Significant updates to CRS and FATCA reporting regime in the UK
The regulations implementing the CRS and FATCA in the UK (the AEOI Regulations) have been substantially amended, bringing in a mandatory requirement to register for all Financial Institutions, regardless of whether they have any returns to make. We anticipate this will enable HMRC to contact Financial Institutions to enquire about their client due diligence processes and other AEOI compliance obligations.
The changes are of importance to all Financial Institutions, but especially:
- e-money institutions, which are now explicitly within scope of the CRS;
- Trustee-Documented Trusts, which will now be required to register with HMRC for AEOI purposes; and
- those which have previously not registered for AEOI reporting with HMRC because they have no reportable accounts, despite falling within the definition of a Financial Institution for the purposes of the AEOI Regulations. These will now be required to register with HMRC, even if they have no returns to make.
Act now to avoid HMRC penalties
To avoid significant penalties being levied by HMRC, we recommend:
- all Financial Institutions not yet registered for AEOI reporting review whether they are now required to register;
- all Financial Institutions, including Trustee-Document Trusts, ensure that they are registered with HMRC for AEOI purposes by 31 December 2025 and have in place compliant due diligence and (where necessary) reporting procedures;
- e-money institutions should review and expand their AEOI due diligence and reporting procedures to ensure compliance with the CRS;
- all Financial Institutions now review their client-facing documentation and procedures to confirm clients are appropriately notified of their information being reported to HMRC for the purposes of that data being transferred to non-UK tax authorities; and
- crypto-asset service providers now review if they are required from 1 January 2026 to report information on an annual basis, with the first deadline for doing so being 31 May 2027.
The changes to the more prescriptive penalty regime have effect from 16 July 2025 and therefore Financial Institutions must now check that they are fully compliant with their due diligence and reporting obligations to ensure that they are not at risk of the new penalties.
The key changes are summarised below.
E-money institutions within scope of the CRS
Institutions which hold e-money products and/or central bank digital currencies, are now explicitly within the scope of the CRS. Previously, there was uncertainty in the market as to whether e-money institutions were Financial Institutions for the purposes of AEOI due diligence and reporting obligations.
Obligations under the AEOI Regulations in relation to the CRS will apply to such institutions from 1 January 2026, providing some time for such institutions to implement AEOI due diligence and reporting procedures.
Mandatory registration requirements
Financial Institutions which have previously not registered for AEOI reporting with HMRC because they have no reportable accounts, despite falling within the definition of a Financial Institution for the purposes of the AEOI Regulations, will now also be required to register with HMRC. In addition, Trustee-Documented Trusts will now be required to register with HMRC.
Financial Institutions, including Trustee-Documented Trusts, must register with HMRC by the later of 31 December 2025, or 31 January following the calendar year in which they fall within this category.
Removal of qualified non-profit entities from definition of Financial Institution
Most charities will be removed from the scope of the CRS from 1 January 2026.
Obligation for account holders to provide self-certifications
The AEOI Regulations now contain a positive obligation for account holders and controlling persons of entity account holders to provide self-certification information. In line with this, HMRC is now able to levy a penalty of £300 on those who fail to provide self-certification information where the failure to do so is careless or deliberate.
This obligation applies to account holders and controlling persons from 16 July 2025.
Penalty for failure to notify individuals that information will be reported to HMRC
Whilst there has always been an obligation to notify individuals whose information is reported to HMRC under the AEOI Regulations that their information:
- will be reported to HMRC; and
- may be transferred to other jurisdiction,
there is now a specific penalty which will apply should the Financial Institution fail to do so. This is £100 for each individual who has not been notified, with further daily penalties applying where there is a failure to rectify. Financial Institutions must now review their client-facing documentation and procedures to confirm clients are appropriately notified, to avoid significant fines.
Overhaul of the penalty regime
The penalty regime has been revised and expanded, with the new regime enabling HMRC to levy penalties for specific failures, as summarised below.
| Penalties for failure to apply due diligence procedures | Up to £100 per account holder or controlling person, or £300 where the failure relates to obtaining a valid self-certification. |
| Penalties for record-keeping failures | Up to £5,000 per reportable period. |
| Penalties for late returns | Up to £5,000, with additional daily penalties of up to £600 for continuing failures. |
| Penalties for inaccurate or incomplete returns | Up to £100 per affected account holder or controlling person. |
| Penalties for failure to notify reportable persons | Up to £100 per person, with additional daily penalties for continuing failures. |
| Penalties for failure to register with HMRC | Up to £1,000, with additional daily penalties of up to £300. |
| Penalties for failure to provide information to HMRC | Up to £5,000, with additional daily penalties of up to £600. |
Given the number of different failures for which a penalty can be levied, the updated AEOI Regulations contain provisions to prevent the duplication of penalties for the same act or omission. As with the previous version of the regulations, reasonable excuse provisions remain.
The Crypto-Asset Reporting Framework (CARF) and Crypto-Assets and the CRS
Separately (but alongside the updates to the AEOI Regulations) regulations have been made in the UK implementing the CARF (the CARF Regulations). The CARF is intended to provide visibility on the transactions of users of crypto-assets. The obligations under the CARF Regulations have effect from 1 January 2026 and in-scope reporting crypto-asset service providers will be required to report information in relation to in-scope transactions on an annual basis, with the first deadline for doing so being 31 May 2027. The CARF is intended to work in a similar manner to existing automatic exchange of information regimes, such that HMRC will share information received on non-UK users of crypto-asset service providers with jurisdictions who have also implemented the CARF.
In addition, the updated AEOI Regulations implement in the UK changes which have been made to relevant definitions in the CRS to ensure that derivatives that reference crypto-assets and are held in Custodial Accounts and Investment Entities investing in crypto-assets are covered by the CRS.
More detail on the changes to the CRS in relation to crypto-assets, and the alignment with the CARF, can be found here: Introduction to Crypto-Asset Reporting Framework, the new OECD international standard on automatic exchange of information and amendments to the CRS and here: Introduction to the Crypto-Asset Reporting Framework
CMS Comment
Our experience is that HMRC has a renewed focus on ensuring that Financial Institutions are complying with their obligations under the AEOI Regulations. These updates to the AEOI Regulations are further reason for all financial institutions to review:
- whether they are required to register with HMRC for AEOI reporting purposes;
- their due diligence procedures;
- their reporting procedures,
especially in light of the new and more specific penalty regime from 16 July 2025.
The explicit inclusion of e-money institutions within the Financial Institution categories provides clarity to the market but means that those e-money institutions who took the view they did not fall within scope, will now need to implement the required due diligence and reporting procedures.
If you would like to discuss further, please contact Anna Burchner or Hannah Jones.
