
What Does FATCA Mean for Data and IT?

FATCA (the Foreign Account Tax Compliance Act) is a US law that comes into effect on 1st January 2013. It affects all financial institutions worldwide which manage US investments or have US citizens as clients; for the purposes of FATCA, non-US financial institutions are Foreign Financial Institutions (FFIs). FATCA permits the US to apply 30% withholding tax on any payments by US institutions to FFIs which do not cooperate with FATCA, either through non-participation or non-compliance. In short, it is in the interests of almost all financial institutions worldwide to register for FATCA participation.

FATCA has enormous legal and technical implications for the data handling processes and IT systems in financial institutions.


Data Protection

Registration for FATCA means that the FFI commits to pass data to the US Internal Revenue Service (IRS) about all payments made to US citizens, or to withhold 30% tax on behalf of the IRS from recalcitrant account holders, these being customers who fail to provide the information the FFI needs for its FATCA compliance. The IRS is thus passing on to all financial institutions a duty to gather data from their customers to establish whether they are potential US taxpayers or not, and to pass information about those potential taxpayers, including whatever payments have been made to them, to the US government.

This raises an interesting and complex problem for all EU institutions and any other institutions resident in countries where the law requires compliance with the EU Data Protection Directive.

US data protection law is much weaker than EU data protection law. As a consequence it is normally unlawful for any EU organisation to pass personal data (information about a living person) to a US organisation unless the EU institution has registered its need and purpose for doing so with its national data protection regulator, the regulator has accepted that registration, and the data subjects have been made aware that their data may be passed to US-based organisations for specific purposes (in this case to the US government for tax compliance). Unless each of these conditions has been met, it will be unlawful for an EU-based FFI to comply (or even register) with FATCA. Very simply, for many EU financial institutions registration with FATCA as a compliant FFI will mean breaking EU law unless they have their data protection and data in order, including having gained specific consent from their customers to pass data to the US government for the purpose of FATCA compliance.

In some EU countries the financial services industry has attempted to broker a national arrangement with its national government such that the government is the conduit passing personal information to the US authorities, thereby allowing the financial institutions to bypass their data protection obligations. This will not work: national governments within the EU have no more right to violate the EU Data Protection Directive than the financial institutions do. Some governments have apparently discussed an agreement to act as a data conduit for financial institutions based on one of the few get-outs in the directive, namely that the data is for taxation purposes. This approach will generally fail, as the permitted exceptions to the Data Protection Directive normally apply to requirements of national law or to national obligations under international treaties, whereas FATCA requires that the institution registers and is compliant, not the nation state. FATCA does not address, and imposes no obligations upon, nation states.

What all this comes down to is fairly simple. Financial institutions must comply with FATCA if they handle US investments or have US taxpayers as (ultimate) customers. FATCA compliance will require financial institutions to breach EU data protection law unless they have made adequate preparations. As a minimum these preparations will include a KYC (Know Your Customer) process which clearly identifies, for each and every customer, whether they are or are not likely to be a US taxpayer; gaining the permission of all candidate US taxpayers to pass their personal data to the US IRS; and registering this data collection and processing with the national data protection regulator. In addition to achieving this compliance for FATCA registration, financial institutions will also need to introduce processes which ensure that appropriate KYC and data processing permission is gained for all new customers as they are taken on in the future. For the purposes of their annual declarations to the US IRS, institutions will also need to be able to report all payments made to each US taxpayer, while avoiding reporting any payments or personal data about non-US taxpayers.

It is also conceivable, though not explicit, that it may in future be necessary to gain permission from non-US citizens and taxpayers to pass their information to the US authorities, in order to evidence that funds received from US institutions are not being paid to US taxpayers.

Information About Payments

As an aside, a separate and equally massive problem arises from FATCA without any obvious data protection implications. Institutions will need to know the source and purpose of payments: whether money comes from a US source, and whether it represents a taxable payment or not, for example whether it is the proceeds from the sale of an asset, income, or a “passthru” payment to another financial institution. They will need to be able to deduct the 30% withholding tax on behalf of the IRS as appropriate, and they will need to be capable of passing the source and purpose of payments on to other financial institutions for their own FATCA compliance purposes. This will require institutions to collect, process and supply data which they have never previously needed and for which their systems are not equipped, meaning that most financial institutions will need to enhance or replace their transaction handling systems to achieve FATCA compliance.


The data protection and IT systems implications of FATCA are enormous. FATCA has crept in under the radar for many institutions, but ultimately all financial institutions are going to have to decide whether they are to be FATCA compliant, with all the additional process and systems it implies, or not. In the latter case they will exclude themselves from having any US taxpayers as customers, and from receiving any payments from the US unless they are prepared to accept those payments minus 30% withholding tax.

FATCA has the potential to create a new data and IT burden upon financial institutions which will make the Millennium Bug, Sarbanes-Oxley compliance and other recent regulatory demands seem trivial by comparison. All financial institutions should be preparing now, either to create systems and processes that are FATCA compliant, or to shed all involvement with US customers and US-sourced money.

This “heads-up” briefing is far from comprehensive; it merely scratches the surface of the data and IT implications of FATCA, but it should help the reader to understand that FATCA is a massive IT issue, and that it needs to be acted upon now.



If you would like to discuss the data and IT implications of FATCA with one of our consultants, please call us on 07624 319477 or email us. We can assist you in reviewing your current situation and readiness, and in planning and implementing your project to achieve FATCA compliance.
