Information & Ethics Committee on April 14th, 2016

There is an administrative threshold of $50,000 Canadian in aggregate, I believe, from all accounts—chequing, savings, and so on. If somebody were below that threshold, the bank would have the option not to transmit the information.

The threshold I'm familiar with is $50,000.

I'm not sure I have an answer to the question. We'll take it back and then try to get you a written response.

Merci, monsieur le président.

Ladies and gentlemen of the committee, thank you for inviting me to provide my views on certain aspects of the tax information exchange agreement between the Canada Revenue Agency and the IRS in the United States.

The minister explained a little about the legal framework under which this transfer is made. I do not want to repeat what she said, except to remind you that there are two important documents in this matter. We have an intergovernmental agreement, an agreement between the two governments, and we have the provisions of the Income Tax Act that were passed in 2014.

Under the IGA, the Canadian government agrees to collect certain information on accounts held by Americans in Canadian financial institutions and report that information to the United States.

This happens in two steps. First the Income Tax Act sets out requirements for Canadian financial institutions to report information with respect to those accounts to the CRA. In turn, the CRA shares this information with the IRS. The IGA is reciprocal in that the CRA also receives information from the IRS.

In previous appearances before Parliament on FATCA, my office has recognized the long-established practice of information-sharing between nations for purposes of taxation enforcement. For example, the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital, which lays the foundation to exchange information under the IGA, was signed in 1980. In more recent years, there have been international efforts by the OECD for the automatic exchange of tax information. However, we also conveyed our expectations that information-sharing activities be undertaken in a way that respects privacy rights of individuals. This holds true both for the CRA and for financial institutions

As we said in our appearance on Bill C-31, which amended the Income Tax Act, as well as in our review of the privacy impact assessment submitted to us by the CRA, we expect there to be limits to the collection, use, and disclosure of personal information, defined retention periods, and appropriate safeguards. For example, all parties involved must limit the collection of personal information to what is necessary and not collect data elements that are not required. This applies not only to the CRA, but also to reporting institutions governed by PIPEDA.

The use and disclosure of personal information must likewise be limited. The IGA specifically notes that information received under the IGA is subject to protections provided for under the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital, which limit the use and disclosure to only the collection, administration and enforcement of taxes.

With respect to retention, as we understand it, the CRA retains its records for seven years, which is consistent with CRA's retention of individual returns.

With respect to safeguards, we note that the IGA states that exchanges are subject to confidentiality and protections under the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital. The convention mentions that information received shall be treated as secret in the same manner as information obtained under the taxation laws of that state.

The CRA is expected to protect personal information from unauthorized uses and disclosures of personal information, especially considering the sensitivity of financial information and the reasonable expectation of individuals that it generally be kept confidential.

My office received a privacy impact assessment from the CRA in August 2015.

We are pleased that the CRA has adopted all our recommendations: first, reducing its retention period from 11 to seven years; second, educating financial reporting institutions to guard against the risk of over-collection; third, committing to safeguarding information, including the use of specific measures to mitigate risks identified through its threat risk assessment; fourth, updating the privacy impact assessment to reflect all proposed uses and disclosures of personal information and ensuring that these are strictly limited to purposes of tax administration.

While my office acknowledges the need to combat tax evasion, it is important for the enabling legislation to be clear in the obligations it imposes on all reporting entities, including the CRA and organizations that have FATCA reporting obligations, such as financial institutions.

For example, the IGA states that unless a reporting institution elects otherwise, accounts under certain thresholds, such as deposit accounts under $50,000—U.S., I believe, although perhaps Canadian—are not required to be reviewed, identified, or reported. However, part XVIII of the Income Tax Act seems to require reporting on all U.S. reportable accounts unless the financial institution specifically designates an account to not be a U.S. reportable account. This leads to a concern: given the apparent discretionary nature of the threshold exemptions, it may not be clear when accounts under $50,000 will be reported to the CRA.

My office has written to the CRA with follow-up questions following their response to our earlier comments of December 2015. These questions included the number of accounts under $50,000 U.S. they have received and transferred, clarification on how threshold exemptions are applied, clarification with regard to the level of review the CRA performs on records that are transferred to the IRS, and notification of how many records it received from the IRS about Canadian persons. We've also requested clarification as to why the first round of records sent to the IRS was larger than originally estimated.

In conclusion, FATCA reporting requirements are an example of co-operation among states on tax enforcement. In that respect, FATCA is neither unusual nor objectionable. That said, privacy principles have to be respected and provide balance in the implementation of the arrangement. The IGA and implementing legislation create legal effects vis-à-vis privacy law by creating an obligation to share information without the consent of the individual under the Privacy Act or PIPEDA, the private sector legislation.

There's also some lack of clarity around questions on reporting threshold exemptions. To this extent, we are again following up with the CRA. We wrote to them earlier this week on these issues as part of our privacy impact assessment review process. Protecting the privacy rights of individuals and advising on improving protections under information-sharing agreements are key parts of my mandate. Given that Parliament has chosen to pass implementing legislation to support FATCA reporting requirements, we continue to strongly recommend that these obligations not be over-broadly applied but appropriately balanced against privacy rights.

I'll be glad to take your questions.

The short answer is yes. I would start from the fact that agreements between states to avoid tax evasion are obviously desirable and necessary. A certain amount of information will have to be shared between states to prevent tax evasion. However, the type of information, the clarity of the criteria for sharing of information, the measures that should be taken to guard against privacy breaches—all of these are the privacy conditions under which what is a reasonable agreement in principle would properly balance tax information purposes and privacy purposes.

Here, the threshold is presumably an accommodation that Canada was able to negotiate with the U.S. government in terms of exemptions to reporting, so the threshold of $50,000 exists. However, point one is that it's not clear how it's applied. There seems to be a discrepancy, in that the IGA, according to our reading, appears to say accounts under $50,000 need not be transferred, while the Canadian federal Income Tax Act seems to require that all accounts be provided except as determined by the reporting institutions.

Therefore, how firm the $50,000 threshold is and how it's applied is not clear. That leads to ambiguity and the risk of over-reporting of information.

Do you mean sent from or to other states?

Under this arrangement, the information that is sent to another state is sent to the U.S. There may be other arrangements whereby Canada sends tax information to other states in order to gain reciprocity. In terms of the information sent to other states, the guarantees are the guarantees that would be offered by the CRA, I would assume.

In terms of the adequacy of the information received by Canada from other states, the official from the CRA told you that this information is then checked to determine whether or not—and the answer may be not—there's a tax assessment against the Canadian. As to what kind of information the CRA receives in return from the U.S., or, to your question, potentially from other states, that's a question we've actually asked of the CRA: what kind of information do you receive, and is there over-collection of information in relation to tax agreements that Canada may have with either the U.S. or other states?

We don't have that information at this point, but it's a question we have asked of the CRA: what measures do you take to ensure that the information you receive in return from other states is not over-collection?

There are no formal international rules on these questions. All institutions, public and private, have an interest. To the extent that there's legislation in these countries and in the countries you have mentioned, there are legal requirements to protect information. It's a question of the legal regime that's in place. In the U.S. there are provisions that require institutions to protect information properly.

It certainly could be part of an agreement between Canada and another state to ensure that once the data is sent to the other state, it is properly safeguarded. It's a question of either national laws or potentially the content of an agreement reached between Canada and another state.

The sequence of the correspondence is that the CRA sent us their privacy impact assessment in August of 2015, and we responded in December. They adjusted their rules about two weeks ago. We received that letter two weeks ago, and we wrote earlier this week to ask these questions. Among the questions are clarification around accounts below $50,000.

On the other point you were mentioning, when we were having earlier discussions with the CRA on their estimate of how many accounts would be sent by Canada to the U.S. under this regime, the estimate of the CRA was for slightly under 100,000 records. The number of records actually transferred was more in the order of 150,000, so we have no way of knowing what are the reasons for this and whether they're accurate, legitimate, or incorrect. Among the questions of clarification, we've asked them to please explain why their estimate did not turn out to be true—was it simply because they were underestimating, or are there other reasons to explain the difference between their estimate and what actually happened in practice?

Yes.