EU Public CbCR : How Luxembourg's European passport helps banks meet reporting rules

As a premier financial hub at the heart of Europe, with easy access to major European markets and financial centers, Luxembourg attracted over 100 banks in 2024¹. Over the years, it has cultivated a strong culture of investor protection by proactively adopting best practices in transparency and global anti-tax evasion measures. In this context, Luxembourg implemented Public Country-by-Country Reporting (CbCR) in 2023 as part of the OECD Base Erosion and Profit Shifting (BEPS) project. While these reporting obligations may initially seem resource-intensive, they can become valuable assets for multinational enterprises (MNEs) and financial institutions that integrate robust compliance systems into their operations.

Luxembourg and its Regulatory Framework

In line with global efforts to enhance tax transparency and prevent tax avoidance, Luxembourg has undertaken a series of initiatives to reshape its financial landscape and align with international standards set by the Organization for Economic Co-operation and Development (OECD) and the European Union (EU).

In particular, Luxembourg has implemented the Common Reporting Standard (CRS), which facilitates the automatic exchange of information (AEOI). Additionally, the OECD Base Erosion and Profit Shifting (BEPS) project introduced Country-by-Country (CbC) Reporting, requiring multinational enterprises (MNEs) to provide detailed disclosures on global income, taxes paid, and economic activities. To further bolster its regulatory framework, Luxembourg has incorporated the Anti-Tax Avoidance Directives (ATAD) and the Directives on Administrative Cooperation (DAC).

For banks operating in Luxembourg under the European passport, these developments are significant. The European passport allows banks authorized in one EU Member State to offer services across the EU without needing additional licenses. Although this framework supports cross-border banking efficiency, it also demands robust risk management and compliance systems to meet evolving regulatory obligations.

Understanding CbCR and Public CbCR

The primary goal of Tax CbCR (simply referred to as CbCR) is to provide tax authorities with a comprehensive view of an MNE's global activities, enabling them to assess risks and enforce tax compliance. This framework applies to MNEs with consolidated group revenue equal to or exceeding EUR 750 million in the preceding fiscal year. The Ultimate Parent Entity (UPE) is responsible for filing the CbC report.

Public CbCR² extends this framework by requiring MNEs to publicly disclose (often through the MNE website or a public registry) certain financial and operational data on a country-by-country basis. This applies to MNEs and standalone undertakings operating in the EU with consolidated revenues exceeding EUR 750 million in the last two consecutive fiscal years. However, concerns about the confidentiality and security of sensitive financial data remain significant challenges for both CbCR and Public CbCR.

Both frameworks target similarly sized MNEs but differ in purpose: CbCR is focused on helping tax authorities assess risk, whereas Public CbCR is about public accountability by making financial data accessible to a wider audience.

When do CbCR and Public CbCR apply

CbCR applies to MNEs with consolidated group revenues of at least EUR 750 million in the preceding fiscal year. These entities must provide detailed financial data for each jurisdiction in which they operate, giving tax authorities a global view of income allocation, taxes paid, and other financial metrics. This helps identify transfer pricing risks and tax avoidance strategies.

In Luxembourg, CbCR obligations³ require that a UPE residing in Luxembourg file a CbCR report. Surrogate Parent Entities can file on behalf of the group if designated, while subsidiaries must file locally if neither a UPE nor a surrogate parent fulfills the reporting obligation elsewhere.

Public CbCR applies to MNEs and standalone undertakings operating in the EU with consolidated revenues exceeding EUR 750 million in the last two consecutive fiscal years. This requirement applies regardless of the location of the UPE if the entity has significant operations in the EU. The goal is to improve corporate transparency by requiring public disclosure of financial data.

In Luxembourg, the disclosure requirements stipulate that detailed information must be provided for each EU Member State and for jurisdictions identified by the EU as non-cooperative jurisdictions (i.e., Annex I of the EU List) or under review by the EU (i.e., Annex II of the EU List). For all other jurisdictions, data can be presented in aggregate form. This information must be submitted through a standardized template and a common electronic reporting format.

How to disclose CbCR/ Public CbCR and Key Exemptions

CbCR is submitted confidentially to tax authorities. In Luxembourg, these reports are filed electronically via the MyGuichet.lu platform, following the OECD XML Schema format. They include key financial metrics such as revenue, profit or loss, taxes paid, and employee numbers for each jurisdiction where the MNE operates. CbC Reports remain strictly confidential, shared only among tax authorities under the OECD Multilateral Competent Authority Agreement (MCAA) or bilateral treaties.

Public CbCR, in contrast, is publicly disclosed to increase transparency and build stakeholder trust, aligning with Environmental, Social, and Governance (ESG) principles. In Luxembourg, companies are required to publish Public CbCR reports on their websites or on the website of the Trade Register⁴ and publish them by way of a filing notification in the Recueil électronique des sociétés et associations (RESA). The format requires clear, non-technical language for accessibility. Reports must be updated annually and remain publicly accessible for at least five years.

The EU Public CbCR directive includes several key exemptions to balance transparency with simplified compliance for MNEs:

• Revenue threshold: MNEs with consolidated revenue below EUR 750 million in the last two consecutive fiscal years.
• Equivalent reporting: If the parent company is subject to equivalent public CbCR rules in another jurisdiction, duplicate reporting under the EU directive is not required. In Luxembourg, if an MNE parent company is in a country with equivalent rules, the Luxembourg entity can use the parent report to meet its own requirements, reducing the need for duplicate reports across jurisdictions. However, Luxembourg authorities must verify that the foreign rules meet EU standards, ensuring transparency and accessibility.
• Confidentiality: MNEs may withhold specific information on a case-by-case basis if disclosure could harm their commercial position.
• Public disclosure on website: MNEs are not required to publish the report on their own websites if it is already publicly available on the RCS website and published with a filing notification in the RESA in a free, electronic, machine-readable format. However, they must include a notice on their websites explaining this exemption and provide a link to the RCS website where the declaration can be accessed.
• Surrogate entity: Non-EU parent entities can assign an EU-based surrogate parent entity to handle public CbCR obligations. This entity consolidates and reports the group financial information, avoiding duplicate reporting if the non-EU parent already complies with equivalent rules. This approach allows MNEs to choose the most suitable EU-based entity for compliance management.
• EU Parent companies: If the parent company of an MNE is based in the EU and already meets Public CbCR requirements in its home EU country, its subsidiaries or branches in other EU countries may not need to submit separate CbCR reports.
• Exemption for EU Banks with UPE in the EU – Simplified Public CbCR Compliance: Banks with their UPE located in the EU benefit from an exemption under the Capital Requirements Regulation (CRR)⁴. This exemption allows EU banks to use their existing CRR-compliant disclosures to meet Public CbCR obligations, avoiding the need for separate reports.

However, Luxembourg's implementation of the EU Public CbCR directive through the Law of December 2021 presents some discrepancies:

• Designation of Surrogate Parent Entity: Luxembourg law does not currently clearly address the EU directive requirement for non-EU parent entities to designate an EU-based surrogate parent.
• Scope of Reporting: The Luxembourg framework does not specify whether surrogate entities must report on non-EU group activities, as the EU directive mandates.
• Notification and Approval: The process for designating a surrogate parent entity, outlined in the EU directive, is not fully reflected in Luxembourg law.

These gaps in legislation may create uncertainty for MNEs regarding their reporting obligations, potentially leading to incomplete or non-compliant submissions. In the near future, one can expect the Luxembourg tax authorities to clarify these discrepancies and align national laws with EU requirements. Yet, the directive should take precedence over national legislation.

Challenges for Banks in Complying with CbCR and Public CbCR

Banks face several challenges in meeting CbCR and Public CbCR requirements, including complex reporting standards, the need for data management systems, and the technical support required to manage these processes effectively. Additionally, varying interpretations of CbCR and Public CbCR rules across jurisdictions can create uncertainty.

To address these challenges, banks can adopt standardized data collection processes, conduct regular audits, and establish clear compliance policies. These measures ensure consistency, identify discrepancies early, and provide guidance in navigating regulatory complexities.

Data Accuracy and Consistency

When publishing Public CbCR reports, banks need to ensure they are easy to understand, accessible, and hosted securely. With the five-year accessibility requirement, banks must also have a plan to archive reports properly.

Confidentiality is another concern. Publicly sharing detailed financial data could reveal sensitive business strategies, so banks must balance transparency with protecting their competitive edge.

Operating in multiple jurisdictions adds complexity, especially when local laws conflict with EU rules. This is even more challenging in non-EU countries, where data privacy laws may conflict with CbCR obligations.

Public CbCR disclosures can attract scrutiny from the media, NGOs, or the public, especially in cases involving low-tax jurisdictions. Banks need to manage their reputation by communicating transparently.

The Future of the Compliance Landscape for Banks in Luxembourg and the EU

Luxembourg banks can turn compliance obligations into opportunities. Its integration of the EU passport system with CbCR reporting offers banks a unique opportunity to streamline operations and enhance compliance. By embracing transparency and innovation, Luxembourg banks can maintain their competitive edge and solidify their position as reliable and ethical financial institutions on the global stage.