Individual Returns Directorate
Assessment, Benefit and Service Branch, and

Large Business Directorate
Compliance Programs Branch

On this page

• Overview & Privacy Impact Assessment Initiation (PIA)
• Summary of the project, initiative or change
• Risk identification and categorization

Overview & Privacy Impact Assessment (PIA) Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner
Assessment, Benefit, and Service Branch, and

Ted Gallivan
Assistant Commissioner
International, Large Business and Investigations Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
Director
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Individual Returns and Payment Processing
International and Large Business

Standard or institution specific class of record:

T1 Individual Income Tax and Benefits Returns – Initial Assessment Program CRA ABSB 126
Competent Authority Program Administration CRA CPB 261

Standard or institution specific personal information bank:

Individual Returns and Payment Processing
CRA PPU 005
TBS Registration Number: 002014

Competent Authority Program Administration
CRA PPU 085
TBS Registration Number: 002021

Legal authority for program or activity

The Canada—United States Enhanced Tax Information Exchange Agreement Implementation Act implements the Agreement signed between Canada and the United States to improve

International Tax Compliance through Enhanced Exchange of Information under the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital (the "Agreement"). Canada has also enacted legislation to require certain Canadian FIS to report certain information with respect to accounts held by certain U.S. persons to the CRA. Under the Agreement, Canada will automatically exchange this information with the United States pursuant to Article XXVII of the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital.

(Note: Under Section VI (C) of the Agreement, a Canadian FI is required to aggregate all financial accounts but only to the extent that its computerized systems link the accounts by reference to a data element such as a client number or taxpayer identification number, and allow account balances or values to be aggregated.)

Amendments to the Income Tax Act

Amendments to the Income Tax Act require certain Canadian FIS to report certain information with respect to accounts held by certain U.S. persons to the CRA. They are:

• Changes to subsection 162(6) of the ITA (Failure to provide an identification number)
• A new part is added to the ITA — Part XVIII Enhanced International Information

Reporting (sections 263 to 269). (Note: New ss. 263(4) states, "For the purposes of this Part, a reference in the Agreement to "Canadian TIN" or 'taxpayer identification number" is to be read as including a reference to Social Insurance Number.")

Legislation implementing the Agreement and related amendments to the Income Tax Act, was set out in Part 5 of Bill C-31. Bill C-31 received Royal Assent on June 19, 2014 and entered into force on June 27, 2014. The provisions of the legislation generally have effect as of July 1, 2014.

Summary of the project, initiative or change

Overview of the Program or Activity

In 2010, the U.S. enacted the Foreign Account Tax Compliance Act (FATCA). FATCA was enacted to protect the U.S. tax base by preventing the use of offshore accounts to evade taxes. FATCA does so by requiring non-U.S. financial institutions (Fls) to enter into an agreement with the U.S. Internal Revenue Service (IRS) and report on all accounts held by U.S. persons or by non-U.S. entities (passive and non-financial entities) controlled by one or more U.S. persons. For the purposes of FATCA, a U.S. person includes:

• a citizen or resident of the U.S.
• a U.S. entity (for example, a corporation, trust, or partnership).

If a non-U.S. FI is not compliant with FATCA, payers making certain payments of U.S.-sourced income to the non-compliant FI would be required to withhold a tax equal to 30% of the payment. The 30% FATCA withholding tax can also be levied on individual account holders at a compliant non-U.S. FI who fail to provide documentation as to whether they are U.S. persons, and on non-U.S. entities that fail to identify its U.S. controlling persons.

In July 2012, the U.S. released a model I reciprocal agreement (Intergovernmental Agreement or IGA). Under the model I IGA, a partner country agrees to impose obligations on its FIs to identify the financial accounts of U.S. persons and non-U.S. entities with U.S. controlling persons and report certain information on these accounts to the partner's domestic tax authority. The model 1 IGA requires the partner's tax authority to then provide this information to the IRS. In return, the U.S. agrees to not apply FATCA to the FIs operating in the partner country.

The U.S. also agrees to collect and provide certain information on financial accounts held by residents of the partner country at U.S. FIs to the partner country.

On February 5, 2014, Canada and the U.S. signed the Agreement, which is based on the model 1 IGA. Under the agreement, Canada and the U.S. agreed to automatically and annually exchange certain information pursuant to Article XXVII (Exchange of Information) of the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital (the Canada-U.S. tax treaty).

It is important to note that, for the purposes of this PIA, the CRA and the IRS have been exchanging information for any years under Article XXVII (Exchange of Information) of the Canada — U.S. tax treaty. Except for the Canadian TIN, the information the CRA will receive from the IRS under the Agreement will be a subset of the information the CRA currently receives. The CRA will continue to actively work the information received, as it currently does with the information received. Except for the U.S. TIN, account balance and account number, the information the CRA will be sending to the IRS is a subset of the information the CRA currently sends. Information that is relevant for tax purposes of the other country, may be exchanged under Article XXVII (Exchange of Information) of the Canada-U.S. tax treaty. Income earned in Canada by U.S. taxpayers would be relevant to the tax administration of tax in the U.S. A U.S. taxpayer includes a U.S. citizen no matter where in the world he or she lives.

Currently, FIs are obligated to file information returns on various types of income to the CRA and in particular, are required to identify non-residents and to report the income of the non-residents on a different return (i.e., NR4 information return). The significant changes caused by the agreement include the higher due diligence required of FIs and the new electronic mechanism by which the data will be transmitted. In addition to a U.S. address as an indicator, the due diligence procedures under the Agreement require FIs to look for several other indicators to identify a U.S. taxpayer. The focus at this time is the operational requirements created by the Agreement, which requires the collection of the data from the FIs and its transmission by the new electronic means. As such, the scope of this PIA is limited to the collection of the data from the FIs and the new electronic transmission of the data between the CRA and the IRS. Uses for the data will be reflected in other program level PIAs.

Canadian Obligations under the Agreement

The identification and reporting requirements are effective July 1, 2014 and for all subsequent years. Canadian FIs and foreign FIs operating in Canada are required to implement procedures to determine if their customers (existing or new account holders) are U.S. persons or non-U.S. entities with U.S. controlling persons. With respect to new account holders, FIs can either:

(1) obtain a self-certification from the customer at account opening as to whether the customer is a U.S. person; or

(2) review documentation collected at account opening for indicators that the customer is a U.S. person.

With respect to existing account holders (i.e., customers with accounts on June 30, 2014), FIs are required to review records for indicators that the account holder is a U.S. person.

If, after completing the above-described due diligence, a FI identifies an account holder as a U.S. person or as a non. US. entity with at least one U.S. controlling person, the FI is required to annually report those accounts to the CRA. The information required to be reported include (see legislative excerpts in section V below):

• name, address, Canadian TIN (e.g., SIN or BN) and U.S. TN;
• the account number;
• the account balance; and,
• interest, dividends and other income paid or credited to the account
• amount of sales/redemption proceeds paid or credited to the account or other amounts paid or credited to the account holder with respect to the account.

In addition to these data elements, the FI can include its Global Intermediary Identification Number (GIIN) obtained from the IRS.

Under new section 266 of the Income Tax Act, FIs are required to electronically report the information on the new Part XVIII information return to the CRA by May 1st of the following calendar year (e.g., 2014 information is due May 1, 2015).

The CRA is re-utilizing established business processes and has modified and/or implemented information systems to manage this new program. FIs require an acceptable medium for the electronic transmission of the Part XVIII information returns. To match current filing regimes for other information returns, it is requested that FIs utilize the current CRA internet filing portals to provide the required information in XML format. As a result, a new information return is required (slip and summary) which will be filed in electronic format only, via the Internet. No paper form is available. This electronic reporting mechanism by the FIs to the CRA was implemented in January 2015.

The Part XVIII information returns reported by the FIs will then be captured, processed and stored on CRA's databases within the program area.

The program area will then prepare the data bundle, encrypt, etc. for transmission to the IRS. The data transfer mechanism is currently being tested and will be in place by September 2015 for the transmission of the 2014 calendar information.

What’s New

The CRA will review the information to ensure it is relevant and in accordance with the Agreement and the competent authority agreement (CAA). Where that is the case, the CRA Competent Authority will approve the transmission of the information to the IRS Competent Authority and request that Information Technology Branch execute the transmission. A Competent Authority Agreement was negotiated with the IRS which provides the rules and procedures for administering the Agreement, including the information exchange.

The new reporting requirement is expected to apply to roughly 1,000 FIs in Canada, including banks and other deposit-taking institutions, life insurance companies, investment dealers and brokers, and investment funds. Based on data published by Statistics Canada, it is reasonable to estimate that the CRA could potentially receive an aggregate of 30,000 to 90,000 information returns each year, starting in 2015; the actual number of individual records received for the calendar year 2014 (received in 2015) was approximately 155,000 records.

Scope of the Privacy Impact Assessment

The scope of this PIA is limited to the collection of the data from the financial institutions and the new electronic transmission of the data between the CRA and the IRS. Uses for the data will be reflected in other program level PIAs.

Risk identification and categorization

A) Type of program or activity

Compliance/Regulatory investigations and enforcement

Level of risk to privacy: 3

Details:

Implementing legislation (the Canada—United States Enhanced Tax Information Exchange Agreement Implementation Act) that implements the Agreement signed on February 5th, 2014, and related amendments to the Income Act was set out in Part 5 of Bill C-31. Bill C-31 received Royal Assent on June 19, 2014 and entered into force on June 27, 2014. The provisions of the legislation generally have effect as of July 1, 2014. Under new Part XVIII of the Income Tax Act, FIs are required to annually file the Part XVIII information return with the CRA reporting information with respect to financial accounts held by U.S. persons and by non-U.S. entities that are controlled by one or more U.S. persons.

The CRA will collect personal information in connection with financial accounts from the FIs on the new Part XVIII information returns, on an annual basis. The CRA will then transmit the data to the IRS for tax compliance purposes. The CRA is obligated to annually collect and transmit the information to the IRS, under the Agreement.

With respect to information collected from the FIs on the new Part XVIII information returns (southbound information flow), the information is stored on CRA's mainframe database and available to CRA's compliance areas. The information may be reviewed and compared to the other available sources of information in order to support compliance activities. To the extent that information is used in compliance activities, documentation will be contained in audit records (ie. Working papers, audit reports, etc.) for specific taxpayers as they relate and audit work undertaken.

With respect to information received from the IRS (northbound information flow), the CRA will annually receive personal information in connection with financial accounts held at U.S. Fls. The CRA will store the data that is collected on the Part XVIII information returns and received from the IRS. Information received from the IRS will be referred to the Offshore Compliance Division Headquarters for risk assessment and business intelligence purposes. If a potential compliance issue is identified, the case will be referred to the applicable tax services office. Information received from the IRS will be contained in audit records (ie. Working papers, audit reports, etc.) for specific taxpayers as they relate to the risk assessment and audit work undertaken.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details:

Full name, address, Canadian tax identification number (social insurance number, business number), United States tax identification number, account number, date of birth, financial information.

C) Program or activity partners and private sector involvement

Private-sector organizations, international organizations or foreign governments

Level of risk to privacy: 4

Details:

Southbound

With respect to each financial account held at a FI by a U.S. person or a non-U.S. entity with one or more U.S. controlling persons, the information will be collected by the FI and reported to CRA, who in turn will transmit the information to the IRS.

Northbound

With respect to each financial account held by a resident of Canada at a U.S. FI, the information will be collected by the IRS and then transmitted to the CRA.

D) Duration of the program or activity

Indefinite

Level of risk to privacy: 3

Details:

This is a new program that has no sunset date.

E) Program population

The program affects certain individuals (U.S. residents or citizens) for administrative purposes external to Canada.

Level of risk to privacy: 3

Details:

Southbound

The program will affect U.S. persons and non-U.S. entities with U.S. controlling persons, who hold financial accounts at FIs operating in Canada.

Northbound

The program will affect residents of Canada that hold financial accounts at FIs operating in the U.S.

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
   
   Risk to privacy: Yes
2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
   
   Risk to privacy: Yes
3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

Details:

Filers use two Web based services, available on the CRA public Web site, to file their PART XVIII information returns. The first one is the Internet File Transfer Application where filers can submit their return in an XML format. The second service is Web Forms where the filer can manually create and submit their return. These electronically submitted returns are then processed and stored on CRA's mainframe database.

Southbound

FIs will submit the Part XVIII information returns in XML format via the Internet with the use of CRA's Internet File Transfer or Web forms services. These services are already in existence and are currently used by FIs for filing other information returns. Through an automated process, this data will then be systematically stored in the CRA database. There is however no direct connectivity between the Internet application and the database on the mainframe.

Neither the business process nor the new application components provide the ability to take the data and store it on a USB.

Northbound

The data files received from the IRS will be in XML format and transmitted through encrypted transmission channel, the same tools employed in the southbound information flow.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

If the personal information is compromised it could potentially cause financial harm and embarrassment to the individual.