The Common Reporting Standard (CRS) is a compliance requirement for banks and financial institutions. GDPR and CRS: what are the guidelines for complying with both?
The Common Reporting Standard (“CRS”) is the standard for automatic exchange of financial account information (“AEOI”) developed by the OECD.
With AML, CRS and FATCA (speaking globally), the question that arises is whether there really is “over-reporting” or whether it is simply a different way of interpreting what must be reported. “Over-reporting” without a good reason might be seen as a data breach, as both Swiss and EU data protection law provide that data may only be processed to the extent required. In this case an EU citizen could take legal action against a reporting Swiss FI in the EU, or an EU citizen could take legal action in Switzerland, demanding that EU law be applied (Art. 139 IPRG). If the claimants demand compensation, they have to prove the damage. Fines can only be imposed by a supervisory authority (in Switzerland, the current pre-draft of the revised data protection act provides that fines will be imposed by the penal authorities).
The affected person agreed to regular reporting abroad, either explicitly or by way of a general waiver. However, consent can be revoked at any time (Art. 7(3) GDPR). A revocation applies to future data deliveries only (ex nunc) and is never retroactive (ex tunc). There is a debate going on as to whether supplementing the terms and conditions with an explicit reference to future data deliveries leads to a (possible) limitation of liability in the case of, for example, (true) “over-reporting”. For the sake of prudence it would be worth checking whether the CRS self-certification forms (declaration and signature) have to be adapted to the conditions laid down in Art. 7 GDPR (as well as Art. 49(1)(a) GDPR). Much of this uncertainty could probably be eliminated by seeking the explicit consent of the client under the conditions laid down in the GDPR.