Enhanced Financial Account Information Reporting

Privacy Impact Assessment (PIA) summary - Individual Returns Directorate, Assessment, Benefit, and Service Branch and International and Large Business Directorate, Compliance Programs Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government officials responsible for the PIA

Frank Vermaeten
Assistant Commissioner, Assessment, Benefit, and Service Branch

and

Richard Montroy
Assistant Commissioner, Compliance Programs Branch

Head of the government institution or delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Individual Returns and Payment Processing and International and Large Business 

Description of the class of record and personal information bank

Standard or institution-specific class of record:

• Individual Returns and  Payment Processing Program (CRA ABSB 217) 
• Competent Authority Program Administration (CRA ILBIB 261) - previously (CRA CPB 261)

Standard or institution-specific personal information bank:

• Individual Returns and Payment Processing (CRA PPU 005)
• Competent Authority Program Administration (CRA PPU 085)

Legal authority for program or activity

• Canada–United States Enhanced Tax Information Exchange Agreement Implementation Act
• Part XVIII of the Income Tax Act 

Summary of the project / initiative / change

In 2010, the United States of America enacted the Foreign Account Tax Compliance Act (FATCA). This act was created to protect the U.S tax base by preventing the use of offshore accounts to evade tax. The FATCA does this by requiring non-American financial institutions to enter into an agreement with the U.S. Internal Revenue Service and report on all accounts held by U.S. persons and non-U.S. entities (passive and non-financial entities) controlled by one or more U.S. persons. Under the FATCA, a U.S. person includes the following:

• a citizen or resident of the United States
• a U.S. entity (for example, a corporation, trust, or partnership)

If a non-U.S. financial institution does not comply with the FATCA, payers making certain payments of sourced income to the non-compliant financial institution would have to withhold 30% of the payment. The 30% FATCA withholding tax can also be levied on account holders at a compliant non-U.S. Financial Institutions, who fail to provide documentation as to whether they are U.S. persons, and on non-U.S. entities that fail to identify its U.S. controlling persons.

In July 2012, the United States issued a model agreement called a Model 1 reciprocal agreement (Model 1 IGA). Under the Model 1 IGA, a partner country agrees to impose obligations on its financial institutions to identify the financial accounts of U.S. persons, as well as non-U.S. entities with U.S. controlling persons and report certain information on these accounts to the partner’s tax authority. The partner’s tax authority then sends that information to the U.S. Internal Revenue Service. In return, the United States agrees to not apply the FATCA to the financial institutions operating in the partner country. The United States also agrees to collect and provide certain information to the partner country on financial accounts held by residents of that country at U.S financial institutions.

On February 5, 2014, Canada and the United States signed an agreement based on the Model 1 IGA (the Canada–U. S. IGA). Canada and the United States agreed to automatically and annually exchange certain information under Article XXVII (Exchange of Information) of the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital.

Risk identification and categorization

A) Type of program or activity

Compliance/regulatory investigations and enforcement

Level of risk to privacy: 3

Details: Implementing legislation (the Canada–United States Enhanced Tax Information Exchange Agreement Implementation Act and Part XVIII of the Income Tax Act) for the Canada-U.S. IGA was stated in Part 5 of Bill C-31. That bill received royal assent on June 19, 2014, and became law on June 27 of that year. The provisions of the legislation are generally effective as of July 1, 2014. Under the new Part XVIII of the Income Tax Act, Canadian financial institutions each year have to file an annual Part XVIII information return with the Canada Revenue Agency (CRA) to report information about financial accounts held by U.S. persons and by non-U.S. entities that are controlled by one or more U.S. persons.

Using the Part XVIII information returns, each year the CRA will collect from financial institutions, personal information related to financial accounts. The CRA will transmit this information annually to the Internal Revenue Service.

Each year, the CRA will receive from the Internal Revenue Service, personal information related to financial accounts held at U.S. financial institutions. The CRA will store the information collected on the Part XVIII information returns and the information received from the Internal Revenue Service. The usual compliance activities for information returns will apply to the Part XVIII information returns. The compliance work that has been done for information previously received from the Internal Revenue Service will be done for the information received electronically from that organization. Uses for the data will be evident in other program level privacy impact assessments.

B) Type of personal information involved and context

Personal information—including identity data such as social insurance number and address—and financial information about accounts.

Level of risk to privacy: 3

Details: Name, address, Canadian tax identification number (for example, social insurance number and business number) and U.S. tax identification number, account number, account balance/value, interest, dividends and other income paid or credited to the account, amount of sales/redemption proceeds paid or credited to the account, and other amounts paid or credited to the account holder regarding the account

C) Program or activity partners and private sector involvement

Private-sector organizations, international organizations or foreign governments

Level of risk to privacy: 4

Details:

Southbound - For each financial account held at a Canadian financial institution by a U.S. person or a non-U.S. entity with one or more U.S. controlling persons, the information will be collected by the institution and reported to the CRA, who in turn will transmit the information to the Internal Revenue Service.

Northbound - For each financial account held by a Canadian resident at a U.S. financial institution, the information will be collected by the Internal Revenue Service and sent then transmitted to the CRA.

D) Duration of the program or activity

Indefinite

Level of risk to privacy: 3

Details: This is a new program with no end date.

E) Program population

The program affects certain individuals (U.S. residents or citizens) for administrative purposes external to Canada.

Level of risk to privacy: 3

Details:

Southbound - The program will affect U.S. persons and non-U.S. entities with U.S. controlling persons, who hold financial accounts at financial institutions operating in Canada.

Northbound - The program will affect Canadian residents who hold financial accounts at financial institutions operating in the United States.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software, or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection, or handling of personal information?

Risk to privacy: Yes

Does the new or modified program or activity require any modifications to established information technology systems or services?

Risk to privacy: Yes

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods – This includes biometric technology (for example, facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, and radio frequency identification), as well as easy-pass technology, new identification cards, including magnetic stripe cards and smart cards—identification cards that are embedded with an antenna or a contact pad that is connected to a microprocessor and a memory chip or a memory chip with non-programmable logic.

Risk to privacy: No

Details: N/A

Use of surveillance – This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, radio frequency identification, surreptitious surveillance/interception, and computer-aided monitoring that includes audit trails, satellite surveillance, etc.

Risk to privacy: No

Details: This initiative does not involve the use of surveillance on the program population.

However, as part of CRA security programs, CRA employees who will have access to personal taxpayer information will be monitored by the use of the Online Audit Tracking System. This system records information such as user logon ID, date and time of logon, logout, user location, terminal identity, and name and ID of client records accessed including edits or changes made during each user session.

The information is used to verify that only an authorized user accesses personal information and to make sure access can be linked to the user to support the investigation of suspected or alleged misuse.

Every time CRA employees log onto their computers, a notice pops up requiring them to acknowledge their awareness that all access to CRA networks is monitored and that access is on a need-to-know basis. This information is described in the standard personal information bank Electronic Network Monitoring Logs PSU 905.

Use of automated personal information analysis, personal information matching, and knowledge discovery techniques – Regarding the directive on the privacy impact assessment, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify, or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, and knowledge discovery, as well as information filtering and analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns, and to predict behaviour.

Risk to privacy: Yes

Details:

Southbound - A data-matching process will be used to verify the accuracy of filers (Canadian financial institutions) against a reliable source within the CRA:

• Filer identification data (a business number) will be validated with the business number database. This validation is similarly performed on other information returns.
• The provision of identification numbers is required under the Income Tax Act and the Canada–U. S. IGA. A data-matching process will be used to make sure Part XVIII information returns are filed under a valid account number (business number).
• The information (tax identification number and name) provided by Canadian financial institutions to identify account holders will not be validated at the CRA.
• The CRA performs compliance work on information returns using identification numbers (for example, social insurance numbers) in its matching program.

Northbound - Information received from the IRS is referred to CRA special compliance program areas (such as Offshore Compliance) or reviewed in the Competent Authority Services Division. In the latter scenario, the data is manually worked (including manually matching the data to information on hand) and where potential is identified, the case is then referred to the appropriate CRA compliance areas such as Headquarters, specialized audit areas, or the related tax services office.

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

Details: Filers can use two services, available on the CRA website, to file their Part XVIII information returns. One service is Internet File Transfer. Filers can use this to send their return in an XML format. The other service is Web Forms. Filers can use this to manually create and file their return. Electronically submitted returns are processed and stored on the CRA’s InfoDec mainframe database.

Southbound - Financial institutions will send Part XVIII information returns in XML format on the Internet with the use of the CRA’s Internet File Transfer or Web Forms services. These services are now used by financial institutions to file other information returns. Through an automated process, this data will then be stored in the InfoDec Returns master database. However, there is no direct connectivity between the Internet application and the database on the mainframe.

Neither the business process nor the new application allows for taking data and storing it on a universal serial bus (USB) device.

Northbound - The information received from the Internal Revenue Service will be in XML format and sent through an encrypted channel using the same tools as in the southbound information flow.

H) Risk impact to the individual or employee

Details: If personal information is compromised it could cause financial harm and embarrassment to an individual

I) Risk impact to the institution

Details: If this information is accidentally or deliberately disclosed or compromised, it could cause the CRA embarrassment, as well as the loss of credibility and public trust.