Why is there a need for the AEOI Health Check and Risk Framework?

Reporting information on "Financial Accounts" to local tax authorities under AEOI has been required in the Wave 1 (early adopter) jurisdictions since 2017. AEOI is a challenging compliance obligation where the reporting process will highlight the accuracy and completeness of data and documentation obtained from all relevant account holders. Whilst many organisations have implemented projects to meet the initial reporting deadline, it is important to consider that this an on-going annual requirement which must be integrated into Business As Usual (BAU) activities with appropriate controls and governance

The initial legislation is likely to evolve in many jurisdictions making it challenging to stay aware and in control of these changing requirements without a robust governance and control mechanism.

KPMG has developed two solutions to help financial institutions navigate this complex and changing environment:

  1. The AEOI Health Check – A detailed review of the current implementation and approach to identify gaps in existing AEOI processes (internal procedures and policies, processes, documents, data collection, reporting systems and reports, etc.).
  2. The AEOI Risk Framework – A review of an existing risk framework or assistance with implementing a new AEOI risk framework to identify gaps that may exist, ensure that sufficient controls are in place, review effectiveness and completeness to help determine how compliance is evidenced.

How can this help Financial Institutions?

  1. Helps provide confidence that your business is compliant with the AEOI requirements across all legal entities.
  2. Enables a seamless transition into BAU with a strong maintainable monitoring mechanism which helps guarantee complete and accurate reporting.
  3. Highlights potential cost savings by removing in efficiencies and leveraging your existing FATCA and CRS controls.
  4. Enables you to provide your clients with a positive experience by aligning all relevant documentation (procedures, policies etc.) with processes.
  5. Offers a rigorous review of procedures to help demonstrate compliance in any upcoming tax authority review or audit.

Having the right processes and procedures in place is not the only challenge: there must be good controls to help ensure the financial institution is doing what it should to meet its AEOI obligations.

For all workstreams – the end-to-end AEOI processes are reviewed in detail covering:

— Entity and product classification

— Client on-boarding and review of pre-existing accounts

— Change in circumstance

— Reporting

— Governance and compliance

Following this we will conduct in-depth structured interviews with key personnel and perform live end-to-end process walk-throughs to fully establish the processes being followed.

End-to-end testing will then identify any issues both with the underlying systems data and the completeness of reporting that data. Statistical and targeted sample selection can help identify and review all possible scenarios within the client lifecycle.

The Health Check uses both a top-down approach to identify deficiencies and inefficiencies in the existing processes and also a structured and methodical bottom-up approach using checklists and enquiry tools to help identify areas of non-compliance.

Using checklists, questionnaires and reviewing supporting documentation, we will obtain a thorough understanding of each of the organisation's AEOI business processes.

A review of internal and external communications to help establish whether regulations are clearly explained, implemented and communicated in such away that they can be understood by the recipients. The client experience is key for all businesses.

The AEOI Risk Framework Methodology

  1. Financial institutions can make the most of their recent experience, by adapting the governance and compliance framework introduced for FATCA to arrive at a solution that works best for them under CRS.
  2. Many organisations have told us they don't feel that the management of risk and compliance has been integrated as well as they would like. We believe risk management needs to be a primary part of any AEOI project, linking with different areas of the business (such as tax, operations, reporting, IT and legal) to paint a comprehensive picture of the risks involved, the controls needed to mitigate them, the tests required and any escalation process where issues are identified.
  3. An effective AEOI monitoring programme can be embedded into an existing risk framework or a new risk framework can be developed and implemented to help ensure on-going monitoring and compliance. KPMG can design and execute tailored compliance frameworks to suit your business type and client offering to help make sure:
    • End-to-end regulatory requirements are met
    • Risks are identified
    • Effective controls are established
    • Testing of processes and documents
    • Identification of issues/gaps are documented and monitored

Financial institutions need to keep track of how they incorporate ongoing AEOI processes into their everyday business so that it becomes standard practice.

Outputs from the AEOI Health Check and Risk Framework

  1. We will document our findings and recommendations in a detailed report which will include our opinion on the severity of any gaps identified allowing you to prioritise remediation activities for any areas of non-compliance.
  2. Through generic peer comparisons, we can make recommendations to help your organisation meet best practice.
  3. Our detailed approach to identifying the existing controls within the current risk framework will allow you to leverage what has been already implemented to maximize cost savings and operational efficiency.
  4. Establishes an AEOI risk framework which provides confidence that risks have been identified, sufficient controls are in place and these will be properly maintained.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.