1. What is CRS?

The Common Reporting Standard, or CRS, is a new inter-government data-collection and information-sharing program established by the Organization for Economic Cooperation and Development (“OECD”) to improve tax collection on private wealth held overseas.

Under CRS, financial institutions are required to collect and share the financial and personal data of foreign account holders with any other CRS-participating government to which the account holder is obligated to pay taxes.

For example, if a Chinese national has an account with a financial institution located in Panama, his/her financial and personal information will be reported to the Chinese tax authorities. Another example, if a Taiwan national has an account with a financial institution located in China, Hong Kong, British Virgin Islands, the USA or anywhere outside Taiwan, then his/her financial and personal information will be automatically reported to the Taiwan tax authorities.

Wealth management advisors, corporate trust professionals and their clients should note that, under CRS, participating jurisdictions are required to establish public trust registries for trustees to publicly disclose the identities and key client information about the trusts, including information about donors and beneficiaries. This type of data-collection and information-sharing will apply to all trusts, foundations and trust-like structures globally.

It has been reported that half the CRS jurisdictions are already setting up these mass data collection and trust-disclosing mechanisms. Legitimate wealth planning, as the world has known it for the last century, is under assault by the coordinated inter-government action. By seizing and disclosing confidential information without any form of legal due process and without regard to any domestic national constitutional or statutory privacy protections, CRS treats all trust professionals and their clients as if they were guilty of tax evasion, infringing on innocent families’ personal privacy and jeopardizing their safety.

For example, a Taiwan national/family may have a trust in a foreign jurisdiction because he/she wants to preserve assets, while also facilitating succession planning and managing philanthropic activities. These are all legitimate reasons to establish a trust. Under CRS, his/her personal financial information will be collected and shared with the Taiwanese tax authorities, as if he/she were guilty of tax evasion. This type of date collection and disclosure will apply to all families and anyone who forms a trust, foundation or trust-like arrangement, regardless of nationality

2. What is the intended purpose of CRS?

The Common Reporting Standard was unveiled by the OECD in 2014. The intended purpose of the new information sharing standard is to support coordinated global government efforts to improve cross-border tax compliance and to combat offshore tax evasion, money laundering and terrorist financing. The systematic and annual transmission of taxpayer information provides global tax authorities with critical information on non-compliance.

While OECD’s stated aim appears ostensibly reasonable, CRS ultimately presents a set of extremely serious risks to the safety of innocent civilians and account holders. CRS opens the door to misuse of private financial and personal data by participating governments, activist leakers and potential hackers. By collecting massive data on innocent civilians and accountholders, governments put those civilians and accountholders and their private data at unnecessary risk. Governments and financial institutions have a poor track record of preventing leakage, misuse and hacking resulting in large-scale erosion of privacy and identity and data theft. In the past decade, for example, the financial account data of millions of customers of US banks and US taxpayers and social security beneficiaries has been hacked or compromised.

3. What countries will be impacted by CRS?

As of July 26, 2016, 101 jurisdictions have pledged to implement CRS by 2018[1]. Over half of the signatories to CRS have already passed the primary domestic legislation required to engage in the automatic global exchange of information, and over a quarter have completed all the prerequisites and are poised for CRS launch.

(For the latest information on the list of participating countries and jurisdictions, please refer to the chart on the OECD website[2])

4. When will CRS be implemented?

Around 50 “early adopter” jurisdictions have committed to having the first round of information exchanges in September of 2017. A second round will follow in September of 2018.

(For information on the intended implementation timeline for a specific country, please refer to the chart on the OECD website[3]).

5. Whose information will be shared under CRS?

CRS articulates two sets of requirements that determine whose information will be collected and reported. Financial institutions must release an account holder’s information if the holder is:

  1. a) A Reportable Person, an individual who is a tax resident of a Relevant Jurisdiction


  1. b) An entity which is controlled by a Reportable Person of a Relevant Jurisdiction,

where “tax resident” is defined as a person who, under the laws of that country, is liable for tax due to domicile, residence, place of management, or any other similar criterion; and “Relevant Jurisdiction” is defined as any signatory of the Multilateral Competent Authority Agreement (“MCAA”). The MCAA is a multilateral framework agreement that specifies the details of what information will be exchanged and when[4].

6. What information will be exchanged under CRS?

According to the MCAA, after a person or account is deemed to be reportable, the following information about the Reportable Person must be disclosed:

  • Name
  • Address
  • Jurisdiction(s) of Residence
  • Tax identification Number(s)
  • Date of Birth
  • Place of Birth
  • Account Number
  • Name and Identifying Number of the Reporting Financial Institution
  • The Account Balance or Value as of the End of the Relevant Calendar Year

Given that name, date of birth and address are routinely used by many financial institutions to authenticate customers calling by telephone or remote login, one sees that the compromising of such information will get criminals at least half way to committing successful account frauds.

7. How is information transferred under CRS?

Financial institutions will first collect data from account holders and analyze that data to determine whether those account holders must be reported. If an account must be reported, the financial institution must compile data on the account holder and the account in a digital format and send the information to the local tax authority. The local tax authority will then validate the information and send the final report to tax authorities in any other jurisdictions where the account holder is obligated to pay taxes. It remains to be seen whether the transmittal and sharing process will be completed in a secure manner to ensure against data leaks and hackers.

Even if the information is transferred successfully without interception, its security on a foreign server or database cannot be guaranteed. There have been successful “inside jobs” of data theft within banks and tax authorities in the past and there is no reason to think they are less likely when the potential data prize will be so much more valuable.

8. What is the OECD?

Established in 1961, the Organization for Economic Cooperation and Development is an intergovernmental economic organization that seeks “to promote policies that will improve the economic and social well-being of people around the world.”

The OECD is composed of 35 member countries—including many of the world’s most advanced economies, such as the United States, the United Kingdom, France, Germany, Canada, and Australia. The organization also works closely with major emerging economies such as the People’s Republic of China, India and Brazil. The CRS will apply to all OECD countries and OECD compliant territories, which include almost all the territories conducting international commerce.

The OECD’s scope of activities spans from providing policy recommendations on world trade and economic growth to publishing statistics on a wide range of issues such as school systems and pension programs. The common thread is a “shared commitment to market economies backed by democratic institutions and focused on the wellbeing of all citizens.”

9. What is the legal basis for CRS?

For almost two decades, the OECD has waged a war against harmful tax practices—and particularly tax havens—with the aim of curbing tax evasion and non-compliance.

The MCAA that is signed by all CRS-participating jurisdictions is based on the Convention on Mutual Administrative Assistance on Tax Matters (“Convention”). Unveiled by the OECD in 1988, the Convention is an agreement that creates the legal basis for a multilateral automatic exchange of information; or in other words, it creates the legal basis for the MCAA to exist.

The Convention seeks to regulate tax information exchanges among member countries, in accordance with 4 principles:

  • Multilateral: it offers a single legal basis for multi-country cooperation
  • Wide scope: it proposes extensive forms of cooperation on all taxes
  • Flexible: it guarantees reservation on certain issues
  • Uniform: a coordinating body ensures a consistent application.

Currently, 98 jurisdictions have signed the Convention, thereby pledging to cooperate to catch tax evaders[5].

10. Will private data be secure under CRS?

Just like any system that relies on the collection and exchange of data, CRS concentrates vast amounts of private information and puts it at risk of leaks and/or hacks. Major data breaches have become increasingly common in recent years. The website InformationIsBeautiful created an interactive chart that visualizes the world’s largest data breaches.

Governments, financial institutions and corporations have fallen victim to hackers and rogue employees—and CRS won’t likely ameliorate such data breaches; rather, it will likely increase the risk. Under CRS, there are three main areas of increased risk: 1) increased collection risk, 2) increased storage risk and 3) increased transmission risk. At any point personal financial data is collected, stored and/or transmitted, that data is vulnerable to potential hacks or breaches. Hackers could target the weakest link at each of these three stages. Given data will be stored at both ends it will be open to attack either where collected or where received.

For instance, a Taiwan national has an account with a financial institution located overseas. When his/her financial data is collected, a hacker could infiltrate the financial institution’s system and compromise the data. Or, the data breach could occur when the financial data is being transmitted to the Taiwan tax authorities. In addition, increased risk is incurred since the relevant tax authority may begin sharing the private data with other agencies or parties, thus increasing cyber-security risks and the likelihood of data theft and privacy loss. Widespread hacks of financial institutions, government agencies and private sector companies are already common.

The OECD has acknowledged the importance of maintaining data security and has published a data security standard. However, participating countries are not required to abide by it and will be free to manage, keep and transmit data under whatever protocol they are accustomed to using. The lack of a cohesive protocol may increase the risk of hacks or leaks, as different jurisdictions have different security standards for data management and transfer procedures.

Many of the 101 participating jurisdictions simply do not and will not have the skilled professionals to maintain constantly updated security systems for data either transmitted or received.

11. What are the differences between CRS and FATCA?

In 2010, the United States took its own action against those hiding wealth offshore, passing the Foreign Account Tax Compliance Act (“FATCA”). FATCA relies on over 100 bilateral information-sharing treaties. Many observers believe FATCA may have served as a template for CRS, due to significant similarities between the two laws.

However, one important difference between the two is the distinction between FATCA’s bilateral international agreements and CRS’s multilateral international agreements. FATCA relies on bilateral agreements, so each participating government is only obligated to share data with the US. By contrast, CRS’s multilateral structure requires each participating country to share data with every other participating country. Due to its multilateral structure, CRS represents an even greater loss of privacy than FATCA.

Another difference between FATCA and CRS is their legal status. While FATCA was drafted and passed by elected legislators in the United States, CRS was drafted by unelected OECD bureaucrats with no accountability to any citizens or any legislature. While CRS must be translated into domestic law by local legislators, it still represents a serious challenge to basic principles of national sovereignty and public oversight and accountability.

12. What Should I Do To Protect My Assets, My Privacy and My Family?

Concerned families should consult their wealth advisors to learn more about the threats posed by the CRS regime. Together with advisors, trust and foundation holders can evaluate any potential exposure and devise solutions that respect CRS disclosure requirements while protecting their legitimate interests. By acting expeditiously, families can comply with CRS requirements and safeguard their privacy.

13. Where can I find more information about CRS?

Convention on Mutual Administrative Assistance in Tax Matters

[1] https://www.oecd.org/tax/transparency/AEOI-commitments.pdf

[2] http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/crs-by-jurisdiction/#d.en.345489

[3] http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/crs-by-jurisdiction/#d.en.345489

[4] http://www.oecd.org/tax/automatic-exchange/international-framework-for-the-crs/multilateral-competent-authority-agreement.pdf

[5] http://www.oecd.org/tax/exchange-of-tax-information/Status_of_convention.pdf