FATCA and compliance under Japanese data privacy laws
May 2013 | PROFESSIONAL INSIGHT | DATA MANAGEMENT
Financier Worldwide Magazine
On 17 January 2013, the US Treasury Department issued final regulations implementing the US Foreign Account Tax Compliance Act of 2010 (FATCA), a statute principally designed to reduce offshore tax evasion by ‘US persons’ (a defined term that includes not only citizens or residents of the United States, but a US corporation or partnership, any estate other than a foreign estate, or a trust with a nexus to the United States) by requiring the reporting of various information about US persons to the US Internal Revenue Service.
FATCA will apply to a broad range of companies conducting business in Japan, even companies that do not operate purely in the financial or investment arenas. Thus, understanding the interplay of FATCA’s extraterritorial requirements with Japanese data privacy laws is essential for companies conducting business in Japan (even those that are subsidiaries of non-Japanese companies) to ensure that penalties are not triggered and Japanese laws are not breached when such companies conduct business with US persons in Japan.
What is FATCA?
In general, FATCA requires a ‘foreign financial institution’ (which includes non-US banks, brokerage houses, hedge funds and private equity funds, trust companies, and insurance companies that offer certain products (FFIs)) to either: (i) comply with local law requirements that implement an inter-governmental agreement specifically entered into with respect to FATCA between its home country and the United States; or (ii) enter into a reporting and withholding agreement directly with the US Internal Revenue Service. The foregoing reporting and withholding agreement will require an FFI to implement complex customer identification procedures and, if a US person is identified, the FFI will be required to send to the US Internal Revenue Service information regarding such person’s name, tax identification number/social security number, account balance, and withdrawal/receipt history.
If there is no relevant inter-governmental agreement in place and an FFI has not entered into an IRS reporting and withholding agreement, then the FFI will be subject to a 30 percent withholding on certain payments it receives.
Balancing Japanese data privacy laws and FATCA compliance
An FFI operating in Japan needs to balance the disclosure restrictions under Japanese data privacy laws against FATCA’s reporting requirements in order to avoid breaching Japanese laws when disclosing customer data to third-persons. Japanese data privacy requirements arise from Japanese legislation and Japanese case law.
Japanese legislation. Japan’s Act on the Protection of Personal Information (the ‘Japan Privacy Act’) is the principal Japanese statute that impacts the legality of an FFI disclosing customer information to a third-person. Under the Japan Privacy Act, a ‘business operator’ is prohibited from disclosing ‘personal information’ to a third-person (which includes a Japanese and a non-Japanese governmental authority) without the prior written consent of the individual to whom the personal information relates (subject to certain exceptions).
Having a clear understanding of the following defined terms is key to comprehending the all-encompassing scope and application of the Japan Privacy Act. Firstly, a ‘business operator’ is defined under the Japan Privacy Act as an entity that handles, for its business, one or more databases that in the aggregate contains or has contained within the past six months personal information relating to more than 5000 individuals. As companies normally archive information pursuant to information retention policies and the 5000 individual threshold relates to any individual (i.e., not only customers, but personal information concerning employees, suppliers, business partners or anyone else who interacts with the subject institution), the 5000 individual threshold is often easily met by most companies conducting business in Japan.
Secondly, ‘personal information’ is defined broadly under the Japan Privacy Act to mean information about a living individual that can identify that specific individual by name, date of birth or other similar information. Personal information also includes information that on its face would seem not to specifically identify an individual but could lead to the discovery of personal information about a living individual (e.g., disclosing which zodiac animal in the Chinese traditional calendar applies to a person, or a person’s year of graduation from high school or college).
Absent an exception, an FFI that is also a ‘business operator’ in Japan would breach the Japan Privacy Act if it discloses to the US Internal Revenue Service the information stipulated under FATCA.
Japanese case law. The Supreme Court of Japan ruled in December 2007 that financial institutions conducting business in Japan owe a special duty of confidentiality to their customers with respect to information concerning customer transactions and customer credibility. The Court did not elaborate on the scope of ‘customer transactions and customer credibility’, which makes it difficult to advise on the limits of the Court’s holding. Thus, a financial institution in Japan should tread carefully and refrain from disclosing most forms of customer information without obtaining the prior written consent of the customer (subject to certain exceptions).
Piercing Japanese data privacy requirements
There are exceptions to the information disclosure barriers under the Japan Privacy Act and Japanese case law, including the following.
JapanPrivacy Act. A ‘business operator’ can disclose ‘personal information’ to a third-person without violating the Japan Privacy Act if the disclosure of such information is: (i) required under Japanese law; or (ii) necessary for cooperation with a Japanese national or local governmental agency.
Japanese case law. The Supreme Court of Japan has held that a financial institution can provide a third-person with customer information without violating its duty of confidentiality if it has ‘good reason’ to make such disclosure. It is generally believed that a financial institution has ‘good reason’ if disclosure is: (i) required under Japanese law (e.g., disclosure is permitted under the Japan Privacy Act); or (ii) necessary to protect the rights or interests of the financial institution (e.g., when the financial institution is involved in litigation with a customer).
Customer consent and mandated disclosure to a local governmental agency can provide a safe passage through the disclosure barriers under both the Japan Privacy Act and Japanese case law.
Customer consent. If an account holder executes a written consent permitting the processing and transferring of his/her personal data to a third-party or a waiver of his/her Japanese data privacy rights in favour of an FFI, such consent or waiver should be enforceable under Japanese law if it is in writing, stated in clear unequivocal language, and prepared in the native language of the account holder (most likely English under the circumstances). Generally speaking, a single consent or waiver should be sufficient for ongoing/multiple transfers of personal information about an account holder, so long as the document clearly stipulates as such.
Mandated government disclosure. A Japanese legal requirement that an FFI provide a Japanese governmental agency with the personal data of an account holder can serve as an effective route to bypass the personal information disclosure roadblocks under both the Japan Privacy Act and Japanese case law. Once the personal information is disclosed to the Japanese governmental agency, then the data could be transferred overseas by the agency without the consent of the account holder. An inter-government agreement, therefore, between Japan and the United States would need to exist to effect such pass-thru disclosure.
The makings of an inter-governmental agreement between Japan and the United States
The Japanese and US governments issued a joint statement on 21 June 2012 concerning their pursuit of a FATCA inter-governmental agreement. The joint statement seeks to establish a framework to facilitate the implementation of FATCA by requesting that FFIs in Japan: (i) register with the US Internal Revenue Service; and (ii) conduct due diligence on its customer base to identify the accounts of US persons, and report annually to the US Internal Revenue Service the US account information required for FATCA compliance (e.g., the account holder’s name, tax identification number/social security number, account balance, and withdrawal/receipt history) of those US account holders who consent to the reporting, and the aggregate number and aggregate value of accounts held by US persons who fail to consent or fail to provide the information required for FATCA compliance.
The framework for the inter-governmental agreement envisages that, by requests made by the US authority (most likely the US Internal Revenue Service), the receiving Japanese authority (most likely the National Tax Agency of Japan) would obtain the requested additional information from the identified FFI in Japan and the agency would transfer the information to the requesting US authority pursuant to the US-Japan tax treaty. The framework for the inter-governmental agreement further envisages that FFIs in Japan would not be required to: (i) terminate the accounts of account holders who fail to consent or provide the information required for FATCA compliance; or (ii) impose a 30 percent withholding on pass-thru payments to FFIs in Japan or certain account holders.
Practitioners are carefully watching the development of the FATCA inter-governmental agreement between Japan and the United States. Should FATCA’s withholding obligation come into effect before the adoption of an inter-governmental agreement, then an FFI in Japan may find itself between a rock and a hard place as there would be no Japanese legal grounds for an FFI to close a customer’s account or terminate a contractual agreement simply because the customer fails to consent or fails to provide the information needed for the FFI’s FATCA compliance.
Stephen D. Bohrer is a foreign law partner and Tsuyoshi Ito is a partner at Nishimura & Asahi. Mr Bohrer can be contacted on +81 3 5562 8648 or by email: email@example.com. Mr Ito can be contacted on +81 52 533 2591or by email: firstname.lastname@example.org.
© Financier Worldwide
Stephen D. Bohrer and Tsuyoshi Ito
Nishimura & Asahi