Self-review guide and toolkit
A guide to assist financial institutions with CRS and FATCA obligations
Contents
1. Executive summary | 3 |
1.1 Background | 3 |
1.2 Objective of this Guide and toolkit | 3 |
1.3 Benefits of a well-designed AEOI framework | 4 |
2. Our approach to reviewing AEOI obligations | 6 |
2.1 AEOI review | 6 |
2.2 Maintenance and monitoring | 7 |
2.3 Standard ratings system | 7 |
3. Practical guidance to self-review AEOI obligations | 9 |
3.1 Better practice AEOI framework | 9 |
3.2 Self-assessment of your AEOI framework | 10 |
3.3 AEOI Governance | 10 |
3.4 Due diligence obligations | 12 |
3.5 Reporting systems and data testing | 24 |
Appendix A - Elections by RFIs (CRS) | 28 |
Appendix B - Common issues and errors | 29 |
Core elements | 29 |
Data errors | 29 |
Appendix C - Data tests | 30 |
Standard tests | 30 |
Recommended specific tests | 31 |
Appendix D - AEOI testing plan sample | 32 |
Appendix E - AEOI self-assessment checklist | 33 |
Assess rating of AEOI obligations | 33 |
Checklist - compliance with AEOI obligations | 34 |
1. Executive summary
The ATO is responsible for data collection and exchanges with foreign jurisdictions for 2 automatic exchange of information (AEOI) regimes: the United States of America's Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS).
Our AEOI compliance program seeks greater assurance that reporters with CRS and FATCA obligations (AEOI obligations) have appropriate frameworks in place and are correctly reporting to the ATO.
In 2021, Australia exchanged CRS data with 79 jurisdictions based on CRS reports received from over 2,600 domestic financial institutions. Each year, we publish a breakdown of the CRS statistics.
Reporting Financial Institutions (RFIs) are required to have procedures and systems in place to ensure that reportable accounts are identified, the relevant information collected, and that correct information is reported to the ATO. The international agreements to which Australia is a party expect the ATO, as the Competent Authority, to ensure that RFIs provide complete and accurate information for exchange with those jurisdictions.
1.2 Objective of this Guide and toolkit
This Guide provides practical information as part of a toolkit about how to conduct a self-review of your governance, due diligence, data and reporting systems, which we have referred to in this Guide as your 'AEOI framework'. It outlines the core elements and what we look for when we review the following 3 fundamental areas of compliance:
- •
- AEOI governance
- •
- due diligence obligations
- •
- reporting systems (and the accuracy of the information reported to the ATO, including data testing undertaken to verify your CRS and FATCA reporting).
You can use this Guide and toolkit to:
- •
- prepare for an AEOI review if you are an Australian RFI
- •
- review the design and operation of your AEOI framework as part of your AEOI obligations
- •
- undertake a review of your AEOI reporting systems and data testing to ensure your business systems are accurately recording and reporting information for AEOI purposes.
Throughout this Guide certain terms are capitalised as per the Standard for Automatic Exchange of Financial Account Information in Tax Matters (CRS) and the Agreement between the Government of Australia and the Government of the United States of America to Improve International Tax Compliance and to Implement FATCA (FATCA Agreement).
AEOI obligations - guidance
This Guide provides best practice for RFIs to self-assess their internal control framework for AEOI obligations. It does not cover interpretive guidance on how the FATCA and CRS rules, or other AEOI measures, apply to their circumstances. For more information about AEOI guidance, refer to ato.gov.au/crs |
1.3 Benefits of a well-designed AEOI framework
The benefits to having a well-designed AEOI framework include that it:
- •
- provides a clear line of sight for the maintenance, reporting and compliance with your AEOI obligations
- •
- offers insights as to what your AEOI operating model looks like and what controls you have in place, including your compliance program for due diligence obligations
- •
- helps to identify potential systems and process gaps which may prevent reporting errors in advance and reduces incidence of misreporting
- •
- assists senior management with clarifying accountabilities for managing AEOI obligations, and any associated risks and issues
- •
- provides accurate reporting of your customers' information.
We expect that you will undertake assurance and verification procedures that align with your business and that are tailored to your own operating environment. The ATO considers having appropriate procedures for due diligence supported by data testing as critical elements of this process.
Another important factor of having your AEOI controls operating effectively is that they may prevent a range of penalties.
Type | Penalty amount [1] |
Failure to collect a self-certification. | 1 penalty unit for each missing self-certification. |
Making a false or misleading statement. | For each statement with missing or incorrect information:
|
Failure to lodge a statement on time. | Up to 5 penalty units for each Reportable Account.
This penalty attracts a significant global entity uplift factor. |
Failure to keep records
(Financial Institutions need to keep records for at least 5 years that explain the procedures used for identifying these accounts). |
20 penalty units. |
Example 1: Failure to collect self-certifications and keep records
ABC Bank failed to implement an AEOI framework, which resulted in a lack of due diligence procedures in identifying any Reportable Accounts. ABC Bank was not able to provide complete and accurate information to the ATO, as it failed to collect 37,500 customers' self-certification upon account opening. In 2021, ABC Bank was liable to administrative penalties of:
To ensure your organisation has an effective AEOI framework, refer to Section 3 of this Guide. |
2. Our approach to reviewing AEOI obligations
Our compliance program includes undertaking AEOI reviews on RFIs from different sectors and of different sizes. We use our data analytics and other risk models to identify RFIs for review.
When we undertake an AEOI review, we evaluate your compliance with the AEOI obligations by obtaining objective evidence of your AEOI framework in accordance with this Guide and applying the staged ratings system. We look for evidence in the form of policies and procedures demonstrating the existence and design of the AEOI framework.
We use our data and analytics, as well as risk assessment methodologies, to select reporters for AEOI reviews. Some key factors that may indicate the need for a review include:
- •
- absence of reporting
- •
- large changes in the volume of reporting between reporting periods
- •
- reporting of tax identification numbers (TINs) for significantly fewer accounts in comparison with other RFIs
- •
- reporting of TINs which are noticeably wrong
- •
- reporting of non-reportable entities
- •
- reporting of Account Holders in non-tax jurisdictions
- •
- enquiries or information indicating under reporting or inaccurate reporting from the Competent Authority of another participating jurisdiction, or other Australian government agencies.
Once we have completed the AEOI review, and found no major deficiencies in your AEOI framework, it is intended that we may initiate the next review on a periodic basis at least once every 4 years.
During the intervening period ( 3 years), reporters are expected to proactively monitor their AEOI framework and act on any major reporting errors by preparing remediation plans and/or lodging amended reports, where appropriate. We encourage reporters to use this Guide to self-assess their AEOI framework.
We will also use our data and analytics program to safeguard against materially missing information or non-lodgment of CRS and/or FATCA reports.
After the AEOI review, we are not likely to initiate a specific review or audit where:
- •
- you provided evidence of a remediation plan with reasonable timeframes for concerned areas during the AEOI review
- •
- your lodged reports (new or amended) do not have a materially high number of data issues (for example, noticeably wrong TINs), and
- •
- we do not receive enquiries or information indicating under reporting or inaccurate reporting from the Competent Authority of another participating jurisdiction.
2.2 Maintenance and monitoring
We encourage reporters to use this Guide to self-assess areas which require actions, and/or need improvements. Our largest reporters will need to complete an annual questionnaire. We will continue to monitor your lodged reports and completed questionnaire.
We encourage you to engage early with the ATO, should you have any major deficiencies in your AEOI framework.
When we review your compliance with AEOI obligations, we apply a rating system, based on objective evidence provided by you to demonstrate that your AEOI framework is operating as required.
We assess your AEOI framework based on the following ratings system:
Operating as required | There is evidence to demonstrate that an AEOI framework is in place, has been designed effectively and is operating as required in practice.
There is evidence of periodic reviews and regular testing, and any recommendations, next actions or areas identified for improvement have been satisfactorily resolved. |
Operating in part (requires improvement) | There is evidence to demonstrate that an AEOI framework is in place and has been designed effectively, but one or more core elements[2] require improvements for the AEOI framework to be fully operational as required.
Where gaps or deficiencies in an AEOI framework are identified that require improvements, we will:
|
Not operating as required, or not in place | There is insufficient evidence to demonstrate an AEOI framework is in place,
or
there is evidence to demonstrate an AEOI framework is in place, but:
|
Example 2 below illustrates the application of the staged rating system in an ATO AEOI review:
Example 2: Assessment of AEOI framework
The ATO reviewed DEF Capital's AEOI obligations as part of an AEOI review. We obtained evidence and assessed the following components:
We were able to review the findings and outcomes of DEF Capital's internal review of their AEOI framework. The review was undertaken by DEF Capital's internal audit division or an independent firm. DEF Capital provided evidence of an action plan with the gaps identified, which was successfully remediated. As DEF Capital provided sufficient evidence demonstrating that their AEOI framework has not only been designed effectively, but is also operating as required, we assessed and rated DEF Capital's AEOI framework as 'Operating as required'. |
3. Practical guidance to self-review AEOI obligations
3.1 Better practice AEOI framework
The following guidance provides the opportunity to verify and compare your AEOI framework against the ATO better practice principles and required AEOI standard.
This practical guidance is for use by:
- •
- ATO client engagement teams when undertaking AEOI reviews
- •
- AEOI reporters when self-assessing the AEOI framework compared against the 'better practices principles' set out in this Guide
- •
- professional firms engaged by entities to perform a review of the entity's AEOI framework for AEOI obligations.
We consider that a well-designed AEOI framework needs to incorporate 3 essential core elements as presented in Diagram 1 of this Guide:
- •
- AEOI governance
- •
- due diligence obligations
- •
- reporting systems and data testing.
Diagram 1: AEOI framework - core elements
The ATO expects that these core elements will be present in your AEOI framework. We recommend medium to small reporters consider adopting our better practices appropriate to their circumstances, depending on the type and size of their reporting entity, when assessing the robustness of their AEOI framework.
3.2 Self-assessment of your AEOI framework
We recommend that reporters (and their advisors) use the Appendix E self-assessment checklist in this Guide to self-assess their AEOI framework against the principles and required actions as outlined in Section 3 of this Guide. Where a reporter does not have the internal resources or capability to conduct an internal self-assessment, they may consider engaging third parties to conduct an independent review of their AEOI framework.
Intent
A well-documented AEOI governance is a key element of an effective AEOI compliance system. The AEOI framework sets out the parameters of how AEOI risks are to be managed, including compliance with AEOI rules and ATO lodgment and filing obligations.
What to look for
The core elements for AEOI governance are shown in Diagram 1 of this Guide.
3.3.1 Documented governance framework
An AEOI governance document is in place, setting out:
- •
- processes to identify, evaluate and manage CRS and FATCA risks to ensure that these are addressed in a timely manner (including risks arising from changes in business operations, operating processes, and/or external factors)
- •
- all entities subject to AEOI reporting
- •
- who is responsible for AEOI compliance and reporting, and a description of AEOI functions across the business, including training
- •
- the escalation processes for significant risks, including identifying which matters need to be escalated, to whom and how often (including information about resolution of risks/issues)
Better practice is to have a formal AEOI governance framework approved by appropriate personnel, such as Chief Financial Officers, Chief Operating Officers, Chief Executive Officers or the Board. Your AEOI governance framework may also form part of your overall risk management framework.
We acknowledge that formalisation of AEOI governance may vary between entities. For small reporters, some aspects of governance and implementation may not be structured or defined as they might be for large reporters. However, there should still be the required level of documentation and processes in place to ensure your AEOI reporting is accurate.
3.3.2 All in-scope entities are identified
The following should be documented:
- •
- process or procedures for identifying all entities in-scope for AEOI obligations within your business
- •
- a list of all legal entities in-scope for AEOI obligations, including reasons for each entity treatment - whether based on product or line of business classifications (and the process for keeping this list up to date)
- •
- a visual diagram or explanation of all entity types or branches that qualify as reporting entities and non-reporting entities
- •
- the total number of the group's reporting Australian Financial Institutions by type including
- -
- Custodial Institutions
- -
- Depository institution
- -
- Investment Entities (including Type A and Type B)
- -
- Specified Insurance Companies
- •
- the total number of the group's non-reporting entities by type and category, including
- •
- Active Non-Financial Entities (CRS) and Non-Financial Foreign Entity (FATCA).
Example 3: Best practice - in-scope entities identified
GHI Funds Management's internal control framework includes an effectively designed control which identifies all legal entities within their group that are in-scope for AEOI obligations. The Fund Manager provided documentary evidence which (visually) depicted not only in-scope RFIs but also non-reporting entities for AEOI purposes. This control is built into business systems such that the Fund Manager can easily identify new in-scope entities and carve out entities which no longer meet the requirements for AEOI obligations. |
3.3.3 Roles and responsibilities are clearly understood
Staff, management and other personnel roles and responsibilities are clearly defined and documented within the governance framework to ensure AEOI obligations are well managed, including:
- •
- role descriptions for AEOI compliance personnel, commonly set out in a matrix such as a RACI (Responsible, Accountable, Consulted and Informed)
- •
- formal responsibility or process for AEOI personnel to partner with account managers or customers or finance personnel to consider AEOI risks and issues with appropriate solutions
- •
- staff experience and knowledge of AEOI obligations, including the availability of staff training and support
- •
- staff responsibility for communication and process updates (internally and externally), especially when new legislation, or guidance is introduced, including updates to training material
- •
- For FATCA only: the details of the Responsible Officer for FATCA reporting obligations.
A documented training policy (timing and frequency) for CRS and FATCA obligations is in place, including:
- •
- training specific to staff responsible for on-boarding and documentation validation, such as collection of self-certifications and validity checks
- •
- how staff are informed of changes in guidance or procedures, including law changes
- •
- how often you update training material, and how you communicate these changes to staff and other stakeholders.
3.3.4 Documented compliance plan is in place
A documented AEOI compliance plan is in place involving key stakeholders that have oversight and responsibilities, setting out CRS and FATCA compliance and maintenance, including:
- •
- timing and frequency of periodic discussions with relevant stakeholders of ongoing compliance activities, such as on-boarding, self-certifications, due diligence, withholding (for FATCA), reporting, challenges and items that need escalations
- •
- policies and procedures to detect arrangements, schemes or transactions which may lead to circumvent reporting of financial account information and a documented process to report these to the ATO
- •
- the process for changing, approving and signing off AEOI policies and due diligence procedures.
Note: If you use third-party service providers for compliance with AEOI requirements, refer to Section 3.4.6 of this Guide for additional self-review guidelines.
3.3.5 Record keeping is up to date
You have a record-keeping and retention policy which documents:
- •
- an account holder's status and their self-certifications (generally 5 years)
- •
- procedures used in due diligence processes, including keeping a record of the evidence relied upon
- •
- key decisions on ongoing AEOI compliance, including any independent review or audit reports and/or key gap analysis for AEOI obligations.
Intent
To ensure correct reporting of your AEOI obligations, you need to demonstrate that you comply with the due diligence requirements. Your due diligence procedures are documented, implemented and operate as required in practice.
The ATO considers that having the appropriate correct reporting controls for due diligence to be a critical aspect of this process.
Diagram 2: The different due diligence procedures that apply
Small reporters and due diligence
We acknowledge that AEOI due diligence may vary between AEOI reporters depending on the number of factors, including the type or size of reporting entities and their operational framework. For example, a trustee of a single reporting entity would be unlikely to use the same type of due diligence systems and processes to identify whether their account holders are Reportable Persons as a large regulated financial institution. |
What to look for
The core elements are shown in Diagram 1 in this Guide.
3.4.1 Accounts are identified and monitored
Documented systems and processes are in place to identify and monitor:
- •
- all Financial Accounts
- •
- all Reportable Accounts
- •
- Lower Value and HigherValue Accounts
- •
- non-reportable accounts
- •
- undocumented accounts
- •
- change in circumstances.
Identifying and monitoring Financial Accounts
- •
- Where applicable, your Product Life Cycle manual includes determination of CRS and FATCA classifications.
- •
- Product master list is up to date with relevant controls to test correct classification of products and services for AEOI purposes.
Identifying and monitoring Reportable Accounts
- •
- Which products and services are in scope (and out of scope) for AEOI reporting.
- •
- How the list of financial products and services that are in scope is kept up to date.
- •
- You have relevant controls in place to readily identify missing Financial Accounts which are Reportable Accounts.
- •
- Documented guidelines exist to determine which accounts meet the definitions within CRS and FATCA to identify:
- -
- Pre-existing Individual and New Individual Accounts
- -
- Pre-existing Entity and New Entity Accounts.
Identifying and monitoring Lower Value and Higher Value Accounts
- •
- Where an entity has elected (or not) to apply thresholds based on (aggregated) account balances (Appendix A of this Guide), what is the documented process to:
- -
- identify where accounts should be aggregated?
- -
- calculate total aggregated account balances?
- -
- ensure all accounts are correctly identified as low-value or high-value based on the aggregated account balance, including any accounts that were previously low-value accounts but have become high-value accounts?
- -
- regularly maintain and check account balances for in-scope AEOI purposes, including the requirement to consider the differences in currencies for Reportable Accounts?
Identifying and monitoring non-reportable accounts
- •
- Documented due diligence methods of assessing and classifying non-reportable accounts which may include Excluded Accounts, escrow accounts, retirement and pension accounts, etcetera are in place.
- •
- Documented due diligence procedures for dormant accounts, including changes and activities when these accounts become Reportable Accounts are in place.
Identifying and monitoring undocumented accounts
- •
- A documented CRS treatment is in place for undocumented accounts.
- •
- There are processes in place to track and initiate follow-up actions for undocumented accounts, where applicable.
Identifying and monitoring change in circumstances
You have documented due diligence procedures, including required action steps, for a trigger of change in circumstances[3] for accounts including but not limited to:
- •
- account balances exceed a due diligence threshold
- •
- one or more new indicia becomes identified with the account, and
- •
- the reporting entity becomes aware of new information which indicates the existing classification of the account (or account holder) is unreliable or unreasonable.
Example 4: Best practice - change in circumstances - due diligence triggered
JKL Bank has clearly documented due diligence procedures for a change in circumstances for New Individual Accounts, including documented required actions. As a result, several New Individual Accounts were identified which caused JKL Bank to know, or have reason to know, that the self-certification is incorrect or unreliable. JKL Bank's personnel took required action, as documented in the due diligence procedures, to obtain either a new self-certification or a reasonable explanation with documentation supporting the original self-certification. Due to timely action, JKL Bank obtained sufficient documentary evidence to treat these accounts as Reportable Accounts. |
3.4.2 Compliance with rules on Pre-existing Individual Accounts
One of the key decisions for implementing due diligence rules for Pre-existing Individual Accounts is the date from which the split between new account procedures and pre-existing account procedures applies. Documented due diligence procedures for Pre-existing Individual Accounts depends on the value of account balances (Diagram 3 of this Guide).
Documented due diligence procedures are in place for:
- •
- obtaining a valid self-certification, and
- •
- confirming the reasonableness of such self-certification.
Diagram 3: Due diligence procedures for pre-existing individual accounts
Pre-existing Individual Accounts: Lower Value Accounts
Residence address test
- •
- Documented procedures are in place outlining how this test is carried out, if elected, and where and how addresses are collected in line with acceptable listed Documentary Evidence.
- •
- Documented procedures are in place to identify indicia of Account Holders across different systems including inconsistent information and change in circumstances.
Electronic record search
- •
- Clear guidelines are in place outlining how electronic record searches are undertaken, including steps for change in circumstances and what to do if any foreign indicia are identified.
- •
- Documented procedures outline how and when this test should apply to Lower Value Accounts for AEOI obligations.
Paper record search
- •
- Documented procedures are in place for an 'in-care of' address or 'hold mail' instruction in a foreign jurisdiction, including steps for obtaining self-certification or Documentary Evidence from the account holder to establish their tax residency.
- •
- Clear guidelines are in place for what paper records (including scanned records) are maintained and whether master files are held for each account holder.
Pre-existing Individual Accounts: Higher Value Accounts
Electronic records search
- •
- Clear guidelines are in place outlining how electronic record searches are undertaken.
- •
- Documented procedures outline in what circumstances and how an electronic record search for Reportable Jurisdiction indicia should be carried out - including clear guidelines for AEOI obligations.
Paper record search
- •
- Documented procedures outlining how and when a paper record search should be conducted, including specific requirements for AEOI purposes.
- •
- Clear guidelines are in place for what paper records (including scanned records) are maintained and whether master files are held for each account holder.
Relationship manager
- •
- Documented procedures identify whether accounts have Relationship Managers and their roles relating to AEOI obligations.
- •
- Processes are in place to ensure when and how a Relationship Manager has actual knowledge that an account holder is a Reportable Person and if the account is treated as a Reportable Account.
- •
- Processes are in place which determine how a Relationship Manager determines the status of an account or aggregated accounts and identifying any change of circumstances.
Curing procedures
- •
- Documented curing procedures are in place, including required necessary steps for AEOI obligations.
- •
- Processes are in place which ensure that accounts with uncured indicia for more than one Reportable Jurisdiction are currently reported in respect of all relevant Reportable Jurisdictions.
Example 5: Best practice for electronically searchable data - effect of indicia documented
LMN Custodial Services maintains clearly documented guidelines of electronic searchable data, including an effect of finding indicia for its pre-existing individual higher-value accounts. Upon identifying a number of accounts with an 'in-care-of' address or 'hold mail' instruction in a foreign jurisdiction, LMN Custodial Services:
After conducting the paper records search, an additional foreign indicia was found (phone number in a Reportable Jurisdiction). However, LMN Custodial Services chose to use its curing procedures to confirm these accounts were non-reportable due to documentary evidence obtained which show a current Australian residential address. Due to LMN Custodial Services's clearly documented procedures, including documented steps what to do if foreign indicia are found, LMN Custodial Services personnel swiftly acted within a reasonable timeframe to remediate any issues. |
3.4.3 Compliance with rules on New Individual Accounts
You have documented due diligence procedures for all New Individual Accounts, including process steps for (Diagram 4 of this Guide):
- •
- obtaining a valid self-certification
- •
- confirming the reasonableness of such self-certification, and
- •
- applying strong measures (CRS only).
Diagram 4: Due diligence procedures for new individual accounts
Obtaining and validating self-certifications
As significant penalties can apply for a failure to obtain self-certifications, the ATO considers that having documented correct due diligence measures for new accounts a critical aspect of this process. This includes:
- •
- end-to-end customer on-boarding processes for AEOI obligations, including digital on-boarding
- •
- details of how this on-boarding interacts with the entity's verification of anti-money laundering (AML) and know your customer (KYC) documentation
- •
- processes for identifying exceptions under CRS and FATCA, such as the Account Holder also holding a pre-existing account
- •
- procedures for situations where self-certification cannot be validated and what reasonable explanation and supporting evidence can be accepted for any discrepancies
- •
- processes for seeking a new self-certification.
3.4.4 Compliance with rules on Pre-existing Entity Accounts
You have documented:
- •
- due diligence procedures for
- -
- obtaining a valid self-certification
- -
- confirming the reasonableness of such self-certification.
- •
- procedures, policies or manuals for
- -
- any elections you may have made, including evidence of the election/s (Appendix A of this Guide)
- -
- monitoring and correctly identifying accounts based on their account balance aggregation and currency conversion, including timing when and how these triggers are reviewed
- •
- determination of active versus Passive Non-Financial Entity (NFEs), including 'look through' due diligence procedures[4], and
- •
- changes in circumstances.
Identifying Account Holders
Documented procedures are in place identifying whether the entity and/or its Controlling Persons are Reportable Persons, including:
- •
- identifying the Controlling Persons of the entity, including Controlling Persons of a Passive NFE
- •
- procedures to obtain self-certifications from the account holder or Controlling Persons, and
- •
- Documentary Evidence used to verify the identity of Account Holders and any Controlling Persons to assess the reasonableness of their self-certifications.
Where you rely on AML/KYC procedures, you have documented guidelines which demonstrate how information and documentation were collected and maintained.
3.4.5 Compliance with rules on New Entity Accounts
Documented due diligence procedures are in place for:
- •
- obtaining a valid self-certification
- •
- confirming the reasonableness of such self-certification, and
- •
- applying strong measures (CRS only).
You have documented due diligence procedures for all New Entity Accounts and have processes to establish whether the entity is:
- •
- a Reportable Person, and/or
- •
- controlled by Controlling Persons that are Reportable Persons.
Beneficiaries of trusts - Controlling Persons
Your AML/KYC procedures contain steps identifying the Controlling Persons of a trust, including settlors and beneficiaries. These procedures outline the way your organisation is informed of distributions by the trust to foreign tax residents after the initial self-certification.
You have a clear process for where an exception applies, such as the account holder also holding a pre-existing account (Appendix A of this Guide).
You have documented 'look-through' due diligence procedures for certain entity Account Holders (Type B Investment Entities).
Reliance on AML/KYC and other procedures:
- •
- If relying on your AML/KYC procedures as part of meeting your AEOI obligations for CRS and FATCA, these procedures should be carried out correctly when determining Controlling Persons - this requires undertaking a review on a sample of accounts ensuring self-certifications have been obtained and the reasonableness of those self-certifications has been verified.
- •
- For entities which may not be covered by the AML/KYC procedures, you have documented processes which outline how due diligence applies to these entities.
3.4.6 Sector specific approaches
This section of the Guide focuses on sector-specific self-review issues and principles that your organisation needs to consider to ensure fulfillment of its due diligence obligations. These due diligence procedures are additional requirements you need to have in place.
Depository Institutions
Key issues in Diagram 5 of this Guide have been considered and documented. Your due diligence processes include:
- •
- processes to ensure that the undocumented accounts, dormant accounts and Excluded Accounts are reviewed periodically and continue to be classified correctly
- •
- risk mitigation strategies for customer-facing staff or agents who are responsible for gathering due diligence documentation for new account openings, such as self-certifications. For example, procedures are in place for systems or Day 2 procedures for staff (or agents) who are unable to make decisions on issues such as the reasonableness of a self-certification
- •
- classifying and identifying other financial institutions (reporters) such as Investment Entities, trusts and other entities which hold assets or accounts within your organisation. A system of identifying non-financial institutions and Financial Institutions is also implemented
- •
- for Depository Accounts only - information of the total gross amount of interest paid or credited to the account.
Diagram 5: Key issues for Depository Institutions
Insurers
Key issues in Diagram 6 of this Guide have been considered and documented. Your documented due diligence processes include:
- •
- identifying products that are in scope for AEOI reporting, for example 'cash value insurance' contracts
- •
- consideration of how due diligence procedures apply to all in-scope products, especially for products that have longer term tenures
- •
- data storage of customer information
- •
- periodic reviews for undocumented accounts, dormant accounts and Excluded Accounts to ensure they continue to be classified correctly.
Diagram 6: Key issues for insurers
Investment Entities and Custodial Institutions
Key issues in Diagram 7 of this Guide have been considered and documented. Your documented due diligence procedures include:
- •
- annual monitoring of your gross income attributable to holding financial assets
- •
- clear line of sight for which accounts are considered in scope for AEOI obligations
- •
- valuation considerations of account interests and any events that may trigger AEOI reporting obligations. For example, some entities may operate different investment tiers, which means that the relative proportion of the assets attributable to each investor cannot be determined until a certain event (that is, liquidation)
- •
- how accounts and account balances are determined for AEOI reporting obligations.
Diagram 7: Key issues for Investment Entities and Custodial Institutions
Third-party service providers
This section of the Guide outlines key considerations and issues (Diagram 8 of the Guide) for RFIs that engage third-party service providers to provide AEOI services to assist with CRS or FATCA reporting, for example:
- •
- advice and support in setting up internal systems
- •
- provision of IT and/or infrastructure (automated due diligence)
- •
- outsourced data validation
- •
- outsourced due diligence, reporting and lodgment services
If your entity engages third-party service providers, your documented processes include:
- •
- the terms and conditions (contractual arrangement or scope of work) between RFIs and third-party service providers
- •
- clear roles and responsibilities, including how data holders interact to fulfil the legal obligations of AEOI reporting
- •
- if a third-party service provider is responsible for the collection of the customer data, the processes used for data maintenance, transfer and use of data
- •
- if a third-party service provider undertakes due diligence, documented procedures which clearly outline the due diligence requirements
- •
- assessing the performance of third-party service providers including regular monitoring, communication and reporting
- •
- evaluating the outputs under the arrangement with the third-party service provider, including, the actioning of any recommendations or remediation activities
- •
- the methodology utilised by the third-party service provider to comply with the AEOI obligations and to provide correct reporting to the ATO
- •
- coverage of the key issues in Diagram 8 of this Guide.
If RFIs use third-party service providers to implement, monitor and carry out activities for AEOI purposes, it is important to note that the RFI will remain liable for their AEOI obligations. Where a penalty provision is triggered due to non-compliance, the penalty is applied to the RFI and not the third-party service provider. In this regard, the third-party service provider should be carefully vetted to ensure they have the appropriate level of expertise and experience, and the outputs from their work-streams should be regularly monitored and reviewed by the RFI.
Diagram 8: Key issues for using third-party providers
3.5 Reporting systems and data testing
RFIs are required to correctly identify, prepare and report financial account information in accordance with CRS and FATCA Extensible Markup Language (XML) Schemas. It is imperative that your AEOI governance and systems are working effectively in practice (and are regularly tested) to ensure the integrity and accuracy of your ATO reporting.
We have provided a series of recommendations in this Guide to assist you with AEOI framework testing, however, we emphasise that the design of your collection, processing and reporting systems should be robust and fit for purpose tailored to your circumstances to identify and mitigate any risks.
What to look for
IT reporting systems for AEOI, as outlined below.
3.5.1 AEOI reporting systems
You have business systems and procedures in place to ensure the required AEOI information is being collected, processed and stored in an appropriate manner.
The setup of your AEOI business systems may be bespoke and provide that:
- •
- the account information is collected in an electronic business system or in another format
- •
- multiples tiers of separate and/or interrelated business systems, and
- •
- CRS and FATCA have different reporting systems.
In undertaking a self-review of your business systems for AEOI purposes, it is important to consider:
- •
- how the account information is maintained
- •
- how many business systems manage reporting
- •
- if any new systems are built to manage CRS and FATCA reporting, how they interact with any legacy systems
- •
- where information is captured in multiple systems, what procedures are in place to reconcile the CRS and FATCA information with the source data
- •
- an explanation of data storage across one (or multiple) systems - how data is 'searched' or 'gathered' for due diligence purposes
- •
- if your organisation has undergone any mergers or acquisitions recently, a clear pathway of extracting data for due diligence purposes (the form and type).
3.5.2 Data extraction and analysis
In undertaking a self-review, seek to understand how information is extracted from your business systems and validated to ensure it complies with the relevant Schemas. This will include:
- •
- a data extraction process
- •
- a data analysis process, and
- •
- correcting data errors.
Data extraction process (what, how, who and when)
Documented processes are in place for:
- •
- a periodic AEOI data testing plan (Appendix D of this Guide)
- •
- a description of the reports run in each business system
- •
- validation checks performed regularly, for example, identification of missing or noticeably wrong TINs, and
- •
- a description of how reports are set up to ensure correct dates are selected for pre-existing accounts and new accounts. For example, reports for testing of aggregated balances for certain accounts and change in circumstances (Appendix C of this Guide's data tests).
Data analysis process (to ensure quality data is submitted)
Documented processes are in place for:
- •
- running standard and recommended data (and account) tests and trend analysis to check for errors and accuracy of data (Appendix C of this Guide's data tests)
- •
- standard checks to identify high-risk or high-value transactions. You also have processes in place to rectify errors once they are identified in relation to the annual report (Appendix C of this Guide's data tests)
- •
- procedures to ensure that the format of the annual report conforms with the most updated CRS and FATCA XML Schemas
- •
- regular data quality checks, and
- •
- any processes where data needs to be corrected or manually adjusted including the reasons for such correction/s.
We consider that better practice involves implementing AEOI data testing as part of your annual lodgment process (Appendix C of this Guide). You should document the findings and results from your data testing and keep records of working papers. We may ask for copies of these as part of our reviews.
Correcting data errors
If errors and exceptions are identified, you need to have a remediation action in place to correct identified errors and issues (Appendix B of this Guide's common issues and errors).
Evidence of any remediation activities should also be documented and the results of these recorded.
Early engagement with the ATO is essential if you identify errors and exceptions evidencing a major deficiency in your AEOI framework. In this case, you need to prepare an action plan to correct the errors and potentially lodge a voluntary disclosure. Major deficiencies in your AEOI framework may include:
- •
- missing CRS and FATCA reports for multiple years
- •
- a significant number of Reportable Accounts with missing self-certifications
- •
- a significant number of Reportable Accounts belonging to jurisdictions which are non-tax jurisdictions, and
- •
- a significant number of Reportable Accounts with TIN errors or TINs which are noticeably incorrect.
3.5.3 Submission of reports and questionnaires to the ATO
It is imperative that you have documented procedures in place to ensure that your CRS and FATCA reports and questionnaires can be submitted to the ATO on time and without errors by having in place:
- •
- checklists to confirm the review of data analysis results, conclusions and what is approved and signed off
- •
- a process to review any corrections of errors and the reasons before ATO lodgment, and
- •
- a quality control process to review the annual report before lodgment.
Your documented procedures to address any identified lodgment validation errors (ATO portal) include processes:
- •
- to determine if any changes are necessary for validation warnings, and
- •
- which outline what steps need to be undertaken to remediate any lodgment errors.
3.5.4 Managing amendments, cancellations and error notifications
We require that amendments, cancellations and error notifications are remedied promptly, including:
- •
- routine reviews to detect discrepancies or errors in Reportable Accounts, and pre-empting early any potential issues with the filing of the correct data in a timely manner
- •
- a designated officer being responsible for identifying and detecting any discrepancies/errors, and
- •
- systematic issues which may be the root-cause of the problem identified and resolved to ensure ongoing accurate AEOI reporting.
Appendix A - Elections by RFIs (CRS)
Unless otherwise specified, an RFI may make any of the elections permitted in the CRS (including elections that follow as a consequence of choices Australia has made) in determining its obligations under the CRS.
As part of an RFI's AEOI framework, we recommend the entity has records and documented procedures for any CRS elections which have been made, which may include, for example:
A. | using third-party service providers to fulfil their obligations |
B. | applying the due diligence procedures for new accounts to pre-existing accounts |
C. | applying the due diligence procedures for Higher Value Accounts to Lower Value Accounts |
D. | applying the residence address test for Lower Value Accounts |
E. | excluding Pre-existing Entity Accounts with an aggregate value or balance of US$250,000 or less from its due diligence procedures |
F. | applying alternative documentation procedure for certain employer-sponsored group insurance contracts or annuity contracts |
G. | making use of existing standardised industry coding systems for the due diligence process |
H. | using a single currency translation rule |
I. | applying the expanded definition of pre-existing account |
J. | applying the expanded definition of related entity |
K. | aligning the reporting obligations for trusts that are Passive NFEs with trusts that are Financial Institutions. |
Appendix B - Common issues and errors
Table 3 of this Guide lists the common issues in AEOI reporting:
Drivers | Issues |
Governance | Lack of internal AEOI governance framework that includes gaps in procedures and/or controls often lead to incorrect or the late reporting of AEOI obligations. |
Personnel issues | Staff turnover or leave at any level can lead to resource and capability gaps that impact on correct and timely AEOI reporting. |
Technical understanding and knowledge | Incorrect interpretation of the AEOI Standard and reporting requirements through lack of knowledge, capability and training of (new) staff. |
Changes to the law, AEOI standard and/or guidance | Not updating existing policies, procedures or knowledge to deal with AEOI standard and/or guidance changes. |
Due diligence | Undocumented procedures can lead to incorrect AEOI reporting and/or missed information. |
Data errors
Table 4 of this Guide lists common data errors in AEOI reporting:
Area | Types of error |
Non-reportable accounts | Accounts belonging to publicly-listed entities and Excluded Accounts are reported. |
Non-tax jurisdictions | Account holders reported belonging to non-tax jurisdictions - possible manual selection of jurisdiction codes. |
Missing or noticeably wrong TINs | Manual data entry, lack of due diligence procedures followed. |
Missing information | Date of birth, missing TINs. |
Appendix C - Data tests
Better practice for accurate reporting means embedding the following standard tests as part of an entity's lodgment process for CRS and FATCA reports.
Test number | Test | Description of the test | Benefits of the test |
1 | Reconciliation of legal entities subject to AEOI obligations | Reconcile reportable legal entities against the list of all legal entities the entity controls. | To verify in-scope entities have been identified for AEOI obligations. |
2 | Financial accounts identified | Obtain list of all products and services and determine CRS classification. | To identify financial products and services subject to AEOI reporting obligations, and carve out those which are out-of-scope. |
3 | Reportable accounts identified | Review all Reportable Accounts to confirm non-reportable and Reportable Account holders. | To confirm only Reportable Account holders are included in reporting (that is, excluding publicly-listed entities). |
4 | Excluded and dormant accounts | Identify all Excluded and dormant accounts. | To verify all accounts which are treated as Excluded Accounts meet the definitions of such accounts. |
5 | Account opening - due diligence requirements | Determine how many Reportable Accounts have missing self-certifications. | To verify required account opening due diligence procedures were correctly followed. |
6 | Account monitoring - TINs | Confirm all Reportable Accounts have TINs or identify noticeably wrong TINs. | Identify potential issues with TIN entries or missing TINs. |
7 | Account monitoring - change in circumstances | Identify which accounts had change in circumstances triggered and which did not. | To verify, monitor and review of accounts, and whether required due diligence procedures were followed. |
8 | Account monitoring and reporting - account balances | Identify all accounts with applicable thresholds (subject to elections made). | To ensure all accounts are correctly identified as lower value or higher value on the basis of the aggregated account balance. |
9 | Account monitoring: non-tax jurisdictions | Extract data of jurisdictions of residents to check for non-tax jurisdictions. | To verify all residents' jurisdictions are reasonable. |
Better practice includes performing recommended specific data tests throughout the year for trend analysis and early detection of errors and misreporting.
Recommended specific tests
Test number | Test | Description of the test | Benefits of the test |
1 | Account balances | To identify 20 largest account balances. | To ensure accounts are Reportable Accounts and due diligence procedures were followed. |
2 | Account payments | To identify 20 largest account payments. | To ensure accounts are Reportable Accounts and due diligence procedures were correctly followed. |
3 | Out-of-scope financial accounts | To randomly test out-of-scope financial accounts. | To ensure out-of-scope accounts are correctly excluded based on products and services offered. |
4 | Undocumented accounts | To identify undocumented accounts. | To ensure undocumented account procedures were correctly followed. |
5 | Noticeably wrong* or missing TINs | To identify noticeably wrong TINs or missing TINs | To ensure account opening procedures are operating as required to capture TINs. |
6 | Non-tax jurisdictions** | To identify accounts belonging to non-tax jurisdictions. | To correct possible incorrect manual selection of jurisdiction codes. |
*Noticeably wrong TINs include numerical and non-numerical entries which do not conform to any TIN structure, for example:
- •
- Numerical TINs - sequence numbers such as '123456789', repeating numbers such as '11111111' and single digit numbers such as '0'
- •
- Non-numerical TINs - words such as 'Pensioner', 'Retired', 'France', 'None', 'No' and single letters such as 'Z'
**Non-tax jurisdictions include jurisdictions which are uninhabited or contain a military or scientific presence. The following are considered non-tax jurisdictions: Antarctica, Bouvet Island, British Indian Ocean Territory, Heard and McDonald Islands, Svalbard, Jan Mayen Islands, French Southern Territories and South Georgia and South Sandwich Islands.
Note: residents of Christmas Island, Cocos (Keeling) Islands and Norfolk Island are tax residents of Australia and should not be reported. RFIs may wish to remove these codes from their International Organisation for Standardisation (ISO) lists to ensure they cannot be selected.
Appendix D - AEOI testing plan sample
This is a simplified sample template for AEOI testing.
Your actual AEOI testing documentation may vary, depending on your business size and operations, your wider enterprise risk management framework and policies you have in place.
SCOPE |
- •
- Include details of the AEOI testing process.
- •
- Include details of the AEOI framework elements to be tested and the specific CRS and/or FATCA business processes covered.
- •
- Include details of the AEOI data to be extracted, analysed and tested, including any pre/post lodgment reports to be verified as part of the testing process.
KEY RISKS |
- •
- Describe the key risks the testing will address. For example, non-compliance with certain elements of the CRS rules, or verification of the accuracy of reports lodged for the relevant period.
KEY CONTROLS AND DATA TESTED (INCLUDING AEOI POLICIES COVERED) |
Include:
- •
- details of your AEOI policy and procedures that form part of the AEOI framework, or
- •
- specific details of each AEOI core element to be tested, for example:
- -
- specific AEOI governance and controls
- -
- due diligence obligations; for example, sample testing of financial accounts
- -
- AEOI reporting systems and data testing accuracy.
OUT OF SCOPE |
- •
- Document areas, entities, controls and AEOI regimes which will not be in the scope of testing.
METHODOLOGY |
- •
- Describe the methodology undertaken to conduct the testing.
DELIVERABLE/REPORT |
- •
- Detail the type of report/deliverable that will be issued at the end of the testing.
- •
- We recommend that this document should include sufficient information including actions required to address identified gaps or issues, observation of the operational effectiveness of the AEOI framework and a recommendation as to whether the specific AEOI processes and procedures are operating as required.
Appendix E - AEOI self-assessment checklist
Assess rating of AEOI obligations
You can use this checklist as guidance to self-assess your AEOI framework's core elements. If you identify significant gaps, prepare a remediation plan to action and resolve identified gaps.
Operating |
There is evidence to demonstrate that a core element exists, has been designed effectively and is operating as required in practice. |
|
Designed |
There is evidence to demonstrate that a core element exists and has been designed effectively, but certain elements require improvement/s for the core element to be fully operational. |
|
Concerns |
There is insufficient evidence to demonstrate a core element exists, and/or there are significant number of areas requiring improvement both in terms of design and operational effectiveness. |
Checklist - compliance with AEOI obligations
1. AEOI governance | |||||
Documented governance framework
Section 3.3.1 of this Guide |
Documented governance framework including:
Evidence of AEOI governance may be included in the entity's broader risk management framework endorsed by the Board (this is not a specific requirement). |
||||
All in-scope entities are identified
Section 3.3.2 of this Guide |
Documented process or procedures for identifying and reconciling all entities in-scope and out-of scope for AEOI obligations, including reasons for each entity's treatment, including by type and category. | ||||
Roles and responsibilities are clearly understood (accountability, training, knowledge, connections with other business areas)
Section 3.3.3 of this Guide |
Documented roles and responsibilities:
Documentation outlining ongoing training policy to staff, other business units including any legislative, AEOI standard and/or guidance updates. |
||||
Documented compliance plan is in place
Section 3.3.4 of this Guide |
Documented compliance plan clearly setting out:
Documented processes are in place - third-party service providers:
|
||||
Record keeping is up to date
Section 3.3.5 of this Guide |
|
||||
2. Due diligence obligations | |||||
Accounts are identified and monitored
Section 3.4.1 of this Guide |
Documented procedures are in place identifying:
|
||||
Compliance with rules on Pre-existing Individual Accounts
Section 3.4.2 of this Guide |
Documented procedures for Pre-existing Individual Accounts:
|
||||
Compliance with rules on New Individual Accounts
Section 3.4.3 of this Guide |
Documented due diligence procedures for:
|
||||
Compliance with rules on pre-existing entity accounts
Section 3.4.4 of this Guide |
In addition to Section 3.4.3 due diligence procedures, additional documented procedures for:
|
||||
Compliance with rules on New Entity Accounts
Section 3.4.5 of this Guide |
In addition to Section 3.4.3 due diligence procedures, documented procedures for all New Entity Accounts have processes to establish whether the entity is:
Documented process is in place to obtain and validate self-certifications in the case of all New Entity Accounts. |
||||
Sector specific approaches
Section 3.4.6 of this Guide |
Key issues outlined in Section 3.4.6 of this Guide, and additional due diligence requirements have been considered and documented for each entity, where applicable. | ||||
3. Reporting systems and data testing | |||||
AEOI reporting systems
Section 3.5.1 of this Guide |
Documented processes consider:
|
||||
Data extraction and analysis
Section 3.5.2 of this Guide |
Evidence of 3 elements operating effectively:
Evidence of a periodic control testing plan and/or data testing embedded in your lodgment process. |
||||
Submission of reports and questionnaires to the ATO
Section 3.5.3 of this Guide |
|
||||
Managing amendments, cancellations and error notifications
Section 3.5.4 of this Guide |
|
||||
Overall Assessment and comments |
Amendment History
Date of Amendment | Part | Comment |
---|---|---|
7 September 2022 | Recommended specific tests - Table 6 | Update to include additional non-tax jurisdictions. |
Footnotes
Section 4AA of the Crimes Act 1914 provides the value of a penalty unit. In 2021, the value was $222 (this value is subject to future indexing in accordance with subsection 4AA(3) of the Crimes Act 1914).
Refer to Diagram 1 in Section 3.1 of this Guide for a summary of the AEOI - Core Elements.
Refer to section 4.17 of the AEOI online guidance at ato.gov.au
An RFI must look through, among other entities, certain investment entities that are not Participating Jurisdiction Financial Institutions to identify Controlling Persons who are Reportable Persons (see paragraph C of Section V, subparagraph D(2) of Section V and subparagraph D(8) of Section VIII of the CRS.