According to the Markets in Financial Instruments Directive (MiFID), which entered into force on 1 November 2007, banks and investment firms are required to collect a detailed profile of their customers. Most financial institutions collect this information from their customers via detailed questionnaires. In these questionnaires customers provide information on their financial assets, savings, real estate and other property (which may include information on assets held with other banks). This information should allow banks and investment firms to tailor their investment product offers to customers’ needs. The objective is to better protect consumers against investment risks.
In principle, the data provided in these questionnaires is covered by the bank’s secrecy obligations. However, the question was raised whether banks are obliged to share the questionnaires and detailed customer profiles with tax authorities requesting such information as part of a tax audit of individual taxpayers. Confidential customer data could thus be used by the tax authorities against the bank’s customer, even if this data is contained within internal documents which banks hold for their own commercial purposes.
There is a further concern that banks and financial institutions could start using the (mostly sensitive) financial information provided by customers for other business purposes (i.e. purposes not relating to the provision of tailored advice or investment products) such as targeted direct marketing campaigns for other products or services.
These concerns have led to a Parliamentary question to the Minister of Finance (competent in tax matters) and to the Minister of Justice (competent in data protection matters) about the compliance of the MiFID-questionnaires with the Belgian Data Protection Act of 8 December 1992 (questions n° 08/034 of 14 April 2008 and 08/064 of 17 April 2008).
In response to this question, the Minister of Finance has confirmed that the tax authorities (those responsible both for income taxes and VAT) have substantial powers to audit the financial situation of a taxpayer with a view to collecting the correct amount of taxes. Within those powers, the tax authorities can request any person to disclose books or other documents relating to his economic activity, or to reply orally or in writing to information requests. The Minister further explicitly confirmed that the tax authorities are able to request information from banks and financial institutions regarding their customers’ financial assets, including the MiFID-questionnaires. The Minister specified that, unlike the VAT administration, the income tax authorities do not require any specific ministerial authorisation to make such requests.
With regard to the compliance of the MiFID-questionnaire with the Data Protection Act of 8 December 1992, the Minister of Justice simply responded to the Parliamentary question by referring to the general principles laid down in this Act. The Minister pointed out that banks and financial institutions collecting and processing personal customer information within the framework of MiFID are required to comply with these principles. As a consequence, the processing of MiFID-questionnaires will need to remain fair, lawful and restricted to the purposes for which the data was collected. The Minister also referred to the information obligations stipulated by Article 9 of the Data Protection Act which require data controllers to inform data subjects inter alia of the purpose of the processing and of the recipients or categories of recipients of the data.
Banks and other financial institutions will therefore need to make sure that the information notice they provide to customers, together with the MiFID-questionnaire, adequately inform data subjects of the fact that their data may be provided to tax inspectors exercising their investigation powers.
As a general point, a more structured exchange of information (including personal data) between government databases in order to optimise the combat against tax (and social security) fraud seems to be high on the government’s agenda. Initiatives in this field will obviously also be closely monitored from a data protection perspective.