KPMG AEOI Services Health Check and Risk Framework

The KPMG AEOI Health Check is a detailed review of processes and procedures to help ensure compliance with both the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS) and identify any gaps. The complementary KPMG Risk Framework helps to establish ongoing controls and compliance.

Why is there a need for the AEOI Health Check and Risk Framework?

Reporting information on ‘Financial Accounts’ to local tax authorities under AEOI has been required in the Wave 1 (early adopter) jurisdictions since 2017. AEOI is a challenging compliance obligation: the reporting process exposes the accuracy and completeness of the data and documentation obtained from all relevant account holders. While many organizations have implemented projects to meet the initial reporting deadline, it is important to consider that this is an ongoing annual requirement which must be integrated into ‘business as usual’ (BAU) activities with appropriate controls and governance.

The initial legislation is likely to evolve in many jurisdictions, making it challenging to stay aware of, and in control of, these changing requirements without a robust governance and control mechanism.

KPMG member firms have developed two solutions to help financial institutions navigate this complex and changing environment:

  1. The AEOI Health Check — A detailed review of the current implementation and approach to identify gaps in existing AEOI processes (internal procedures and policies, processes, documents, data collection, reporting systems and reports, etc.).
  2. The AEOI Risk Framework — A review of an existing risk framework, or assistance with implementing a new AEOI risk framework, to identify gaps that may exist, help ensure that sufficient controls are in place, and review effectiveness and completeness to help determine how compliance is evidenced.

AEOI health check graph 1

Having the right processes and procedures in place is not the only challenge: there must also be good controls to help ensure the financial institution is doing what it should to meet its AEOI obligations.

Across each workstream, the AEOI processes are reviewed in detail, covering:

  • entity and product classification
  • client on-boarding and review of pre-existing accounts
  • change in circumstances
  • reporting
  • governance and compliance.

Following this, in-depth structured interviews with key personnel are conducted and live end-to-end process walk-throughs are performed to fully establish the processes being followed.

Testing helps identify issues both in the underlying systems and in the completeness of the data reported. Statistical and targeted sample selection can help identify and review the possible scenarios within the client lifecycle.

The health check uses both a top-down approach, to identify deficiencies and inefficiencies in the existing processes, and a structured, methodical bottom-up approach using checklists and enquiry tools to help identify areas of non-compliance.

Using checklists, questionnaires and a review of supporting documentation, a thorough understanding of each organization’s AEOI business processes is obtained.

Internal and external communications are reviewed to help establish whether the regulations are clearly explained, implemented and communicated in such a way that they can be understood by the recipients. The client experience is key for all businesses.

The AEOI risk framework methodology

  • Financial institutions can make the most of their recent experience by adapting the governance and compliance framework introduced for FATCA to arrive at a solution that works best for them under CRS.
  • Many organizations have told their KPMG firm they don’t feel that the management of risk and compliance has been integrated as well as they would like. Our KPMG member firms believe risk management needs to be a primary part of any AEOI project, linking with different areas of the business (such as tax, operations, reporting, IT and legal) to paint a comprehensive picture of the risks involved, the controls needed to mitigate them, the tests required and any escalation process where issues are identified.
  • An effective AEOI monitoring program can be embedded into an existing risk framework, or a new risk framework can be developed and implemented to help ensure ongoing monitoring and compliance. KPMG member firms can design and execute tailored compliance frameworks to suit your business type and client offering to help make sure:
    • regulatory requirements are met
    • risks are identified
    • effective controls are established
    • processes and documents are tested
    • identified issues and gaps are documented and monitored.

Financial institutions need to keep track of how they incorporate ongoing AEOI processes into their everyday business so that it becomes standard practice.

Outputs from the AEOI health check and risk framework

AEOI health check graph 2
AEOI health check graph 3

Cyrus Daftary
Global AEOI Leader, KPMG International; Principal and US Operational Leader, Information Reporting & Withholding Tax Services, KPMG in the US
+1 617 512 3398

Peter Grant
KPMG in the UK
+44 (0)7500 608 649

Laurie Hatten-Boyd
KPMG in the US
+1 206 419 0487

Charles Kinsley
KPMG Hong Kong
+852 28 26 8070

Rohini Sanghani
KPMG in the UK
+44 7771 624268