AEOI - implementing an effective risk framework

How are you evolving to comply with the latest AEOI requirements?

Rohini Sanghani

Director, Operational Taxes (Financial Services Tax)

KPMG in the UK

“Data really powers everything that we do.” – Jeff Weiner, CEO, LinkedIn

Rewind the clock

Anti-Money Laundering and Know-Your-Customer (AML and KYC) processes are at the core of any customer-facing financial institution and define how many firms begin their relationship with their customers. For many years this was a standard process, but the introduction of FATCA (the Foreign Account Tax Compliance Act) and CRS (the Common Reporting Standard) has changed this established order, leaving Reporting Financial Institutions (Reporting FIs) questioning how well they really know their customers.

In practical terms, Reporting FIs need to obtain information from their customers and scrutinise whether it is consistent with publicly available information, with the activities and transactions on the account, and with data the customer has provided in respect of a different product.

When FATCA and CRS (collectively, Automatic Exchange of Information, or AEOI) were introduced in 2014 and 2016 respectively, Reporting FIs allocated significant resource and budget to understanding the impact the regimes would have on their businesses and what changes would be required at an operational and procedural level.

Today’s challenges

Fast forward a few years, and with other legislative and regulatory changes affecting a Reporting FI’s business, there is a risk that the tremendous amount of work done by an AEOI ‘project’ team to implement these regimes will be lost in the business-as-usual environment, because ‘ownership’ and ‘responsibility’ are never clearly assigned.

The result: significant gaps in processes, procedures and knowledge, and ultimately a lack of oversight of the end-to-end customer journey.

The implications: poor client experience, potential penalties and reputational damage.

What are we seeing?

At KPMG, we often see firms struggle to operate the processes required to comply with AEOI requirements. This can be due to a lack of training for customer-facing staff, high turnover and key person risk, or simply a lack of resource and/or knowledge.

For some Reporting FIs, this has been highlighted by enquiries from local tax authorities regarding the quality of data in the submitted FATCA and CRS returns. These queries have focused on whether the returns are both accurate and complete, and in some instances penalties have been imposed.

How can we help?

We acknowledge that every business model is different, and for this reason we tailor our services accordingly. We recommend starting with a full assessment of the end-to-end process by conducting an AEOI health check, a detailed review of current processes and procedures. This enables us to identify the strengths within your existing processes, as well as the areas which require additional support. We can then provide recommendations to facilitate the Reporting FI’s journey towards best practice and assist in the development of an AEOI risk framework.

An effective AEOI risk framework takes a risk-based approach, but nevertheless captures the end-to-end customer journey from on-boarding to account closure. Its features include key controls that are tested and scrutinised, and that are updated as requirements change. These controls must be effective, with sufficient second-tier controls for escalation and resolution.

KPMG can assist with a review of your existing AEOI risk framework, or with the design and implementation of a risk framework suited to your specific needs and risk appetite.

Please get in touch if you need any help or have any queries – together we can build a robust risk framework that is futureproofed with risk management at its forefront.

“You can have data without information, but you cannot have information without data.” – Daniel Keys Moran, computer programmer and science fiction author

© 2020 KPMG LLP a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
