Here we set out the answers to some frequently asked questions about the Common Reporting Standard (CRS).
The Common Reporting Standard (or ‘CRS’) is a global system of automatic information exchange developed by the OECD (the Organisation for Economic Cooperation and Development based in Paris) and adopted by 102 jurisdictions around the world.
Under the CRS, financial institutions based in any of the countries that have adopted the standard will have to provide their local authorities with the following information about their clients for onward transmission to the tax authorities of the country of residence of the client. The information that will be exchanged under the CRS includes:
  • The name of the account holder;
  • His/her date and place of birth;
  • His/her tax reference number (‘TIN’):
  • The name of the financial institution;
  • The account number;
  • The account balance at the end of the relevant reporting period (e.g. at the end of the year); and
  • The total gross amount paid to the account during the relevant reporting period.
The CRS has been designed as a global automatic information exchange system. Although some countries are considering the reporting position in relation to high-risk countries, there is no consensus in this area. The issue is not academic: the extent of the problem is evident if one compares the list of countries that will exchange and receive information under the CRS with well-known corruption indexes (such as the Corruption Perception Index published by Transparency International or the crony-capitalism index published by The Economist).
In this case, the reporting financial institution has to apply a ‘look-through’ approach and report the individuals behind the relevant company, trust, foundation or similar. The term used by the CRS is ‘Controlling Person’ or (in the case of a self-reporting entity), ‘Equity Interest’ holder. The definition of ‘Controlling Person’/’Equity Interest’ holder contained in the CRS is very wide and is based on broad money laundering concepts. In other words, it matters not whether the relevant individual has an actual tax liability in relation to the bank account to which s/he is linked. Thus, the CRS provides that the settlor of a trust/a founder or a foundation, the trustees (or members of the foundation council), any protector and the beneficiaries or class of beneficiaries ‘must always be treated as Controlling Persons’ [and therefore must be reported upon] regardless of whether or not any of them exercises any control over the trust/foundation.’ The definition of ‘Equity Interest’ holder is practically identical and although discretionary beneficiaries of trusts and foundations who do not receive distributions may find that they will not be subject to reporting because of a quirk contained in the commentary published by the OECD, in most cases trusts and foundations (but also partnerships and passive companies) will be subject to extensive reporting. Because of the way it operates, in many cases the CRS requires multiple reporting, i.e. the whole value of the account is attributed to several people, e.g. in the case of an ‘usufruit’ or a trust/foundation. In practice, this is likely to increase the risk of tax audits, especially where the reported individuals are resident in different jurisdictions.
A number of European data protection agencies have raised concerns about the broad nature of the new rules and the fact that they require a generalised exchange of information which is automatic and independent of the existence of any actual risk of tax evasion. Clients living in high-risk jurisdictions are particularly vulnerable. In addition, the nature of the information exchanged (name, date and place of birth, bank account details) has the potential of exposing millions of individuals who have a bank account abroad (or who are ‘Controlling Persons’/’Equity Interest’ holders of foreign structures) to the risk of hacking and data theft. With experts in taxation, data protection and cyber-security, Mishcon de Reya is at the forefront of the campaign to raise awareness in relation to the potential risks of the new rules on automatic exchange of information, as well as the risks associated with the EU registers of beneficial ownership which entered into force in June 2017. Under the new EU rules, anyone who can demonstrate a legitimate interest may obtain information about the beneficial owners of corporate and other legal entities, whereby the definition of ‘beneficial owner’ follows closely the definition of ‘Controlling Person’ under the CRS.
Some 50 countries around the world started to exchange information before September 2017. In many countries, financial institutions had to send the relevant information to their local authorities for onward transmission by 30 June 2017. A second group of countries (so-called ‘Late Adopters) will start exchanging information from 2018 using data relating to 2017. As time is running out, it is important to consider the CRS treatment of any account, especially in the presence of corporate structures, trusts or foundations. The rules are very complex and most financial institutions tend to apply a broad approach to reporting. Where a financial institution applies a wrong approach or where the rules are too broad, individuals may have no alternative but to resort to litigation to ensure that the data to be exchanged is correct or to prevent the exchange of information which is irrelevant for tax purposes.
There is no general exclusion for charities under the CRS. Most charities will qualify as ‘active’ entities, which means that the only reporting will be made to the country where the charity is based. However, charities that derive most of their income from passive investments (e.g. endowment charities) are potentially caught by the new rules and will have to report their grantees. In many cases (e.g. in the case of a charity that supports political activists, LGBT campaigners in traditional jurisdictions, anti-corruption activists, human rights advocates or similar) this may expose the grantees to danger. Following an activist campaign in which some of our lawyers took a leading role, the UK tax authorities have amended their guidance to enable charities to apply for redacted reporting. However, the position in other countries remains unclear and as far as the UK is concerned it is too early to gauge how the UK tax authorities will approach this topic in practice.
With limited exceptions, UK companies, LLPs and certain other corporate entities are required to identify and record the people who own or control them on a “register of people with significant control” (a “PSC register”). The PSC rules are aimed at achieving transparency in relation to the individuals who control companies and other entities and who previously might not have been identifiable because they sat behind opaque corporate or trust structures. The PSC regime was expanded in June 2017, to ensure that the UK had fully complied with its obligation to implement the Fourth Money Laundering Directive (4MLD). The amendments brought entities including “eligible Scottish partnerships” within scope, but in this article we have focused on the rules as they apply to companies rather than other entities. For further information please click here.

For other Data Protection news, please click here.