2. The methodologies for the Global Forum’s AEOI peer reviews

Abstract

This chapter provides an overview of the methodologies used for the Global Forum’s peer reviews, including explanations for the determinations in relation to the legal frameworks for AEOI and the ratings of the effectiveness in practice.

    

In order to ensure that the implementation of the AEOI Standard is both complete and effective, the Global Forum conducts peer reviews in relation to all of the key areas of the AEOI Standard. These are conducted in accordance with the agreed Terms of Reference for the AEOI reviews, which are contained in Annex B of this report. As set out therein, the Terms of Reference comprise of Core Requirement 1 in relation to the domestic collection of the information, Core Requirement 2 in relation to the international exchange of the information and Core Requirement 3 in relation to confidentiality and data safeguards.

Global Forum AEOI peer reviews: covering all relevant areas

Properly implementing the AEOI Standard requires various legal, technical and operational aspects to be put in place and for them to operate effectively in practice. The Global Forum has therefore designed and conducted a range of peer review processes specifically suited to assess each area of the requirements. The processes are as follows:

  • Reviews of the domestic and international legal frameworks in place: The AEOI Standard requires complete domestic and international legal frameworks to be in place. Domestically, Financial Institutions must be required to conduct the prescribed due diligence procedures and report the specified information. Internationally, jurisdictions must have a legal basis in place to exchange the information, in the required manner, with all of their Interested Appropriate Partners. The Global Forum conducts peer reviews of the domestic and international legal frameworks in place to ensure they are complete and provide a sound basis for the effective operation of the AEOI Standard.

  • Reviews of the effectiveness of the implementation of the AEOI Standard in practice: In addition to having complete legal frameworks, jurisdictions must ensure that they operate effectively in practice. The Global Forum therefore also reviews each jurisdiction’s implementation of the AEOI Standard in practice, including the administrative frameworks in place and activities undertaken to ensure compliance by Financial Institutions and the functioning of the exchanges in practice. These reviews are done in two stages: (i) initial desk-based reviews of effectiveness in practice to assess whether jurisdictions are “On Track”; and in-depth reviews of effectiveness that include an on-site visit to obtain a deeper level of assurance.

  • Assessments of confidentiality and data safeguards frameworks: The information exchanged, which includes sensitive information identifying taxpayers and their international investments, must be properly safeguarded and used only for the purpose for which it was exchanged (or subsequently authorised). The Global Forum therefore conducts reviews of the legal and operational arrangements jurisdictions have in place to safeguard data before they can receive information through AEOI exchanges. Assistance is given where needed. The Global Forum again reviews the arrangements in place once exchanges are underway, to ensure the requirements are met on an ongoing basis. This Global Forum process includes a mechanism to react to breaches of confidentiality or the safeguarding of data. Due to their confidential nature, the results of these assessments are not published.

Further details in relation to the assessments and work of the Global Forum with respect to confidentiality and data safeguards can be found in the Terms of Reference for the Confidentiality and Data Safeguards Assessments1 and the Confidentiality and Information Security Management Toolkit.2 With respect to the other reviews, further details on their scope and the process can be found below.

Peer reviews of the AEOI legal frameworks

A key early step in the implementation process is putting in place complete domestic and international legal frameworks, in accordance with the AEOI Standard and the commitments made. The Global Forum reviews the frameworks once they are put in place to allow any issues to be identified early so they can be promptly addressed.

The requirements

The AEOI Terms of Reference group the requirements with respect to the legal frameworks into two Core Requirements. These are set out below:

  • Core Requirement 1: Jurisdictions should have a domestic legislative framework in place that requires all Reporting Financial Institutions to conduct the due diligence and reporting procedures in the CRS, and that provides for the effective implementation of the CRS as set out therein.

  • Core Requirement 2: Jurisdictions should have exchange relationships in effect with all Interested Appropriate Partners as committed to and that provide for the exchange of information in accordance with the Model CAA.

Each Core Requirement is split into detailed Sub-Requirements, which are contained in Annex B.

How the requirements are reviewed

For each of the review processes in relation to the AEOI legal frameworks, the following steps are conducted:

  • The Global Forum Secretariat conducts an initial in-depth analysis of the legal texts and drafts proposed recommendations where issues are identified.

  • The analysis and draft recommendations are sent to all AEOI Peers3 for input, which is incorporated as appropriate.

  • The analysis and proposed recommendations are sent to the AEOI Peer Review Group (APRG) for approval.

  • The approved analysis and recommendations are submitted to all AEOI Peers for adoption.

What is reviewed in relation to Core Requirement 1

Core Requirement 1 in the AEOI Terms of Reference refers to the detailed due diligence and reporting procedures that Financial Institutions must follow. These are standardised procedures to ensure that Financial Institutions report the correct information on Financial Accounts and their Account Holders to the tax authority in a uniform manner. It is therefore crucial that each jurisdiction properly reflects these requirements in its domestic legislative framework. The specific elements reviewed are as follows:

  • The due diligence and reporting rules: This involves a review of how each jurisdiction has: (i) defined the scope of Reporting Financial Institutions, (ii) defined the scope of the Financial Accounts that must be reviewed, (iii) implemented the detailed due diligence procedures that must be applied to identify Reportable Accounts, and (iv) defined the information that must be reported. If a jurisdiction relies on non-AEOI legislation that defines “beneficial owners” in order to identify Controlling Persons with respect to the AEOI Standard, this legislation is also reviewed.

  • Jurisdiction-specific Non-Reporting Financial Institutions and Excluded Accounts: This consists of a specific review of each entry to ensure that the Non-Reporting Financial Institutions and Excluded Accounts provided for by each jurisdiction meet the requirements of the AEOI Standard and pose a low-risk of use for tax evasion purposes.

  • The framework to enforce the requirements: This includes, amongst other aspects, a review of the provisions that jurisdictions have in place to: (i) prevent the circumvention of the AEOI Standard, (ii) require Reporting Financial Institutions to maintain appropriate records; and (iii) enforce the requirements and address non-compliance. Where the provisions relied upon are included in non-AEOI legal frameworks, these provisions are also reviewed, to the extent they are relevant for the implementation of the requirements of the AEOI Standard.

Where gaps are identified, recommendations are made.

What is reviewed in relation to Core Requirement 2

Core Requirement 2 in the AEOI Terms of Reference contains requirements with respect to both the contents of the international agreements used to exchange the information and the scope of the networks of exchange relationships. These requirements are therefore also essential to ensure the effective operation of the AEOI Standard, based on a level playing field. The particular processes conducted are as follows:

  • The contents of the exchange agreements: The contents of the exchange agreements put in place are reviewed to ensure their provisions are in accordance with the requirements. This includes the international agreement that provides the legal basis for the exchange and the administrative agreement containing the detailed specificities.

  • Ensuring exchange networks are complete: It is ensured that each jurisdiction’s exchange network includes all of its Interested Appropriate Partners (i.e. the jurisdictions interested in receiving information from a jurisdiction and that meet the expected standards in relation to confidentiality and data safeguards). The process includes facilitating jurisdictions in putting agreements in place, which can be escalated into a peer review mechanism that jurisdictions can trigger if they become concerned about delays with respect to the putting in place of an agreement with a particular partner.

Again, where gaps are identified, recommendations are made.

Drawing conclusions and issuing determinations on the completeness of the AEOI legal frameworks

The determinations on the AEOI legal frameworks are made with respect to each Core Requirement and overall. They are either: “In Place”, “In Place But Needs Improvement” or “Not In Place”, with the determination for each Core Requirement and the overall determination taking into account all relevant factors (i.e. it is not a mechanical exercise). Further details on how to interpret each of these determinations, along with an indication of the relevant considerations, are set out in Table 2.1 below.

Table 2.1. The determinations made in relation to the AEOI legal frameworks

Determination

Description

In Place

A jurisdiction’s legal framework is determined as being “In Place” where the review of its legal framework does not identify any gaps that need to be addressed in order for the legal framework to be in accordance with the AEOI Terms of Reference.

This is the case where the peer review processes have not resulted in any recommendations. It is possible, although unusual, for a legal framework to be determined to be In Place even where there is a recommendation. This is only the case where the gap is viewed as so minor that it would have a highly limited impact on the operation of the AEOI Standard.

In Place But Needs Improvement

A jurisdiction’s legal framework is determined as being “In Place But Needs Improvement” where the review of its legal framework concludes that the legal framework is in place but certain aspects need improvement in order for it to be fully in accordance with the AEOI Terms of Reference.

This is the case where the peer review processes have identified one or more deficiencies material to the proper functioning of elements of the AEOI Standard.

The determination of In Place But Needs Improvement is therefore a broad category. It includes jurisdictions with one recommendation, as well as jurisdictions with multiple recommendations. In all cases, the deficiencies are viewed collectively as material to the proper functioning of certain elements of the AEOI Standard, but not to its overall operation.

Not In Place

A jurisdiction’s legal framework is determined as being “Not In Place” where the review of its legal framework shows that the legal framework needs to be significantly improved in order to be in accordance with the AEOI Terms of Reference.

At the extreme, this is the case where a jurisdiction has not implemented the relevant legal framework. More commonly, this is where the peer review processes have resulted in recommendations viewed collectively as having a material impact on the overall operation of the AEOI Standard.

It is important to note, aside from the jurisdictions that have not implemented a legal framework, a determination of Not In Place does not mean that a jurisdiction’s legal framework is not in effect. In fact, several aspects of that legal framework are likely to be in place as required. The determination instead means that the impact of the deficiencies found are viewed as creating a material risk to the overall proper functioning of the AEOI Standard (e.g. a jurisdiction’s legal framework to enforce the due diligence requirements is substantively incomplete).

Peer reviews of the effectiveness in practice of AEOI implementation

Having complete legal frameworks is not sufficient to ensure that the AEOI Standard is effective and delivers the potential benefits it has to offer. It must also be ensured that the requirements are being implemented effectively in practice. The Global Forum therefore carries out peer reviews to assess the effectiveness in practice of each jurisdiction’s implementation of the AEOI Standard.

The peer reviews in relation to the effectiveness in practice of the implementation of the AEOI Standard are carried out in two stages. Firstly, there in an initial assessment to verify whether the jurisdiction is “On Track” and, secondly, there is an in-depth review in order to obtain a deeper level of assurance.

The requirements

Similarly to the legal frameworks, the AEOI Terms of Reference group the requirements with respect to effectiveness in practice into the same two Core Requirements. The requirements are the same for the initial and in-depth reviews. These are set out below:

  • Core Requirement 1: Jurisdictions should have an administrative framework to ensure the effective implementation of the CRS and ensure that in practice Reporting Financial Institutions correctly implement the due diligence and reporting procedures in the CRS.

  • Core Requirement 2: Jurisdictions should exchange the information effectively in practice, in a timely manner, including by sorting, preparing, validating and transmitting the information in accordance with the AEOI Standard.

Each Core Requirement is again split into detailed Sub-Requirements, as set out in Annex B.

How the requirements are reviewed during the initial reviews

For the initial reviews of effectiveness in practice (the first round of AEOI effectiveness reviews), the following procedures are carried out:

  • Each jurisdiction provides a detailed description of the operational compliance frameworks they have implemented to ensure the effective implementation of the AEOI Standard by Financial Institutions, including information on the strategy adopted and details of the compliance activities completed, the outcomes achieved as well as any follow-up actions undertaken.

  • All AEOI Peers are invited to provide input in relation to their experiences of the exchanges in practice with each of their exchange partners, including the timeliness and technical aspects, as well as any issues experienced when trying to utilise the information received. Input is also provided on the level of co-operation experienced with each exchange partner when looking to address any such issues that arise.

  • Expert assessors from AEOI Peers, supported by the Global Forum Secretariat, conduct a desk-based review to analyse the information provided and other relevant information and follow up with each jurisdiction and its exchange partners with respect to any omissions or uncertainties. Once a clear view of the situation is established, the analysis is finalised and a short report is prepared on the jurisdiction being reviewed.

  • The reports are provided to each jurisdiction for comment before they are submitted to the APRG for discussion and approval. They are then sent to all AEOI Peers for adoption, prior to their publication.

Statistics in relation to the operational activities to ensure compliance domestically and in relation to the various aspects of the exchanges in practice play an important role in the assessment, including through benchmarking certain key areas across all jurisdictions. In this regard, it should be noted that the statistics used are based on the disclosure and interpretation of each jurisdiction. Therefore, especially with respect to certain aspects of the domestic compliance frameworks, the statistics are shaped by the framework implemented by individual jurisdictions and may therefore not always be directly comparable. They are nevertheless useful indicators when considered alongside the other information available and have been collected annually from 2021.

How the requirements are reviewed during the in-depth reviews

For the in-depth reviews of effectiveness in practice under the second round of AEOI effectiveness reviews, the procedures are as above, aside from the following additions:

  • With respect to Core Requirement 1, Assessment Teams consisting of two expert assessors from AEOI Peers, supported by the Global Forum Secretariat, review and analyse the information provided and other relevant information and conduct onsite visits where all key governmental and private sector stakeholders are met and interviewed. Once a clear view of the situation is established, the analysis is finalised and a short report is prepared on the jurisdiction being reviewed, which is provided to the jurisdiction for comment.

  • With respect to Core Requirement 2, all AEOI Peers are invited to provide input on an annual basis, over a three-year period, in relation to their experiences of the exchanges in practice and covering the same areas as during the initial reviews. The Assessment Teams analyse the information received and decide which issues to follow-up on. There is engagement with the jurisdictions and their exchange partners to understand the situation and a horizontal report is prepared each year.

  • All of the reports are submitted to the APRG for discussion and approval. At the end of the three-year schedule, the analysis is updated and the reports with respect to Core Requirements 1 and 2 are brought together. Consolidated reports are then prepared and submitted to the APRG for approval. The reports are then sent to all AEOI Peers for adoption, prior to publication.

What is reviewed in relation to Core Requirement 1

The AEOI Terms of Reference refer to jurisdictions ensuring that, in practice, Reporting Financial Institutions are effectively implementing the detailed due diligence and reporting procedures specified in the AEOI Standard. Various specific elements in relation to the required framework are set out, such as various components of the administrative compliance framework that must be put in place, some of which are referred to below.

  • Having an effective administrative framework to ensure compliance: Various components of each jurisdiction’s compliance framework are assessed in detail. Including their implementation in practice. Each jurisdiction is therefore asked for details of, amongst other things: (i) the compliance strategy it has in place, including whether it is based on a risk assessment specific to their jurisdiction and that takes into account a range of relevant information sources, (ii) the procedures the jurisdiction has implemented and the actions taken to ensure that Reporting Financial Institutions are reporting information as required, including to identify incorrect non-reporting and to follow-up to ensure compliance, (iii) the verification procedures implemented in practice and the actions taken to ensure that the information being reported is complete and accurate, including analysis of the information reported and details of the desk-based and onsite reviews conducted, and (iv) the enforcement activities carried out, including the application of penalties as appropriate and their impact. Each jurisdiction’s exchange partners are also asked for any issues with respect to compliance by Financial Institutions that they might have identified when using the data received.

  • International collaboration to ensure effectiveness: There are provisions in the AEOI Standard for collaboration between exchange partners to address errors or non-compliance by Reporting Financial Institutions identified by exchange partners. Feedback is therefore also obtained from each jurisdiction’s exchange partners on how effective the cooperation has been in practice.

Where deficiencies or areas for improvement are identified, then recommendations are made.

What is reviewed in relation to Core Requirement 2

The AEOI Terms of Reference also contain requirements in relation to the processing of the information reported by Reporting Financial Institutions and its subsequent transmission to exchange partners. Some of the key elements are below.

  • Preparing and validating the information: Once reported by Reporting Financial Institutions, the information must be sorted, prepared and validated in accordance with the technical requirements set out in the AEOI Standard (e.g. the Common Reporting Standard User Guide and XML Schema). Each jurisdiction’s exchange partners are therefore asked about any errors that might have been experienced when trying to utilise the information received. The cause of the issues is identified, including to establish whether there are deficiencies in the jurisdiction’s systems to process and send the information reported.

  • Using secure channels to exchange the information: It is of vital importance that the information is kept safe while it is being transmitted. This is ensured through the use of the CTS which utilises industry leading security standards and which is used by all jurisdictions. This requirement has therefore always been found to be met in practice.

  • Timeliness in the exchanges and follow-up: The timeliness of the exchanges is also reviewed, including the timeliness of any response to follow-up from a jurisdictions’ partners and the provision of additional or amended information as necessary. Again, feedback on these issues is obtained from each jurisdiction’s exchange partners.

Where deficiencies or areas for improvement are identified, then recommendations are made.

Drawing conclusions and issuing ratings on the effectiveness of the implementation of AEOI in practice

Ratings issued during the initial reviews

The ratings issued following the initial reviews of the effectiveness in practice of AEOI implementation (the first round of AEOI effectiveness reviews) are also made with respect to each Core Requirement and overall. They are either: “On Track”, “Partially Compliant” or “Non-Compliant”, with the rating for each Core Requirement and the overall rating taking into account all relevant factors (i.e. it is not a mechanical exercise). The terminology for the ratings reflects the fact that these are initial reviews and that the frameworks to ensure effectiveness in practice are not yet fully mature. For these reasons the effectiveness ratings are issued separately to the determinations with respect to the AEOI legal frameworks (which are relatively mature), although legal gaps with a direct influence on the framework to ensure the effective implementation of the requirements by Financial Institutions are taken into account in the initial reviews of effectiveness. Further details on how to interpret each of these ratings, along with an indication of the relevant considerations, are set out in Table 2.2 below.

Table 2.2. The ratings issued during the initial reviews of the effectiveness in practice of AEOI

Rating

Description

On Track

The effectiveness in practice of jurisdiction’s implementation of the AEOI Standard is rated as “On Track” where the initial review of its implementation in practice establishes that:

  1. (i) the jurisdiction has developed and commenced implementing a complete administrative compliance framework to ensure that Financial Institutions effectively implement their due diligence and reporting obligations and there is an absence of evidence to suggest that it will not be effective in practice, and

  2. (ii) the exchanges successfully take place in accordance with the technical requirements and on time, or where issues arise then they are addressed in a timely manner.

Given that this rating framework is used for the initial reviews in relation to the effectiveness of operational frameworks that are not yet fully mature, the On Track category is broad. In general, it is given where the review has not identified issues significant to the proper functioning of a Core Requirement or the AEOI Standard, taking into account the general maturity of implementation. The review might nevertheless have identified areas for improvement, beyond simply continuing to implement the framework as envisaged, in which case recommendations for improvement are made.

Partially Compliant

The effectiveness in practice of jurisdiction’s implementation of the AEOI Standard in practice is rated as “Partially Compliant” where the initial review of its implementation in practice establishes that:

  1. (i) the jurisdiction has developed a complete administrative compliance framework to ensure that Financial Institutions effectively implement their due diligence and reporting obligations, although it has not yet begun to fully implement it, and/or

  2. (ii) the exchanges are generally taking place successfully, but significant issues have arisen that are often not been addressed in a timely manner.

In such cases the assessment has found deficiencies that are significant to the proper functioning of a Core Requirement of the AEOI Standard as a whole.

Non-Compliant

The effectiveness in practice of jurisdiction’s implementation of the AEOI Standard in practice is rated as “Non-Compliant” where the initial review of its implementation in practice establishes that:

  1. (i) the jurisdiction has not yet developed a complete administrative compliance framework to ensure that Financial Institutions effectively implement their due diligence and reporting obligations, and/or

  2. (ii) the exchanges are generally not taking place successfully and fundamental issues have arisen that are often not been addressed in a timely manner.

In such cases the assessment has found deficiencies that are fundamental to the proper functioning of a Core Requirement of the AEOI Standard as a whole.

In this regard, the effectiveness rating takes into account fundamental deficiencies in a jurisdiction’s legal framework for AEOI (e.g. jurisdictions with a legal determination of Not In Place), that will likely result in there being fundamental deficiencies in practice. This could be the case where a jurisdiction has not implemented a legal framework or where it has gaps in key areas relating to the enforcement of the requirements.

Ratings issued during the in-depth reviews

The first tranche of in-depth reviews under the second round of AEOI effectiveness reviews is currently underway and is due to be finalised in 2025. Under the in-depth reviews, effectiveness ratings are given that take into account and incorporate the determinations on the AEOI legal frameworks. Furthermore, a four-tier rating system will be used, mirroring the approach used for the Exchange of Information on Request (EOIR). The ratings used will therefore be: “Compliant”, “Largely Compliant”, “Partially Compliant” or “Non-Compliant”. These reflects the greater maturity in the implementation of the AEOI Standard.

Notes

← 1. Terms of Reference for the Confidentiality and Data Safeguards Assessments,

www.oecd.org/tax/transparency/documents/confidentiality-data-safeguards-assessments-tor.pdf

← 2. OECD (2020), Confidentiality and Information Security Management Toolkit, Global Forum on Transparency and Exchange of Information for Tax Purposes, OECD, Paris, www.oecd.org/tax/transparency/documents/confidentiality-ism-toolkit_en.pdf.

← 3. All jurisdictions committed to implementing the AEOI Standard and that have passed domestic legislation to that effect.

3 A peer review group of the Global Forum consisting of 33 members which replaced the former AEOI Group (www.oecd.org/tax/transparency/who-we-are/structure/).

Legal and rights

This document, as well as any data and map included herein, are without prejudice to the status of or sovereignty over any territory, to the delimitation of international frontiers and boundaries and to the name of any territory, city or area. Extracts from publications may be subject to additional disclaimers, which are set out in the complete version of the publication, available at the link provided.

© OECD 2023

The use of this work, whether digital or print, is governed by the Terms and Conditions to be found at https://www.oecd.org/termsandconditions.