Singapore has issued Compliance Guidelines [IRAS-CG] setting out the basis on which IRAS will undertake CRS Audits. The Guidelines have been issued in anticipation of the Global Forum CRS peer review process due to commence next year [Global Forum Terms of Reference].
When will Audits Commence?
IRAS will commence audit reviews during the second half of 2019 [section 2.4 IRAS-CG]. The audit period is therefore now live.
Who will be Targeted?
IRAS will apply a risk-based approach in targeting SGFIs for review and audit [section 5.1.1 IRAS-CG]. IRAS will take into account previous regulatory reporting lapses either under the CRS or FATCA, and the wider tax and AML reporting record of the SGFI as well as feedback from CRS jurisdiction partners.
Similarly, IRAS has made clear that the resources and internal controls dedicated to the CRS function will be assessed on a “proportionate” basis taking into account “... type, scale and complexity of the business activities, customer profile, types of products sold and its CRS risk level ...” [section 6.1.1 (a) IRAS-CG].
What will be Reviewed?
IRAS will take a holistic approach with assessment made at three levels:
(i) Entity
(ii) Process
(iii) Reporting
(i) Entity
Entity level assessment is broadly geared to understanding the SGFIs CRS compliance culture, internal controls and CRS compliance resourcing.
The key areas subject to review include:
(a) SGFI’s general CRS risk management framework, including policies and procedures to ensure key staff have necessary training and knowledge to discharge their CRS compliance activities - here IRAS will want to see that the SGFI has actually invested in the CRS compliance function, through training and development of key compliance staff, and that there are processes in place to capture and assimilate changes in the CRS (e.g. through updated FAQs both at domestic and OECD level);
(b) SGFI’s preventive risk management framework, here IRAS will assess whether the SGFI has processes and measures in place to identify, prevent and detect CRS avoidance arrangements. The guidance does not explicitly make reference to the OECD Mandatory Disclosure Rules for CRS Avoidance Arrangements (MDRs), but it’s reasonable to anticipate that the scope of the MDRs will be taken into account and therefore SGFIs would be best advised to understand the scope of the MDRs in designing and implementing any internal controls and concomitant training requirements.
(c) Effective segregation of CRS accounts by type, including undocumented, dormant and excluded accounts with separate associated audit and document trails will be assessed.
IRAS will want to see Financial Account segregation by type as part of an overall compliance strategy. In this regard supporting and associated data integrity will be taken into account.
The clear challenge here is for SGFIs that either outsource, or in-source, the compliance function outside of Singapore (perhaps in a foreign centralized team). There will need to be processes and procedures demonstrating that notwithstanding the centralized approach, unified and accurate reporting is achieved and an adequate audit trail is maintained.
Clearly if there is a disconnect between client facing teams (RMs) (either because of a lack of training and/or procedures to notify changes that may have a client reporting impact) and the centralized team, a fail on this head of assessment can be expected.
(d) IRAS encourage periodic internal and external CRS compliance reviews. The guidance suggests that an external review should not be conducted by the SGFIs current auditors [section 8.5.1 IRAS-CG].
Best practice would dictate that at minimum an SGFI ought to conduct an internal review before the end of the year, whether or not subject to an imminent CRS review.
A SGFI with grave concerns as to their ability to meet the IRAS guidance requirements (i.e. no CRS manual, no internal controls, no active monitoring of financial account status, reliance on self certificates without application of reasonableness test, high compliance staff turnover, no or little investment in staff training, no CRS rule change monitoring) mighty feel an external review is the first step in recovering their compliance position.
(ii) Process
Under this head IRAS will assess practical application of the CRS function, including the following areas in particular:
(a) Effective segregation and documentation of:
(i) new, existing entity and existing high and low value individual accounts; and
(ii) excluded, dormant and undocumented accounts.
Clearly client analytics will be an important part of the review: the ability of the SGFI to demonstrate that accounts are not simply lumped together, but are separately documented, assessed and monitored according to their CRS designation will be important.