Tax treaties are usually positive or benign. The protocol amending the multilateral Convention on Mutual Administrative Assistance in Tax Matters, currently being considered for ratification by the United States senate, is being marketed by the Obama Treasury, the Organization for Economic Cooperation and Development (OECD) and tax officials in various national governments as just another tax treaty. It is nothing of the sort.

The protocol is part of a new information sharing regime that is being promoted by the OECD which will lead to substantially more transnational identity theft, crime, industrial espionage, financial fraud and the suppression of political opponents and religious or ethnic minorities by authoritarian and corrupt governments. The OECD regime has four parts: (1) the amended multilateral Convention on Mutual Administrative Assistance in Tax Matters (the Protocol), (2) the Competent Authority Agreement on Automatic Exchange of Financial Account Information, (3) the OECD Standard for Automatic Exchange of Financial Account Information in Tax Matters and (4) the OECD Base Erosion and Profit Sharing (BEPS) project.

The Obama administration has endorsed the protocol and the OECD standard but has not yet signed the Competent Authority Agreement. Given the administration’s strong support for automatic information sharing for tax purposes, it is probable that it will sign the Competent Authority Agreement and present it to the senate for ratification if the protocol is ratified.

The contemplated new international tax information sharing regime would result in the routine automatic sharing of bulk taxpayer information among governments worldwide, including many that are hostile to Western liberal democracies, corrupt or have inadequate data safeguards. The OECD initiatives will create a rich source of sensitive financial information, scattered in databases around the world, held by corrupt governments or governments with inadequate safeguards, to be hacked by or sold to criminals or hostile governments. Moreover, they will add another layer to the already voluminous compliance requirements imposed on financial institutions and have a disproportionately adverse impact on small banks and broker-dealers.

The protocol, the Competent Authority Agreement and OECD Standard would commit all participating government to provide to other participating foreign governments — regularly, automatically and in bulk — the private tax, banking, brokerage account and insurance information of almost all foreign individuals or businesses. In addition, both multinational business and businesses that export are at heightened risk given the information production requirements in the OECD BEPS project action item number 13 which would enable foreign governments to demand unprecedented information from domestic companies relating to transfer pricing documentation. The most serious overall risk, however, is to foreigners who have accounts in the West who are the political opponents of authoritarian governments or members of persecuted religious or ethnic minorities. It is virtually certain that financial information about these dissidents, opposition groups and minorities will be used inappropriately by authoritarian governments.

Perhaps the greatest difference between the amended convention and the original is that the amended convention is open to all countries not just those that are members of the OECD or the Council of Europe as was the case with the original convention. Seventy-two governments participate in the automatic information exchange protocol (the Amended Convention). Others (including the U.S.) participate in the original multilateral information sharing convention which does not require automatic information exchange.

Participating governments include China, Russia, Nigeria, Kazakhstan, Indonesia, Argentina, Colombia and other governments that are either hostile to the Western democracies or corrupt or both.
Many persons are disturbed by the recent hacks of the federal Office of Personnel Management (OPM), the U.S. Internal Revenue Service (IRS) and private databases. There is strong evidence that the Chinese and Russian governments are behind many of these database penetrations. But under the OECD information sharing regime, they will no longer need to hack Western governments or companies to get some of the sensitive information obtained in the hacks. Western governments will have already simply given them the information.

The U.S. Treasury Department is cognizant that the new information sharing regime raises serious confidentiality issues. But its assurances that we shouldn’t worry, the IRS will protect us are of little comfort given the recent IRS track record of abusing taxpayer information itself and of being unable to protect its own databases.

Even assuming, however, that various national tax agencies are serious and diligent in their efforts to protect private information and willing to terminate information sharing with a non-compliant foreign government, there is very little reason to believe they have the means to detect internal government transfers of data from, for example, the Russian or Chinese tax agencies to other Russian or Chinese government agencies such as the Federal Security Service of the Russian Federation (FSB) or the Chinese Ministry of State Security. The idea that the Russian, Chinese and other tax authorities will not share the information with their intelligence services, other government agencies and businesses (whether state-owned or private) is extraordinarily naïve. It is also naïve to think that Western governments will be able to detect this intragovernmental transfer of data between foreign government agencies.

Moreover, even making the heroic assumption that the participating governments will all operate in good faith and seek to protect rather than unlawfully use or disseminate the information received on businesses and individuals, there is little reason to believe that many of these governments’ data protection methods are as good as those of technologically advanced Western governments. Western governments, even with their resources and technology, have proven unable to protect the collected information. Developing countries such as Nigeria, Kazakhstan, Indonesia, Argentina or Colombia will not have sophisticated breach prevention technologies and information technology personnel. Thus, there is every reason to believe that the databases of bulk taxpayer information created in compliance with the protocol will be successfully hacked.

The protocol will enable authoritarian governments to abuse the information obtained to suppress dissidents, political opponents or disfavored ethnic or religious minorities. These governments will know precisely who has financial resources outside of the country and where. It will also aid corrupt governments, corrupt officials within those governments or criminal organizations to whom they sell the database information to engage in identity theft, industrial espionage or the identification of kidnapping or extortion targets.

Article 6 of the amended convention requires automatic information exchange only in the case of mutual agreement. Thus, although the protocol itself lays the groundwork for automatic information exchange, it is the subsequent agreement made by the U.S. and other countries with the G20 endorsement of the OECD Standard for Automatic Exchange of Financial Account Information in Tax Matters and the multilateral Competent Authority Agreement that actually implement the automatic exchange of information contemplated by the protocol.

The protocol also provides that exchanged information may be used for criminal tax purposes without the need of the prosecuting government to receive clearance from the government providing the information. This raises the potential for abuse. Authoritarian governments have often abused Interpol red notices. Since even the IRS has used uneven enforcement of the tax laws to influence the political process, there is little doubt that unaccountable foreign governments will use tax enforcement as an additional means to oppress opponents.

The OECD Common Reporting Standard provides for governments to annually and automatically collect and exchange with other participating governments bulk financial account information — such as balances, interest, dividends, investments and proceeds from sales of financial assets. It covers accounts held by individuals and entities, including businesses, trusts and foundations. Not only banks but broker-dealers, investment funds and insurance companies are required to report.

The OECD Standard has two parts. First, the CRS, contains the reporting and due diligence rules that will impose still another compliance burden on financial institutions. There are no exemptions for small financial institutions. The CRS rules run hundreds of pages long and add to the voluminous existing tax information reporting, “know your customer” and anti-money laundering provisions that financial institutions must currently comply with. Second, the model Competent Authority Agreement contains the detailed rules on the exchange of information. The financial information to be reported with respect to “reportable accounts” includes all types of investment income (including interest, dividends, income from certain insurance contracts and other similar types of income) plus information about account balances, investments and proceeds from the sale of financial assets. The financial institutions that are required to report under the CRS include not only banks and custodians but also other financial institutions such as brokers, investment funds and insurance companies. Reportable accounts include accounts held by individuals and entities (which includes trusts and foundations). The Standard includes a requirement to look through passive entities to report on the individuals that ultimately control these entities. The CRS also imposes due diligence procedures that must be followed by financial institutions to identify reportable accounts.

Under Competent Authority Agreement, this all become mandatory and automatic. It commits participating governments to automatic information exchange and it incorporates by reference the OECD CRS, which can and will be changed by OECD bureaucrats without any additional action required by the U.S. Senate or, for that matter, any other government.

In general, individuals should control who has access to information about their personal or financial lives. Individuals should be free to lead their life unmolested and unsurveilled unless there is a reasonable suspicion that they have committed or may commit a crime. Any information sharing regime needs to include serious safeguards to protect the privacy of individuals and businesses and should be directed at preventing terrorism, crime and fraud.

Financial privacy can be the difference between an opposition group in a country with an authoritarian government surviving or being systematically suppressed. Many dissident and human rights groups maintain accounts outside of the country where they are active for precisely this reason. Similarly, business people who are opposed to an authoritarian government will often maintain financial resources beyond the reach of that government. Financial privacy can help prevent corrupt officials from abusing their trust by selling information for purposes of identity theft, identifying kidnapping victims or financial fraud.

Financial privacy is the instrument citizens can use to protect themselves from corrupt or authoritarian governments or criminals working independently or in league with governments or government officials. Financial privacy can allow people to protect their life savings when a government confiscates its citizens’ wealth, whether for political, ethnic, religious or “merely” economic reasons. Businesses need to protect their private financial information, intellectual property and trade secrets from competitors to remain profitable. Financial privacy, in short, is of deep and abiding importance to freedom because many governments have shown themselves willing to routinely abuse private financial information.

The OECD initiatives put private financial information around the world at risk. They create a rich source of sensitive financial information, scattered in databases around the world, held by corrupt governments or governments with inadequate safeguards, to be hacked by or sold to criminals or governments hostile to Western human rights norms. That this information will be abused, there is no reasonable doubt. Thus, it is clear that the OECD initiatives will harm people around the world in serious, tangible and irreparable ways.