The Information Commissioner’s Office (ICO) website includes a list of non-EEA countries that the European Commission has determined have an adequate level of protection for personal data. The (short) list includes countries such as the Faroe Islands and Uruguay but the US is conspicuous by its absence.

However based upon a previous European Commission Decision (2000/520), personal data sent to the US under the voluntary ‘Safe Harbor’ scheme is adequately protected. To fall within this, US firms have to (a) sign up to the Safe Harbor arrangement under which it agrees to follow the principles of data handling and (b) be held responsible for keeping those principles by the Federal Trade Commission (or other oversight scheme).

The ‘Safe Harbor Privacy Principles’ and FAQs can be found in Annexes I and II of the Decision. Note from Annex III (‘Section 5 Exceptions’) that certain companies such as US financial institutions are not covered by the Safe Harbor scheme – a list of companies that have signed up to the regime is available on the US Department of Commerce’s website.

On 6 October a press release by the Court of Justice of the European Union (CJEU) declared that Decision 2000/520 was invalid.

In practical terms, not being able to rely on ‘Safe Harbor’ is not the same as being unable to transmit personal data to the US and indeed the message from the ICO (in both an official statement and blog) is ‘don’t panic’. Firms that have relied on ‘Safe Harbor’ when transferring personal data to the US should refer to the ICO guidance on Principle 8 – which includes European Commission model contractual clauses and the assessment of adequacy of protection – and the stand-alone ‘ICO Assessing Adequacy’ guidance. Affected firms may take comfort from the ICO blog (from the Deputy Commissioner and Director of Data Protection) that “We’re certainly not rushing to use our enforcement powers. There’s no new and immediate threat to individuals’ personal data that’s suddenly arisen that we need to act quickly to prevent”.

The post Personal Data: US Safe Harbor first appeared on Complyport - Your Trusted Partner in Governance, Risk, Compliance & Technology .

• The OECD’s Common Reporting Standards (CRS)
• The Directive on Administrative Cooperation (DAC) (2011/16) which implements the CRS in the EU
• The UK’s FATCA Agreement with the US

The effect will be to place obligations on financial institutions to exchange information on reportable accounts to other jurisdictions.

The concept will already be familiar to firms subject to HMRC’s FATCA obligations as well as the defined terms (CRS pages 29 and on) such as ‘Financial Institution’, ‘Reporting Financial Institution’, ‘Reportable Account’ etc.  Having said that, a UK entity should in the first instance refer to SI 2015/878 for clarification of due diligence requirements, meaning of a reportable account etc, albeit that they will be referred back to the various agreements above.

With around 90  participating jurisdictions for the purposes of the CRS (see Schedule 1 of SI 2015/878) the agreement stretches further afield than the US (FATCA) and the EU (DAC) e.g. countries such Brunei Darussalam, Cayman Islands and Korea are CRS participants.

Aside from the existing FATCA requirements, the Regulations in respect of the DAC and the CRS have effect from 1 January 2016 in that the first reporting year for the latter two is the calendar year of 2016 (with a reporting deadline of 31 May in the following year).

HMRC has produced (draft) Guidance Notes (AEIM – Automatic Exchange of Information Manual) on the exchange of financial account information.  HMRC has also updated its FATCA Guidance Notes, although sections of it have been incorporated into the AEIM.  The table commencing on page 179 of the FATCA Guidance sets out what, and what hasn’t, been incorporated.

The post Common Reporting Standards: FATCA first appeared on Complyport - Your Trusted Partner in Governance, Risk, Compliance & Technology .

The current (August 2014) HMRC Guidance – e.g. see page 72 – advises that Reporting Financial Institutions with no Reportable Accounts are required to submit nil returns to HMRC. However, earlier this month HMRC clarified that those UK financial institutions that do not have any US reportable accounts will not have to submit nil returns.  Having said that, where the nil return position is as a result of application of the de minimis $50,000 threshold election (see section 5.1 of the Guidance – the de minimis is $250,00 for Cash Value Insurance Contracts or Annuity Contracts) then a return will still have to be submitted in order to make the election.

Elsewhere we are informed that holding companies and relevant treasury companies are no longer defined as financial institutions.

Revised HMRC Guidance is expected later this year.

The post FATCA Nil Returns first appeared on Complyport - Your Trusted Partner in Governance, Risk, Compliance & Technology .

Strictly speaking, as far as UK firms are concerned, the Guidance Notes relate to the UK Regulations SI 2013/1962 which in turn give effect to the UK/US Agreement under which relevant UK Financial Institutions will report to HMRC and not to the US Internal Revenue Service. Having said that, reporting firms will still need to obtain a GIIN (‘Global Intermediary Identification Number’) which is issued when a firm completes its registration on the IRS Portal.

As a reminder, the reporting of relevant Specified US Persons (and Specified US Controlling Persons) for 2014 needs to be completed by 31 May 2015. The reportable data will gradually increase over the following two years and firms may find the reporting timetable in section 9.3 of the Guidance Notes useful.

The next update of the Guidance Notes will be published in August 2014.

The post FATCA first appeared on Complyport - Your Trusted Partner in Governance, Risk, Compliance & Technology .