FATCA/CRS update: ATO enforcement and new rules

ATO enforcement activity

The Australian Taxation Office (ATO) is ramping up its compliance reviews in relation to the Common Reporting Standard (CRS) and the Foreign Account Tax Compliance Act (FATCA) (collectively, the Automatic Exchange of Information (AEOI) rules).

In a recent Stakeholder Update, the ATO expressed its concern with ongoing compliance gaps which result in poor data quality and incorrect reporting. The ATO has transitioned from a supportive stance to one of enforcement, and is now ‘urgently encouraging’ financial institutions to plug compliance gaps and provide voluntary disclosures. Non-compliance can result in significant administrative penalties.

While initially focused on banks, the ATO has now targeted the funds management industry.

In the next 12 months, the ATO’s focus will include:

• A range of compliance activities including comprehensive, issue specific and early engagement reviews, and questionnaires across all sectors.
• A deep dive into Financial Institutions that should be reporting but are not, or are not aware of their AEOI obligations.
• Data analytics and matching to drive further improvements in completeness and quality of reported data.

CRS 2.0 and CARF

The Australian CRS law is expected to be amended (with effect from as early as 1 January 2026) to include the following.

• Additional reporting categories, including whether the Account Holder has provided a valid self-certification, whether the account is a joint account, roles of Controlling Persons, whether it is a Pre-existing or New Account, and other things.
• A requirement that procedures (AML/KYC Procedures) implemented under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) cannot be relied on to determine the Controlling Persons of a New Entity Account Holder, unless those procedures are in line with the 2012 Financial Action Task Force (FATF) Recommendations. In addition, if AML/KYC Procedures are not consistent with 2012 FATF Recommendations, the Financial Institution must apply substantially similar procedures.
• Consistent with FATF Recommendation 10, where a publicly listed company exercises control over an Account Holder that is a Passive NFE, there is no requirement to determine the Controlling Persons of such company if such company is already subject to disclosure requirements ensuring adequate transparency of beneficial ownership information.
• Where the self-certification cannot be obtained and validated in respect of a New Account, the Financial Institution must temporarily apply the due diligence procedures for Preexisting Accounts.
• Reflecting Government Verification Services (GVS) within the CRS due diligence procedures.
• Integrating Citizenship by Investment (CBI) and Residence by Investment (RBI) guidance into the CRS Commentary.
• Introduction of a new optional Non-Reporting Financial Institution category for Investment Entities that are genuine non-profit organisations.
• The creation of a new Excluded Account category for capital contribution accounts.
• Implementation of OECD FAQ guidance in the CRS Commentary (including guidance on strong measures which has been picked up by the ATO).

The CRS will shortly be implemented in the fintech industry. The Crypto-Asset Reporting Framework (CARF) will apply AEOI to crypto-assets and, under other amendments to the CRS, the CRS will apply to other digital financial products (including derivatives referencing crypto-assets).

Australian implementation

The Australian Treasury released a consultation paper on CRS 2.0 and the CARF. Submissions closed earlier this year with draft legislation expected during 2025. Australia also needs to sign the Addendum to the Multilateral Competent Authority Agreement.

Once legislated, CRS 2.0 (and likely CARF) may begin operating from 1 January 2026. This is to ensure that the first exchanges between the ATO and other tax authorities can take place by 2027 as required by the OECD.

See our earlier articles on the consultation paper (here) and a general outline of the new rules (here).

Compliance with the AML/CTF Act may be leveraged to assist with AEOI compliance  

Processes and procedures implemented by reporting entities to comply with obligations imposed under the AML/CTF Act are foundational to AEOI due diligence. For example:

• where an entity provides a ‘designated service’ under the AML/CTF Act in relation to a ‘Financial Account’ for the purposes of AOEI due diligence, entities are required to collect and verify customer identity information. These processes may also be used for AEOI purposes, such as ATO reporting on financial accounts; and
• ongoing customer due diligence procedures (OCDD), which require an entity to monitor its customers, may assist with identifying a customer’s change of circumstances for AEOI status.

As discussed above under ‘CRS 2.0 and CARF’, CRS 2.0 will even more closely align CRS and AML/KYC Procedures.

A failure to collect and verify customer information in accordance with the AML/CTF Act may have a flow-on effect on AEOI. For example, correctly identifying the customer, entity type, etc is essential to enable correct AEOI reporting.  The ATO may require customer identification procedures to be improved to ensure that the customer is correctly identified (which may be unexpected as customer identification is generally regulated by AUSTRAC). This gives greater impetus to ensure that Financial Institutions have robust AML/KYC Procedures in place, particularly given that AEOI, unlike the AML/CTF Act, is not a ‘risk-based’ regime.

Conversely, it would be a mistake to only rely on AML/CTF Procedures. While those procedures factor into AEOI compliance, there are a range of additional requirements under AEOI which mean that relying on AML/CTF Procedures alone would be insufficient. For example:

• the AML/CTF Act does not require a reporting entity to collect tax residency details; and
• AML/CTF Procedures only apply where the entity is providing a customer with a ‘designated service’, which may include some (but not all) ‘Financial Accounts’ as defined under the AEOI.

Late last year the Anti-Money Laundering and Counter-Terrorism Financing Bill 2024 (Amending Bill), which will significantly reform the AML/CTF Act to more closely align with FATF Recommendations, passed both houses of Parliament. While some reforms have already come into effect (for example, amendments to the tipping off offence), a significant portion of amendments will commence for current reporting entities on 31 March 2026.

Changes to systems, procedures and processes will likely be required for reporting entities to comply with the amendments to the AML/CTF Act commencing next year. This is an ideal time for entities to assess how to leverage those processes for AEOI compliance and/or update AEOI systems, procedures and processes at the same time (including for CRS 2.0).

For further information regarding the reforms to the AML/CTF Act, please see our alert summarising the Amending Bill when it was introduced into Parliament (here), and our May alert in relation to the consultation on the AML/CTF Rules (here).

How we can help you

KWM is at the forefront of advising Australian major financial institutions, insurance companies and investment entities on FATCA/CRS and AML/CTF compliance.

Please contact us if you would like us to review your AEOI and AML/CTF processes and/or advise on voluntary disclosures or other interactions with the ATO or AUSTRAC.