Where are we and what happens next?
CRS has been keeping us and our bank clients very busy over the last few months. The first reporting deadline of 30 June 2017 (which was effectively extended to 31 July 2017 in both Guernsey and Jersey) has passed. But that does not mean that it is over – there are a lot of lessons that can be learned from the first round of reporting, due diligence procedures are ongoing, reporting is annual and new business needs to be brought within the regime.
Common problem areas
Some of the issues Guernsey and Jersey reporting financial institutions (including banks) have had to deal with include:
- Whether a particular person is reportable – a careful and thorough analysis of the CRS legislation and account records is needed to identify who to report on. The risk of getting it wrong (by either failing to report or unnecessary reporting) could be severe
- The form and content of self-certification forms and notifications to individuals that they will be reported on
- Whether reporting on a particular individual will be a breach of the financial institution's duty of confidentiality or its data protection obligations
- The exemptions to the reporting requirements which also require careful analysis
CRS is a complex area. Because it is new and Guernsey and Jersey are early adopters, there is little guidance and no examples of how certain aspects will be treated by the tax authorities and the courts. On the plus side, we can use our experience to improve systems and procedures for next year and to become leaders in this field, ahead of jurisdictions who will not be reporting until 2018 or after.
What you should do now
Banks should, over the next few months, examine their CRS policies and procedures, identifying what went well for the 2017 reporting and what did not, and to make any necessary changes.
For example banks should consider the following:
- Client agreements and terms and conditions should be reviewed to ensure they adequately deal with disclosures under CRS and provide sufficient protection in the event of a challenge to the bank's reporting
- Data protection policies in the lead up the introduction of the General Data Protection Regulation (GDPR) in May 2018. From a CRS perspective, particular attention should be given to ensuring the bank's data protection policies comply with its CRS obligations and are compatible with its CRS policies. Whilst reporting under CRS in most, if not all, cases will not of itself be a breach of data protection legislation, it will be a breach if the reporting is not in accordance with the bank's data protection obligations
- The bank's self-certification forms and notices may need fine-tuning
- The bank's CRS resources
Hopefully over the next twelve months banks will feel better equipped to deal with the 2018 reporting, having gone through it once. Also there may well be further guidance issued by the Guernsey and Jersey authorities and/or the OECD on the most common issues which have arisen.