Fisherman throwing fishing nets after sunset

How financial institutions can stay CRS compliant

Related topics

As scrutiny increases on CRS compliance, global financial institutions must prepare and have a governance framework in place.

  • The OECD has urged tax authorities to perform desktop reviews, utilize analytics, and conduct in-person audits to ensure compliance.
  • The primary focus areas for audits are data quality, governance, and accurate identification of in-scope entities and products.
  • Financial institutions have various methods to enhance CRS compliance, such as staying updated on filing deadlines and reviewing implementation controls.

Financial institutions around the world are experiencing an increase in notices and other inquiries as tax authorities seek to enforce the Common Reporting Standard (CRS).

The latest Organisation for Economic Co-operation and Development (OECD) 2022, Peer Review of the Automatic Exchange of Financial Account Information report highlights shortcomings both in correctly identifying in-scope entities and in reporting complete and accurate information from the entities identified.

The review focused in particular on the ability of tax authorities to check that financial institutions are reporting as required and whether information is accurate. It called out actions by tax authorities to conduct desktop reviews, deploy analytics and conduct in-person audits on compliance. The review also noted the extent to which tax authorities had issued penalties as part of their compliance approach.

The CRS, developed in response to a request from the G20, and approved by the OECD Council in 2014, calls on jurisdictions to obtain information from their financial institutions and conduct an Automatic Exchange Of Information (AEOI) with other jurisdictions on an annual basis. It sets out the financial account information to be exchanged, the financial institutions required to report, the different types of accounts and taxpayers covered, and common due diligence procedures to be followed by financial institutions. 

To assess compliance, the OECD is conducting a range of peer reviews designed to verify firstly whether individual jurisdictions have implemented appropriate legal frameworks and secondly whether the AEOI is effective in practice. The report from the latest round of reviews, published in November 2022, uses a green, amber and red traffic light system to indicate whether each jurisdiction has appropriate frameworks ‘in place,’ ‘in place but needing improvement,’ or ‘not in place,’ and also whether their AEOI is deemed ‘on track,’ ‘partially compliant,’ or ‘non-compliant.’ A further review, likely to begin this year, is expected to involve a more detailed assessment, including the proper preparation, validation and transmission of data.

Although the peer reviews indicated that the majority of tax authorities were on track, closer reading of the peer review report indicates that around 10%–15% of jurisdictions could be considered leading class, using a wide range of measures to check compliance, including analytics, audits and penalties. But around 40% of jurisdictions have significant steps to take to get to the OECD’s minimum standards.

How tax authorities are responding and what they are looking for

No jurisdiction wants an amber or red review, and consequently, financial institutions across the globe have experienced a significant increase in inquiries from revenue authorities. Some jurisdictions have been issuing questionnaires as a means to identify areas of risk that they might wish to investigate further. In many cases, the completed questionnaire, or other data provided, will lead to a more detailed compliance check, often starting with a desktop review and sometimes progressing to an onsite visit. In some cases, the tax authority will ask if the financial institution has had an independent review of its compliance.

Three main areas are under scrutiny

In some countries, there is still an element of debate over what constitutes an in-scope entity. Canada, for example, has used domestic legislation to exempt a product considered low risk and institutions which they consider to be passive entities, versus financial institutions, and the OECD reviewers have disputed these decisions, according to Jillian Nicolson, partner at Ernst & Young LLP.

Businesses there need to adhere to domestic legislation until the issue is resolved, but the eventual resolution will be in the government’s interest. Impacted entities, such as holding companies and certain private trusts, should monitor legislative developments, as a reversal would cause a significant change in responsibilities. Linked to this, in some jurisdictions, including Australia, Ireland and Singapore, there has been an increase in notices for institutions that have filed a nil-return.

Just two years ago, the Singapore authority was focused mainly on institutions that were submitting a standard report for data quality, but recently have seen their focus shift to those who have filed nil reports to verify the veracity of those reports and existence of appropriate processes and controls. While deliberate fraud attempts have been uncovered by the authorities in some jurisdictions, erroneous nil-returns are more likely to be the result of misunderstanding what constitutes an in-scope entity.

Resourced for rigor

To handle the increased scrutiny, some tax authorities have hired additional inspectors and invested in enhanced data analysis capabilities. In fact, the latest OECD peer review indicated that tax authorities have employed more than 450 full-time equivalent personnel to support and review compliance with CRS. In Ireland, according to Amanda Murphy, Business Tax Advisory, Financial Services Partner, at EY Ireland the revenue authority is taking a strict approach, having set up a new division with dedicated personnel who are building data analytics tools and issuing 70-question tailored surveys that need to be responded to in a tight deadline.

In Canada, the tax authority is conducting onsite as well as desk audits of a broad sample of institutions to assess compliance with Foreign Account Tax Compliance Act (FATCA) and CRS requirements, said Nicolson.


Having recently run a series of educational workshops between the Australian Taxation Office (ATO) and impacted institutions, the ATO is shifting the focus of its personnel from guidance to enforcement and is investing heavily in data analytics capability, according to Robert Davies, Director , Business Tax advirosy, Financial Services Group at Ernst & Young in Australia.

Penalties for non-compliance vary by jurisdiction. Although, in the majority of situations, authorities appear to be taking a benevolent approach, with frequent reminders and extensions for institutions that need further time to prepare a correct filing, there is nonetheless an arsenal of penalties at their disposal.


Things can go wrong

CRS presents many operational and compliance challenges; it impacts customers, requires vast amounts of data processing, and contains many technical and nuanced terms which are difficult to interpret. Mistakes occur when third parties or multiple teams across an organization are responsible for compliance. If a bank, for example, uncovers a significant backlog of customers that had been incorrectly reported, they will need to make a voluntary disclosure to the revenue authority, propose a remediation plan and then re-file the relevant data.

Likewise, when a key member of the team leaves the organization, knowledge can be lost and processes can break down. For example, a large private equity client failed to comply with some of its key obligations because they had assumed that their US headquarters would do it, while the headquarters was focusing only on the main fund and not the special purpose vehicles in another region. In a context where many fund houses have multiple fund administrators, it is easy for elements of the process to slip through the cracks, with the quality of reports varying according to the strength of the fund administrator. People given responsibility for key CRS compliance controls may not be sufficiently knowledgeable in CRS requirements, with key controls often falling to customer relations, front office or other operations teams. Operating model considerations are still high on the agenda, with many tax or compliance teams coming under pressure to “do more with less” and without the bandwidth to take a comprehensive overview of governance, data quality and overall compliance.

The steps that financial institutions can take to stay compliant are:

  • Make sure that all entities are correctly classified and registered, and all in-scope products are identified.
  • Review your governance and implement controls on a yearly basis. Check that all policies and procedures are clearly documented and be prepared to talk an inspector through your procedures if needed.
  • Stay abreast of filing deadlines and updates to reporting requirements and schemas.
  • Analyze and clean up your own data, ideally throughout the year but at a minimum before filing.
  • Be prepared to respond speedily and comprehensively to surveys and other requests for information.
  • Consider asking an independent external reviewer to assess your governance, your compliance and due diligence processes, and your data.
  • If you spot an issue, engage with the tax authority early to agree on remediation and to mitigate penalties.


This article looks at how tax authorities are responding to the latest OECD peer reviews of CRS compliance, including the operational challenges and the steps financial institutions can take to stay compliant.

About this article

Related articles

Why customer experience and tax reporting need a joined-up approach

Tax authorities demand more detailed customer tax reporting – here are four ways organizations can balance it.

25 Aug 2021 Ian Bradley

How businesses are responding to the wider customer tax reporting net

Organizations need to transform their people, processes and technology to meet fast-changing obligations and mitigate risk.

11 Jun 2021 Ian Bradley