Subscribe to news digests

News Search

Industry News

Switzerland suspends automatic information exchange with Bulgaria following data leak

Monday, 7 October, 2019

The Swiss Federal Council has cancelled the automatic exchange of financial account information with Bulgaria, following the discovery that the personal data of four million Bulgarian and foreign taxpayers was hacked from the Bulgarian National Revenue Agency in July.

As well as names, addresses, personal identification numbers and dates of birth of Bulgarian and foreign nationals, the leaked data includes individuals' annual tax returns; records of their income; 'acts of administrative violations'; health and social insurance status; and tax information automatically exchanged with foreign governments.

The personal information of 189 individuals was publicly disclosed by the hackers. These victims are at special risk of impersonation by fraudsters and have been personally contacted by the Bulgarian authorities.

Swiss-resident individuals with accounts in Bulgaria were also affected by the leak, as were individuals with tax residence in Bulgaria with bank accounts in Switzerland. Once Bulgaria had confirmed this to the Swiss authorities, the matter was referred to the Swiss Federal Council, which immediately exercised its powers under the Federal Act on the International Automatic Exchange of Information on Tax Matters to suspend the exchange of data with Bulgaria.

The 2018 financial account data collected by the Swiss financial institutions, and passed to the Swiss federal tax authority at the end of September 2019 under the bilateral agreement between Switzerland and the European Union, will thus not be passed to Bulgaria until the security problem is resolved. Bulgaria's corrective measures will have to be validated by the OECD Global Forum on Transparency and Exchange of Information for Tax Purposes before exchange is resumed.

Switzerland automatically exchanges personal financial account information with 75 countries, but has always maintained that it will only work with jurisdictions whose data security and probity can be trusted.

This is the first time it has suspended cooperation because of a publicly admitted leak, although it has named 11 other countries that it considers do not meet its security requirements.

Sources