I.R.S. C.C.A. AM-2015-005
Internal Revenue Service memorandum
Number: AM2015-005
Release Date: 7/17/2015
CC:INTL:B02:SAMusher POCAN-143374-12
UILC: 6103.11-00, 6105.00-00
date: June 09, 2015
to: John M. Dalrymple (Deputy Commissioner for Services and Enforcement)
from: Steven A. Musher Associate Chief Counsel (International)---
subject: INTERNATIONAL DATA EXCHANGE SERVICE (IDES) -- RESPONSIBILITY FOR DATA TRANSMITTED UNDER SECTIONS 6103 AND 6105, AND TAX TREATIES
The Commissioner requested written advice regarding when the legal responsibilities to protect tax return information arise in the context of electronic data transmission through the International Data Exchange Service (IDES). IDES is a system to report and exchange financial account information to and between tax administrations around the world developed as part of the Internal Revenue Service's (IRS) implementation of the Foreign Account Tax Compliance Act (FATCA). For purposes of this advice, the data transmitted includes: (1) taxpayer data that will be sent to the IRS from foreign tax administrations, as well as from third parties such as foreign financial institutions (FFIs) (inbound transmissions); and (2) taxpayer data that will be sent by the IRS to foreign tax administrations or to third parties (outbound transmissions). We understand that earlier in the development of IDES, oral advice was rendered by Counsel that IDES was a sufficiently secure means of transmission so that using it did not give rise to an improper disclosure of tax return information.1
The facts contained in this advice, particularly with regard to the description of IDES, how that system will be used, and responsibilities of the third-party vendor/contractor, are based on information and representations provided to our office by those within the IRS that are involved with and familiar with the development of IDES. Counsel has not independently verified that information or the representations. This document will address the potential application of sections 6103 and 6105 of the Internal Revenue Code,² and confidentiality provisions in tax treaties (and other bilateral or multilateral agreements for the exchange of information – referred to collectively as “tax treaties”) with regard to the data transmitted through IDES. This advice does not purport to make any legal conclusions on the adequacy for, or satisfaction of, any other pertinent requirements or rules applicable to the IDES system, such as, but not limited to, requirements under FISMA or NIST. Finally, it does not address the existence, if any, of a party’s right for redress for violation of any of the provisions of such other requirements.
In order to efficiently receive and exchange financial account information with tax administrations around the world, the IRS contracted with, and paid for, a third-party to provide a secure computerized system (IDES). IDES was designed based on business and technical requirements provided by the IRS with assistance from our international partners. The system encrypts both the “pipeline” used to transmit the information to and from the sender/recipient, and within the “pipeline,” the information that is being delivered.
Returns, return information, and tax convention information are categories of information related to taxes that are generally protected from disclosure under Code sections 6103 and 6105. Data transmitted via IDES will fall within one or more of these categories. In addition, the language of the United States’ bilateral and multilateral tax conventions, tax information exchange agreements, as well as intergovernmental agreements and draft competent authority agreements concerning the implementation of FATCA all contain provisions protecting covered information from disclosure.
We have been asked to opine on the moment during the exchange of information via IDES that information becomes protected under the various sources of statutory and tax convention protection from disclosure.
Briefly, information that is provided by the IRS to foreign tax administrations (outbound) through IDES already is return information under section 6103 in the hands of the IRS, so throughout the exchange process should be protected by section 6103. Furthermore, that information becomes treaty protected information in the hands of the foreign country when the information is exchanged pursuant to a tax convention or other international agreement on taxes.
In the case of information provided to the IRS by foreign tax administrations (inbound) through IDES, the moment when legal protection arises is less certain. There are two moments that are most likely the moment when the protection arises: the moment information is uploaded to IDES by the foreign tax authority, and the moment when the United States downloads the information from IDES.
There is no direct authority regarding the precise moment legal protection arises. Reasonable arguments can be made for the selection of either moment as the time when legal protection should arise. In particular, close reading of the various statutory and tax convention language, as well as related court decisions seem to indicate that protection will not arise until the information is actually held by the IRS.
Under the current facts and circumstances, we believe that 6103 protection arises on the inbound transfer of information at the time that the information is uploaded to IDES. Furthermore, we believe section 6105 and treaty protections are likely to follow the conclusion under section 6103. We understand that the IRS will likely act as if the information were protected at upload and that business decision would be conservative and justified under the current state of the law. Our conclusion is highly fact dependent.
IDES is a computerized system for secure, encrypted transmission of taxpayer financial account information. It was primarily designed by the IRS and developed and implemented by a third-party vendor with whom the IRS has a contract. Development of IDES was undertaken in large part to facilitate required transmission of financial account information pursuant to FATCA.3 More specifically, IDES will be used by the IRS and foreign tax administrations to exchange financial account information, as well as by the IRS to receive submissions of account information from other entities4 worldwide.
5, currently IDES is only being used for transmission of data to (and very soon, from) the IRS. Consequently, currently only the IRS has negotiated a contract with the third-party vendor that operates IDES, and the IRS is bearing fully the costs associated with the development and operation of the system.
Under the terms of the contract with the third-party vendor, the vendor is responsible for ensuring that information systems, and the information itself that is transmitted to or by the IRS, are protected by state-of-the-art encryption and otherwise secured at all times. In that regard, the contract provides that the vendor must adhere to the general guidance and specific security control standards and requirements contained in IRM 10.8.1 (Information Technology Security, Policy and Guidance) and are subject to the requirements described in IRS Publication 4812 (Contractor Security Controls) regarding both physical and personnel security measures. The negotiated contract terms also provide for adherence to the requirements of the Federal Information Security Management Act of 2002 (FISMA), Public Law 107-347, as well as the standards and guidelines developed by the National Institutes of Standards and Technology (NIST) regarding specific security controls and requirements.
Regarding the technical/functional features of IDES, it was developed to ensure that only authorized users or entities are allowed to log in, upload/download files, or initiate transmission of files.
Section 6103(a) provides the general rule that returns and return information must be kept confidential and can only be disclosed as authorized under the Code. The term “return” means any tax or information return, declaration of estimated tax, or claim for refund required by, or provided for or permitted under, the Code filed with the IRS by, or on behalf of any person. Section 6103(b)(1). Section 6103(b)(2) defines return information broadly to include the taxpayer’s identity and any taxpayer-related information that is “received by, recorded by, prepared by, furnished to, or collected by the Secretary”. But return information does not include data in a form that cannot be associated with, or otherwise identify, directly or indirectly a particular taxpayer. Section 6103(b)(2).
An exception to the general confidentiality rule in section 6103(a) is found in section 6103(k)(4), which provides that “return or return information may be disclosed to a competent authority of a foreign government which has an income tax or gift and estate tax convention, or other convention or bilateral agreement relating to the exchange of tax information, with the United States but only to the extent provided in, and subject to the terms and conditions of, such convention or bilateral agreement.'
Section 6103(n) permits, pursuant to regulations, returns and return information to be disclosed to any person to the extent necessary in connection with the processing, storage, transmission, and reproduction of such returns and return information, the programming, maintenance, repair, testing, and procurement of equipment, and the providing of other services, for purposes of tax administration. Regulations under section 6103(n) permit such disclosures only where the performance of the contract or agreement cannot otherwise be reasonably, properly, or economically carried out without the disclosure. Treas. Reg. § 301.6103(n)-1(b).
Case law has addressed what information is protected by section 6103, but does not directly address when information begins to be protected by section 6103. For instance, in Landmark Legal Foundation v. IRS, 267 F.3d 1132 (11th Cir. 1996), the Eleventh Circuit addressed the appropriate scope of an IRS claim that information constituted 'return information.' In that case, the appellant sought to overturn the district court's holding that identities of third parties who requested audits or investigations of certain tax-exempt entities and the content of those requests constituted return information under section 6103(b)(2)(A). The Eleventh Circuit rejected the appellant's argument that the identities and requests were not 'data' or 'received by...[the IRS] with respect to a return or with respect to' any issue. Id. at 1136 (emphasis in original). The Eleventh Circuit concluded that the 'deliberately sweeping' language of section 6103 reached any data 'received by, recorded by, prepared by, furnished to, or collected by' the IRS and whether or how the IRS used that data once it arrived was irrelevant to its status as return information. Id. Similarly, in Hull v. IRS, 656 F.3d 1174, 1187 (10th Cir. 2011), citing Landmark Legal Foundation, the Tenth Circuit found that whether the IRS actually 'used' the information at issue was immaterial; what mattered was that the information was received by the IRS with regard to the possible existence of a tax liability. Neither opinion addresses exactly when the data became 'return information' however.
There is broad consensus that to be protected by section 6103, information must be possessed in some manner by the IRS. For instance, the Eleventh Circuit has clarified that 'the statutory definition of 'return information' confines it to information that has passed through the IRS.' Ryan v. U.S., 74 F.3d. 1161, 1163 (11th Cir. 1996). In that case, an IRS special agent assisted the US Attorney's Office in collecting certain information related to a criminal investigation. Because the U.S. Attorney's office itself had sought and received that information, not the IRS, the information did not belong to the IRS and therefore was not return information protected by section 6103. See also Stokwitz v. U.S., 831 F.2d 893 (9th Cir. 1987), cert. denied, 485 U.S. 1033 (1988). In Stokwitz, a case cited approvingly by Ryan, Naval investigators searched a personal office, discovered personal copies of income tax returns filed with the IRS, and subsequently disclosed information from those returns. The Ninth Circuit held that because the copies of the income tax returns were not obtained as a result of those materials being filed with the IRS, they were not protected by section 6103. Section 6103 “is concerned solely with the flow of tax data to, from, or through the IRS.” Id. at 896. Similar distinctions are also followed by the Fifth Circuit. See Baskin v. U.S., 135 F.3d 338, 342 (1998) (“[T]o be ‘return information’ any information must first be ‘received by, recorded by, prepared by, furnished to, or collected by’ the IRS. The plain language of the statute reveals that ‘return information’ must be information which has somehow passed through, is directly from, or generated by the IRS.”)
Information received from a foreign government pursuant to a tax convention is also subject to the confidentiality rules of section 6105. Section 6105(a) contains the general rule that tax convention information must not be disclosed unless it falls under one of the exceptions listed in section 6105(b). The terms “tax convention information” and “tax convention” are defined in sections 6105(c)(1) and (c)(2), respectively. In general, tax convention information, subject to the protection of section 6105(a), includes information exchanged pursuant to a tax treaty or other bilateral agreement (including multilateral conventions) providing for the exchange of information which is treated as confidential or secret under the relevant convention or agreement. Therefore, information that is exchanged (transmitted through IDES) with a foreign tax administration under a tax treaty or a FATCA Intergovernmental Agreement (IGA) will be subject to the protections of section 6105.
The legislative history under section 6105 does not describe when information becomes tax convention information. There is very sparse case law under section 6105 and the treaties, and it does not address the timing of when protection arises.
Each of the tax treaties, as well as the IGAs, to which the United States is a party, include confidentiality provisions that require all information exchanged to be kept confidential in accordance with the provisions of such treaty or agreement, as well as provisions generally limiting the use of the information only for purposes of tax administration.11 Similarly, the explanation of Article 26 (addressing exchange of tax information between countries) of the US model treaty (and corresponding model under the OECD) does not shed light on the exact moment when the duty to protect treaty exchanged information arises. Where terms are otherwise undefined under a treaty, or by mutual agreement by the competent authorities pursuant to a treaty, they have the meaning that is assigned to that term under the law of the country for the purposes of the taxes to which the treaty applies.12
To analyze when section 6103, section 6105, and treaty, TIEA, or IGA protection applies, it is helpful to separately consider the outbound and inbound transmission of data. As noted above, outbound transmission is the transmission of data held by the IRS through IDES to a foreign tax administration or third party. Inbound transmission is the submission of data to the IRS by a foreign HCTA or a third party.
Any information received under this Article by a Contracting State shall be treated as secret in the same manner as information obtained under the domestic laws of that State and shall be disclosed only to persons or authorities (including courts and administrative bodies) involved in the assessment, collection, or administration of, the enforcement or prosecuting in respect of, or the determination of appeals in relation to, [taxes covered by this Article], or the oversight of such functions. Such persons or authorities shall use the information only for such purposes. They may disclose the information in public court proceedings or in judicial decisions.
In the case of outbound transmission, the IRS already possesses the data to be transmitted, so it already constitutes tax returns or tax return information under sections 6103(b)(1) and (b)(2). Consequently
both the IRS and the third-party vendor are responsible for taking appropriate steps to protect the data. Under the terms of the treaty, TIEA, IGA, or CAA governing the transmission, the foreign HCTA is, or will be, also obligated to protect the data once it has possession of it. Thus, the outbound transmission of financial data will be protected accordingly throughout its transmission on IDES.
Regarding the inbound transmission of data through IDES, there is some uncertainty as to the point at which the data acquires legally protected status under section 6103, section 6105, and under applicable treaties, IGAs, and CAAs. From a legal perspective, because of current uncertain precedent, arguments can be made for both the position that protection arises when the data is successfully uploaded in IDES by the sender, and for the position that protection will not arise until the data has been downloaded by the IRS. As described below, we ultimately believe that, based on the current facts and circumstances, the arguments that protection arises on upload outweigh the arguments that protection arises only at download by the IRS. We understand that in its internal operation, the IRS intends to act to protect the confidentiality of the information even while it is on IDES by maintaining appropriate security protocols that the third-party provider must by contract comply with and that any knowledge of significant confidentiality breaches would be addressed by appropriate action.
The statutory language of subsections 6103(b)(1) (definition of “return”) and (b)(2) (definition of “return information”) use different verbs to define the scope of their terms. Under the statutory language, a return includes certain items “filed with” the IRS. By contrast, “return information” under section 6103(b)(2) includes data “received by, recorded by, prepared by, furnished to, or collected by” the IRS. Accordingly, the different statutory language (and the absence of controlling precedent) might lead a court to apply different timing rules to a “return” than to “return information.” On the other hand, because the information exchanged over IDES does not precisely fit within either category, a court may be inclined to hold that the same timing analysis should apply (i.e., as to when section 6103 protection arises) regardless of whether the item is a return under paragraph (b)(1) or return information under paragraph (b)(2). As a preliminary matter, the financial information transmitted through IDES is most likely characterized as a mix of “returns” and “return information”. Data uploaded by FFIs with regard to particular account holders will be provided on Form 8966, and would likely constitute an information return that falls within section 6103(b)(1)’s definition of “return.” Information provided by foreign HCTAs is the same as or similar to information provided on Form 8966. Given the broad scope of the definition of “return information” in section 6103(b)(2), if an item is not considered a “return,” then it would still likely be considered “return information.” Therefore, we believe the better interpretation is to apply a uniform timing analysis to all information exchanged over IDES.
Existing authorities lend some support to the position that section 6103 should not apply until the IRS downloads the information from IDES. The jurisprudence that exists emphasizes that it is not enough for information to be related to a tax matter (as in Ryan) or even copies of returns that had been filed with the IRS (as in Stokwitz) in order for section 6103 to arise. Instead the touchstone described in case law is that the information had “passed through, is directly from, or generated by the IRS” before section 6103 protections arise.14
the limited case law arguably supports the proposition that section 6103 protection does not arise until the IRS downloads the data, be it a return or return information.
Arguments may also be made, however, to draw different inferences from the case law. For one, we are unaware of a case addressing whether section 6103 applies when information is on its way to the IRS, and therefore it is possible to argue that the existing case law is distinguishable. Further, the case law does not address situations where the IRS has entered into a contract to procure or convey the information.
In weighing these arguments, we believe
it is more likely that a court, taking into account the current facts and circumstances, would hold that section 6103 protection on inbound transmission arises when information is uploaded to IDES.15
b. Section 6105 and Tax Convention Considerations.
Information uploaded directly by FFIs and other non-HCTA entities to IDES is not exchanged between competent authorities and is not therefore exchanged pursuant to a tax convention. Consequently, protection of this information, if any, is limited to the application of section 6103, described above. The protection of information exchanged directly between HCTAs is discussed below.
Information exchanged by HCTAs is covered by protections contained in the exchange of information articles of treaties,16 and by consequence, potentially under section 6105. Under the statutory language of section 6105(c)(1)(E), information becomes tax convention information when it is “exchanged pursuant to a tax convention which is treated as confidential or secret under the tax convention.” Arguably, the use of the past tense “exchanged” suggests that section 6105 protection will not arise for this class of tax convention information until the exchange is completed. Therefore it is also arguable that information uploaded to IDES is not fully exchanged until it is actually downloaded successfully from IDES. Article 26, section 2, of the U.S. Model Tax Treaty contains a similar past tense usage: “Any information received under this Article…” (emphasis added). Consequently, similar inferences might be drawn from the language of the U.S. Model treaty.
[REDACTED]
[REDACTED]
Over time, facts as well as law could change. Given the considerable uncertainty attendant with this analysis, this could mean different arguments and analysis may come to the forefront in the future.
Because information already held by the IRS will be protected under section 6103 regardless of changes in facts regarding the design, operation, and funding of IDES, we believe that analysis of the application of section 6103 in the outbound context is less likely to change in the future absent a change in law. With the applicability of section 6103, in regard to the United States' handling of the information exchanged, it is largely moot whether additional reasons for protecting the information also arise under section 6105, an applicable treaty, IGA, or CAA. Each would simply independently and redundantly require that the United States protect the information. Of course, once the information is exchanged, the obligation of the foreign HCTA to protect the information arises by application of the treaty, IGA, and CAA.