HMRC reverse position on collecting customer IP data from financial institutions

United KingdomScotland

On 26 January 2023, the first report on HMRC’s use of financial institution notices (“FINs”) was laid before Parliament. The report includes a number of important updates, including an unexpected retreat on HMRC’s proposal, previously undisclosed, to use FINs to collect data held by financial institutions on where customers have accessed their online or mobile accounts (i.e., their geographical location by reference to an IP address, “Location Data”). The CMS Tax Disputes & Investigations team has been advising representatives of the UK banking and financial services industry to help secure this significant victory for financial institutions and taxpayer privacy.


HMRC have statutory powers under schedule 36 to the Finance Act 2008 (“Schedule 36”) to compel the sharing of information in order to investigate the tax affairs of both businesses and individuals.

Amongst other types of information notices outlined in Schedule 36, HMRC can issue “third party notices” to require third parties (including financial institutions) to provide certain information where (amongst other conditions):

  • the information is “reasonably required” by HMRC for the purpose of checking the tax position of, or collecting a tax debt from, a known taxpayer; and
  • approval has been given in advance by the First-tier Tribunal (Tax Chamber) (the “Tribunal”), unless the relevant taxpayer has already consented in advance to the information being disclosed to HMRC.

The Tribunal can only approve a third party notice where various conditions have been met, including that HMRC would be justified in issuing the notice in the first place (i.e., that the information is actually reasonably required and that HMRC are not simply on a ‘fishing expedition’).

FINs were introduced from June 2021 as a new type of information notice aimed specifically at financial institutions (although, importantly, HMRC still have the option of issuing third party notices to financial institutions instead).

As with third party notices, information required by FINs must be “reasonably required” by HMRC for the purpose of checking the tax position of, or collecting a tax debt from, a known taxpayer.

However, unlike third party notices, no prior approval is required from the Tribunal and no consent is needed from the relevant taxpayer before FINs can be issued. There is also no right of appeal. The decision as to what is “reasonably required” is, in practice, left to HMRC by default.

This removal of the key safeguards normally associated with HMRC information notices generated widespread criticism from tax professionals and the financial services industry. HMRC attempted to justify the removal of any judicial oversight for FINs on the basis that it was taking too long to comply with exchange of information requests from overseas tax authorities (12 months on average compared with the six-month target set under international standards).

In light of such controversy, an annual report is now required to be laid before Parliament on HMRC’s use of FINs in order to keep this new power under review. In responses to freedom of information requests submitted by our team, HMRC had suggested that the first report might even be published as early as last spring (much earlier than anticipated). However, following delays and the discussions referenced below, that report has finally now been published.

Location Data

The report includes a number of important updates, most notably an unexpected retreat on HMRC’s proposal, previously undisclosed, to use FINs to collect Location Data. Location Data might be relevant in order to determine, for example, the residence of a taxpayer (by establishing the number of days spent in or outside the UK in a particular tax year). The possibility of using FINs in this way was not specifically considered at any time during the consultation process prior to their introduction in June 2021.

As Location Data contains information about an individual’s geographical location at a certain point in time, it is clearly somewhat sensitive (arguably tantamount to surveillance). In the context of non-criminal investigations (FINs and other Schedule 36 information notices are civil powers only), it is arguable that Location Data will therefore be invariably disproportionate. Location Data is also inherently unreliable given the possibility to disguise an IP address (e.g., through the use of VPNs).

For these reasons, Location Data would arguably not be “reasonably required” by HMRC within the meaning of Schedule 36 under any circumstances. Given the lack of independent judicial oversight, this would create potential legal and data privacy issues for financial institutions.

Fortunately, as made clear in the report, HMRC have decided not to go ahead with this proposal following discussions with representatives of the industry. Having advised on these discussions, we are very pleased to have helped secure this significant victory for financial institutions and taxpayer privacy.

Employee and contractor information

As part of the discussions with HMRC referenced above, HMRC also raised the possibility of using FINs to obtain information on employees and contractors of financial institutions (as opposed to their customers). Again, this use of FINs was not specifically considered as part of the consultation process. In addition, as mentioned in the report, concerns were raised that this would unfairly put financial institutions in a different position to other employers. The report notes that HMRC still plan to go ahead with this proposal.

Other observations

Prior to the introduction of FINs, HMRC previously suggested that FINs were expected to have a “negligible impact on about 20 financial institutions, such as banks and building societies”. Similarly, the new report claims that the “number of FINs issued has not substantially increased the number of third-party information notices issued, when compared with previous years”. However, based on the latest available data, HMRC issued 426 Tribunal-approved third party notices in the year ended 31 March 2020 (whether to financial institutions or otherwise) and the report reveals that HMRC have already issued 355 FINs in the nine-month period from 1 July 2021 to 31 March 2022. It will be interesting to see how FINs impact the number of third party notices (i.e., under the old powers) being issued – the potential concern being if HMRC effectively try to replace third party notices to some extent with FINs, thereby avoiding judicial scrutiny.

Unfortunately, the report does not specify the type or number of individual institutions that have received an FIN to date. Contrary to HMRC’s previous suggestions, the legislation defines “financial institution” very widely and can apply to a broad range of entities (and not just a small number of banks and building societies). Please see our previous article here for more information.

Less than 40% of the FINs issued up to 31 March 2022 related to international information requests. HMRC point out that it would be unlawful for them to issue FINs solely in relation to international requests, but given this was the entire justification for introducing FINs in the first place, it does seem odd that the overwhelming majority of FINs have apparently been issued in connection with domestic tax matters.

Moreover, the report states that HMRC are still not quite meeting their six-month target for responding to international information requests, at an average of 197 days (although HMRC expect this figure to improve as legacy cases are resolved).

Given the lack of judicial oversight, HMRC have also previously emphasised other safeguards built into the legislation, in particular that FINs must be approved by an authorised officer of HMRC. As pointed out in our previous article (see here), in practice such approval is not going to be difficult to obtain. Indeed, the new report states that authorised officers have approved over 91% of the applications put to them.


FINs represent a significant and potentially wide-reaching power in HMRC’s arsenal. The latest information indicates that HMRC are willing to use this power in previously unanticipated ways and potentially on a scale larger than expected. All financial institutions potentially affected – not just a handful of banks and building societies - should ensure that they are adequately prepared.

Many financial institutions are likely to already have procedures in place for dealing with information requests from law enforcement authorities, such as HMRC, to ensure that data privacy and other relevant obligations are properly complied with. Such institutions may want to consider whether those procedures should now be reviewed.

Whilst there are no grounds for appealing against FINs, there may be scope for other potential methods of challenge (including, where appropriate, judicial review and appealing against penalties for non-compliance).

CMS Tax Disputes & Investigations

As part of the CMS global network with tax capability in over 70 offices, the CMS Tax Disputes & Investigations team is well-placed to advise on all forms of (direct and indirect) contentious tax matters. Our dedicated specialists have a wealth of experience guiding both individuals and corporates (across a wide range of sectors) through all aspects of tax dispute prevention, management and resolution.

Our team regularly helps clients to challenge HMRC’s use of information powers under Schedule 36 and other provisions, ensuring that matters are resolved efficiently without unnecessarily disclosing sensitive information.

For more information, please contact a member of our team or click here.