Will AEoI be the new Equifax?
We don’t yet know who hacked Equifax. We just know that it happened some time ago, that hundreds of millions of people’s personal details were stolen and that, even now, those details are probably being traded on the dark web.
But these hacks have been going on for many years now in all sorts of industries. Why do they do it? Four reasons – because they can (script kiddies, geeks and nerds); because they get a kick out of it (sociopaths, narcissists, psychopaths and weirdos); because they want to make a political or social point (ideologues); or because they want to make money (financial criminals). The reason hackers target these kinds of organisations is that they hold truly massive amounts of data. So if you’re any one of the first three, you’ll (i) get an adrenaline rush from the hack and/or (ii) see your hack hit the news big time – which feeds (i). If you’re a criminal out to make money, you actually don’t want your hack to make the news; you want to be left alone, strolling around other people’s databases and using them to make money. Making money can be accomplished in two ways – stealing directly from the targets, if the stolen data gives you access to their financial accounts, or selling some portion of their personal information or using it to support some other criminal activity.
The problem, from the criminal’s point of view, is that most of the data that gets stolen is pretty much useless on its own. You might use a pensioner’s details to fake an ID, but you’re not going to get rich directly from that. And because the amounts of data in these hacks are so large, finding the valuable records among all the worthless ones is a real task – needles and haystacks.
AEoI, or the Automatic Exchange of [tax] Information, is a framework developed by the Organisation for Economic Co-operation and Development (OECD) to coordinate a global set of rules to prevent and detect tax evasion through global data collection and cross-border reporting. Those most interested in stopping tax evasion are governments or, to be more precise, politicians and tax authorities. Politicians, because focusing tax collection on the rich wins votes and their governments need the money. Tax authorities, because they are usually the governmental agencies tasked with getting the job done on the ground. Many studies have tried to quantify the amount of tax that is being evaded through the use of cross-border financial accounts and corporate structures. The figures vary, but the overall result is the same, and it’s what’s driving those politicians and tax authorities – the amounts of tax being evaded are huge.
Rich People Only Please
Below AEoI in a structural sense sits CRS, the Common Reporting Standard, because if you’re going to share information globally, the basis on which the information is collected needs to be standardised so that everyone is looking at the same kind of data. So far, so good. The whole global AEoI framework is based on the principle that each government wants to get from every other government the details of anyone who has a financial account in that other country, so that it can check that its citizen or tax resident is declaring and paying tax as they should. If not, they will have been avoiding or evading tax and will have to pay the tax owed, plus fines and interest, and perhaps even go to jail. But AEoI is not a set of laws; it’s just a global data collection and cross-border reporting framework and, as such, it has to be ‘adopted’ into each signatory country’s domestic legislation on either a bilateral or multilateral basis. At the moment over a hundred countries have signed up to the AEoI framework – but let’s stick with a hundred here because it makes the arithmetic easier.
What this means is that in a hundred countries, every single financial institution must use the CRS rules from the framework to identify and collate information about any non-residents that have accounts with them. Once a year, they must then present their domestic tax authority with all this data, packaged up so that it can be shared by that tax authority with up to ninety-nine other countries. The key issue at this stage is that these governments don’t want to be deluged with details of every single bank account that each citizen has; they only want the high-value account holders, because that’s where tax evasion is more likely to be happening. So the rules allow thresholds of account value below which accounts need not be reported (the CRS permits fewer such thresholds than FATCA does, but the filtering effect is the same). In other words, the data being packaged up is filtered so that it only contains data about rich people. And what data would that be, precisely? Well – account number, name of the financial institution where the account is held, the account holder’s tax ID number, the value of the account… you see where this is going? The nature of this data, in its filtered form, would be a cyber criminal’s definition of heaven. What makes it even more delicious is that, by the very purpose of the system, some of that data represents people who really are evading tax by holding money or securities in foreign accounts – and they are not likely to report thefts of those assets, for obvious reasons.
So each tax authority is going to receive, once a year to a pre-published schedule, a data file from every single financial institution, listing all the non-resident rich people it has on its books. But the tax authority can’t use that data in its delivered form, because each file contains account holders from potentially many countries. So the tax authority is going to have to unpack all that data, from each financial institution, then re-pack it in partner-country order so that it’s ready to share.
So AEoI poses at least three cyber risks. First, at the data collection points in each financial institution, just prior to submission in encrypted form. Trust me, in most cases that data will be sitting in simple, unprotected spreadsheets. Second, at each government location, when the data has been decrypted for repackaging but not yet re-encrypted. Third, when it arrives at its destination tax authority and is decrypted again. Don’t get me wrong, it will also be at risk while it is encrypted and ‘in flight’, but as most industry professionals know, it’s easier to steal something at a weak point where it isn’t encrypted than to steal it in flight and have to break the encryption. As we saw in the recent Bangladesh–SWIFT case, the weakest point is not the delivery mechanism; it’s the end points.
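The repackaging step is where the second of those risks lives: the hub has to read every record in clear in order to sort it by partner country. The following Python is an added example, not part of this post or of the OECD framework, and it contrasts that flow with one in which each reporting institution seals every record to the receiving jurisdiction and leaves only a routing tag in clear, so the hub can regroup without ever decrypting. Everything in it is constructed for illustration: the field names are not the CRS schema, the per-jurisdiction keys are assumed to be pre-shared, and the HMAC-based cipher stands in for a real AEAD so the script runs on the standard library alone.

```python
"""Repacking non-resident account reports at a tax-authority hub.
Constructed example comparing decrypt-and-regroup with route-on-tag."""
import hashlib
import hmac
import json
import secrets
from collections import defaultdict

# Constructed sample: two reporting FIs in jurisdiction "AA", each holding
# accounts for residents of partner jurisdictions BB and CC.
FI_FILES = {
    "FI-001": [
        {"residence": "BB", "tin": "BB-1001", "account": "AA001", "balance": 250_000},
        {"residence": "CC", "tin": "CC-2001", "account": "AA002", "balance": 75_000},
    ],
    "FI-002": [
        {"residence": "BB", "tin": "BB-1002", "account": "AA101", "balance": 1_200_000},
        {"residence": "CC", "tin": "CC-2002", "account": "AA102", "balance": 60_000},
        {"residence": "BB", "tin": "BB-1003", "account": "AA103", "balance": 52_000},
    ],
}

def repack_plaintext(fi_files):
    """Flow described in the post: the hub decrypts each FI file, reads every
    record and regroups it by residence. Returns (bundles, exposed), where
    exposed counts records whose full contents the hub handled in clear."""
    bundles = defaultdict(list)
    exposed = 0
    for fi, records in fi_files.items():
        for rec in records:
            bundles[rec["residence"]].append({"reporting_fi": fi, **rec})
            exposed += 1
    return dict(bundles), exposed

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream. Illustrative
    stand-in for a real AEAD (AES-GCM, libsodium sealed box); not for production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(dest_key):
    return (hashlib.sha256(b"enc" + dest_key).digest(),
            hashlib.sha256(b"mac" + dest_key).digest())

def seal(dest_key, record):
    """Encrypt-then-MAC a record under the destination jurisdiction's key
    (assumed pre-shared) so that only that authority can open it."""
    enc_key, mac_key = _subkeys(dest_key)
    nonce = secrets.token_bytes(16)
    pt = json.dumps(record, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(dest_key, blob):
    """Verify the tag before decrypting; a wrong key or a tampered blob fails."""
    enc_key, mac_key = _subkeys(dest_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record authentication failed")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)

def fi_submit_sealed(fi, records, partner_keys):
    """FI side: seal each record to its residence jurisdiction before
    submission. Only the routing tag and the reporting FI stay in clear."""
    return [{"reporting_fi": fi, "residence": r["residence"],
             "sealed": seal(partner_keys[r["residence"]], r)} for r in records]

def repack_sealed(submissions):
    """Hub side: regroup on the cleartext tag alone. There is no decrypt
    step, so the hub's exposure to account contents is zero records."""
    bundles = defaultdict(list)
    for submission in submissions:
        for item in submission:
            bundles[item["residence"]].append(item)
    return dict(bundles), 0

def destination_open(bundle, dest_key):
    """Receiving authority: the only party that ever decrypts."""
    return [open_sealed(dest_key, item["sealed"]) for item in bundle]

if __name__ == "__main__":
    _, exposed = repack_plaintext(FI_FILES)
    keys = {"BB": secrets.token_bytes(32), "CC": secrets.token_bytes(32)}
    subs = [fi_submit_sealed(fi, recs, keys) for fi, recs in FI_FILES.items()]
    sealed_bundles, hub_exposed = repack_sealed(subs)
    print(f"hub plaintext exposure: {exposed} records vs {hub_exposed}")
    print(f"BB receives {len(destination_open(sealed_bundles['BB'], keys['BB']))} records")
```

The point of the comparison is the exposure count: in the decrypt-and-regroup flow the hub handles every record in clear, so a compromise there yields the whole filtered data set; in the sealed flow the hub learns only how many records go to each partner, and a stolen bundle is useless without the destination authority’s key. The same separation would also shrink the first risk point, since the institution never needs to hold a cleartext file packaged for submission.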
So, to return to the title of this blog: Equifax was probably a target primarily because of the nature of the data it was holding. The difference is that the data volume there is massive and, from a criminal’s perspective, unfiltered. AEoI, on the other hand, has multiple potential weak points, including every financial institution in every country that has committed to AEoI and every tax authority in each of those countries, and its data, by the very nature of the framework, has been pre-packaged to suit a criminal’s every desire. All of these institutions will have cyber security policies and procedures in place, as well as encryption systems aimed at defeating such hacks, but, as we’ve seen, these institutions have to be right all the time; the criminals only need to be right once.
Understanding the Scale of the Issue
If we use the US’s FATCA regime as a very rough measure of the number of non-US reporting financial institutions in the world that would be subject to AEoI, based on the number of Global Intermediary Identification Numbers (GIINs) issued, that would mean over 294,000 firms globally, not including the US (as at 17 September 2017), each sending sensitive data about rich people to its domestic tax authority every year for onward sharing with up to ninety-nine partners. If each of those firms had just 100 accounts of foreigners above a $50,000 threshold (FATCA’s figure, used here only as a proxy; the CRS has no such floor for individual accounts), that would mean 29,400,000 accounts being reported, representing a total value of at least $1,470,000,000,000. I recognise that several factors would dilute this value, potentially to a large extent, but I think it’s useful to make the point about the underlying value in the accounts being reported under the AEoI framework (as opposed to the tax that may be applicable to that value) and thus the attraction that might have for the criminal element.
For context, let’s also remember that a hundred countries each sharing this data with the other ninety-nine gives 9,900 sender–receiver pairs, near enough ten thousand. That’s ten thousand data sets travelling between a hundred tax authorities once the data has been unpacked and re-packed.
If the AEoI or CRS framework is successfully hacked in any kind of systemic way by leveraging the standardised model, it would, in my humble opinion, eclipse the Panama Papers and Equifax combined, not necessarily in volume, but certainly in value.
Finally, I just want to state here that I think the AEoI framework and CRS are very good tax evasion detection principles. This is not a criticism of the framework. The framework itself contains many good practices and recommendations for the protection of data, because it was obvious to the architects that this data is highly sensitive. My reason for writing this blog is to alert the industry and the financial institutions in it to the different scale of cyber threat that the nature of the AEoI framework represents, so that it can be addressed in proportion to its importance. Forewarned is forearmed!
If you’re interested to hear more about my thoughts on AEoI, CRS and also BEPS and FATCA, check out my new book, co-authored with Chris Haye and Stuart Lipo of TConsult, with much appreciated contribution from ethical hacker Jamie Woodruff of Metrix Cloud. It is due out in October from Palgrave Macmillan and is called ‘GATCA, a practical guide to global anti-evasion frameworks’.
Ross McGill is the CEO and subject matter expert for TConsult. Ross is a specialist in QI and FATCA operational compliance, cross-border tax reclaims, relief at source and information reporting. He has over 23 years of experience in financial services, including 19 years at C level, and 30 years’ senior management experience in blue chip FMCG, including sales, marketing and operations.