FBAR delinquents and the provision of personal data of third parties to the US government | FATCA

If you are a US citizen living in the EU, you may be a FBAR-delinquent if you don’t file financial information; if you do file you may be violating fundamental rights of third parties. This is explained here.

Extraterritorial US laws
The US is a specialist in extraterritorially working laws, with their tax law / FATCA and sanctions law as the most important examples. These laws are applied and sanctioned with disregard of fundamental principles and human rights [1]. The US tax system is citizen based; American citizens have to file tax returns in the US over their world income [2]. The US government obliges banks all over the world to provide the US tax authority, the IRS, with personal financial data regarding US citizens [3]. In Europe banks provide the data to governments and these governments (usually the tax authorities) transfer the data – in violation of applicable European data protection legislation – to IRS, even after Schrems II [4].

Those US citizens not only have tolerate the exchange of their own personal data between banks & governments and between their government & IRS [5] and that they have to provide IRS directly with financial information.

The great FBAR data leak
Next to that US citizens have to directly supply to the US Financial Crimes Enforcement Network (FinCEN) data of third parties. They every year have to file a form with FinCEN, the so called “FinCEN Form 114, Report of Foreign Bank and Financial Accounts (FBAR)” and have to report third party information:

Signature authority: you have authority to control the disposition of the assets in the account by direct communication with the financial institution maintaining the account.

The US citizen with such signature authority has to report the data of the the owner of these assets/accounts (‘financial accounts’) and information on the these financial accounts outside the US, also when this US citizen has not a financial interest in the account [5]. Examples:

  • If the US citizen has a joint account with his/her partner, the personal data of the partner have to be reported.
  • If the US citizen has signature authority on an account of a family member, personal data (including information on the financial accounts) of the family member have to be reported.
  • If the US citizen is managing director of a Dutch company, the financial accounts of the Dutch company have to reported to FinCEN.

Anyone violating the FBAR-obligations is a ‘FBAR delinquent’ [7] and subject to severe penalties.

I have found no explanation why FinCEN is requesting “Information on Financial Account(s) Where Filer has Signature or Other Authority but No financial Interest in the Account(s)“. It looks like unhealthy interference with other people’s business.

Third party protection by EU law?
The above makes me wonder in what way these third parties are protected against American greediness (and American data leaks like the SolarWind Hack [8]) by European and national EU law [9].


[1] The US has sanctioned two employees of the International Criminal Court, thus grossly violating human rights of these two persons.

[2] The US is the only large country in the world that has not a residence based system of taxation of the world income. As far as I know the only other example of citizen based taxation is Eritrea. Information in Dutch on FATCA and the Accidental Americans. Consequence of the US system is that US citizens are taxed over their world income in their country of residence and also in the US. In theory double taxation laws apply.

[3] The way the US treats foreign banks verges on extortion.

[4] “Schrems II” is the short name for the Court of Justice ruling in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems. In this judgment the EU-US Data Protection Shield was declared invalid. The Court decided that US law does not satisfy fundamental requirements equivalent to those required under EU law, e.g. because US surveillance programs are not limited to what is strictly necessary.
After this judgment the European privacy supervisor EDPS “strongly encourages EUIs to avoid transfers of personal data towards the United States for new processing operations or new contracts with service providers” (press release). EUIs are European institutions. Of course the same applies to national governments.

[5] This data exchange is worrying US expats. Read for instance the correspondence of this attorney with the EU authorities on data protection. Read this list of incidents.

[6] An explanation is given by IRS in Comparison of Form 8938 and FBAR Requirements. In the tax-related Form 8938 the following has to be reported: “If any income, gains, losses, deductions, credits, gross proceeds, or distributions from holding or disposing of the account or asset are or would be required to be reported, included, or otherwise reflected on your income tax return“. Regarding the FinCEN Form 114 the answer to “When do you have an interest in an account or asset?” is: “Financial interest: you are the owner of record or holder of legal title; the owner of record or holder of legal title is your agent or representative; you have a sufficient interest in the entity that is the owner of record or holder of legal title.
Signature authority: you have authority to control the disposition of the assets in the account by direct communication with the financial institution maintaining the account.
See instructions for further details.

[7] Explanation by IRS on Report of Foreign Bank and Financial Accounts (FBAR) and on FBAR delinquents. According to the filing information third party information (“Information on Financial Account(s) Where Filer has Signature or Other Authority but No financial Interest in the Account(s)“)  has to be provided, including:

  • financial institution name;
  • account number or other designation;
  • full name of the third party;
  • taxpayer identification number (TIN) of the third party and TIN type;
  • address of the third party.

[8] It seems that the US government does not have adequate cybersecurity measures, the SolarWinds Hack has hit governmental agencies. Read e.g. Senators Ask IRS Whether Taxpayer Data Hit in SolarWinds Hack, Bloomberg 17 December 2020.

[9] US law is not a legal base for providing personal data under the General Data Protection Regulation (GDPR). Under article 6 GDPR processing may be lawful when it is necessary for compliance with a legal obligation to which the controller is subject, but that only applies to EU law or member state law. Is a US citizen living in Europe who is filing the FinCEN form a ‘controller’ under GDPR?


Addition 5 October 2022
On JDSupra this article appeared: Important Supreme Court Decision will Decide how Non-Willful FBAR Penalties are Calculated. The article ends with:

The overall goal of FBAR penalties is to encourage compliance.  No matter how Bittner is decided this fall, we expect the IRS to not let up its scrutiny of FBAR and international tax issues.  The time is now for noncompliant taxpayers to carefully consider how to return to compliance.

Over Ellen Timmer

Weblog: https://ellentimmer.com/ ||| Microblog: https://mastodon.nl/@ellent ||| Motto: goede bedoelingen rechtvaardigen geen slechte regels
Dit bericht werd geplaatst in Belastingrecht, English - posts in English on this blog, Europa, Financieel recht, onder meer Wft, Wtt, Fraude, witwasbestrijding, Wwft, Grondrechten, ICT, privacy, e-commerce en getagged met , , , , , , , , . Maak dit favoriet permalink.

Geef een reactie

Vul je gegevens in of klik op een icoon om in te loggen.

WordPress.com logo

Je reageert onder je WordPress.com account. Log uit /  Bijwerken )


Je reageert onder je Twitter account. Log uit /  Bijwerken )

Facebook foto

Je reageert onder je Facebook account. Log uit /  Bijwerken )

Verbinden met %s