State Secretary for Finance - Taxation and Revenue Marnix van Rij sends the House reports of two PwC investigations into the Tax Administration's Fraud Signaling Facility (FSV).
Dear Chairman,
In accordance with the schedule set out in the letter of December 16, 2021 (1), I hereby send your Chamber the reports of two studies by PwC on the Tax Administration's Fraud Signaling Facility (FSV); the first on the effects of FSV for citizens registered by the Directorate of Individuals, the second on the sharing of data from FSV with external parties. I would like to thank PwC for its diligence in identifying both issues. The reports follow the report on FSV registrations by Supplements (2) and precede those for registrations by the SME Directorate and "queries at the gate." The conclusions in the reports are harsh and confirm that FSV was fundamentally flawed. I am weighing the findings in shaping an accommodation scheme for undue consequences of FSV. Below, I will briefly and as factually as possible describe the findings for each report. I will then provide my appreciation and comment on the management actions taken.
PwC finds that FSV performed a registration and consultation function in the surveillance process of Individuals and thus had a limited direct effect, but registered citizens nevertheless experienced effects - from the registration in FSV itself or from the handling process of which FSV was a part. The largest effects occurred when a signal left the board of entry. Although treatment records are missing in a small portion (6%) of the files reviewed by supervision, PwC concludes that the Directorate of Individuals was careful in recording investigations and substantiating conclusions. According to PwC, FSV does not appear to have played a role in drawing conclusions on returns.
However, several observations point to inadequate assurance of the general principles of proper administration, including some observations regarding the use of nationality by the Combiteam Approach Facilitators (CAF). In addition, the investigators found examples in communications within and with the Inland Revenue regarding risk identification where the risk of fraud was based on personal characteristics such as nationality and external appearance. These I strongly disapprove of.
In line with findings previously shared and discussed with your Chamber (3), PwC concludes that it is highly plausible that citizens were excluded from amicable debt restructuring for natural persons (MSNP), tax debt forgiveness, or a personal allowance debt payment plan when their registration in FSV had the "1x1 check mark" turned on. An estimated 4% of the study population made such a request. The 1x1 checkmark indicated possible fraud, but could be interpreted by the Recovery Department as proven fraud.
Similar to the Autoriteit Persoonsgegevens (AP) report on FSV (4), the researchers conclude that the privacy of citizens registered in FSV was violated. For example, registrations were almost never deleted and PwC estimates that a portion (11%) of the population included special personal data or information about nationality. The processing of these data in FSV was unlawful.
In the "analysis at the gate" process, income tax returns can be selected for checking for possible inaccuracies (5). Until early 2018, the citizens involved in this were also registered in FSV. As in the Tax Administration's own earlier study of "analysis at the gate" (6), PwC concludes that a portion (6% of FSV registrations) of these citizens were subject to intensive monitoring for longer than they should have been according to internal regulations. In addition, files used to record the outcomes of the "analysis at the gate" process in FSV were not removed from the Tax Administration's disks.
PwC estimates that about 5% of the surveyed population was registered in FSV based on a signal from CAF. A number of concerns emerged from the file analysis based on these registrations. PwC notes that nationality-based analyses were done in several CAF investigations to gain visibility into groups that were likely using facilitators. My predecessor shared similar signals with your Chamber Nov. 15, 2019 (7) and very rightly distanced himself from them. The investigators found documentation that appears to suggest that investigations of citizens were initiated to use as leverage in the investigation of a facilitator.
PwC analyzed approximately 300,000 emails from the functional mailboxes in which signals registered in FSV arrived at the Tax Office. In these, PwC observed 536 instances of sharing with a third party. In doing so, PwC broadly distinguished three types: exports, information about registrations and loose signals.
Four emails were found with lists of more than 11,000 BSNs added together. In this observation, I requested and received clarification of the report: one email was addressed to the software developer involved in building FSV. On one occasion, a list of citizens was sent to the private e-mail address of an employee with authorization to FSV. The list was sent with a request to include the BSNs in FSV. Two times involved a consulting firm that was performing an analytical assignment for the Internal Revenue Service.
A total of 576 BSNs were mentioned in 343 emails with information about registration in FSV. This may be direct, as when it is reported that the citizen in question was in FSV. It may also be indirect, such as in the response to a report from another organization in which a colleague from the Tax Department is asked in the cc to register the report in FSV.
Separate signals were forwarded in 189 emails that also occurred or could occur in FSV. In these, 275 citizens were mentioned.
Sharing took place with government parties such as UWV, the SVB, municipalities, the criminal justice chain and the Ministry of Justice and Security. In 25 cases, information was shared with private parties such as health insurers and consulting firms, in 21 cases with civil society organizations (e.g., for guardianship) and 20 times with other parties, such as the private email of Tax Department employees, among others.
The question of why information was shared and whether there is a basis for this is beyond the scope of the study. In an initial analysis, however, PwC finds no basis for the type of data sharing observed in three covenants examined with implementing organizations. The researchers point out that there are about 80 other potentially relevant functional mailboxes that were outside the scope of the study. Also, business e-mail boxes of individual employees were not analyzed.
The findings from both reports are serious and confirm that the safeguards in place around supervision and data protection at the Tax Administration have been inadequate. The conclusions on MSNP, privacy and "analysis at the gate" were already known (8), and improvement actions have already been initiated. On other issues, the reports show that further action is needed. I address both.
The observed privacy violation confirms that the decision to turn off the facility in February 2020 was justified (9). The signals process in which FSV was used is currently at a standstill. A new facility has been developed to support the process. It will be put into use after advice from the Data Protection Officer (FG) and the AP on the Data Protection Impact Assessment (DIA).
Furthermore, as communicated earlier (10), a bill on Data Processing Safeguards for Tax Administration, Surcharges and Customs is being prepared. This bill aims to strengthen the foundations for data processing, make them future-proof and create a legal framework for guaranteeing lawful, proper and transparent data processing.
In January 2021, the Tax Administration began an analysis to determine which citizens' requests for debt restructuring may have been wrongfully denied. With the quarterly HVB report of November 25, 2021 (11), your Chamber was informed of the latest status. I will have the signals that the 1x1 registration in FSV may also have been used in the assessment of debt remission requests investigated. Based on this, I will determine the number of affected citizens for this as well and identify and approach them. My starting point is that those who have been unjustly denied amicable debt settlement, remission or personal payment arrangements will be eligible for the relief scheme that I am developing in compliance with your House's budget rights.
The results of the "analysis at the gate" process have not been included in FSV since the beginning of 2018. In addition, additional safeguards have been established to prevent citizens' declarations from being unnecessarily involved in intensive monitoring (12). The Audit Department Rijk (ADR) has reviewed and described the presence and operation of these (13). PwC is currently investigating the queries (searches) used in "analysis at the gate." I expect to share that report with your Chamber in early March 2022. The files found by PwC on the disks containing the results of the "analysis at the gate" process should not have been accessible except for research purposes. In order not to disrupt any future research, they will not be removed but will be secured in a protected environment.
External information sharing is necessary for effective supervision, but it must be done properly. PwC recommends reviewing safeguards around the dissemination of risk signals. Employee access to the mailboxes where information requests come in is now highly restricted and authorizations are monitored. An GEB has been established for the relevant process of information requests. Long-term efforts are underway to broadly improve the process of information flows, including signals and information requests, also to implement the government's vision of sharing information through secure platforms.
I find basing the risk of fraud on nationality or appearance unacceptable. PwC's observations are therefore extremely worrisome. My predecessor indicated earlier (14) that nationality should only be used in enforcement if there is an explicit legal basis for doing so. I concur. The Tax Administration has launched a sweep of applications and lists that include nationality data. Your Chamber was informed of the latest status in the quarterly HVB report (15).
On January 27, 2021 (16), my predecessor reported to your Chamber that the work of CAF has definitively ended. I consider it desirable that there will be complete clarity about the investigations and working methods of CAF and the steering of them from, for example, the MT Fraud. Earlier, my predecessor promised Member Omtzigt an investigation. I will have this conducted externally. Because the investigation must be put out to tender, it will unfortunately not be possible to inform your Chamber as promised earlier this month. When an external party has been selected, I will inform your Chamber about the planning and design via the quarterly HVB report.
PwC points out that more information from FSV may have been shared externally than the attached investigation revealed; it has identified additional email boxes from which FSV data may have been shared. I believe it is important for citizens to have the fullest possible picture of who their data has been shared with and intend to have the identified functional mailboxes investigated as well. In that context, the extent to which there was a sufficient legal basis for the identified data sharing will also be further examined. In addition, the Tax Administration will enter into consultations with the organizations with which data was shared.
The AP asked the Tax Administration to share with it new information on external data sharing. I have therefore provided the report on FSV data sharing with external parties to the AP. In line with Member Marijnissen's motion (17), where possible, the Tax Administration will inform citizens about whom information from or about an FSV record has been shared.
As also pointed out by my predecessor, FSV had fundamental flaws and the facility should never have been used in this way. At the same time, it is the Tax Administration's responsibility to monitor the accuracy and completeness of returns. Risk selection and the processing of signals are an essential part of this. My predecessor started on the road to the right safeguards in supervision and data protection with the plan of approach Herstellen, Verbeteren, Borgen (18). I will continue its trajectories and will return to the management measures described above in the next quarterly HVB report.
The picture of the effects of FSV is not yet complete with these two studies. PwC is conducting several studies. On December 3, 2021, your Chamber received the first report (19), which describes the effects of registrations by Toeslagen. In addition, one study on the effects of registrations by the SME Directorate and one on the "queries at the gate"-queries used that could lead to inclusion in FSV-are currently underway. Unfortunately, I must slightly adjust the schedule outlined by my predecessor on December 16, 2021 (20). Because delivery has been delayed, I expect to share the report for SMEs in late February, and that for queries in early March 2022, with your Chamber.
I will use all findings in the attached and upcoming reports in further developing a compensation scheme for undue consequences of FSV, as requested by your Chamber in the motion of Member Snels (21). In his letter of December 6, 2021 (22), my predecessor discussed the contours of such a scheme and the dilemmas involved. Important issues here include whether, and if so how, violation of privacy is in itself grounds for a form of relief, who should administer such a scheme, and the desired and feasible degree of customization in the implementation of such a scheme. I will return to the elaboration in the first quarter of 2022.
Sincerely,
Secretary of State for Finance - Taxation and Revenue,
Marnix L.A. van Rij
(1) Parliamentary Papers II 2021/22, 31 066, no. 949
(2) Administrative response to FSV Toeslagen research report "Effects Fraud Alert Facility on Beneficiaries," December 3, 2021
(3) Parliamentary Papers II 2020/21, 31 066, no. 681, no. 807 &Board response to FSV Toeslagen research report "Effects Fraud Alert Facility on Beneficiaries," December 3, 2021, technical briefings October 14 and 28, 2021
(4) Parliamentary Papers II 2021/22, 31066, no. 911
(5) Parliamentary Papers II 2020/21, 31 066, no. 711, no. 803
(6) Research declarations with AKI 1043-1044, Parliamentary Papers II 2021/22, 31 066, no. 920
(7) Parliamentary Papers II 2019/20, 31 066, no. 538
(8) Parliamentary Papers II 2019/20, 31 066, no. 681, 2020/21, no. 801, 2021/22, no. 920
(9) Parliamentary Papers II 2019/20, 31 066, no. 604
(10) Most recently when answering factual questions on FSV, Parliamentary Papers II 2021/22, 31066, no. 930, inter alia answer 17
(11) Parliamentary Papers II 2021/22, 31 066, no. 920
(12) Parliamentary Papers II 2020/21, 31 066, no. 803
(13) Parliamentary Papers II 2020/21, 31 066, no. 802 & 2021/22 31 066, no. 920
(14) Parliamentary Papers II 2019/20, 31 066, no. 538
(15) Parliamentary Papers II 2021/22, 31 066, no. 920
(16) Parliamentary Papers II 2020/21, 31 066, no. 807
(17) Parliamentary Papers II 2019/20, 28 362, no. 41
(18) Parliamentary Papers II 2020/21, 31 066, no. 709
(19) Administrative response to FSV Toeslagen research report "Effects of Fraud Alerting Facility on Beneficiaries," December 3, 2021
(20) Parliamentary Papers II 2021/22, 31 066, no. 949
(21) Kamerstukken II 2020/21, 31 066, no. 776
(22) Kamerbrief contours tegemoetkoming FSV, December 6, 2021
View the Retail Securities Report from PwC
View the Report External Data Sharing from PwC's FSV
