MOST AMERICANS would gladly opt out of their long-term relationship with the Internal Revenue Service. To that end, a good many of us pay CPAs to ensure we don’t give the IRS one penny more than we must.
So when sundry people and corporations manage to avoid paying billions in arguably due taxes, you’d think we might celebrate them as rebels for our cause. We don’t. We make of them objects of scorn. Willingly or not, if we have to cough up, we reason, so should they. Else, we are carrying their load.
Readers may recall hotel magnate Leona Helmsley, who with her husband was convicted of tax evasion in 1989. It seemed the Helmsleys had written off $8 million under hotel maintenance expenses which they had in fact spent remodeling their private, 21-room mansion. At trial, the Helmsleys’ housekeeper famously testified to having heard Leona say, “We don’t pay taxes. Only the little people pay taxes.”
The Helmsleys broke the law, but even legal tax evasion can get up the public’s dander. Perhaps you have heard the words “tax return” bandied about with reference to a certain presidential candidate. The accusations of “not paying taxes” do not include a reference to fraud—although perhaps some raising the hue and cry would gladly let you infer as much—but rather that it simply ain’t fair.
Apple, Inc. should be pleased.
The noise of the election tax issue has to an extent diverted attention from Apple’s recent, alleged abuse of international tax laws. Apple took advantage of what is colloquially known as the Double Irish Arrangement, which essentially consists of setting up a company that doesn’t really exist in any particular place along with a nominal presence in Ireland to meet minimal tax obligations.
… most profits were internally allocated away from Ireland to a “head office” within Apple Sales International. This “head office” was not based in any country and did not have any employees or own premises. Its activities consisted solely of occasional board meetings. Only a fraction of the profits of Apple Sales International were allocated to its Irish branch and subject to tax in Ireland. The remaining vast majority of profits were allocated to the “head office”, where they remained untaxed.
Therefore, only a small percentage of Apple Sales International’s profits were taxed in Ireland, and the rest was taxed nowhere. In 2011, for example (according to figures released at US Senate public hearings), Apple Sales International recorded profits of US$ 22 billion (c.a. €16 billion) but under the terms of the tax ruling only around €50 million were considered taxable in Ireland, leaving €15.95 billion of profits untaxed. As a result, Apple Sales International paid less than €10 million of corporate tax in Ireland in 2011 – an effective tax rate of about 0.05% on its overall annual profits. In subsequent years, Apple Sales International’s recorded profits continued to increase but the profits considered taxable in Ireland under the terms of the tax ruling did not. Thus this effective tax rate decreased further to only 0.005% in 2014 …
The Commission’s investigation has shown that the tax rulings issued by Ireland endorsed an artificial internal allocation of profits within Apple Sales International and Apple Operations Europe, which has no factual or economic justification.
The European Commission has ordered Apple to pay the equivalent of about $14.5 billion US plus interest in back taxes. This is not good news for Apple, even though a Washington Post article opined that “…$14.5 billion in back taxes is just a slice of Apple’s cash stockpile.”
In an open letter on behalf of Apple, CEO Tim Cook stated Apple’s intention to appeal. Meanwhile, the United States has expressed concern that the repayment could unfairly fall upon U.S. taxpayers’ shoulders. Bgr.com’s Chris Mills wrote:
The US Treasury Department has been unusually vocal about this case, in statements last week and also after the ruling was handed down today. Mostly, the Department objects to retroactive taxation, which is says is “unfair, contrary to well-established legal principles, and call into question the tax rules of individual Member States.”
Apple isn’t the only multinational hovering over hot water for exploiting international tax loopholes. It is to date simply the most infamous. Last year at this time, the EU ordered Starbucks and Fiat Chrysler to repay in euros the equivalent of about $34 million US apiece. As I write, the EU is looking into Amazon, McDonald’s, and Google, to name a few.
In two weeks, the election will be over and with it, hopefully, its accompanying noise. Perhaps at that time the tax conversation will resume with Apple et al as its focus.
TODAY’S OBJECT LESSON begins in the mid 19th century, when a Minnesota jewelry store declined a shipment of watches.
Railroad agent Richard Sears purchased the shipment, peddled the watches, and ordered more. Knowing a good thing when he saw one, he quit the railroad and set up a mail order watch business. A year later, he moved to Chicago, partnered with Alvah Roebuck, expanded into farming equipment and supplies, and published what became a highly successful mail order catalog. That was in 1888. By the 1970s, Sears, Roebuck and Company, today simply known as Sears, had become the world’s largest retailer.
In time, Sears diversified into the financial services arena. They created Allstate Insurance Company in 1931. Later, Dean Witter and Coldwell Banker real estate fell under the Sears umbrella. Sears introduced the Discover card in 1985.
There simply was no catching Sears.
Which may come as a surprise to anyone who happens to know that things soon began going south for the once uncatchable Sears. So south that, in 2005, bankrupt Kmart was able to buy Sears outright.
Today the world’s largest retailer is a company by the name of Walmart. You may have heard of Walmart. It attained world’s-largest status in 1990.
Other instances of toppled business giants abound. If you haven’t heard of WordStar, you probably weren’t doing much writing in the mid 1980s. That’s when WordStar was the dominant player in the word processing software market. There simply was no catching them. Until, that is, WordPerfect took the world by storm, and there simply was no catching them. Until, that is, Microsoft Word came along and, like many things Microsoft, took over.
Or, take Prodigy (in which Sears was a partner), which gave way to AOL, which gave way to Netscape, which gave way to Explorer, which gave way to Google, which you may also have heard of. Likewise, there was no catching Kodak, once the world’s leading film marketer and, no less, the inventor of the digital camera. They filed for bankruptcy in 2012. There once was no catching Dell, Blockbuster, and Motorola, either.
Underlying all of this is a lesson of humility and caution for giant companies and one of hope for up and coming, scrappy ones.
For the former, the lesson of caution is never assume you’re safe, that you’re uncatchable. For the latter, the lesson of hope is, who says you can’t become the next world’s largest?
It’s not hard to pick out the banker in a Western. Just look for someone sporting sleeve garters and a translucent visor.
This is a rare case in which Hollywood actually gets things right. In the late 19th century, sleeve garters served a practical purpose. Back then, you couldn’t walk into Nordstrom and ask for your neck size and sleeve length; if you couldn’t afford your own tailor, you made do with a one-size-fits-nobody. Shirt makers tended to err on the side of making sleeves way too long, so unless you wanted cuffs below your fingertips, you’d don garters to hoist them up where they belonged. This also helped reduce soiling from dragging sleeves over ink, dusty shelves, and musty documents.
Translucent green visors came along a little later on the heels of newfangled incandescent lighting. Clerks donned the visors to protect their eyes from the harsh overhead light of early bulbs. That’s also why green shades sit atop the traditional banker’s lamp.
Fast forward to a few decades ago …
Worsted and flannel suits in navy and charcoal gray had become all but required attire for bankers and other professionals. Suits were dark and somber for two reasons. One was that dark fabrics hide stains better than light ones. The other was that, until dry cleaning came along, the only way to make a stain “disappear” was to dye the whole suit a few shades darker.
Fast forward to today …
A growing number of banks are opting for business casual, having traded the suit and tie for khakis and sport shirts.
Assuming, that is, we’re talking about banks that still bother with physical locations. For all you know, your online banker could be in a T-shirt and blue jeans.
And that has marketing implications. Despite their practical origins, sleeve garters, visors, and, later, dark suits circled around to become symbols of professionalism. You could walk into a bank, see the attire, and—right or wrong—feel some assurance that you were dealing with competence.
The new challenge is to convey an aura of competence absent the traditional trappings that once characterized banks. That job increasingly falls to websites and apps. More than function, they must look and feel like the kind of business to whom people would willingly entrust their funds, business and personal information, and more.
Branding isn’t going away. Like everything else, it’s going digital.
Data breaching is big business. It is, as I wrote last week, something of an arms race. When we strengthen our armor, we don’t send the bad guys home in ignominious defeat; we send them off to upgrade their armor-piercing weaponry so they can return for another foray.
The financial fraud arms race is as old as currency itself, and there’s no reason to expect it ever to end. Last week, HEI Hotels became the latest large-scale victim, following in the footsteps of notables like MySpace, the Internal Revenue Service, The Home Depot, Target, Neiman Marcus, and others.
The above are not anomalies. If you’re in the mood for being alarmed, click here to view “World’s Biggest Data Breaches: Selected losses greater than 30,000 records. Lest bankers seek solace in the thought that breaches are more a retail than a banking problem, click “banking” in the filter box at the upper right.
But before you decide that your best option is to wait out the arms race under your desk in fetal position, I have good news. There is much that banks can do to protect themselves, merchants, and consumers.
Here are a few tips:
Keep up with security technology. Bad guys regrouping and returning notwithstanding, it turns out that we good guys are pretty good at keeping pace and, at times, a step or two ahead. To ignore the state of the art is to look for trouble. That should go without saying, but you’d be surprised how many financial institutions give data security more lip service than action. To be sure, upgrading is costly in terms of software, hardware, retraining personnel, and, sometimes, retraining consumers. But the cost of keeping current is a bargain compared with the costs—which include legal, insurance, and client confidence costs—of a serious breach.
Keep up with security news. A host of business and financial publications are available and useful. Still in the mood for a good but needful scare? Try UBM Technology’s DarkReading.com. You might also follow UBM’s blackhat blog and consider attending a blackhat® convention.
Never assume the security arms race has been won. The much-heralded credit card chip has a track record of reducing but not eliminating fraud.
If your financial institution is small, don’t fall into the trap of thinking you’re an unlikely target. Smallness may increasingly make you a more likely target. Like anyone, hackers prefer the course of least resistance. More hackers are turning their attention to smaller banks and other smaller businesses that tend not to be able to afford the best protections or not to bother with them. Which means you must bother with them and find a way to afford them.
Beware the isolation trap. Data security is its own field of expertise. Even if you employ your own, first-rate team of tech geniuses, their combined expertise cannot approach that of companies entirely focused on digital banking technology. (Note: Should you accuse me of using my blog to make a blatant, shameless pitch for the likes of my employer, Fiserv, I’m offended at the accusation—even though that’s exactly what I’m doing. I highly recommend checking out our compliance and fraud management page among others.)
Be proactive in educating your merchant and consumer clients. This is as much a marketing as a security measure. Security concerns have been known to hold people back from adopting mobile banking technology. Educating clients on security precautions increases mobile technology adoption.
For merchants, PC Magazine’s Max Eddy reported on an interesting piece of advice: Do not use chip reading terminals that still have magnetic stripe reading capability. According to Eddy, during a recent Black Hat conference, security guru Peter Fillmore showed that terminals which read both chips and stripes leave an exploitable security gap. Fillmore also demonstrated the ease of capturing data from tap cards.
For what it’s worth, Eddy reported that Fillmore had reluctant, high praise for Apple Pay:
“I want to kick at Apple Pay but I can’t,” Fillmore joked. “It’s one of the best methods for these transactions … and is generally more secure than your cards.”)
Fillmore said that Apple Pay has a lot going for it since it has a separate secure element chip and performs the transactions on that secure chip. But Fillmore reasoned that Apple Pay is susceptible to the attacks he demonstrated because the cards themselves are insecure. It would depend on the cards loaded into Apple Pay and if an attacker found a way to force someone to make a particular transaction in order to snag the data.
For consumers, U.S. News & World report contributor Anisha Sekar suggests that financial institutions advise them in the basics: only buy from websites whose URL starts with “https,” set up alerts for every card and digital transaction, sign card backs, avoid use of public Wi-Fi, and, to limit personal liability, notify the bank immediately of a lost or stolen card.
I urge you to take heed. I don’t want to see you on the next version of the World’s Biggest Data Breaches: Selected losses greater than 30,000 records. There are better ways to earn recognition.
HEI Hotel properties affected by the breach
(click to enlarge)
You may not have heard of HEI, but you have certainly heard of the 20 potentially targeted properties, or at least their brands, that HEI operates. These include Marriott, Hyatt, Equinox, Intercontinental, Sheraton, Westin, and others.
From the HEI Notice:
Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software on our payment processing systems at certain properties designed to capture payment card information as it was routed through these systems.
HEI believes the malware could have affected “… payment card data—including name, payment card account number, card expiration date, and verification code—of customers who used a payment card at point-of-sale terminals at the affected properties.”
According to a DigitalTrends.com report released two days ago, the malware had its way with HEI for a whopping 15 months, from March 1, 2015 through June 21, 2016. That’s plenty of time for tens of thousands of transactions.
HEI operates high-end properties, so it may not be unreasonable to assume that the average wealth of those targeted, and their respective card limits, may be higher than, say, the average THD or Target shopper. Moreover, both business and consumer credit cards may have been hacked.
Digital security is an arms race. Each time the good guys come up with a new way to foil hackers, the hackers simply busy themselves defeating it. I don’t expect the arms race to end anytime soon, if ever. Not even chip cards will do away with fraud, although chip use in Canada and other countries has reduced it.
But we needn’t sit helpless. There is much that banks, merchants, and consumers can do to protect themselves. In next week’s post, I’ll go into that in more depth.