Marco Zawar MBA (VWA)/ LLM (MCI, FSFM)
CRS Reporting – What are the hidden perils on Hong Kong’s Financial Institutions?
Updated: Oct 20, 2020
On September 30, 2020, the IRD released updates on their AEOI Portal enabling CRS Reporting financial institutions to submit notification and CRS Returns using the Financial Account Information Return XML Schema (“XML Schema 2.0”).
Starting January 01, 2021 Hong Kong based CRS Reporting financial institutions are obliged to file their CRS reportable accounts using XML Schema 2.0. This includes also corrections on CRS returns submitted prior January 01, 2021.
Not only that Financial Institutions (“FI’s) have to migrate their systems to XML Schema 2.0 to fulfil their CRS reporting obligations for reporting year 2020 and any subsequent year, FI’s also have to consider 51 additional CRS reporting jurisdictions within the CRS fiscal reporting.
The additional 51 CRS reportable jurisdictions are as follows:
Albania, Andorra, Anguilla, Armenia, Aruba, Azerbaijan, Bahrain, Barbados, Belize, Bermuda, British Virgin Islands, Burkina Faso, Cameroon, Cook Islands, Dominica, Dominican Republic, El Salvador, Gabon, Georgia, Ghana, Guatemala, Jamaica, Kazakhstan, Kenya, Liberia, Macao SAR, Maldives, Marshall Islands, Moldovia, Monaco, Morocco, Nauru, Nigeria, Niue, North Macedonia, Pakistan, Panama, Paraguay, Peru, Philippines, Saint Kitts and Nevis, Saint Lucia, Samoa, San Marino, Senegal, Sint Maarten, Trinidad and Tobago, Tunisia, Turks and Caicos Islands, Uganda, Ukraine.
Potential legal and financial risks through inaccurate CRS returns
IRD on their compliance web-site stated that the CRS due diligence and reporting requirements carried out by financial institutions must comply with the Inland Revenue Ordinance (Cap. 112), the IRD’s Guidance for Financial Institutions and shall be consistent with the OECD’s Commentaries on the Common Reporting Standard, CRS-related FAQ’s and the CRS Implementation Handbook.
The IRD further spelled out that transmitted CRS returns shall be
· accurate (without errors); and
· complete (without omissions).
I try to find a definition for the term “accurate” in data privacy regulations and obtained the following “negative” specification on the UK’s Information Commissioner’s Office (ico.org.uk)
“The GDPR does not define the word ‘accurate’. However, the Data Protection Act 2018 does say that ‘inaccurate’ means “incorrect or misleading as to any matter of fact”...”
Providing consultancy services on CRS due diligence and reporting related topics I encountered multiple times that especially tier-2 and tier-3 financial institutions (including trusts and funds) rely on manual processes to meet CRS reporting requirements.
In my view manual data entry processes in combination with the increased number of reportable jurisdictions has the potentials to boost Financial Institutions legal and financial risks through inaccurate reporting of their offshore account holder to the IRD and consequently the erroneous disclosure of account holder to 3rd Party tax authorities so that the earlier defined requirements by the IRD are not met.
I notably like to mention that such erroneous disclosure of account holder may finally violate data privacy and data security regulations.
The unsettled Covid-19 situations and inter alia the potential non-availability of adequate resources can be seen as trigger events having the potentials to foster legal and financial risks caused by the violation of the Personal Data (Privacy) Ordinance (“PDPO”) through the inaccurate CRS due diligence and reporting procedures.
It is my opinion that CRS reporting policies has to consider data privacy principals to safeguarded financial institutions CRS compliance.
Especially DPP2, one of the six data privacy principles (“DPP”) defined in Schedule 1 of the PDPO, implicitly requests from financial institutions to take all practicable steps into consideration to ensure that personal data obtained to identify and validate the account holders tax residency status under the Common Reporting Standard is accurate and complete.
To underpin the concerns caused by inadequate CRS due diligence and reporting policies and procedures, I like to bring your attention to a court hearing held on September 1st at the Swiss Federal Court .
In this hearing the plaintiff claimed that a Swiss Financial Institution had caused by flawed CRS due diligence processes erroneously reported his accountholder information to the Swiss Tax Authorities.
Based on an existing CRS data exchange agreement between Switzerland and Argentina the personal data of the plaintiff were disclosed by the Swiss Federal Tax Authorities to the relevant competent authorities in Argentina.
The plaintiff requested from the Swiss Tax Authorities the removal of the incorrect disclosed data as he saw in the transmission a violation of data security regulations.
The Swiss Federal Court did not follow the arguments of the plaintiff and spelled out that legal rights granted by the Swiss Data Protection Act can in principle only be asserted against the affected financial institution. The Court underlines the position with the argument that the Swiss Federal tax authority is not in the position to perform material checks on the data submitted by the reporting financial institutions.
The details on Court decision (in German) can be found here.
The Swiss Federal Court decision confirmed that the responsibility and liability for the accurate and complete CRS reporting is on the level of the reporting financial institutions.
Even when the verdict is related to a legal issues concerning a swiss bank, it should be understood, that the result of the court decision implicitly affects also financial institutions outside of Switzerland.
Hong Kong based financial institutions relying on manual processes are asked to assess their current CRS operating model on gaps that have the potentials to violate data privacy regulations.
One last word (or two)
I am aware that especially smaller financial institutions may hold off the automation of their CRS and FATCA reporting procedures as the automation as seen as an additional expense.
Is this approach still valid?
Effective manual process in place, requires a well-trained and properly motivated team to enter data cleanly, following the same format and rules field by field and column by column.
Constant changes within the CRS or FATCA regulations affects the manual data entry forms and requires constant adaptions and trainings of the team
Team member leaving the organisation and the successor(s) needs to get introduced and trained to understand the manual data processes.
Using a state-of-the-art RegTech Solutions like Transworld Compliance’s Software Solution CRS/FATCA OneTM as a Service (SaaS)
is an affordable alternative to the manual data processing;
mitigates legal and financial risks caused by inadequate fiscal reporting as it is always updated reflecting the latest legal and XML Schema requirements; and
reduce operational costs and allow staff member to be focused on core business requirements.