Bank confidentiality has regularly come into the spotlight over the last few years. The most recent episodes centre around the efforts made by the United States, Germany, the UK and other countries to obtain details of undeclared income earned by their citizens from investments held outside the country. Banks located in Switzerland and Liechtenstein have come under particular scrutiny in this area.
But the protection of government revenues is not the only reason for seeking access to financial details which, otherwise, would remain confidential. All countries would wish to track funds which are destined for use in terrorist activity, and thus to choke off its lifeblood. For understandable reasons, the United States has demonstrated particular zeal in this area.
These measures create tensions between, on the one hand, the government's right to maximise its revenues and to empower its law enforcement agencies and, on the other, the individual's right to privacy for his personal and financial affairs. These tensions create legal difficulties even when they arise in a purely domestic arena. But the conflicts can become acute where they arise – as they frequently do – in a cross-border context. In such a case, the government's right to raise revenue, to detect crime and to seek information in support of those objectives will be governed by its national law (say, US law), whilst the taxpayer will enjoy a right to confidentiality under the law (say, Swiss law) of the country in which the relevant account is held. How are these direct conflicts of laws and governmental interests to be resolved? What principles are available to resolve international problems of this kind?
Overview of recent developments
The last two years have seen a number of issues revolving around taxation, bank confidentiality and the alleged use of tax havens for the purpose of tax evasion by wealthy individuals.
These have been preceded in recent years by attempts by the UK authorities to trace undeclared income held in foreign accounts, and a programme initiated by the US Treasury to track international payments through a worldwide information system, with a view to identifying and confiscating terrorist funds. It appears that the payment details revealed by the US Treasury programme would have principally involved EU and other non-US citizens.
As so often in cases of this kind, the purely legal issues tend to be overtaken by both the weight and the pace of the political debate, and the diplomatic tensions which may arise between the countries concerned. In the case of the US, for example, the terrorist investigation programme was held to outweigh any considerations of confidentiality and data privacy in relation to the individuals whose payment details were officially viewed. In the light of 9/11 and the attacks on the World Trade Centre and other targets, it is perhaps unsurprising that public opinion fell behind this approach when the existence of the hitherto secret programme was disclosed by the New York Times. Yet, as will be seen, the EU adopted an equal and opposite approach to data privacy.
Likewise, the recent attack by a US Senate sub-committee on the activities of foreign banks has focused on the need to ensure that tax evasion by the wealthy does not impose unfair burdens on ordinary, decent, hard-working Americans.
As a result, the political agenda tends to overshadow the legal framework. Nevertheless, there is a legal framework and it is of particular importance to the financial institutions involved. It is true that, in some cases, institutions have been accused of positive wrongdoing but, leaving that aside, it is important to remember that the banks concerned are caught in the middle of a dispute which is not their direct concern. The real dispute arises between the foreign government concerned and its own national or resident, who is allegedly delinquent in declaring his own income and paying his own taxes. The bank is involved to the extent that it holds, or may hold, assets or information relevant to the customer's tax liability, but that information will be impressed with a duty of confidentiality. How then does the bank deal with a disclosure request from a foreign government?
These are complex issues and, in order to address them, this briefing is arranged as follows:
first of all, the general laws on bank confidentiality will be considered;
secondly, the competing disclosure obligations will be outlined;
thirdly, the US experience will be described;
fourthly, the action taken in the United Kingdom will be considered; and
finally, a few comments will be made about the current situation.
Laws on bank confidentiality
The detail of laws on bank confidentiality will obviously vary from country to country. But there are, in essence, two models.
First of all, many common law countries follow the 1923 decision of the English Court of Appeal in Tournier v National Provincial and Union Bank of England. That case establishes that a bank must maintain the confidentiality of all information derived from the banker–customer relationship, unless:
disclosure is required by law;
disclosure is required to protect the bank's interests (e.g. in issuing proceedings to recover an overdraft);
disclosure is in the public interest (e.g. as in the case of major international frauds); or
the customer has consented to disclosure.
This rule takes effect as an implied term of the banker–customer contract, with the result that a breach of the duty gives rise to a claim for damages, but no criminal offence is involved.
In contrast, other countries adopt a statutory approach to the subject. A few examples may suffice.
In Switzerland, disclosure of secret information relating to a bank customer is a criminal offence under Article 47 of the Federal Law on Banks and Savings Banks. Financial penalties apply, and a period of up to six months' imprisonment may be imposed in more serious cases.
Section 47 of the Banking Act of Singapore prohibits the disclosure of customer information except in accordance with a legal requirement or certain other instances. Breach of the provision may attract financial penalties and, in the case of individual bank officers, a prison term of up to three years.
In the Cayman Islands, the Confidential Relationships (Preservation) Law 1995 criminalises the improper disclosure of information, but provides for exceptions and allows for an application to court.
So, some countries regard bank secrecy as a purely contractual matter giving rise only to civil claims as between the parties, whilst others elevate it to the level of public policy, making it part of the criminal law regime. Bankers working under the latter type of system will naturally have greater cause for concern over lapses in confidentiality.
Whilst purporting to protect bank confidentiality, many countries also boast an array of powers to compel banks to disclose account information about their customers.
Historically, many of these laws related to taxation or the investigation of serious fraud. As already noted, they have in more recent times been extended to the tracking of terrorist funds. But, obviously, confidentiality laws in force in one jurisdiction may come into direct conflict with disclosure laws in another. These problems are not new, but every government has a duty to uphold its national laws. Conflicts of this kind therefore tend to have a highly political dimension, and disagreements are often debated in a highly charged atmosphere. How can these difficulties be resolved in practice?
The US experience
The most recent and high profile disputes in this area have arisen in the United States, which has something of a reputation for aggressive assertion of extra-territorial jurisdiction.
Historically, US courts have been prepared to issue disclosure orders against branches of foreign banks in the United States even though (i) the relevant documents are held outside the country at another branch, (ii) the US branch is unconnected with the subject matter and (iii) the US branch has no power to compel production by the foreign branch concerned. The US Supreme Court has decided that the power to issue such orders is not constrained by treaties which regulate the international gathering of evidence (the Aerospatiale case, 1987).
In the taxation context, the United States has continued its battle at both a political and a legal level. Following its hearing on 17 July 2008, the US Senate's Permanent Subcommittee on Investigations released a Staff Report entitled "Tax Haven Banks and US Tax Compliance". The Report is critical of the activities of US residents who allegedly used the services of banks in Switzerland and Liechtenstein to evade taxes, avoid creditors and defy court orders. Those residents were said to be taking advantage of secrecy laws in those countries to shelter their income.
Recommendations of the Report include:
where tax haven banks refuse to disclose details of accounts held by US customers, they should be barred from doing business with US financial institutions. The Patriot Act – passed in the wake of the 9/11 attacks – should be amended to allow the US Treasury to take action of this kind; and
Congress should enact the Stop Tax Haven Abuse Act, introduced by Senators Levin, Coleman and Obama in February 2007. That Act would create a presumption that a US taxpayer who forms an entity in an offshore tax haven or who sends/receives assets from such a jurisdiction is liable for income tax on those assets. It would then be for the taxpayer to refute that assumption.
Matters have also proceeded down a judicial path. On 30 June 2008, the Government of the United States filed a petition with the US District Court for the Southern District of Florida, seeking disclosure of details of US clients of the Swiss bank who held accounts with the bank in Switzerland and for whom appropriate US tax documentation had not been filed. Although the summons was of an administrative nature, the approval of the District Court is required for the service of such a document where the identity of the taxpayer is unknown. The court approved service of the summons and it is understood that the US and Swiss governments have been negotiating over the terms of its execution. At all events, this represents the first attempt ever made by the US to overcome Swiss banking secrecy to obtain details of foreign accounts held by US clients.
At this point, of course, it becomes necessary to consider how the relevant information can be removed from Switzerland, bearing in mind the stringent banking secrecy law which has already been described. A spokesman for the Swiss bank indicated that Swiss bank secrecy may not apply where a foreign government is investigating tax fraud and a request for the relevant information is presented to the Swiss authorities.
Yet matters may not be quite so straightforward. The Swiss authorities may communicate otherwise confidential information to a foreign requesting authority:
for administrative purposes, where the information is to be used for the purposes of banking or financial market supervision. However, such information is provided to the foreign authority on the explicit understanding that it will not be passed to any tax authority; and
for the purposes of a criminal investigation, pursuant to a Swiss law on international co-operation in such matters (loi fédérale sur l'entraide internationale en matière pénale). Even if criminal proceedings are contemplated, however, the matter must come before the Swiss courts to sanction co-operation, and it is by no means certain that they would do so. According to the Senate Report, the Swiss banker who provided documents and information to the Senate Subcommittee was in possession of that material some two years after he left the bank. It is at least possible – although by no means certain – that (i) the individual concerned was in possession of, and released, that material in contravention of the Swiss banking law and (ii) it would be contrary to public policy for the Swiss courts to assist a foreign investigation founded on documents obtained in contravention of local law. In this context, it may be noted that the Swiss Federal Tribunal recently refused to order the disclosure of account information at the request of the Russian government, on the grounds that (i) the assistance was required for the purposes of proceedings in which accepted international standards for a fair trial would not be met, and (ii) it would be contrary to Swiss public policy to assist in such a case. A certain degree of assessment and appreciation is therefore involved.
It may be, therefore, that a few further legal hurdles will have to be overcome before Swiss account information can be handed over to US authorities. It may be added that:
the Swiss tax authorities already have the right to demand information from Swiss banks when investigating a deliberate tax fraud; and
under Article 4 of the USA-Switzerland Treaty on Mutual Assistance in Criminal Matters, it must use the same powers if it seeks to obtain information at the request of the USA.
It is true that the Mutual Assistance Treaty only applies in criminal matters and allows Switzerland to refuse to co-operate with a request if this would be "… likely to prejudice its sovereignty, security or similar essential interest …" and that the exchange of correspondence which accompanies the treaty states that the provision of secret bank information might "… in exceptional circumstances …" prejudice Switzerland's essential interest. However, given the diplomatic strains already created by this dispute, it is perhaps unlikely that Switzerland will seek to resist disclosure on these grounds.
The difficulties posed by extra-territoriality have also become apparent as a result of an anti-terrorist finance programme implemented by the United States.
The Society for Worldwide Financial Telecommunications ("SWIFT") provides a secure messaging service for banks in the wholesale market. SWIFT is a co-operative organisation owned by its user banks. Its Head Office is based in Belgium, but the nature of its business means that it has offices in many countries. It is not itself a financial institution and thus is not subject to the specific confidentiality rules applicable to banks. Nevertheless, and as might be expected, users of SWIFT are themselves subject to such obligations and are sensitive to questions of privacy. As a result, SWIFT's contractual documentation includes obligations of secrecy and its published materials include a data protection policy.
Following 9/11, the US implemented a Terrorist Finance Tracking Programme, whose objectives require no further explanation. In furtherance of that programme, the Treasury issued subpoenas to SWIFT requiring access to messaging information. Although much of this information will have related to transactions executed abroad, the necessary details would have been accessible from computer terminals at SWIFT agencies within the United States. To this extent, it may be said that the subpoenas did not involve any exercise of extra-territorial jurisdiction at all, although, as will be seen, that proposition was disputed by the European Commission.
At all events, whilst SWIFT had to comply with the subpoenas, it did seek to preserve confidentiality as far as it could. It negotiated safeguards such as independent auditing of the disclosure process and a prohibition against the transmission of information to other governmental agencies.
The existence of the subpoenas remained confidential until June 2006, when the New York Times elected to publish details of SWIFT's co-operation with the US Treasury. The reaction was immediate. Within the United States, the newspaper was condemned for publicising the programme and, hence, prejudicing US national security. The EU, by contrast, condemned SWIFT for releasing information to the US authorities in breach of the EU Data Protection Directive and without adequate safeguards.
The nature and sensitivity of the subject matter created a heated debate. A resolution of the EU Parliament referred to "… the climate of deteriorating respect for privacy and data protection … engendered by US anti-terrorism measures…". It also noted that the relevant information could be used for "… large-scale forms of economic and industrial espionage…" and deplored "… any secret operations on EU territory that affects the privacy of EU citizens…". From there, both the Belgian Data Protection Agency and the EU's Data Protection Working Party published reports to the effect that the transfer of data from the EU to the US constituted a breach of the EU Directive.
As between the US and the EU, the matter was ultimately resolved by an agreement dealing with the protection and handling of the information, and the appointment of an EU "eminent person" to oversee the process.
The UK experience
The UK revenue authorities have also taken an interest in offshore accounts in recent years.
In 2006, they obtained permission to serve notices on Barclays Bank to provide information relating to accounts held by UK residents with offshore subsidiaries. The notices were given on the basis that:
Barclays in the UK processed information on behalf of its offshore subsidiaries; and
that information was therefore within the "possession or power" of Barclays within the UK. This was so even though very few people had the necessary access codes.
The disclosure of such information to the UK tax authorities would, of course, have placed the offshore subsidiaries in breach of their duty of confidentiality to the customer. That obligation would be governed by the law of the relevant offshore centre, and could thus not be varied or discharged by an order taking effect under English law.
It is regrettable that, in deciding to sanction the issue of the notice, the Special Commissioner merely noted the bank's argument that "… it is a crime under the operative laws in some foreign jurisdictions in which it operates to disclose documents relating to the accounts in that jurisdiction. I have no information about the operative law in those jurisdictions and, in any case, it is not obvious to me that such law is relevant to a notice given to a UK company to make available documents situated within the UK…". Yet a disclosure notice may not be sanctioned if compliance would be “onerous” and it must be at least arguable that an order requiring disclosure of information protected by foreign confidentiality laws should not be made. It is therefore unfortunate that this point did not receive more detailed attention.
Since that case, the revenue authorities have issued further notices against other banks and, with the aid of amnesty arrangements, claim to have recovered significant amounts of tax on previously undisclosed income.
Nevertheless the "possession or power" test does raise various questions in this context. For example:
in the absence of actual data processing in the UK, to what extent is documentation held at a foreign branch or subsidiary within the "possession or power" of the UK head office? Can it be required to produce such documents even though they are not readily available or accessible within the UK?
if a director of an offshore subsidiary is resident in the UK, can he be compelled to produce documentation from that subsidiary on the basis that all directors have access to the books and records of the company, and that such materials are thus within his "possession or power"?
The current position
It is clear that the conflict between confidentiality and disclosure and conflicting national interests will continue.
Given that confidentiality is in the nature of a private or personal right and that disclosure may be seen as a matter of public interest transparency to uncover terrorist financing and tax evasion, it seems that disclosure is winning the argument at present and that this is likely to continue for the foreseeable future. As noted above, it appears that Switzerland is to cooperate with US tax investigations. Equally, Liechtenstein is examining ways of shedding the “tax haven” label, although it will not renounce bank secrecy. Future court decisions in the field of bank confidentiality will no doubt take into account this changed political climate.
Yet the pendulum may swing back at a later date if it is found that personal data is unnecessarily placed at risk. As always, the challenge will be to find a balance between the two competing interests, and to adopt a proportionate approach.