FATCA reporting system leaves taxpayer data vulnerable

After years of upheaval in the financial sector, taxpayer confusion, and widespread international angst, the IRS has finally unveiled its FATCA registration and reporting system. The system is known as IDES, or the International Data Exchange Service, and claims to provide “a secure web application … to transmit FATCA data directly to the IRS.”

Given the sensitive nature of the data involved, security is of paramount importance. Unfortunately, the track record of the U.S. government and the IRS suggests individual taxpayer data will be extremely vulnerable.

At issue is FATCA’s requirement that banks essentially spy on their U.S. customers and report a wide variety of detailed information to the IRS. The reporting requirements create multiple new sources of vulnerability for individual financial data thanks to the government’s inability to keep its technology up to date, the incompetence of its personnel, and the tendency of IRS bureaucrats to abuse their positions to punish political opponents.

Poor government record on cybersecurity

When it comes to cybersecurity, the record of the U.S. government can only be described as atrocious. Consider just a few recent events.

In 2012, sensitive infrastructure data on the nation’s 85,000 dams was taken from an Army Corps of Engineers database. A National Weather Service employee with ties to the Chinese government was later indicted for downloading restricted information that intelligence officials warn could be used to maximize the loss of life and property in a hypothetical attack on American infrastructure.

The next year, the Emergency Alert System was hacked and used to warn Americans of a zombie outbreak. Stations in several states interrupted programming to report that, “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living.”

The month after that, in a particularly ironic twist, the web server of the National Institute of Standards and Technology, which hosts the government’s database of known software vulnerabilities, was itself exploited by a vulnerability and taken out of service for several days.

All told, there have been breaches of sensitive information from systems at the Departments of Defense, State, Justice, Labor, Energy, Commerce, and Homeland Security, as well as NASA, the EPA, the FDA, the Commodity Futures Trading Commission, and the Federal Reserve. And those are just the ones publicly reported.

Despite significant increases in federal spending on cybersecurity, the rate of breaches has grown each of the last 8 years for which data is available, increasing an incredible 1,012 percent from 5,503 incidents in 2006 to 61,214 in 2013. During this time the share of breaches exposing personal data has also grown, with an average of almost 40 percent of reported cybersecurity failures potentially exposing private data to outside groups.

The IRS itself has been accused by government watchdogs of having serious vulnerabilities, and of moving too slowly to fix them.

Every year since 2008, the Government Accounting Office has identified 100 cybersecurity weaknesses at the agency. Specifically, the IRS has been faulted for routinely failing to encrypt data or for using weak methods for doing so, allowing greater access to data than workers require to perform their duties, permitting user passwords that are easily guessed, and being dangerously slow to install crucial software updates and security patches.

This record alone is enough to question the ability of the IRS to secure and protect the sheer breadth of financial records it will receive due to FATCA, but serious concerns are already being raised about IDES’ specific security protocols.

The system’s rules for encryption recommend use of Electronic Codebook (ECB) as its encryption mode. ECB is widely faulted by cryptography experts as being incredibly weak: it encrypts each block independently with the same key, so identical plaintext blocks produce identical ciphertext blocks and patterns in the data are not hidden. Upon discovering the IDES recommendation of ECB in its protocols, prominent security expert Bruce Schneier incredulously asked, “Are they serious?”

Apparently they are not about protecting taxpayer information.
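The ECB weakness described above can be checked rather than taken on trust. The following is an added example, not code from the IDES specification or from the article’s author: it encrypts a constructed FATCA-style record under ECB and under CBC and runs a simple audit check that counts repeated ciphertext blocks. A small Feistel permutation built on HMAC stands in for AES so the script needs only the Python standard library; the pattern leakage it shows depends only on the mode, not on the cipher.

```python
import hashlib
import hmac
BLOCK = 16  # block size in bytes, same as AES

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the toy Feistel block cipher below.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Four-round Feistel permutation standing in for AES so the example needs only the
    # standard library. NOT a real cipher; what follows depends only on the mode.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, rnd, right)))
    return left + right

def _pad(data: bytes) -> bytes:
    # PKCS#7 padding to a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: each block is encrypted on its own, so equal plaintext blocks give equal ciphertext.
    data = _pad(data)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block first.
    data = _pad(data)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return iv + b"".join(out)

def duplicate_block_ratio(ciphertext: bytes) -> float:
    # Audit check: share of ciphertext blocks that repeat an earlier one (~0.0 for a sound mode).
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return 1 - len(set(blocks)) / len(blocks)

# Constructed sample (not real data): eight 16-byte report lines repeating one
# account number, the kind of structure a FATCA record carries.
SAMPLE_REPORT = b"ACCT=0001234567\n" * 8
KEY = b"demo-key-not-a-real-secret"
IV = bytes(range(16))  # fixed only so the run is reproducible; use a random IV in practice

def compare_modes() -> dict:
    return {"ecb": duplicate_block_ratio(ecb_encrypt(KEY, SAMPLE_REPORT)),
            "cbc": duplicate_block_ratio(cbc_encrypt(KEY, IV, SAMPLE_REPORT))}
```

Under ECB eight of the nine ciphertext blocks are identical, exposing which lines of the report carry the same account, while under CBC no block repeats; the same check can be run over any encrypted file an institution is about to submit.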

The human element may be worse

Cyber attacks are not the only threat to the private financial data collected by FATCA. Even greater danger may lurk in the form of IRS employees. Even the most secure system won’t provide sufficient protections if the IRS itself abuses the information it receives. There’s strong reason to suspect that will happen, as the IRS has in recent years engaged in numerous activities that either violate privacy rights or represent flagrant abuses of power.

For instance, the agency for years has been embroiled in scandal surrounding accusations that Tea Party and conservative groups were targeted for special attention.

During the course of the targeting investigation, emails revealed that donor lists from nonprofit groups were obtained as part of a “secret research project” conducted by a top IRS official. Two individuals involved in both the targeting and the secret project – Lois Lerner and David Fish – also had their hard drives containing tens of thousands of emails mysteriously crash.

When emails between the two were later recovered, one was reported to say, “No one will ever believe that both your hard drive and mine crashed within a week of each other.” They got that right.

The IRS initially claimed that the data on the drives was irretrievably destroyed because backup tapes did not exist, but it took only two weeks for outside investigators to find them. The Inspector General’s (IG) office conducting the investigation reported that the IT staff responsible for the tapes claimed IRS officials had never even asked for them. The IRS clearly believes itself beyond the law or legal oversight.

In another case, the IRS last year admitted wrongdoing and agreed to pay $50,000 in damages for the 2008 leak to a gay rights group of the National Organization for Marriage’s tax return. The leak included the names of the organization’s major donors, among them then-presidential candidate Mitt Romney, who was also likely the leak’s true target.

And in further demonstration of the contempt with which the IRS treats the rules and its responsibilities, a recent IG report revealed that the IRS rehired hundreds of employees in recent years who had previously engaged in misconduct, including some who had improperly accessed taxpayer data.

Given this lax attitude toward preserving taxpayer privacy, it came as little surprise when another IG report last year revealed an identity theft ring operating out of an IRS office. The employees in that case were prosecuted and convicted, but how many such abuses are never caught thanks to the mismanagement and indifference of top IRS officials to the abuse of taxpayers is anyone’s guess.


Thanks to FATCA the IRS will have at its disposal more private taxpayer information than ever before. Institutions required to report on their clients owe it to them to demand the highest security for their data, security there is little reason to believe the IRS is willing or capable of providing.

These vulnerabilities don’t even account for the IGA nations where FATCA data will first be transmitted to local governments before the IRS, which could increase the risks exponentially. FATCA, in other words, is a privacy nightmare.

For all the trouble FATCA has caused during the implementation process alone, the worst may be yet to come. To make matters worse, it looks like just a warm-up to the OECD’s more ambitious plans for global tax information exchange.

Michael Klein