Self-review guide and toolkit

A guide to assist financial institutions with CRS and FATCA obligations

Contents

1. Executive summary

1.1 Background

The ATO is responsible for data collection and exchanges with foreign jurisdictions for 2 automatic exchange of information (AEOI) regimes: the United States of America's Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS).

Our AEOI compliance program seeks greater assurance that reporters with CRS and FATCA obligations (AEOI obligations) have appropriate frameworks in place and are correctly reporting to the ATO.

In 2021, Australia exchanged CRS data with 79 jurisdictions based on CRS reports received from over 2,600 domestic financial institutions. Each year, we publish a breakdown of the CRS statistics.

Reporting Financial Institutions (RFIs) are required to have procedures and systems in place to ensure that reportable accounts are identified, the relevant information collected, and that correct information is reported to the ATO. The international agreements to which Australia is a party expect the ATO, as the Competent Authority, to ensure that RFIs provide complete and accurate information for exchange with those jurisdictions.

1.2 Objective of this Guide and toolkit

This Guide provides practical information as part of a toolkit about how to conduct a self-review of your governance, due diligence, data and reporting systems, which we have referred to in this Guide as your 'AEOI framework'. It outlines the core elements and what we look for when we review the following 3 fundamental areas of compliance:

•

AEOI governance

•

due diligence obligations

•

reporting systems (and the accuracy of the information reported to the ATO, including data testing undertaken to verify your CRS and FATCA reporting).

You can use this Guide and toolkit to:

•

prepare for an AEOI review if you are an Australian RFI

•

review the design and operation of your AEOI framework as part of your AEOI obligations

•

undertake a review of your AEOI reporting systems and data testing to ensure your business systems are accurately recording and reporting information for AEOI purposes.

Throughout this Guide certain terms are capitalised as per the Standard for Automatic Exchange of Financial Account Information in Tax Matters (CRS) and the Agreement between the Government of Australia and the Government of the United States of America to Improve International Tax Compliance and to Implement FATCA (FATCA Agreement).

1.3 Benefits of a well-designed AEOI framework

The benefits to having a well-designed AEOI framework include that it:

•

provides a clear line of sight for the maintenance, reporting and compliance with your AEOI obligations

•

offers insights as to what your AEOI operating model looks like and what controls you have in place, including your compliance program for due diligence obligations

•

helps to identify potential systems and process gaps which may prevent reporting errors in advance and reduces incidence of misreporting

•

assists senior management with clarifying accountabilities for managing AEOI obligations, and any associated risks and issues

•

provides accurate reporting of your customers' information.

We expect that you will undertake assurance and verification procedures that align with your business and that are tailored to your own operating environment. The ATO considers having appropriate procedures for due diligence supported by data testing as critical elements of this process.

Another important factor of having your AEOI controls operating effectively is that they may prevent a range of penalties.

2. Our approach to reviewing AEOI obligations

2.1 AEOI review

Our compliance program includes undertaking AEOI reviews on RFIs from different sectors and of different sizes. We use our data analytics and other risk models to identify RFIs for review.

When we undertake an AEOI review, we evaluate your compliance with the AEOI obligations by obtaining objective evidence of your AEOI framework in accordance with this Guide and applying the staged ratings system. We look for evidence in the form of policies and procedures demonstrating the existence and design of the AEOI framework.

We use our data and analytics, as well as risk assessment methodologies, to select reporters for AEOI reviews. Some key factors that may indicate the need for a review include:

•

absence of reporting

•

large changes in the volume of reporting between reporting periods

•

reporting of tax identification numbers (TINs) for significantly fewer accounts in comparison with other RFIs

•

reporting of TINs which are noticeably wrong

•

reporting of non-reportable entities

•

reporting of Account Holders in non-tax jurisdictions

•

enquiries or information indicating under reporting or inaccurate reporting from the Competent Authority of another participating jurisdiction, or other Australian government agencies.

Once we have completed the AEOI review, and found no major deficiencies in your AEOI framework, it is intended that we may initiate the next review on a periodic basis at least once every 4 years.

During the intervening period ( 3 years), reporters are expected to proactively monitor their AEOI framework and act on any major reporting errors by preparing remediation plans and/or lodging amended reports, where appropriate. We encourage reporters to use this Guide to self-assess their AEOI framework.

We will also use our data and analytics program to safeguard against materially missing information or non-lodgment of CRS and/or FATCA reports.

After the AEOI review, we are not likely to initiate a specific review or audit where:

•

you provided evidence of a remediation plan with reasonable timeframes for concerned areas during the AEOI review

•

your lodged reports (new or amended) do not have a materially high number of data issues (for example, noticeably wrong TINs), and

•

we do not receive enquiries or information indicating under reporting or inaccurate reporting from the Competent Authority of another participating jurisdiction.

2.2 Maintenance and monitoring

We encourage reporters to use this Guide to self-assess areas which require actions, and/or need improvements. Our largest reporters will need to complete an annual questionnaire. We will continue to monitor your lodged reports and completed questionnaire.

We encourage you to engage early with the ATO, should you have any major deficiencies in your AEOI framework.

2.3 Standard ratings system

When we review your compliance with AEOI obligations, we apply a rating system, based on objective evidence provided by you to demonstrate that your AEOI framework is operating as required.

We assess your AEOI framework based on the following ratings system:

Example 2 below illustrates the application of the staged rating system in an ATO AEOI review:

3. Practical guidance to self-review AEOI obligations

3.1 Better practice AEOI framework

The following guidance provides the opportunity to verify and compare your AEOI framework against the ATO better practice principles and required AEOI standard.

This practical guidance is for use by:

•

ATO client engagement teams when undertaking AEOI reviews

•

AEOI reporters when self-assessing the AEOI framework compared against the 'better practices principles' set out in this Guide

•

professional firms engaged by entities to perform a review of the entity's AEOI framework for AEOI obligations.

We consider that a well-designed AEOI framework needs to incorporate 3 essential core elements as presented in Diagram 1 of this Guide:

•

AEOI governance

•

due diligence obligations

•

reporting systems and data testing.

Diagram 1: AEOI framework - core elements

The ATO expects that these core elements will be present in your AEOI framework. We recommend medium to small reporters consider adopting our better practices appropriate to their circumstances, depending on the type and size of their reporting entity, when assessing the robustness of their AEOI framework.

3.2 Self-assessment of your AEOI framework

We recommend that reporters (and their advisors) use the Appendix E self-assessment checklist in this Guide to self-assess their AEOI framework against the principles and required actions as outlined in Section 3 of this Guide. Where a reporter does not have the internal resources or capability to conduct an internal self-assessment, they may consider engaging third parties to conduct an independent review of their AEOI framework.

3.3 AEOI Governance

Intent

A well-documented AEOI governance is a key element of an effective AEOI compliance system. The AEOI framework sets out the parameters of how AEOI risks are to be managed, including compliance with AEOI rules and ATO lodgment and filing obligations.

What to look for

The core elements for AEOI governance are shown in Diagram 1 of this Guide.

3.3.1 Documented governance framework

An AEOI governance document is in place, setting out:

•

processes to identify, evaluate and manage CRS and FATCA risks to ensure that these are addressed in a timely manner (including risks arising from changes in business operations, operating processes, and/or external factors)

•

all entities subject to AEOI reporting

•

who is responsible for AEOI compliance and reporting, and a description of AEOI functions across the business, including training

•

the escalation processes for significant risks, including identifying which matters need to be escalated, to whom and how often (including information about resolution of risks/issues)

Better practice is to have a formal AEOI governance framework approved by appropriate personnel, such as Chief Financial Officers, Chief Operating Officers, Chief Executive Officers or the Board. Your AEOI governance framework may also form part of your overall risk management framework.

We acknowledge that formalisation of AEOI governance may vary between entities. For small reporters, some aspects of governance and implementation may not be structured or defined as they might be for large reporters. However, there should still be the required level of documentation and processes in place to ensure your AEOI reporting is accurate.

3.3.2 All in-scope entities are identified

The following should be documented:

•

process or procedures for identifying all entities in-scope for AEOI obligations within your business

•

a list of all legal entities in-scope for AEOI obligations, including reasons for each entity treatment - whether based on product or line of business classifications (and the process for keeping this list up to date)

•

a visual diagram or explanation of all entity types or branches that qualify as reporting entities and non-reporting entities

•

the total number of the group's reporting Australian Financial Institutions by type including

-

Custodial Institutions

-

Depository institution

-

Investment Entities (including Type A and Type B)

-

Specified Insurance Companies

•

the total number of the group's non-reporting entities by type and category, including

•

Active Non-Financial Entities (CRS) and Non-Financial Foreign Entity (FATCA).

3.3.3 Roles and responsibilities are clearly understood

Staff, management and other personnel roles and responsibilities are clearly defined and documented within the governance framework to ensure AEOI obligations are well managed, including:

•

role descriptions for AEOI compliance personnel, commonly set out in a matrix such as a RACI (Responsible, Accountable, Consulted and Informed)

•

formal responsibility or process for AEOI personnel to partner with account managers or customers or finance personnel to consider AEOI risks and issues with appropriate solutions

•

staff experience and knowledge of AEOI obligations, including the availability of staff training and support

•

staff responsibility for communication and process updates (internally and externally), especially when new legislation, or guidance is introduced, including updates to training material

•

For FATCA only: the details of the Responsible Officer for FATCA reporting obligations.

A documented training policy (timing and frequency) for CRS and FATCA obligations is in place, including:

•

training specific to staff responsible for on-boarding and documentation validation, such as collection of self-certifications and validity checks

•

how staff are informed of changes in guidance or procedures, including law changes

•

how often you update training material, and how you communicate these changes to staff and other stakeholders.

3.3.4 Documented compliance plan is in place

A documented AEOI compliance plan is in place involving key stakeholders that have oversight and responsibilities, setting out CRS and FATCA compliance and maintenance, including:

•

timing and frequency of periodic discussions with relevant stakeholders of ongoing compliance activities, such as on-boarding, self-certifications, due diligence, withholding (for FATCA), reporting, challenges and items that need escalations

•

policies and procedures to detect arrangements, schemes or transactions which may lead to circumvent reporting of financial account information and a documented process to report these to the ATO

•

the process for changing, approving and signing off AEOI policies and due diligence procedures.

Note: If you use third-party service providers for compliance with AEOI requirements, refer to Section 3.4.6 of this Guide for additional self-review guidelines.

3.3.5 Record keeping is up to date

You have a record-keeping and retention policy which documents:

•

an account holder's status and their self-certifications (generally 5 years)

•

procedures used in due diligence processes, including keeping a record of the evidence relied upon

•

key decisions on ongoing AEOI compliance, including any independent review or audit reports and/or key gap analysis for AEOI obligations.

3.4 Due diligence obligations

Intent

To ensure correct reporting of your AEOI obligations, you need to demonstrate that you comply with the due diligence requirements. Your due diligence procedures are documented, implemented and operate as required in practice.

The ATO considers that having the appropriate correct reporting controls for due diligence to be a critical aspect of this process.

Diagram 2: The different due diligence procedures that apply

What to look for

The core elements are shown in Diagram 1 in this Guide.

3.4.1 Accounts are identified and monitored

Documented systems and processes are in place to identify and monitor:

•

all Financial Accounts

•

all Reportable Accounts

•

Lower Value and HigherValue Accounts

•

non-reportable accounts

•

undocumented accounts

•

change in circumstances.

Identifying and monitoring Financial Accounts

•

Where applicable, your Product Life Cycle manual includes determination of CRS and FATCA classifications.

•

Product master list is up to date with relevant controls to test correct classification of products and services for AEOI purposes.

Identifying and monitoring Reportable Accounts

•

Which products and services are in scope (and out of scope) for AEOI reporting.

•

How the list of financial products and services that are in scope is kept up to date.

•

You have relevant controls in place to readily identify missing Financial Accounts which are Reportable Accounts.

•

Documented guidelines exist to determine which accounts meet the definitions within CRS and FATCA to identify:

-

Pre-existing Individual and New Individual Accounts

-

Pre-existing Entity and New Entity Accounts.

Identifying and monitoring Lower Value and Higher Value Accounts

•

Where an entity has elected (or not) to apply thresholds based on (aggregated) account balances (Appendix A of this Guide), what is the documented process to:

-

identify where accounts should be aggregated?

-

calculate total aggregated account balances?

-

ensure all accounts are correctly identified as low-value or high-value based on the aggregated account balance, including any accounts that were previously low-value accounts but have become high-value accounts?

-

regularly maintain and check account balances for in-scope AEOI purposes, including the requirement to consider the differences in currencies for Reportable Accounts?

Identifying and monitoring non-reportable accounts

•

Documented due diligence methods of assessing and classifying non-reportable accounts which may include Excluded Accounts, escrow accounts, retirement and pension accounts, etcetera are in place.

•

Documented due diligence procedures for dormant accounts, including changes and activities when these accounts become Reportable Accounts are in place.

Identifying and monitoring undocumented accounts

•

A documented CRS treatment is in place for undocumented accounts.

•

There are processes in place to track and initiate follow-up actions for undocumented accounts, where applicable.

Identifying and monitoring change in circumstances

You have documented due diligence procedures, including required action steps, for a trigger of change in circumstances^[3] for accounts including but not limited to:

•

account balances exceed a due diligence threshold

•

one or more new indicia becomes identified with the account, and

•

the reporting entity becomes aware of new information which indicates the existing classification of the account (or account holder) is unreliable or unreasonable.

3.4.2 Compliance with rules on Pre-existing Individual Accounts

One of the key decisions for implementing due diligence rules for Pre-existing Individual Accounts is the date from which the split between new account procedures and pre-existing account procedures applies. Documented due diligence procedures for Pre-existing Individual Accounts depends on the value of account balances (Diagram 3 of this Guide).

Documented due diligence procedures are in place for:

•

obtaining a valid self-certification, and

•

confirming the reasonableness of such self-certification.

Diagram 3: Due diligence procedures for pre-existing individual accounts

Pre-existing Individual Accounts: Lower Value Accounts

Residence address test

•

Documented procedures are in place outlining how this test is carried out, if elected, and where and how addresses are collected in line with acceptable listed Documentary Evidence.

•

Documented procedures are in place to identify indicia of Account Holders across different systems including inconsistent information and change in circumstances.

Electronic record search

•

Clear guidelines are in place outlining how electronic record searches are undertaken, including steps for change in circumstances and what to do if any foreign indicia are identified.

•

Documented procedures outline how and when this test should apply to Lower Value Accounts for AEOI obligations.

Paper record search

•

Documented procedures are in place for an 'in-care of' address or 'hold mail' instruction in a foreign jurisdiction, including steps for obtaining self-certification or Documentary Evidence from the account holder to establish their tax residency.

•

Clear guidelines are in place for what paper records (including scanned records) are maintained and whether master files are held for each account holder.

Pre-existing Individual Accounts: Higher Value Accounts

Electronic records search

•

Clear guidelines are in place outlining how electronic record searches are undertaken.

•

Documented procedures outline in what circumstances and how an electronic record search for Reportable Jurisdiction indicia should be carried out - including clear guidelines for AEOI obligations.

Paper record search

•

Documented procedures outlining how and when a paper record search should be conducted, including specific requirements for AEOI purposes.

•

Clear guidelines are in place for what paper records (including scanned records) are maintained and whether master files are held for each account holder.

Relationship manager

•

Documented procedures identify whether accounts have Relationship Managers and their roles relating to AEOI obligations.

•

Processes are in place to ensure when and how a Relationship Manager has actual knowledge that an account holder is a Reportable Person and if the account is treated as a Reportable Account.

•

Processes are in place which determine how a Relationship Manager determines the status of an account or aggregated accounts and identifying any change of circumstances.

Curing procedures

•

Documented curing procedures are in place, including required necessary steps for AEOI obligations.

•

Processes are in place which ensure that accounts with uncured indicia for more than one Reportable Jurisdiction are currently reported in respect of all relevant Reportable Jurisdictions.

3.4.3 Compliance with rules on New Individual Accounts

You have documented due diligence procedures for all New Individual Accounts, including process steps for (Diagram 4 of this Guide):

•

obtaining a valid self-certification

•

confirming the reasonableness of such self-certification, and

•

applying strong measures (CRS only).

Diagram 4: Due diligence procedures for new individual accounts

Obtaining and validating self-certifications

As significant penalties can apply for a failure to obtain self-certifications, the ATO considers that having documented correct due diligence measures for new accounts a critical aspect of this process. This includes:

•

end-to-end customer on-boarding processes for AEOI obligations, including digital on-boarding

•

details of how this on-boarding interacts with the entity's verification of anti-money laundering (AML) and know your customer (KYC) documentation

•

processes for identifying exceptions under CRS and FATCA, such as the Account Holder also holding a pre-existing account

•

procedures for situations where self-certification cannot be validated and what reasonable explanation and supporting evidence can be accepted for any discrepancies

•

processes for seeking a new self-certification.

3.4.4 Compliance with rules on Pre-existing Entity Accounts

You have documented:

•

due diligence procedures for

-

obtaining a valid self-certification

-

confirming the reasonableness of such self-certification.

•

procedures, policies or manuals for

-

any elections you may have made, including evidence of the election/s (Appendix A of this Guide)

-

monitoring and correctly identifying accounts based on their account balance aggregation and currency conversion, including timing when and how these triggers are reviewed

•

determination of active versus Passive Non-Financial Entity (NFEs), including 'look through' due diligence procedures^[4], and

•

changes in circumstances.

Identifying Account Holders

Documented procedures are in place identifying whether the entity and/or its Controlling Persons are Reportable Persons, including:

•

identifying the Controlling Persons of the entity, including Controlling Persons of a Passive NFE

•

procedures to obtain self-certifications from the account holder or Controlling Persons, and

•

Documentary Evidence used to verify the identity of Account Holders and any Controlling Persons to assess the reasonableness of their self-certifications.

Where you rely on AML/KYC procedures, you have documented guidelines which demonstrate how information and documentation were collected and maintained.

3.4.5 Compliance with rules on New Entity Accounts

Documented due diligence procedures are in place for:

•

obtaining a valid self-certification

•

confirming the reasonableness of such self-certification, and

•

applying strong measures (CRS only).

You have documented due diligence procedures for all New Entity Accounts and have processes to establish whether the entity is:

•

a Reportable Person, and/or

•

controlled by Controlling Persons that are Reportable Persons.

Beneficiaries of trusts - Controlling Persons

Your AML/KYC procedures contain steps identifying the Controlling Persons of a trust, including settlors and beneficiaries. These procedures outline the way your organisation is informed of distributions by the trust to foreign tax residents after the initial self-certification.

You have a clear process for where an exception applies, such as the account holder also holding a pre-existing account (Appendix A of this Guide).

You have documented 'look-through' due diligence procedures for certain entity Account Holders (Type B Investment Entities).

Reliance on AML/KYC and other procedures:

•

If relying on your AML/KYC procedures as part of meeting your AEOI obligations for CRS and FATCA, these procedures should be carried out correctly when determining Controlling Persons - this requires undertaking a review on a sample of accounts ensuring self-certifications have been obtained and the reasonableness of those self-certifications has been verified.

•

For entities which may not be covered by the AML/KYC procedures, you have documented processes which outline how due diligence applies to these entities.

3.4.6 Sector specific approaches

This section of the Guide focuses on sector-specific self-review issues and principles that your organisation needs to consider to ensure fulfillment of its due diligence obligations. These due diligence procedures are additional requirements you need to have in place.

Depository Institutions

Key issues in Diagram 5 of this Guide have been considered and documented. Your due diligence processes include:

•

processes to ensure that the undocumented accounts, dormant accounts and Excluded Accounts are reviewed periodically and continue to be classified correctly

•

risk mitigation strategies for customer-facing staff or agents who are responsible for gathering due diligence documentation for new account openings, such as self-certifications. For example, procedures are in place for systems or Day 2 procedures for staff (or agents) who are unable to make decisions on issues such as the reasonableness of a self-certification

•

classifying and identifying other financial institutions (reporters) such as Investment Entities, trusts and other entities which hold assets or accounts within your organisation. A system of identifying non-financial institutions and Financial Institutions is also implemented

•

for Depository Accounts only - information of the total gross amount of interest paid or credited to the account.

Diagram 5: Key issues for Depository Institutions

Insurers

Key issues in Diagram 6 of this Guide have been considered and documented. Your documented due diligence processes include:

•

identifying products that are in scope for AEOI reporting, for example 'cash value insurance' contracts

•

consideration of how due diligence procedures apply to all in-scope products, especially for products that have longer term tenures

•

data storage of customer information

•

periodic reviews for undocumented accounts, dormant accounts and Excluded Accounts to ensure they continue to be classified correctly.

Diagram 6: Key issues for insurers

Investment Entities and Custodial Institutions

Key issues in Diagram 7 of this Guide have been considered and documented. Your documented due diligence procedures include:

•

annual monitoring of your gross income attributable to holding financial assets

•

clear line of sight for which accounts are considered in scope for AEOI obligations

•

valuation considerations of account interests and any events that may trigger AEOI reporting obligations. For example, some entities may operate different investment tiers, which means that the relative proportion of the assets attributable to each investor cannot be determined until a certain event (that is, liquidation)

•

how accounts and account balances are determined for AEOI reporting obligations.

Diagram 7: Key issues for Investment Entities and Custodial Institutions

Third-party service providers

This section of the Guide outlines key considerations and issues (Diagram 8 of the Guide) for RFIs that engage third-party service providers to provide AEOI services to assist with CRS or FATCA reporting, for example:

•

advice and support in setting up internal systems

•

provision of IT and/or infrastructure (automated due diligence)

•

outsourced data validation

•

outsourced due diligence, reporting and lodgment services

If your entity engages third-party service providers, your documented processes include:

•

the terms and conditions (contractual arrangement or scope of work) between RFIs and third-party service providers

•

clear roles and responsibilities, including how data holders interact to fulfil the legal obligations of AEOI reporting

•

if a third-party service provider is responsible for the collection of the customer data, the processes used for data maintenance, transfer and use of data

•

if a third-party service provider undertakes due diligence, documented procedures which clearly outline the due diligence requirements

•

assessing the performance of third-party service providers including regular monitoring, communication and reporting

•

evaluating the outputs under the arrangement with the third-party service provider, including, the actioning of any recommendations or remediation activities

•

the methodology utilised by the third-party service provider to comply with the AEOI obligations and to provide correct reporting to the ATO

•

coverage of the key issues in Diagram 8 of this Guide.

If RFIs use third-party service providers to implement, monitor and carry out activities for AEOI purposes, it is important to note that the RFI will remain liable for their AEOI obligations. Where a penalty provision is triggered due to non-compliance, the penalty is applied to the RFI and not the third-party service provider. In this regard, the third-party service provider should be carefully vetted to ensure they have the appropriate level of expertise and experience, and the outputs from their work-streams should be regularly monitored and reviewed by the RFI.

Diagram 8: Key issues for using third-party providers

3.5 Reporting systems and data testing

RFIs are required to correctly identify, prepare and report financial account information in accordance with CRS and FATCA Extensible Markup Language (XML) Schemas. It is imperative that your AEOI governance and systems are working effectively in practice (and are regularly tested) to ensure the integrity and accuracy of your ATO reporting.

We have provided a series of recommendations in this Guide to assist you with AEOI framework testing, however, we emphasise that the design of your collection, processing and reporting systems should be robust and fit for purpose tailored to your circumstances to identify and mitigate any risks.

What to look for

IT reporting systems for AEOI, as outlined below.

3.5.1 AEOI reporting systems

You have business systems and procedures in place to ensure the required AEOI information is being collected, processed and stored in an appropriate manner.

The setup of your AEOI business systems may be bespoke and provide that:

•

the account information is collected in an electronic business system or in another format

•

multiples tiers of separate and/or interrelated business systems, and

•

CRS and FATCA have different reporting systems.

In undertaking a self-review of your business systems for AEOI purposes, it is important to consider:

•

how the account information is maintained

•

how many business systems manage reporting

•

if any new systems are built to manage CRS and FATCA reporting, how they interact with any legacy systems

•

where information is captured in multiple systems, what procedures are in place to reconcile the CRS and FATCA information with the source data

•

an explanation of data storage across one (or multiple) systems - how data is 'searched' or 'gathered' for due diligence purposes

•

if your organisation has undergone any mergers or acquisitions recently, a clear pathway of extracting data for due diligence purposes (the form and type).

3.5.2 Data extraction and analysis

In undertaking a self-review, seek to understand how information is extracted from your business systems and validated to ensure it complies with the relevant Schemas. This will include:

•

a data extraction process

•

a data analysis process, and

•

correcting data errors.

Data extraction process (what, how, who and when)

Documented processes are in place for:

•

a periodic AEOI data testing plan (Appendix D of this Guide)

•

a description of the reports run in each business system

•

validation checks performed regularly, for example, identification of missing or noticeably wrong TINs, and

•

a description of how reports are set up to ensure correct dates are selected for pre-existing accounts and new accounts. For example, reports for testing of aggregated balances for certain accounts and change in circumstances (Appendix C of this Guide's data tests).

Data analysis process (to ensure quality data is submitted)

Documented processes are in place for:

•

running standard and recommended data (and account) tests and trend analysis to check for errors and accuracy of data (Appendix C of this Guide's data tests)

•

standard checks to identify high-risk or high-value transactions. You also have processes in place to rectify errors once they are identified in relation to the annual report (Appendix C of this Guide's data tests)

•

procedures to ensure that the format of the annual report conforms with the most updated CRS and FATCA XML Schemas

•

regular data quality checks, and

•

any processes where data needs to be corrected or manually adjusted including the reasons for such correction/s.

We consider that better practice involves implementing AEOI data testing as part of your annual lodgment process (Appendix C of this Guide). You should document the findings and results from your data testing and keep records of working papers. We may ask for copies of these as part of our reviews.

Correcting data errors

If errors and exceptions are identified, you need to have a remediation action in place to correct identified errors and issues (Appendix B of this Guide's common issues and errors).

Evidence of any remediation activities should also be documented and the results of these recorded.

Early engagement with the ATO is essential if you identify errors and exceptions evidencing a major deficiency in your AEOI framework. In this case, you need to prepare an action plan to correct the errors and potentially lodge a voluntary disclosure. Major deficiencies in your AEOI framework may include:

•

missing CRS and FATCA reports for multiple years

•

a significant number of Reportable Accounts with missing self-certifications

•

a significant number of Reportable Accounts belonging to jurisdictions which are non-tax jurisdictions, and

•

a significant number of Reportable Accounts with TIN errors or TINs which are noticeably incorrect.

3.5.3 Submission of reports and questionnaires to the ATO

It is imperative that you have documented procedures in place to ensure that your CRS and FATCA reports and questionnaires can be submitted to the ATO on time and without errors by having in place:

•

checklists to confirm the review of data analysis results, conclusions and what is approved and signed off

•

a process to review any corrections of errors and the reasons before ATO lodgment, and

•

a quality control process to review the annual report before lodgment.

Your documented procedures to address any identified lodgment validation errors (ATO portal) include processes:

•

to determine if any changes are necessary for validation warnings, and

•

which outline what steps need to be undertaken to remediate any lodgment errors.

3.5.4 Managing amendments, cancellations and error notifications

We require that amendments, cancellations and error notifications are remedied promptly, including:

•

routine reviews to detect discrepancies or errors in Reportable Accounts, and pre-empting early any potential issues with the filing of the correct data in a timely manner

•

a designated officer being responsible for identifying and detecting any discrepancies/errors, and

•

systematic issues which may be the root-cause of the problem identified and resolved to ensure ongoing accurate AEOI reporting.

Appendix A - Elections by RFIs (CRS)

Unless otherwise specified, an RFI may make any of the elections permitted in the CRS (including elections that follow as a consequence of choices Australia has made) in determining its obligations under the CRS.

As part of an RFI's AEOI framework, we recommend the entity has records and documented procedures for any CRS elections which have been made, which may include, for example:

Appendix B - Common issues and errors

Core elements

Table 3 of this Guide lists the common issues in AEOI reporting:

Data errors

Table 4 of this Guide lists common data errors in AEOI reporting:

Appendix C - Data tests

Better practice for accurate reporting means embedding the following standard tests as part of an entity's lodgment process for CRS and FATCA reports.

Standard tests

Better practice includes performing recommended specific data tests throughout the year for trend analysis and early detection of errors and misreporting.

Recommended specific tests

*Noticeably wrong TINs include numerical and non-numerical entries which do not conform to any TIN structure, for example:

•

Numerical TINs - sequence numbers such as '123456789', repeating numbers such as '11111111' and single digit numbers such as '0'

•

Non-numerical TINs - words such as 'Pensioner', 'Retired', 'France', 'None', 'No' and single letters such as 'Z'

**Non-tax jurisdictions include jurisdictions which are uninhabited or contain a military or scientific presence. The following are considered non-tax jurisdictions: Antarctica, Bouvet Island, British Indian Ocean Territory, Heard and McDonald Islands, Svalbard, Jan Mayen Islands, French Southern Territories and South Georgia and South Sandwich Islands.

Note: residents of Christmas Island, Cocos (Keeling) Islands and Norfolk Island are tax residents of Australia and should not be reported. RFIs may wish to remove these codes from their International Organisation for Standardisation (ISO) lists to ensure they cannot be selected.

Appendix D - AEOI testing plan sample

This is a simplified sample template for AEOI testing.

Your actual AEOI testing documentation may vary, depending on your business size and operations, your wider enterprise risk management framework and policies you have in place.

•

Include details of the AEOI testing process.

•

Include details of the AEOI framework elements to be tested and the specific CRS and/or FATCA business processes covered.

•

Include details of the AEOI data to be extracted, analysed and tested, including any pre/post lodgment reports to be verified as part of the testing process.

•

Describe the key risks the testing will address. For example, non-compliance with certain elements of the CRS rules, or verification of the accuracy of reports lodged for the relevant period.

Include:

•

details of your AEOI policy and procedures that form part of the AEOI framework, or

•

specific details of each AEOI core element to be tested, for example:

-

specific AEOI governance and controls

-

due diligence obligations; for example, sample testing of financial accounts

-

AEOI reporting systems and data testing accuracy.

•

Document areas, entities, controls and AEOI regimes which will not be in the scope of testing.

•

Describe the methodology undertaken to conduct the testing.

•

Detail the type of report/deliverable that will be issued at the end of the testing.

•

We recommend that this document should include sufficient information including actions required to address identified gaps or issues, observation of the operational effectiveness of the AEOI framework and a recommendation as to whether the specific AEOI processes and procedures are operating as required.

Appendix E - AEOI self-assessment checklist

Assess rating of AEOI obligations

You can use this checklist as guidance to self-assess your AEOI framework's core elements. If you identify significant gaps, prepare a remediation plan to action and resolve identified gaps.

Checklist - compliance with AEOI obligations

Amendment History

Footnotes