On 16 December 2014, Curaçao and the U.S. signed an intergovernmental agreement (“Curaçao-IGA”) setting out the information reporting and withholding requirements applicable to banks and other financial institutions resident in Curaçao (“FI’s”) under the Foreign Account Tax Compliance Act (“FATCA”). By virtue of the Curaçao-IGA, FI’s will be required to report certain information about their U.S. account holders (“FATCA-Information”) to the tax authorities in Curaçao (“Tax Authorities”), which will then share that information with the U.S. Internal Revenue Service (the “IRS”).
It may be challenging for FI’s to comply with both the information reporting requirements of FATCA and the requirements of the Curaçao Data Protection Act (“DPA”) and requirements under possible contractual client confidentiality arrangements. In this client memorandum we discuss the data protection and contractual client confidentiality issues FI’s should overcome in order to be able to comply with the Curaçao-IGA.
1. Background of FATCA and Curaçao IGA
FATCA is a U.S. law aimed to combat tax evasion by U.S. citizens using offshore banking facilities. Generally speaking FATCA requires non-U.S. financial institutions to enter into an agreement (“FATCA-Agreement”) with the IRS, by virtue whereof such financial institutions must perform due diligence procedures to determine whether its accountholders are (or in certain cases owned by) specified U.S. persons, report certain information about such accountholders to the IRS and act as withholding agent in certain cases. A non-U.S. financial institution who refuses to enter into a FATCA-Agreement will become subject to a 30% withholding tax on so-called “Withholdable Payments” it receives, which include U.S. source payments of interest, dividends, royalties, and other U.S. source fixed or determinable annual or periodical gains, profits and income.
To facilitate an efficient implementation of FATCA, the U.S. government has developed and entered into so-called intergovernmental agreements with various jurisdictions. On 16 December 2014, Curaçao and the U.S. signed the Curaçao-IGA setting out the information reporting and withholding requirements applicable to FI’s under FATCA. The Curaçao-IGA eliminates the need for FI’s to enter into FATCA-Agreements with the IRS separately. Based on the Curaçao-IGA, FI’s will be required to report certain information about their U.S. account holders to the Tax Authorities, which will then share that information with the IRS. The Curaçao-IGA, is a so-called model 1 A IGA which means that the exchange of information is reciprocal.
2. Relevant data protection restrictions in Curaçao
The DPA imposes obligations and restrictions on so-called data controllers, such as FI’s, that carry out processing activities in respect of personal data.
- Processing is defined broadly in the DPA. Disclosing personal data to the Tax Authorities will fall under the scope of processing.
- Personal data is defined in the DPA as “any information relating to an identified or identifiable natural person”. Much of the FATCA-Information to be reported to the Tax Authorities will constitute personal data (e.g. the name, address and U.S. taxpayer identification number of the accountholder).
- A data controller is the person who (alone or jointly with others) determines the purposes for which and the manner in which personal data are processed. FI’s disclosing data to the Tax Authorities would be data controllers in respect of the FATCA-Information disclosed.
The DPA sets out some rules and principles with which data controllers should comply. Some of these rules and principles are relevant to FATCA compliance.
Fair processing of personal data
The DPA requires data controllers (i.e. FI’s) to be transparent about their reasons for obtaining personal data, and ensure that what they do with that data is in line with the reasonable expectations of the individuals concerned. Personal data should be obtained for only one or more specified and lawful purposes and shall not be further processed in any matter incompatible with that purpose or purposes. The DPA therefore requires controllers to notify their data subjects about the purposes for which personal data are to be processed (“Fair Processing Notice”).
Prior to disclosing FATCA-Information to the Tax Authorities, FI’s should in principle provide a Fair Processing Notice to their customers. There are certain exemptions by virtue whereof it will be possible to disclose personal data to a third party without providing a Fair Processing Notice to the data subject. In the context of disclosing of FATCA-Information to the Tax Authorities in Curaçao, only the exemption where the disclosure is required to comply with a legal obligation to which a controller is subject may be relevant.
We note however that it is doubtful whether currently legislation is in place which obliges FI’s to disclose FATCA Information to the IRS, via the Tax Authorities. We are also not aware of any announcements concerning the drafting of relevant implementing legislation. If no legal basis is present under Curaçao law to comply with the obligations under the Curaçao-IGA, FI’s will, for purposes of the DPA, not have any legal basis in place to disclose FATCA-Information to the Tax Authorities.
Transfer of personal data outside the Kingdom of the Netherlands
The DPA restricts the transfer of personal data outside the Kingdom of the Netherlands, unless the destination country ensures an adequate level of protection for the rights of the data subject in relation to the processing of personal data. The DPA does not lay down rules for determining whether the protection afforded by a country outside the Kingdom of the Netherlands is adequate. This means that FI’s themselves should assess (against the relevant rules and principles of the DPA) whether applicable legislation in the U.S. ensures an adequate level of protection for the rights of the data subject in relation to the processing of personal data.
Ensuring lawfulness; customer consent
In the absence of (a) relevant legislation which legitimises the disclosure of FATCA-Information to the Tax Authorities and also provides measures to adequately protect the data transferred to the IRS or (b) legal certainty that the U.S. ensures an adequate level of protection, it may not be possible for FI’s to lawfully disclose FATCA-Information to the Tax Authorities without the unambiguous consent from their customers. For purposes of the DPA, “consent of a data subject means”, any freely given, specific and informed expression of will whereby data subjects agree to the processing of data relating to them. In view of the sanctions to be imposed (i.e. 30% withholding tax or closure of their account) if customers fail to give their consent, customers may have no other options than to comply with the FI’s request. There however may occur legal discussions between FI’s and their customers on the question whether consent would then be “freely given” as defined in the DPA. The “consent” route may therefore not be a feasible option.
3. Contractual client confidentiality issues
FI’s may (through their general terms and conditions) be subject to contractual client confidentiality arrangements with their customers, which will only allow them to disclose information of their customers (such as FATCA-Information) to a third party, if they are required by law to disclose this information. It will therefore be challenging for FI’s to comply with their contractual client confidentiality arrangements, prior to implementation of legislation in Curaçao which would oblige FI’s to disclose FATCA-Information to the IRS via the Tax Authorities.
To conclude, FATCA gives rise to a number of issues which FI’s need to address. FI’s may need to review (and in some cases amend) existing general terms and conditions in relation to their customers. Furthermore, legal difficulties are likely to present themselves to FI’s as they try to meet the requirements under the Curaçao-IGA.