Self-review guide and toolkit



A guide to assist financial institutions with CRS and FATCA obligations

Contents

1. Executive summary 3
1.1 Background 3
1.2 Objective of this Guide and toolkit 3
1.3 Benefits of a well-designed AEOI framework 4
2. Our approach to reviewing AEOI obligations 6
2.1 AEOI review 6
2.2 Maintenance and monitoring 7
2.3 Standard ratings system 7
3. Practical guidance to self-review AEOI obligations 9
3.1 Better practice AEOI framework 9
3.2 Self-assessment of your AEOI framework 10
3.3 AEOI Governance 10
3.4 Due diligence obligations 12
3.5 Reporting systems and data testing 24
Appendix A - Elections by RFIs (CRS) 28
Appendix B - Common issues and errors 29
Core elements 29
Data errors 29
Appendix C - Data tests 30
Standard tests 30
Recommended specific tests 31
Appendix D - AEOI testing plan sample 32
Appendix E - AEOI self-assessment checklist 33
Assess rating of AEOI obligations 33
Checklist - compliance with AEOI obligations 34

1. Executive summary

1.1 Background

The ATO is responsible for data collection and exchanges with foreign jurisdictions for 2 automatic exchange of information (AEOI) regimes: the United States of America's Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS).

Our AEOI compliance program seeks greater assurance that reporters with CRS and FATCA obligations (AEOI obligations) have appropriate frameworks in place and are correctly reporting to the ATO.

In 2021, Australia exchanged CRS data with 79 jurisdictions based on CRS reports received from over 2,600 domestic financial institutions. Each year, we publish a breakdown of the CRS statistics.

Reporting Financial Institutions (RFIs) are required to have procedures and systems in place to ensure that reportable accounts are identified, the relevant information collected, and that correct information is reported to the ATO. The international agreements to which Australia is a party expect the ATO, as the Competent Authority, to ensure that RFIs provide complete and accurate information for exchange with those jurisdictions.

1.2 Objective of this Guide and toolkit

This Guide provides practical information as part of a toolkit about how to conduct a self-review of your governance, due diligence, data and reporting systems, which we have referred to in this Guide as your 'AEOI framework'. It outlines the core elements and what we look for when we review the following 3 fundamental areas of compliance:

AEOI governance
due diligence obligations
reporting systems (and the accuracy of the information reported to the ATO, including data testing undertaken to verify your CRS and FATCA reporting).

You can use this Guide and toolkit to:

prepare for an AEOI review if you are an Australian RFI
review the design and operation of your AEOI framework as part of your AEOI obligations
undertake a review of your AEOI reporting systems and data testing to ensure your business systems are accurately recording and reporting information for AEOI purposes.

Throughout this Guide certain terms are capitalised as per the Standard for Automatic Exchange of Financial Account Information in Tax Matters (CRS) and the Agreement between the Government of Australia and the Government of the United States of America to Improve International Tax Compliance and to Implement FATCA (FATCA Agreement).

AEOI obligations - guidance

This Guide provides best practice for RFIs to self-assess their internal control framework for AEOI obligations. It does not cover interpretive guidance on how the FATCA and CRS rules, or other AEOI measures, apply to their circumstances. For more information about AEOI guidance, refer to ato.gov.au/crs

1.3 Benefits of a well-designed AEOI framework

The benefits to having a well-designed AEOI framework include that it:

provides a clear line of sight for the maintenance, reporting and compliance with your AEOI obligations
offers insights as to what your AEOI operating model looks like and what controls you have in place, including your compliance program for due diligence obligations
helps to identify potential systems and process gaps which may prevent reporting errors in advance and reduces incidence of misreporting
assists senior management with clarifying accountabilities for managing AEOI obligations, and any associated risks and issues
provides accurate reporting of your customers' information.

We expect that you will undertake assurance and verification procedures that align with your business and that are tailored to your own operating environment. The ATO considers having appropriate procedures for due diligence supported by data testing as critical elements of this process.

Another important factor of having your AEOI controls operating effectively is that they may prevent a range of penalties.

Table 1: CRS and FATCA potential penalties
Type Penalty amount [1]
Failure to collect a self-certification. 1 penalty unit for each missing self-certification.
Making a false or misleading statement. For each statement with missing or incorrect information:

60 penalty units for intentional disregard
40 penalty units for recklessness, or
20 penalty units for lack of reasonable care.

This penalty attracts a significant global entity uplift factor.

Failure to lodge a statement on time. Up to 5 penalty units for each Reportable Account.

This penalty attracts a significant global entity uplift factor.

Failure to keep records

(Financial Institutions need to keep records for at least 5 years that explain the procedures used for identifying these accounts).

20 penalty units.
Example 1: Failure to collect self-certifications and keep records

ABC Bank failed to implement an AEOI framework, which resulted in a lack of due diligence procedures in identifying any Reportable Accounts.

ABC Bank was not able to provide complete and accurate information to the ATO, as it failed to collect 37,500 customers' self-certification upon account opening. In 2021, ABC Bank was liable to administrative penalties of:

$8,325,000 for a failure to collect self-certifications for 37,500 accounts as required by the CRS (37,500 × $222)
$4,440 for a failure to keep or retain records of relevant procedures (20 × $222).

To ensure your organisation has an effective AEOI framework, refer to Section 3 of this Guide.

2. Our approach to reviewing AEOI obligations

2.1 AEOI review

Our compliance program includes undertaking AEOI reviews on RFIs from different sectors and of different sizes. We use our data analytics and other risk models to identify RFIs for review.

When we undertake an AEOI review, we evaluate your compliance with the AEOI obligations by obtaining objective evidence of your AEOI framework in accordance with this Guide and applying the staged ratings system. We look for evidence in the form of policies and procedures demonstrating the existence and design of the AEOI framework.

We use our data and analytics, as well as risk assessment methodologies, to select reporters for AEOI reviews. Some key factors that may indicate the need for a review include:

absence of reporting
large changes in the volume of reporting between reporting periods
reporting of tax identification numbers (TINs) for significantly fewer accounts in comparison with other RFIs
reporting of TINs which are noticeably wrong
reporting of non-reportable entities
reporting of Account Holders in non-tax jurisdictions
enquiries or information indicating under reporting or inaccurate reporting from the Competent Authority of another participating jurisdiction, or other Australian government agencies.

Once we have completed the AEOI review, and found no major deficiencies in your AEOI framework, it is intended that we may initiate the next review on a periodic basis at least once every 4 years.

During the intervening period ( 3 years), reporters are expected to proactively monitor their AEOI framework and act on any major reporting errors by preparing remediation plans and/or lodging amended reports, where appropriate. We encourage reporters to use this Guide to self-assess their AEOI framework.

We will also use our data and analytics program to safeguard against materially missing information or non-lodgment of CRS and/or FATCA reports.

After the AEOI review, we are not likely to initiate a specific review or audit where:

you provided evidence of a remediation plan with reasonable timeframes for concerned areas during the AEOI review
your lodged reports (new or amended) do not have a materially high number of data issues (for example, noticeably wrong TINs), and
we do not receive enquiries or information indicating under reporting or inaccurate reporting from the Competent Authority of another participating jurisdiction.

2.2 Maintenance and monitoring

We encourage reporters to use this Guide to self-assess areas which require actions, and/or need improvements. Our largest reporters will need to complete an annual questionnaire. We will continue to monitor your lodged reports and completed questionnaire.

We encourage you to engage early with the ATO, should you have any major deficiencies in your AEOI framework.

2.3 Standard ratings system

When we review your compliance with AEOI obligations, we apply a rating system, based on objective evidence provided by you to demonstrate that your AEOI framework is operating as required.

We assess your AEOI framework based on the following ratings system:

Table 2: Overall standard ratings system for the AEOI framework
Operating as required There is evidence to demonstrate that an AEOI framework is in place, has been designed effectively and is operating as required in practice.

There is evidence of periodic reviews and regular testing, and any recommendations, next actions or areas identified for improvement have been satisfactorily resolved.

Operating in part (requires improvement) There is evidence to demonstrate that an AEOI framework is in place and has been designed effectively, but one or more core elements[2] require improvements for the AEOI framework to be fully operational as required.

Where gaps or deficiencies in an AEOI framework are identified that require improvements, we will:

make recommendations/request actions for identified areas, and
verify you have satisfactorily resolved any required actions and/or recommendations.

Not operating as required, or not in place There is insufficient evidence to demonstrate an AEOI framework is in place, or there is evidence to demonstrate an AEOI framework is in place, but:

significant concerns exist that information is not accurately recorded and reported to the ATO, or
a significant number of core elements require improvements both in terms of design and operational effectiveness.

Example 2 below illustrates the application of the staged rating system in an ATO AEOI review:

Example 2: Assessment of AEOI framework

The ATO reviewed DEF Capital's AEOI obligations as part of an AEOI review.

We obtained evidence and assessed the following components:

AEOI governance - we determined that an effectively operating governance framework for AEOI obligations was in place.
Due diligence - we considered that documented due diligence procedures with core elements were also in place for individual and entity accounts as well as strong measures (CRS only) for the onboarding of clients.
Reporting system and data testing - we verified that operating procedures and relevant controls that support data collection, extraction, testing, preparation and submission of reports, and a process for reviewing and approving ATO lodgments were operational.

We were able to review the findings and outcomes of DEF Capital's internal review of their AEOI framework. The review was undertaken by DEF Capital's internal audit division or an independent firm. DEF Capital provided evidence of an action plan with the gaps identified, which was successfully remediated.

As DEF Capital provided sufficient evidence demonstrating that their AEOI framework has not only been designed effectively, but is also operating as required, we assessed and rated DEF Capital's AEOI framework as 'Operating as required'.

3. Practical guidance to self-review AEOI obligations

3.1 Better practice AEOI framework

The following guidance provides the opportunity to verify and compare your AEOI framework against the ATO better practice principles and required AEOI standard.

This practical guidance is for use by:

ATO client engagement teams when undertaking AEOI reviews
AEOI reporters when self-assessing the AEOI framework compared against the 'better practices principles' set out in this Guide
professional firms engaged by entities to perform a review of the entity's AEOI framework for AEOI obligations.

We consider that a well-designed AEOI framework needs to incorporate 3 essential core elements as presented in Diagram 1 of this Guide:

AEOI governance
due diligence obligations
reporting systems and data testing.

Diagram 1: AEOI framework - core elements

Diagram 1: AEOI framework - core elements

The ATO expects that these core elements will be present in your AEOI framework. We recommend medium to small reporters consider adopting our better practices appropriate to their circumstances, depending on the type and size of their reporting entity, when assessing the robustness of their AEOI framework.

3.2 Self-assessment of your AEOI framework

We recommend that reporters (and their advisors) use the Appendix E self-assessment checklist in this Guide to self-assess their AEOI framework against the principles and required actions as outlined in Section 3 of this Guide. Where a reporter does not have the internal resources or capability to conduct an internal self-assessment, they may consider engaging third parties to conduct an independent review of their AEOI framework.

3.3 AEOI Governance

Intent

A well-documented AEOI governance is a key element of an effective AEOI compliance system. The AEOI framework sets out the parameters of how AEOI risks are to be managed, including compliance with AEOI rules and ATO lodgment and filing obligations.

What to look for

The core elements for AEOI governance are shown in Diagram 1 of this Guide.

3.3.1 Documented governance framework

An AEOI governance document is in place, setting out:

processes to identify, evaluate and manage CRS and FATCA risks to ensure that these are addressed in a timely manner (including risks arising from changes in business operations, operating processes, and/or external factors)
all entities subject to AEOI reporting
who is responsible for AEOI compliance and reporting, and a description of AEOI functions across the business, including training
the escalation processes for significant risks, including identifying which matters need to be escalated, to whom and how often (including information about resolution of risks/issues)

Better practice is to have a formal AEOI governance framework approved by appropriate personnel, such as Chief Financial Officers, Chief Operating Officers, Chief Executive Officers or the Board. Your AEOI governance framework may also form part of your overall risk management framework.

We acknowledge that formalisation of AEOI governance may vary between entities. For small reporters, some aspects of governance and implementation may not be structured or defined as they might be for large reporters. However, there should still be the required level of documentation and processes in place to ensure your AEOI reporting is accurate.

3.3.2 All in-scope entities are identified

The following should be documented:

process or procedures for identifying all entities in-scope for AEOI obligations within your business
a list of all legal entities in-scope for AEOI obligations, including reasons for each entity treatment - whether based on product or line of business classifications (and the process for keeping this list up to date)
a visual diagram or explanation of all entity types or branches that qualify as reporting entities and non-reporting entities
the total number of the group's reporting Australian Financial Institutions by type including

-
Custodial Institutions
-
Depository institution
-
Investment Entities (including Type A and Type B)
-
Specified Insurance Companies

the total number of the group's non-reporting entities by type and category, including

Active Non-Financial Entities (CRS) and Non-Financial Foreign Entity (FATCA).

Example 3: Best practice - in-scope entities identified

GHI Funds Management's internal control framework includes an effectively designed control which identifies all legal entities within their group that are in-scope for AEOI obligations. The Fund Manager provided documentary evidence which (visually) depicted not only in-scope RFIs but also non-reporting entities for AEOI purposes.

This control is built into business systems such that the Fund Manager can easily identify new in-scope entities and carve out entities which no longer meet the requirements for AEOI obligations.

3.3.3 Roles and responsibilities are clearly understood

Staff, management and other personnel roles and responsibilities are clearly defined and documented within the governance framework to ensure AEOI obligations are well managed, including:

role descriptions for AEOI compliance personnel, commonly set out in a matrix such as a RACI (Responsible, Accountable, Consulted and Informed)
formal responsibility or process for AEOI personnel to partner with account managers or customers or finance personnel to consider AEOI risks and issues with appropriate solutions
staff experience and knowledge of AEOI obligations, including the availability of staff training and support
staff responsibility for communication and process updates (internally and externally), especially when new legislation, or guidance is introduced, including updates to training material
For FATCA only: the details of the Responsible Officer for FATCA reporting obligations.

A documented training policy (timing and frequency) for CRS and FATCA obligations is in place, including:

training specific to staff responsible for on-boarding and documentation validation, such as collection of self-certifications and validity checks
how staff are informed of changes in guidance or procedures, including law changes
how often you update training material, and how you communicate these changes to staff and other stakeholders.

3.3.4 Documented compliance plan is in place

A documented AEOI compliance plan is in place involving key stakeholders that have oversight and responsibilities, setting out CRS and FATCA compliance and maintenance, including:

timing and frequency of periodic discussions with relevant stakeholders of ongoing compliance activities, such as on-boarding, self-certifications, due diligence, withholding (for FATCA), reporting, challenges and items that need escalations
policies and procedures to detect arrangements, schemes or transactions which may lead to circumvent reporting of financial account information and a documented process to report these to the ATO
the process for changing, approving and signing off AEOI policies and due diligence procedures.

Note: If you use third-party service providers for compliance with AEOI requirements, refer to Section 3.4.6 of this Guide for additional self-review guidelines.

3.3.5 Record keeping is up to date

You have a record-keeping and retention policy which documents:

an account holder's status and their self-certifications (generally 5 years)
procedures used in due diligence processes, including keeping a record of the evidence relied upon
key decisions on ongoing AEOI compliance, including any independent review or audit reports and/or key gap analysis for AEOI obligations.

3.4 Due diligence obligations

Intent

To ensure correct reporting of your AEOI obligations, you need to demonstrate that you comply with the due diligence requirements. Your due diligence procedures are documented, implemented and operate as required in practice.

The ATO considers that having the appropriate correct reporting controls for due diligence to be a critical aspect of this process.

Diagram 2: The different due diligence procedures that apply

Diagram 2: The different due diligence procedures that apply

Small reporters and due diligence

We acknowledge that AEOI due diligence may vary between AEOI reporters depending on the number of factors, including the type or size of reporting entities and their operational framework. For example, a trustee of a single reporting entity would be unlikely to use the same type of due diligence systems and processes to identify whether their account holders are Reportable Persons as a large regulated financial institution.

What to look for

The core elements are shown in Diagram 1 in this Guide.

3.4.1 Accounts are identified and monitored

Documented systems and processes are in place to identify and monitor:

all Financial Accounts
all Reportable Accounts
Lower Value and HigherValue Accounts
non-reportable accounts
undocumented accounts
change in circumstances.

Identifying and monitoring Financial Accounts

Where applicable, your Product Life Cycle manual includes determination of CRS and FATCA classifications.
Product master list is up to date with relevant controls to test correct classification of products and services for AEOI purposes.

Identifying and monitoring Reportable Accounts

Which products and services are in scope (and out of scope) for AEOI reporting.
How the list of financial products and services that are in scope is kept up to date.
You have relevant controls in place to readily identify missing Financial Accounts which are Reportable Accounts.
Documented guidelines exist to determine which accounts meet the definitions within CRS and FATCA to identify:

-
Pre-existing Individual and New Individual Accounts
-
Pre-existing Entity and New Entity Accounts.

Identifying and monitoring Lower Value and Higher Value Accounts

Where an entity has elected (or not) to apply thresholds based on (aggregated) account balances (Appendix A of this Guide), what is the documented process to:

-
identify where accounts should be aggregated?
-
calculate total aggregated account balances?
-
ensure all accounts are correctly identified as low-value or high-value based on the aggregated account balance, including any accounts that were previously low-value accounts but have become high-value accounts?
-
regularly maintain and check account balances for in-scope AEOI purposes, including the requirement to consider the differences in currencies for Reportable Accounts?

Identifying and monitoring non-reportable accounts

Documented due diligence methods of assessing and classifying non-reportable accounts which may include Excluded Accounts, escrow accounts, retirement and pension accounts, etcetera are in place.
Documented due diligence procedures for dormant accounts, including changes and activities when these accounts become Reportable Accounts are in place.

Identifying and monitoring undocumented accounts

A documented CRS treatment is in place for undocumented accounts.
There are processes in place to track and initiate follow-up actions for undocumented accounts, where applicable.

Identifying and monitoring change in circumstances

You have documented due diligence procedures, including required action steps, for a trigger of change in circumstances[3] for accounts including but not limited to:

account balances exceed a due diligence threshold
one or more new indicia becomes identified with the account, and
the reporting entity becomes aware of new information which indicates the existing classification of the account (or account holder) is unreliable or unreasonable.

Example 4: Best practice - change in circumstances - due diligence triggered

JKL Bank has clearly documented due diligence procedures for a change in circumstances for New Individual Accounts, including documented required actions. As a result, several New Individual Accounts were identified which caused JKL Bank to know, or have reason to know, that the self-certification is incorrect or unreliable.

JKL Bank's personnel took required action, as documented in the due diligence procedures, to obtain either a new self-certification or a reasonable explanation with documentation supporting the original self-certification. Due to timely action, JKL Bank obtained sufficient documentary evidence to treat these accounts as Reportable Accounts.

3.4.2 Compliance with rules on Pre-existing Individual Accounts

One of the key decisions for implementing due diligence rules for Pre-existing Individual Accounts is the date from which the split between new account procedures and pre-existing account procedures applies. Documented due diligence procedures for Pre-existing Individual Accounts depends on the value of account balances (Diagram 3 of this Guide).

Documented due diligence procedures are in place for:

obtaining a valid self-certification, and
confirming the reasonableness of such self-certification.

Diagram 3: Due diligence procedures for pre-existing individual accounts

Diagram 3: Due diligence procedures for pre-existing individual accounts

Pre-existing Individual Accounts: Lower Value Accounts

Residence address test

Documented procedures are in place outlining how this test is carried out, if elected, and where and how addresses are collected in line with acceptable listed Documentary Evidence.
Documented procedures are in place to identify indicia of Account Holders across different systems including inconsistent information and change in circumstances.

Electronic record search

Clear guidelines are in place outlining how electronic record searches are undertaken, including steps for change in circumstances and what to do if any foreign indicia are identified.
Documented procedures outline how and when this test should apply to Lower Value Accounts for AEOI obligations.

Paper record search

Documented procedures are in place for an 'in-care of' address or 'hold mail' instruction in a foreign jurisdiction, including steps for obtaining self-certification or Documentary Evidence from the account holder to establish their tax residency.
Clear guidelines are in place for what paper records (including scanned records) are maintained and whether master files are held for each account holder.

Pre-existing Individual Accounts: Higher Value Accounts

Electronic records search

Clear guidelines are in place outlining how electronic record searches are undertaken.
Documented procedures outline in what circumstances and how an electronic record search for Reportable Jurisdiction indicia should be carried out - including clear guidelines for AEOI obligations.

Paper record search

Documented procedures outlining how and when a paper record search should be conducted, including specific requirements for AEOI purposes.
Clear guidelines are in place for what paper records (including scanned records) are maintained and whether master files are held for each account holder.

Relationship manager

Documented procedures identify whether accounts have Relationship Managers and their roles relating to AEOI obligations.
Processes are in place to ensure when and how a Relationship Manager has actual knowledge that an account holder is a Reportable Person and if the account is treated as a Reportable Account.
Processes are in place which determine how a Relationship Manager determines the status of an account or aggregated accounts and identifying any change of circumstances.

Curing procedures

Documented curing procedures are in place, including required necessary steps for AEOI obligations.
Processes are in place which ensure that accounts with uncured indicia for more than one Reportable Jurisdiction are currently reported in respect of all relevant Reportable Jurisdictions.

Example 5: Best practice for electronically searchable data - effect of indicia documented

LMN Custodial Services maintains clearly documented guidelines of electronic searchable data, including an effect of finding indicia for its pre-existing individual higher-value accounts. Upon identifying a number of accounts with an 'in-care-of' address or 'hold mail' instruction in a foreign jurisdiction, LMN Custodial Services:

conducts the paper records search to identify any additional foreign indicia, or
seeks a self-certification or documentary evidence from the account holder to establish their tax residency.

After conducting the paper records search, an additional foreign indicia was found (phone number in a Reportable Jurisdiction). However, LMN Custodial Services chose to use its curing procedures to confirm these accounts were non-reportable due to documentary evidence obtained which show a current Australian residential address.

Due to LMN Custodial Services's clearly documented procedures, including documented steps what to do if foreign indicia are found, LMN Custodial Services personnel swiftly acted within a reasonable timeframe to remediate any issues.

3.4.3 Compliance with rules on New Individual Accounts

You have documented due diligence procedures for all New Individual Accounts, including process steps for (Diagram 4 of this Guide):

obtaining a valid self-certification
confirming the reasonableness of such self-certification, and
applying strong measures (CRS only).

Diagram 4: Due diligence procedures for new individual accounts

Diagram 4: Due diligence procedures for new individual accounts

Obtaining and validating self-certifications

As significant penalties can apply for a failure to obtain self-certifications, the ATO considers that having documented correct due diligence measures for new accounts a critical aspect of this process. This includes:

end-to-end customer on-boarding processes for AEOI obligations, including digital on-boarding
details of how this on-boarding interacts with the entity's verification of anti-money laundering (AML) and know your customer (KYC) documentation
processes for identifying exceptions under CRS and FATCA, such as the Account Holder also holding a pre-existing account
procedures for situations where self-certification cannot be validated and what reasonable explanation and supporting evidence can be accepted for any discrepancies
processes for seeking a new self-certification.

3.4.4 Compliance with rules on Pre-existing Entity Accounts

You have documented:

due diligence procedures for

-
obtaining a valid self-certification
-
confirming the reasonableness of such self-certification.

procedures, policies or manuals for

-
any elections you may have made, including evidence of the election/s (Appendix A of this Guide)
-
monitoring and correctly identifying accounts based on their account balance aggregation and currency conversion, including timing when and how these triggers are reviewed

determination of active versus Passive Non-Financial Entity (NFEs), including 'look through' due diligence procedures[4], and
changes in circumstances.

Identifying Account Holders

Documented procedures are in place identifying whether the entity and/or its Controlling Persons are Reportable Persons, including:

identifying the Controlling Persons of the entity, including Controlling Persons of a Passive NFE
procedures to obtain self-certifications from the account holder or Controlling Persons, and
Documentary Evidence used to verify the identity of Account Holders and any Controlling Persons to assess the reasonableness of their self-certifications.

Where you rely on AML/KYC procedures, you have documented guidelines which demonstrate how information and documentation were collected and maintained.

3.4.5 Compliance with rules on New Entity Accounts

Documented due diligence procedures are in place for:

obtaining a valid self-certification
confirming the reasonableness of such self-certification, and
applying strong measures (CRS only).

You have documented due diligence procedures for all New Entity Accounts and have processes to establish whether the entity is:

a Reportable Person, and/or
controlled by Controlling Persons that are Reportable Persons.

Beneficiaries of trusts - Controlling Persons

Your AML/KYC procedures contain steps identifying the Controlling Persons of a trust, including settlors and beneficiaries. These procedures outline the way your organisation is informed of distributions by the trust to foreign tax residents after the initial self-certification.

You have a clear process for where an exception applies, such as the account holder also holding a pre-existing account (Appendix A of this Guide).

You have documented 'look-through' due diligence procedures for certain entity Account Holders (Type B Investment Entities).

Reliance on AML/KYC and other procedures:

If relying on your AML/KYC procedures as part of meeting your AEOI obligations for CRS and FATCA, these procedures should be carried out correctly when determining Controlling Persons - this requires undertaking a review on a sample of accounts ensuring self-certifications have been obtained and the reasonableness of those self-certifications has been verified.
For entities which may not be covered by the AML/KYC procedures, you have documented processes which outline how due diligence applies to these entities.

3.4.6 Sector specific approaches

This section of the Guide focuses on sector-specific self-review issues and principles that your organisation needs to consider to ensure fulfillment of its due diligence obligations. These due diligence procedures are additional requirements you need to have in place.

Depository Institutions

Key issues in Diagram 5 of this Guide have been considered and documented. Your due diligence processes include:

processes to ensure that the undocumented accounts, dormant accounts and Excluded Accounts are reviewed periodically and continue to be classified correctly
risk mitigation strategies for customer-facing staff or agents who are responsible for gathering due diligence documentation for new account openings, such as self-certifications. For example, procedures are in place for systems or Day 2 procedures for staff (or agents) who are unable to make decisions on issues such as the reasonableness of a self-certification
classifying and identifying other financial institutions (reporters) such as Investment Entities, trusts and other entities which hold assets or accounts within your organisation. A system of identifying non-financial institutions and Financial Institutions is also implemented
for Depository Accounts only - information of the total gross amount of interest paid or credited to the account.

Diagram 5: Key issues for Depository Institutions

Diagram 5: Key issues for Depository Institutions

Insurers

Key issues in Diagram 6 of this Guide have been considered and documented. Your documented due diligence processes include:

identifying products that are in scope for AEOI reporting, for example 'cash value insurance' contracts
consideration of how due diligence procedures apply to all in-scope products, especially for products that have longer term tenures
data storage of customer information
periodic reviews for undocumented accounts, dormant accounts and Excluded Accounts to ensure they continue to be classified correctly.

Diagram 6: Key issues for insurers

Diagram 6: Key issues for insurers

Investment Entities and Custodial Institutions

Key issues in Diagram 7 of this Guide have been considered and documented. Your documented due diligence procedures include:

annual monitoring of your gross income attributable to holding financial assets
clear line of sight for which accounts are considered in scope for AEOI obligations
valuation considerations of account interests and any events that may trigger AEOI reporting obligations. For example, some entities may operate different investment tiers, which means that the relative proportion of the assets attributable to each investor cannot be determined until a certain event (that is, liquidation)
how accounts and account balances are determined for AEOI reporting obligations.

Diagram 7: Key issues for Investment Entities and Custodial Institutions

Diagram 7: Key issues for Investment Entities and Custodial Institutions

Third-party service providers

This section of the Guide outlines key considerations and issues (Diagram 8 of the Guide) for RFIs that engage third-party service providers to provide AEOI services to assist with CRS or FATCA reporting, for example:

advice and support in setting up internal systems
provision of IT and/or infrastructure (automated due diligence)
outsourced data validation
outsourced due diligence, reporting and lodgment services

If your entity engages third-party service providers, your documented processes include:

the terms and conditions (contractual arrangement or scope of work) between RFIs and third-party service providers
clear roles and responsibilities, including how data holders interact to fulfil the legal obligations of AEOI reporting
if a third-party service provider is responsible for the collection of the customer data, the processes used for data maintenance, transfer and use of data
if a third-party service provider undertakes due diligence, documented procedures which clearly outline the due diligence requirements
assessing the performance of third-party service providers including regular monitoring, communication and reporting
evaluating the outputs under the arrangement with the third-party service provider, including, the actioning of any recommendations or remediation activities
the methodology utilised by the third-party service provider to comply with the AEOI obligations and to provide correct reporting to the ATO
coverage of the key issues in Diagram 8 of this Guide.

If RFIs use third-party service providers to implement, monitor and carry out activities for AEOI purposes, it is important to note that the RFI will remain liable for their AEOI obligations. Where a penalty provision is triggered due to non-compliance, the penalty is applied to the RFI and not the third-party service provider. In this regard, the third-party service provider should be carefully vetted to ensure they have the appropriate level of expertise and experience, and the outputs from their work-streams should be regularly monitored and reviewed by the RFI.

Diagram 8: Key issues for using third-party providers

Diagram 8: Key issues for using third-party providers

3.5 Reporting systems and data testing

RFIs are required to correctly identify, prepare and report financial account information in accordance with CRS and FATCA Extensible Markup Language (XML) Schemas. It is imperative that your AEOI governance and systems are working effectively in practice (and are regularly tested) to ensure the integrity and accuracy of your ATO reporting.

We have provided a series of recommendations in this Guide to assist you with AEOI framework testing, however, we emphasise that the design of your collection, processing and reporting systems should be robust and fit for purpose tailored to your circumstances to identify and mitigate any risks.

What to look for

IT reporting systems for AEOI, as outlined below.

3.5.1 AEOI reporting systems

You have business systems and procedures in place to ensure the required AEOI information is being collected, processed and stored in an appropriate manner.

The setup of your AEOI business systems may be bespoke and provide that:

the account information is collected in an electronic business system or in another format
multiples tiers of separate and/or interrelated business systems, and
CRS and FATCA have different reporting systems.

In undertaking a self-review of your business systems for AEOI purposes, it is important to consider:

how the account information is maintained
how many business systems manage reporting
if any new systems are built to manage CRS and FATCA reporting, how they interact with any legacy systems
where information is captured in multiple systems, what procedures are in place to reconcile the CRS and FATCA information with the source data
an explanation of data storage across one (or multiple) systems - how data is 'searched' or 'gathered' for due diligence purposes
if your organisation has undergone any mergers or acquisitions recently, a clear pathway of extracting data for due diligence purposes (the form and type).

3.5.2 Data extraction and analysis

In undertaking a self-review, seek to understand how information is extracted from your business systems and validated to ensure it complies with the relevant Schemas. This will include:

a data extraction process
a data analysis process, and
correcting data errors.

Data extraction process (what, how, who and when)

Documented processes are in place for:

a periodic AEOI data testing plan (Appendix D of this Guide)
a description of the reports run in each business system
validation checks performed regularly, for example, identification of missing or noticeably wrong TINs, and
a description of how reports are set up to ensure correct dates are selected for pre-existing accounts and new accounts. For example, reports for testing of aggregated balances for certain accounts and change in circumstances (Appendix C of this Guide's data tests).

Data analysis process (to ensure quality data is submitted)

Documented processes are in place for:

running standard and recommended data (and account) tests and trend analysis to check for errors and accuracy of data (Appendix C of this Guide's data tests)
standard checks to identify high-risk or high-value transactions. You also have processes in place to rectify errors once they are identified in relation to the annual report (Appendix C of this Guide's data tests)
procedures to ensure that the format of the annual report conforms with the most updated CRS and FATCA XML Schemas
regular data quality checks, and
any processes where data needs to be corrected or manually adjusted including the reasons for such correction/s.

We consider that better practice involves implementing AEOI data testing as part of your annual lodgment process (Appendix C of this Guide). You should document the findings and results from your data testing and keep records of working papers. We may ask for copies of these as part of our reviews.

Correcting data errors

If errors and exceptions are identified, you need to have a remediation action in place to correct identified errors and issues (Appendix B of this Guide's common issues and errors).

Evidence of any remediation activities should also be documented and the results of these recorded.

Early engagement with the ATO is essential if you identify errors and exceptions evidencing a major deficiency in your AEOI framework. In this case, you need to prepare an action plan to correct the errors and potentially lodge a voluntary disclosure. Major deficiencies in your AEOI framework may include:

missing CRS and FATCA reports for multiple years
a significant number of Reportable Accounts with missing self-certifications
a significant number of Reportable Accounts belonging to jurisdictions which are non-tax jurisdictions, and
a significant number of Reportable Accounts with TIN errors or TINs which are noticeably incorrect.

3.5.3 Submission of reports and questionnaires to the ATO

It is imperative that you have documented procedures in place to ensure that your CRS and FATCA reports and questionnaires can be submitted to the ATO on time and without errors by having in place:

checklists to confirm the review of data analysis results, conclusions and what is approved and signed off
a process to review any corrections of errors and the reasons before ATO lodgment, and
a quality control process to review the annual report before lodgment.

Your documented procedures to address any identified lodgment validation errors (ATO portal) include processes:

to determine if any changes are necessary for validation warnings, and
which outline what steps need to be undertaken to remediate any lodgment errors.

3.5.4 Managing amendments, cancellations and error notifications

We require that amendments, cancellations and error notifications are remedied promptly, including:

routine reviews to detect discrepancies or errors in Reportable Accounts, and pre-empting early any potential issues with the filing of the correct data in a timely manner
a designated officer being responsible for identifying and detecting any discrepancies/errors, and
systematic issues which may be the root-cause of the problem identified and resolved to ensure ongoing accurate AEOI reporting.

Appendix A - Elections by RFIs (CRS)

Unless otherwise specified, an RFI may make any of the elections permitted in the CRS (including elections that follow as a consequence of choices Australia has made) in determining its obligations under the CRS.

As part of an RFI's AEOI framework, we recommend the entity has records and documented procedures for any CRS elections which have been made, which may include, for example:

A. using third-party service providers to fulfil their obligations
B. applying the due diligence procedures for new accounts to pre-existing accounts
C. applying the due diligence procedures for Higher Value Accounts to Lower Value Accounts
D. applying the residence address test for Lower Value Accounts
E. excluding Pre-existing Entity Accounts with an aggregate value or balance of US$250,000 or less from its due diligence procedures
F. applying alternative documentation procedure for certain employer-sponsored group insurance contracts or annuity contracts
G. making use of existing standardised industry coding systems for the due diligence process
H. using a single currency translation rule
I. applying the expanded definition of pre-existing account
J. applying the expanded definition of related entity
K. aligning the reporting obligations for trusts that are Passive NFEs with trusts that are Financial Institutions.

Appendix B - Common issues and errors

Core elements

Table 3 of this Guide lists the common issues in AEOI reporting:

Table 3: Common issues for AEOI reporting
Drivers Issues
Governance Lack of internal AEOI governance framework that includes gaps in procedures and/or controls often lead to incorrect or the late reporting of AEOI obligations.
Personnel issues Staff turnover or leave at any level can lead to resource and capability gaps that impact on correct and timely AEOI reporting.
Technical understanding and knowledge Incorrect interpretation of the AEOI Standard and reporting requirements through lack of knowledge, capability and training of (new) staff.
Changes to the law, AEOI standard and/or guidance Not updating existing policies, procedures or knowledge to deal with AEOI standard and/or guidance changes.
Due diligence Undocumented procedures can lead to incorrect AEOI reporting and/or missed information.

Data errors

Table 4 of this Guide lists common data errors in AEOI reporting:

Table 4: Common data errors in AEOI reporting
Area Types of error
Non-reportable accounts Accounts belonging to publicly-listed entities and Excluded Accounts are reported.
Non-tax jurisdictions Account holders reported belonging to non-tax jurisdictions - possible manual selection of jurisdiction codes.
Missing or noticeably wrong TINs Manual data entry, lack of due diligence procedures followed.
Missing information Date of birth, missing TINs.

Appendix C - Data tests

Better practice for accurate reporting means embedding the following standard tests as part of an entity's lodgment process for CRS and FATCA reports.

Standard tests

Table 5: Standard tests when lodging CRS and FATCA reports
Test number Test Description of the test Benefits of the test
1 Reconciliation of legal entities subject to AEOI obligations Reconcile reportable legal entities against the list of all legal entities the entity controls. To verify in-scope entities have been identified for AEOI obligations.
2 Financial accounts identified Obtain list of all products and services and determine CRS classification. To identify financial products and services subject to AEOI reporting obligations, and carve out those which are out-of-scope.
3 Reportable accounts identified Review all Reportable Accounts to confirm non-reportable and Reportable Account holders. To confirm only Reportable Account holders are included in reporting (that is, excluding publicly-listed entities).
4 Excluded and dormant accounts Identify all Excluded and dormant accounts. To verify all accounts which are treated as Excluded Accounts meet the definitions of such accounts.
5 Account opening - due diligence requirements Determine how many Reportable Accounts have missing self-certifications. To verify required account opening due diligence procedures were correctly followed.
6 Account monitoring - TINs Confirm all Reportable Accounts have TINs or identify noticeably wrong TINs. Identify potential issues with TIN entries or missing TINs.
7 Account monitoring - change in circumstances Identify which accounts had change in circumstances triggered and which did not. To verify, monitor and review of accounts, and whether required due diligence procedures were followed.
8 Account monitoring and reporting - account balances Identify all accounts with applicable thresholds (subject to elections made). To ensure all accounts are correctly identified as lower value or higher value on the basis of the aggregated account balance.
9 Account monitoring: non-tax jurisdictions Extract data of jurisdictions of residents to check for non-tax jurisdictions. To verify all residents' jurisdictions are reasonable.

Better practice includes performing recommended specific data tests throughout the year for trend analysis and early detection of errors and misreporting.

Recommended specific tests

Table 6: Recommended specific tests when lodging CRS and FATCA reports
Test number Test Description of the test Benefits of the test
1 Account balances To identify 20 largest account balances. To ensure accounts are Reportable Accounts and due diligence procedures were followed.
2 Account payments To identify 20 largest account payments. To ensure accounts are Reportable Accounts and due diligence procedures were correctly followed.
3 Out-of-scope financial accounts To randomly test out-of-scope financial accounts. To ensure out-of-scope accounts are correctly excluded based on products and services offered.
4 Undocumented accounts To identify undocumented accounts. To ensure undocumented account procedures were correctly followed.
5 Noticeably wrong* or missing TINs To identify noticeably wrong TINs or missing TINs To ensure account opening procedures are operating as required to capture TINs.
6 Non-tax jurisdictions** To identify accounts belonging to non-tax jurisdictions. To correct possible incorrect manual selection of jurisdiction codes.

*Noticeably wrong TINs include numerical and non-numerical entries which do not conform to any TIN structure, for example:

Numerical TINs - sequence numbers such as '123456789', repeating numbers such as '11111111' and single digit numbers such as '0'
Non-numerical TINs - words such as 'Pensioner', 'Retired', 'France', 'None', 'No' and single letters such as 'Z'

**Non-tax jurisdictions include jurisdictions which are uninhabited or contain a military or scientific presence. The following are considered non-tax jurisdictions: Antarctica, Bouvet Island, British Indian Ocean Territory, Heard and McDonald Islands, Svalbard, Jan Mayen Islands, French Southern Territories and South Georgia and South Sandwich Islands.

Note: residents of Christmas Island, Cocos (Keeling) Islands and Norfolk Island are tax residents of Australia and should not be reported. RFIs may wish to remove these codes from their International Organisation for Standardisation (ISO) lists to ensure they cannot be selected.

Appendix D - AEOI testing plan sample

This is a simplified sample template for AEOI testing.

Your actual AEOI testing documentation may vary, depending on your business size and operations, your wider enterprise risk management framework and policies you have in place.

SCOPE

Include details of the AEOI testing process.
Include details of the AEOI framework elements to be tested and the specific CRS and/or FATCA business processes covered.
Include details of the AEOI data to be extracted, analysed and tested, including any pre/post lodgment reports to be verified as part of the testing process.

KEY RISKS

Describe the key risks the testing will address. For example, non-compliance with certain elements of the CRS rules, or verification of the accuracy of reports lodged for the relevant period.

KEY CONTROLS AND DATA TESTED (INCLUDING AEOI POLICIES COVERED)

Include:

details of your AEOI policy and procedures that form part of the AEOI framework, or
specific details of each AEOI core element to be tested, for example:

-
specific AEOI governance and controls
-
due diligence obligations; for example, sample testing of financial accounts
-
AEOI reporting systems and data testing accuracy.

OUT OF SCOPE

Document areas, entities, controls and AEOI regimes which will not be in the scope of testing.

METHODOLOGY

Describe the methodology undertaken to conduct the testing.

DELIVERABLE/REPORT

Detail the type of report/deliverable that will be issued at the end of the testing.
We recommend that this document should include sufficient information including actions required to address identified gaps or issues, observation of the operational effectiveness of the AEOI framework and a recommendation as to whether the specific AEOI processes and procedures are operating as required.

Appendix E - AEOI self-assessment checklist

Assess rating of AEOI obligations

You can use this checklist as guidance to self-assess your AEOI framework's core elements. If you identify significant gaps, prepare a remediation plan to action and resolve identified gaps.

Green Dot

Operating

There is evidence to demonstrate that a core element exists, has been designed effectively and is operating as required in practice.

Yellow Dot

Designed

There is evidence to demonstrate that a core element exists and has been designed effectively, but certain elements require improvement/s for the core element to be fully operational.

Red Dot

Concerns

There is insufficient evidence to demonstrate a core element exists, and/or there are significant number of areas requiring improvement both in terms of design and operational effectiveness.

Checklist - compliance with AEOI obligations

Red Dot

Red Dot

Red Dot

Red Dot

Red Dot

Red Dot

1. AEOI governance
Documented governance framework

Section 3.3.1 of this Guide

Documented governance framework including:

process to identify, evaluate and manage CRS and FATCA risks
list of all entities subject to AEOI reporting
responsible personnel for AEOI reporting
clear description of AEOI functions across the business
the escalation processes for significant risks.

Evidence of AEOI governance may be included in the entity's broader risk management framework endorsed by the Board (this is not a specific requirement).

Checkbox

Checkbox

Checkbox

All in-scope entities are identified

Section 3.3.2 of this Guide

Documented process or procedures for identifying and reconciling all entities in-scope and out-of scope for AEOI obligations, including reasons for each entity's treatment, including by type and category.

Checkbox

Checkbox

Checkbox

Roles and responsibilities are clearly understood (accountability, training, knowledge, connections with other business areas)

Section 3.3.3 of this Guide

Documented roles and responsibilities:

of all CRS and FATCA functions and personnel; this should include the identification, escalation, reporting and resolution of significant risks, and, if needed, procedures and the Responsible Officer at each stage
for key roles: commonly set out in a matrix such as a RACI (Responsible, Accountable, Consulted and Informed)
of third-party providers as set out in the contractual arrangements
FATCA only: of a Responsible Officer who is responsible to ensure compliance with FATCA obligations.

Documentation outlining ongoing training policy to staff, other business units including any legislative, AEOI standard and/or guidance updates.

Checkbox

Checkbox

Checkbox

Documented compliance plan is in place

Section 3.3.4 of this Guide

Documented compliance plan clearly setting out:

different tiers of reporting AEOI components and/or obligations
the process for changing, approving and signing off policies and procedures
policies and procedures to detect arrangements, schemes or transactions which may lead to circumvent reporting of financial account information.

Documented processes are in place - third-party service providers:

setting out terms and conditions (contractual arrangement) between RFIs and external service providers, such as statement/scope of work
assessing the performance of third-party service providers, including monitoring, communication and reporting
issues register with any issues and/or risks related to AEOI obligations and/or reporting.

Checkbox

Checkbox

Checkbox

Record keeping is up to date

Section 3.3.5 of this Guide

Documented record-keeping and retention policy, including procedures used for identifying Reportable Accounts.
Business operations and due diligence procedures.
Storage, retention and accessibility of records is clearly documented.

Checkbox

Checkbox

Checkbox

2. Due diligence obligations
Accounts are identified and monitored

Section 3.4.1 of this Guide

Documented procedures are in place identifying:

Financial Accounts - list of products and services and applicable CRS/FATCA treatment
Reportable Accounts
non-reportable accounts
Lower Value and Higher Value Accounts
undocumented accounts
change in circumstances.

Checkbox

Checkbox

Checkbox

Compliance with rules on Pre-existing Individual Accounts

Section 3.4.2 of this Guide

Documented procedures for Pre-existing Individual Accounts:

Lower Value Accounts.
Higher Value Accounts.

Checkbox

Checkbox

Checkbox

Compliance with rules on New Individual Accounts

Section 3.4.3 of this Guide

Documented due diligence procedures for:

obtaining a self-certification
confirming the reasonableness of such self-certification, and
application of strong measures (CRS only).

Checkbox

Checkbox

Checkbox

Compliance with rules on pre-existing entity accounts

Section 3.4.4 of this Guide

In addition to Section 3.4.3 due diligence procedures, additional documented procedures for:

any elections you may have made, including evidence of the election/s (Appendix A of this Guide)
monitoring and correctly identifying accounts based on their account balance aggregation and currency conversion - including timing when and how these triggers are reviewed
determination of Active versus Passive NFE
change in circumstances
identifying Account Holders, for example, Controlling Persons of the entity.

Checkbox

Checkbox

Checkbox

Compliance with rules on New Entity Accounts

Section 3.4.5 of this Guide

In addition to Section 3.4.3 due diligence procedures, documented procedures for all New Entity Accounts have processes to establish whether the entity is:

a Reportable Person
controlled by Controlling Persons that are Reportable Persons.

Documented process is in place to obtain and validate self-certifications in the case of all New Entity Accounts.

Checkbox

Checkbox

Checkbox

Sector specific approaches

Section 3.4.6 of this Guide

Key issues outlined in Section 3.4.6 of this Guide, and additional due diligence requirements have been considered and documented for each entity, where applicable.

Checkbox

Checkbox

Checkbox

3. Reporting systems and data testing
AEOI reporting systems

Section 3.5.1 of this Guide

Documented processes consider:

whether you have any new systems built to manage CRS and FATCA reporting, and how they interact with any legacy systems
where information is captured in multiple systems, procedures are in place to reconcile the CRS and FATCA information with the source data
data storage across one (or multiples) systems and how data is searched or gathered for due diligence requirements.

Checkbox

Checkbox

Checkbox

Data extraction and analysis

Section 3.5.2 of this Guide

Evidence of 3 elements operating effectively:

data extraction process
data analysis process
correcting errors.

Evidence of a periodic control testing plan and/or data testing embedded in your lodgment process.

Checkbox

Checkbox

Checkbox

Submission of reports and questionnaires to the ATO

Section 3.5.3 of this Guide

Checklists to confirm the review of data analysis results, conclusions and what is approved and signed off.
Process to review any corrections of errors and the reasons.
Quality control process to review the annual report before lodgment.
Process to remediate any lodgment errors.

Checkbox

Checkbox

Checkbox

Managing amendments, cancellations and error notifications

Section 3.5.4 of this Guide

Routine reviews to detect discrepancies.
A designated officer is responsible for identifying and detecting any discrepancies/errors.
A plan to rectify any data errors or missing information for relevant accounts.

Checkbox

Checkbox

Checkbox

Overall Assessment and comments

Amendment History

Date of Amendment Part Comment
7 September 2022 Recommended specific tests - Table 6 Update to include additional non-tax jurisdictions.

Footnotes

Section 4AA of the Crimes Act 1914 provides the value of a penalty unit. In 2021, the value was $222 (this value is subject to future indexing in accordance with subsection 4AA(3) of the Crimes Act 1914).

Refer to Diagram 1 in Section 3.1 of this Guide for a summary of the AEOI - Core Elements.

Refer to section 4.17 of the AEOI online guidance at ato.gov.au

An RFI must look through, among other entities, certain investment entities that are not Participating Jurisdiction Financial Institutions to identify Controlling Persons who are Reportable Persons (see paragraph C of Section V, subparagraph D(2) of Section V and subparagraph D(8) of Section VIII of the CRS.