, like our right to private beliefs, health care, property, and communications. Infringement of financial privacy doesn't evoke the kind of outrage as other violations, because most overlook the vital role it plays in preserving human rights and protecting individuals from governmental abuse. Without financial privacy, for instance, law-abiding citizens around the world would be in danger of having all of their financial information shared with corrupt governments or criminal organizations, potentially exposing them to extortion, blackmail, or even kidnapping.
Just as supporters of the police and surveillance state argue that individuals with nothing to hide should be willing to forfeit their right to privacy, those obsessed with collecting taxes think that the vast majority of Americans who do not engage in evasion should be willing to relinquish their financial privacy rights. Recent scandals have exposed these claims as naïve and dangerous. Innocent Americans must zealously guard their privacy against government intrusion and reject invasive laws like FATCA passed under the false pretense of catching criminals. [Andrew F. Quinlan, President, Center for Freedom and Prosperity, “FATCA: The end of financial privacy,” The Daily Caller, September 12, 2013.]
Second, the sheer scope of the data haul that can be accessed if foreign financial firms' data – potentially, all of it – is compromised through FATCA compliance could make the revelations to date about NSA's snooping pale to insignificance. Already, we've seen the willingness of the NSA to require American domestic firms to hand over what their customers thought were private communications, to insert vulnerabilities into commercial encryption systems, and otherwise to flout the rule of law. Such lawlessness achieves a whole new dimension of menace when firms, literally anywhere on the planet can be forced by the one-and-only global sovereign to submit to the same treatment—with their own governments meekly cooperating even as they denounce the latest reports about the NSA.
Will the watchdogs of electronic privacy finally figure out that FATCA is not really about taxes? It's time to find out.
James Jatras is a former US Diplomat and policy adviser to Senate Republicans from 1985 to 2002. He has launched a campaign for the repeal of FATCA and manages of www.RepealFatca.com.