18 March 2024

UK Financial Institution Notices: HMRC Doubles Down On Customer Location And Employee Data

The second report on HMRC's use of financial institution notices (FINs), which was laid before Parliament on 25 January, offers several important updates, including the resurrection of HMRC's...
UK Finance and Banking
To print this article, all you need is to be registered or login on

The second report on HMRC's use of financial institution notices (FINs), which was laid before Parliament on 25 January, offers several important updates, including the resurrection of HMRC's previously abandoned proposal to use FINs to collect data held by financial institutions on where customers have accessed their online or mobile accounts.

HMRC has also confirmed that it intends to proceed with another proposal to use FINs to obtain information on employees and contractors of financial institutions, despite further concerns being raised.

FINs: the background

FINs were introduced from June 2021 as a new type of HMRC information notice aimed specifically at financial institutions.

Unlike standard third-party notices, no prior approval is required from the First-tier Tribunal and no consent is needed from the relevant taxpayer before FINs may be issued by HMRC. There is also no right of appeal to the First-tier Tribunal under any circumstances. Instead, two main conditions must be satisfied for a FIN to be issued:

  • Condition A. The information or document must be, in the reasonable opinion of the HMRC officer issuing the notice, of a kind that it would not be onerous for the financial institution to provide or produce.
  • Condition B. The information or document must be "reasonably required" by that HMRC officer for the purpose of checking the tax position of, or collecting a tax debt from, a known taxpayer. Critically, the legislation does not expressly state that HMRC should be the arbiter of this issue (unlike Condition A which refers to the reasonable opinion of the relevant officer). However, given the lack of any role for the First-tier Tribunal, the decision as to what is "reasonably required" is, in practice, left to HMRC by default (subject to any potential legal challenge).

Restrictions on the type of information that HMRC may request (for example, relating to legally privileged information) apply equally to standard third-party notices and FINs.

The removal of the key safeguards normally associated with HMRC information notices generated widespread criticism from the financial services industry and tax and legal professionals and, in light of the controversy surrounding their introduction, an annual report is required to be laid before Parliament on HMRC's use of FINs in order to keep this power under review. The recently published annual report covers the period from 1 April 2022 to 31 March 2023.

Location data

The second annual report confirms that HMRC intends to use FINs to collect data held by financial institutions on where customers have accessed their online or mobile accounts; that is, their geographical location by reference to an internet protocol (IP) address. This location data might be relevant in order to determine, for example, the residence of a taxpayer by establishing the number of days spent in a jurisdiction in a particular tax year.

The possibility of using FINs in this way was not specifically considered during the original consultation process and HMRC's first annual report on FINs (published on 26 January 2023) revealed that the proposal had at that time been abandoned following discussions with the industry. The latest report discloses that the same proposal is to be resurrected following changes to parts of the Investigatory Powers Act 2016, which would have otherwise further restricted HMRC's ability to request location data.

On a practical basis, IP addresses can be misleading and are arguably not a reliable source of evidence for tax purposes. As a matter of principle, it could be argued that collecting location data is inherently disproportionate as it involves sensitive information, akin to surveillance and that FINs are appropriate to civil investigations only (HMRC has separate powers intended for criminal investigations). On that basis, location data would not be "reasonably required" by HMRC within the meaning of the legislation. Coupled with the lack of independent judicial oversight for FINs, this could create potential legal and data privacy issues for financial institutions.

Employee data

Despite further concerns raised by the industry, the second annual report confirms that HMRC still plans to proceed with its other controversial proposal to use FINs to obtain information on employees or contractors of financial institutions (as opposed to their customers).

Like location data, the use of FINs to collect this employee data was not specifically considered at any time during the original consultation process. The report defends the proposal on employee data on the basis that the legislation strictly refers to "taxpayers" and, therefore, makes no express distinction between taxpayers who are customers of a financial institution and those who are employees or contractors. This argument is undermined by the stated purpose of the annual report to consider "the impact of the FIN on financial institutions and customers". There is no satisfactory explanation as to why, according to HMRC, Parliament decided to single out financial institutions in respect of employee data (that is, rather than to introduce legislation applicable to a broader range of employers).

Osborne Clarke comment

The report does not reveal the impact on the number of standard third-party notices being issued to financial institutions (which remains an option for HMRC). However, the report does confirm that almost 80% of new FINs were issued in connection with domestic investigations rather than international exchange of information requests (the latter being HMRC's original justification for the introduction of FINs). That statistic, together with the proposals on location data and employee data, raises potential concerns that HMRC may effectively attempt to replace standard third-party notices to some extent with FINs, thereby avoiding judicial scrutiny on matters that were never envisaged would be within the scope of FINs.

The latest information also does not provide the number or range of financial institutions that have received a FIN to date. In the original policy paper on FINs, "Amending HMRC's Civil Information Powers" published on 3 March 2021, HMRC downplayed the potential impact of its new powers, stating that FINs were expected to have a "negligible impact on about 20 financial institutions, such as banks and building societies".

However, the legislation defines a "financial institution" very widely – as it links back to the definition in the Organisation for Economic Co-operation and Development's Common Reporting Standard (CRS), which includes "custodial institutions", "depositary institutions", "investment entities" and "specified insurance companies" (each as defined under the CRS). HMRC, therefore, has the power to issue FINs to a range of entities far broader than a handful of banks and building societies.

The latest proposals from HMRC indicate that it is prepared to use FINs in ways previously unanticipated and so all types of financial institutions may wish to consider their position. In particular, financial institutions should ensure that their procedures for dealing with information requests from law enforcement and regulatory agencies, such as HMRC, remain adequate.

While there are no grounds for appealing against FINs, there may be scope for other methods of legal challenge (including, where appropriate, judicial review proceedings or appealing against penalties for non-compliance).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More