一些初步的想法:
- 全球税务透明,并不代表纳税人的涉税信息会向全社会公布,其含义仅限于税务机关之间的透明。
- 任何实施CRS的国家在进行跨国信息交换之前,都必须通过国际安全评估机制的审核,符合国际标准后,方可进行交换。目前一些发展中国家,并未加入实施CRS,其主要原因在于信息保密和安全系统上达不到国际标准要求。但这一问题正在逐一解决中。
- 根据去年底全球税务透明论坛大会通过的“CRS全面审议职权范围”,信息安全和保密是判断CRS参与国是否合规的三大核心指标之一,直接关系到2020年以后国际社会对一国CRS实施情况的评级打分。
******
2019年7-9月是各个税收主管当局的国家或地区CRS全球金融账户涉税信息交换的高峰期,就在这样关键的时期,保加利亚国税局BNRA近期不得不向外界公布,BNRA遭遇历史上最大的黑客袭击,成为全球税收主管当局被泄露纳税人信息最大的税务机构。该消息公布后,立刻引发保加利亚居民和跨境保加利亚和其他国家的高净值人士的极度恐慌。
对此,经济合作与发展组织于8月30日发表了相关声明:
经济合作与发展组织 - 巴黎,2019年8月30日
经合组织关于保加利亚国家税务局数据泄露的声明
(此为谷歌自动翻译,仅供参考。以官方英文版为准)
保加利亚国家税务局(NRA)的信息技术系统遭到黑客攻击,并于2019年7月15日向媒体提供了大量数据。保加利亚随后确认这些数据来自国家税务局系统,其中包括根据统一报告标准(CRS)多边主管当局协议、欧盟行政合作指令与国际条约下自动交换的数据。
经合组织全球税务透明论坛(全球论坛)在得知违规行为后立即暂停了保加利亚与其他国家的税务信息交换,并组建了一个数据安全专家小组,目前正在评估保加利亚的实地情况。在CRS框架下所有其他国家(地区)自动向保加利亚发送税务信息的义务将继续暂停,直至完成当前的评估审查并确定所存在的缺陷。
所有参与税务自动交换信息(AEOI)的国家(地区),在接受任何税收信息(包括CRS信息)之前都必须遵守国际数据安全标准。全球论坛有一个评估各国家(地区)数据安全安排的多边程序,旨在确保遵守标准。然而,国家(地区)内部数据泄露的可能性永远无法完全消除。
因此,全球论坛的流程还包括评估和应对违规行为的机制。当全球论坛秘书处得知保加利亚的违规事件时,该机制就相应启动,同时还与其信息交换伙伴国家(地区)就此保持沟通。
自违规事件发生以来,保加利亚一直积极主动地与国内有关当局、全球论坛及其信息交换伙伴合作,以遏制、调查和解决这一局面。包括采取行动以显著改善保加利亚国家税务局的内部安全制度。保方一直与其信息交换伙伴国家(地区)保持沟通,以便根据相关法律义务通知其数据受到影响的人员。全球论坛秘书处对保加利亚采取的开放和建设性方法表示赞赏。
值得注意的是,保加利亚的数据安全违规事件与经合组织(用来传输CRS数据信息)的“共同传输系统”无关,该“共同传输系统”将继续确保税务机关之间信息交换的安全。此外,任何经验教训都将被纳入并加强全球论坛有关信息交换国家(地区)的持续合规程序中。
CRS(以及所有其他税务信息交换标准)都包含与信息保护相关的广泛要求,包括在发生数据泄露时应采取的行动。全球论坛的多边评估程序旨在确保满足这些要求。
其中包括:
(i)对每个国家(地区)进行预先交换评估,以确保所有打算参与税务信息自动交换的税务机关在获得信息之前,其数据安全安排符合国际标准;
(ii)在实施税务信息交换并收到信息后对交换系统进行评估,并确保国际标准得到持久落实,并可以应对不断变化的数据安全威胁。一些国家(地区)被要求实施一项行动计划,以解决在在评估完成和信息交换之前所识别出的问题。同时,全球论坛会给相关国家提供技术协助,帮助其解决相关系统缺陷和问题。
后附原文:
OECD– Paris, 30 August 2019
STATEMENTON THE DATA BREACH IN THE NATIONAL REVENUE AGENCY OF BULGARIA
The information technology system of the National Revenue Agency (NRA) of Bulgariawas hacked and a significant amount of its data was provided to the media on 15July 2019. Bulgaria subsequently confirmed that this data was from NRA systemsand that it included data automatically exchanged with international treatypartners under the Common Reporting Standard (CRS) Multilateral CompetentAuthority Agreement and the EU Directive on Administrative Cooperation.
Immediatelyupon becoming aware of the breach, the Global Forum on Tax Transparency and Exchange of Informationfor Tax Purposes suspended exchanges with respect to Bulgaria and assembled a teamof data security experts who are currently assessing the situation on theground in Bulgaria. All jurisdictions’ obligations to automatically send datato Bulgaria will remain suspended until a satisfactory review has beenconcluded and the deficiencies identified have been addressed.
Alljurisdictions participating in automatic exchange of information (AEOI) in tax matters, including via the CRS, are requiredto comply with international data security standards before any information issent to them. The Global Forum has a multilateral process to assess jurisdictions’ data security arrangements, which is intended to ensure compliancewith the standards. Nevertheless, the possibility of data breaches within organisations can never be entirely eliminated.
The Global Forum’s process therefore also includes a mechanism to assess andrespond to breaches. This mechanism was accordingly activated when the GlobalForum Secretariat became aware of the Bulgarian breach and its international exchangepartners are being kept informed.
Sincethe breach, Bulgaria has worked constructively and proactively with relevantdomestic authorities, the Global Forum and its international exchange partnersto contain, investigate and address the situation. This has included actions tosignificantly improve the NRA’s internal security arrangements. The NRA hasbeen working with its partner tax administrations with a view to notifying persons whose data were affected in line with relevant legal obligations. The Global Forum Secretariat is appreciative of the open and constructive approachBulgaria has taken.
Itis important to note that the breach was not linked to the OECD Common Transmission System, which continues to ensure the security of information exchanges between tax authorities. Furthermore, any lessons learned will beincorporated into and strengthen the Global Forum’s ongoing assurance processwith respect to all jurisdictions automatically exchanging information.
TheCRS (and all other exchange standards) includes extensive requirements inrelation to safeguarding of the information exchanged, including the actions totake in the event of a data breach. The Global Forum’s multilateral assessment process seeks to ensure that these requirements are met. This includes: (i) apre‑exchange assessment of each jurisdiction to ensure that all tax administrations intending to participate in AEOI have data security arrangements aligned with international security standards in place before theycan receive information; and (ii) a post-exchange assessment that assesses theAEOI systems after they have been implemented and information has beenreceived, and ensures the standards are implemented on an ongoing basis inresponse to evolving data security threats. Some jurisdictions have beenrequired to implement an action plan to address issues identified before a satisfactory assessment has been concluded and information can be received.Assistance is provided to jurisdictions where needed to close the gaps identified.
Source: https://www.oecd.org/tax/transparency/statement-on-the-data-breach-in-the-national-revenue-agency-of-bulgaria.htm
本文来源:科林的税言碎语。
全球财富生活规划平台
