After having been voted on July 1, 2015, the Luxembourg law of July 24, 2015 transposing the Luxembourg-US IGA (“the Law”) was promulgated, and published on July 29, 2015.
Amendments to the initial version of the draft Law already had been proposed in June 2015 by the Finance and Budget Commission, in particular in order to more appropriately cover data protection aspects in the text of the law.
In addition, the Luxembourg tax authorities released the final versions of Circular Letters ECHA 2 and ECHA 3 on July 31, 2015. Circular Letter ECHA 2 explains the legal obligations of Luxembourg Reporting Financial Institutions (RFI). Circular Letter ECHA 3 contains the technical details of the reporting format to be used between Luxembourg and the US. The Circular Letters update earlier draft versions.
The following summarizes certain points of the Law and the Circular Letters:
- Flexibility to opt for IGA or Regulations principles: The Law, as well as Circular Letter ECHA 2, reconfirm certain principles of the Luxembourg-US IGA (such as the option to apply the definitions of the U.S. FATCA Regulations instead of the definitions in the IGA).
- Classification of Luxembourg entities: Circular Letter ECHA 2 provides guidance on the classification principles to be applied to Luxembourg SOPARFIs, SPF, and securitization vehicles.
- US indicia and changes in circumstances: Circular Letter ECHA 2 provides useful examples of how the detection of US indicia should be handled, how changes in circumstances after year-end may impact the status of an account, and as from when (and for which reportable period) an account becomes a reportable US account, respectively, ceases to be a reportable US account. This Circular also details how the closure of accounts should be approached in respect of classification of the holder and reporting.
- No registration with the Luxembourg tax authorities: Under the Law, there is no requirement to register with the Luxembourg tax authorities. However, Circular Letter ECHA 3 requires a third party service provider that will act as a data depositor to have a Luxembourg matriculation number (in the absence of such number, this can be obtained from the Luxembourg tax authorities).
- Deadline for reporting and zero reporting: The Law stipulates that the annual reporting deadline is June 30 of the year following the calendar year the reporting is related to. As announced earlier, the deadline relating for the 2014 reporting was, after having been postponed to July 31, 2015, further postponed to August 31, 2015. Relevant 2014 data is filed through E-File operated by Fundsquare or SOFiE operated by Cetrel. Action is required as setting up the secured data channel in practice generally takes one week, and reportable persons need to be informed sufficiently in advance in respect of their data protection rights (see below). Also note that the Luxembourg tax authorities require zero reporting in the absence of reportable accounts. As an exception to this rule, Circular Letter ECHA 2 stipulates that a Sponsoring Entity does not need to file a zero report for a Luxembourg Sponsored Entity provided the latter does not have any reportable US accounts, and as long as the Sponsored Entity does not have its own GIIN.
- Data protection – information obligations: The Law explicitly mentions that RFI are data controllers within the meaning of the data protection Law of August 2, 2002. The Law obligates an RFI to inform any reportable person in advance of the data transmission to the Luxembourg authorities that personal data relating to this person will be collected and transferred in application of the Luxembourg-US IGA. Furthermore, the Law specifies which elements need to be part of this communication (such as the fact that the RFI is a data controller, that the data concerned will be reported to the Luxembourg authorities, and that the latter will transmit this data to the US, that the person concerned is obliged to respond to queries of the RFI in respect of FATCA, and the consequences of not responding, and that the person concerned has the right to access and rectify the data transmitted). The RFI should also ensure that the data collected is not stored during a period longer than necessary for the purposes of applying the Luxembourg-US IGA, or other statute of limitation that may apply. Additionally, both the Luxembourg tax authorities and any RFI are obligated to inform reportable persons on any security breach related to this data in case this security breach could harm the individual’s personal data protection or private life. RFI will need to ensure that these obligations are appropriately exercised, sufficiently in advance of the reporting due on August 31, 2015, at the latest.
- Tax audits and sanctions: The Law explicitly mentions that the Luxembourg tax authorities will verify the procedures put in place by financial institutions to meet the automatic exchange of information obligations under the Luxembourg IGA, and the reasonable diligence applied in respect of these obligations. Additionally, the Law mentions that Luxembourg tax authorities will in particular verify whether financial institutions did not implement mechanisms to circumvent the exchange of information taking place. Circular Letter ECHA 2 contains an illustrative example of such avoidance (a financial institution immobilizes its bearer securities with a depository institution that is not a reporting financial institution).The Law also contains the sanctions framework. On the one hand, where reasonable diligence obligations would not be met, or exchange of information mechanisms would not have been sufficiently implemented, an RFI could incur an administrative fiscal fine of maximum 250.000€. On the other hand, in case reporting obligations would not have been met, or in case of late, incomplete or incorrect exchange of information, an RFI would be exposed to an administrative sanction of 0,5% of the amounts that should have been communicated, with a minimum of 1.500€. Additionally, as RFI are data controllers under the above-mentioned data protection Law, administrative sanctions could be imposed by the National Data Protection Commission, and specific criminal law sanctions foreseen in this Law could apply as well (generally, imprisonment up to 1 year and fines up to 125.000€).