All the recent compliance headlines in the financial services sector, at least in the UK and Europe, have been about Solvency II, Basel III and MiFID II. A regulation that has been largely overlooked by the IT industry (except by Trillium, which has just announced the Trillium FATCA Compliance Data Assessment service) is FATCA.
FATCA (the Foreign Account Tax Compliance Act) is a US law that comes into effect on 1st January 2013. It is designed to ensure that US citizens who hold assets abroad pay the relevant taxes. So, suppose I lived in Boston (Massachusetts, not Lincolnshire) and had an account with a UK-based bank, through which I held various investments. Today, I might be able to get away with not paying US tax on any profit I made from these investments. FATCA has been designed to ensure that this will not be possible in future.
FATCA applies both to US financial institutions that have any dealings overseas and to so-called foreign financial institutions: USFIs and FFIs respectively. These include banks, insurance companies, alternative investment companies, private equity companies, hedge funds and so on, and (subject to there being some level of non-US interaction) any financial company that either has US citizens as customers or holds US assets.
FFIs can register either as participating or as non-participating. Non-participation means that you are effectively opting out. However, if you do this, or if you are a participating company and fail to comply with the regulations, then the US tax authorities will apply a 30% withholding tax against any sales of US assets. Moreover, this is applied not to profits but to revenue, so you could sell a stock at a loss and still have the 30% deducted. It is difficult to imagine any company with significant US business not wanting both to participate and to comply.
If you decide to participate, then you must be able to recognise which of your clients are US citizens, and you will be required to provide relevant information about those clients. You must also have processes in place to recognise whether or not new clients are American. The same is true if you formally decide not to participate: you will need to demonstrate that you have procedures in place to recognise whether new clients are American and, therefore, to reject them as clients.
Unfortunately, the requirement for participating FFIs to provide relevant information about their US clients will fly in the face of the data protection laws of a number of countries. Where this is the case, the FFI will need to obtain a waiver from each of its clients confirming that this information can be passed to the IRS, or it will need to close that account.
Needless to say, there are significant data governance implications in supporting FATCA, whether you are a USFI or an FFI. You will need to know which clients are US citizens; ensure that they have signed a waiver, where relevant; have procedures for identifying whether or not new clients are US citizens; and have processes that ensure that only information about US citizens is provided upon request, so that you do not break data protection laws by inadvertently sending information about non-US citizens. You will also need to be very clear about your data quality processes and careful about de-duplication and merging of records.
I have to say that this makes me feel a little sorry for financial services companies. In the UK they have only recently had to comply with FSCS regulations, and the insurance sector and banks (those that provide asset management) have to comply with Solvency II, which has the same official start date as FATCA (though it may be delayed). That's a lot to do in a short space of time (not to mention MiFID II and Basel III waiting in the wings). The one consolation is that you need good data governance for all three of these. Those that thought they could get away without seriously addressing data governance for FSCS may now be wishing that they had done it properly the first time.