The United States Government has recently enacted two significant pieces of legislation that will impact on Australian financial institutions – the Foreign Account Tax Compliance Act (FATCA) and the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).


Both FATCA and the Dodd-Frank Act may require Australian financial institutions to report information about their customers to United States regulators. There are material consequences, particularly under FATCA, for those that fail to report.

The challenge for Australian financial institutions will be complying with these reporting obligations given the current restrictions on disclosure of customer information under Australian privacy laws.

The reporting obligations

The Dodd-Frank Act imposes reporting obligations in relation to swap transactions. Under the Dodd-Frank Act, Australian financial institutions may be required to:

  • report information about their swap transactions to a swap data repository; and
  • if registered as a swap dealer or major swap participant:
      • report information about their business to the Securities and Exchange Commission or the Commodity Futures Trading Commission; and
      • provide the Commissions with access to books and records.

The Australian government is also proposing to introduce reporting obligations in relation to over-the-counter derivatives.

FATCA imposes reporting obligations on participating financial institutions in relation to “financial accounts” held by US persons or by entities that have substantial US owners. Under FATCA, participating Australian financial institutions will be required to report the following information to the Internal Revenue Service annually:

  • the name, address and taxpayer identification number of the US account holder or substantial US owner;
  • the account balance or value;
  • the account number;
  • the income associated with the account; and
  • the gross receipts and withdrawals from or payments to the account.  

The reporting obligations under both FATCA and the Dodd-Frank Act apply to both new and existing customers.

Restrictions on complying with the reporting obligations

Australian privacy laws make it difficult for a financial institution to comply with these reporting obligations (particularly in relation to existing customers).

Unless a relevant exemption applies, financial institutions would be prohibited from:

  • reporting “personal information” about an individual under National Privacy Principle 2;
  • transferring “personal information” about an individual to the relevant US regulator or trade repository under National Privacy Principle 9;
  • reporting information to the relevant US regulator or trade repository that is not publicly available and has any bearing on an individual’s credit history, credit capacity, credit worthiness or credit standing (if the financial institution is a “credit provider” for the purposes of Part IIA of the Privacy Act); and
  • reporting “confidential information” about an individual or body corporate to the relevant US regulator or trade repository under the Banker’s Duty of Confidentiality (and the Code of Banking Practice, if the financial institution was a signatory).

Financial institutions may be able to rely on an exemption to the National Privacy Principles (section 6A of the Privacy Act) if they can establish that reporting is required by US law and that disclosure involves an act “done” or practice “engaged in” outside Australia.

Solution?

An exemption that is common to all of these restrictions is consent from the individual or body corporate (or, in the case of credit information, written authorisation). However, relying on consent exposes the financial institution to risk. For example, if consent is required from existing customers, the financial institution could be forced to rely on implied consent, as it may be impracticable to obtain express consent from all customers. This exposes the financial institution to the risk that customers will not give their consent (in which case it may be forced to close the account or terminate the derivative, if it can) or that customers will challenge the consent as not effective. To the extent that credit information is disclosed, written authorisation would be required and is likely to impose significant costs when considered across a whole book.

Compulsion by law is also an exception to each of the restrictions listed above. However, even if FATCA and the Dodd-Frank Act are laws that compel the relevant customer information to be reported (which we doubt), there would be a significant risk in relying on this to authorise disclosure to the US regulators and trade repositories. This is because it is not clear that the exception applies where the compulsion is under a foreign law.

Despite this, because of the issues associated with obtaining consent, compulsion by law is still the best solution to complying with reporting obligations under US legislation and Australian privacy laws. What is required to implement this solution is an Australian law that compels disclosure.

It is important that Australian financial institutions start lobbying the government now to create such a law before the commencement of FATCA and the Dodd-Frank Act. This could be done as part of submissions on the government’s proposal to impose reporting obligations on over-the-counter derivatives.

To minimise the compliance burden on Australian financial institutions, it will also be important to ensure that the information to be reported under Australian legislation is consistent with reporting obligations under foreign laws and, if possible, that reporting under the Australian legislation satisfies reporting obligations under those foreign laws. This could be achieved by way of an intergovernmental agreement with the relevant foreign jurisdiction, similar to that being proposed between the IRS and several European countries for the purposes of FATCA.