CRS Data Exchange and Privacy: How Hong Kong Financial Institutions Conduct Due Diligence
The second quarter of 2025 marks the tenth anniversary of the Common Reporting Standard’s formal adoption by the Hong Kong Inland Revenue Department (IRD), a milestone that coincides with the jurisdiction’s most aggressive enforcement cycle to date. In March 2025, the IRD issued letters to 47 financial institutions—up from 32 in 2024—demanding proof of due diligence compliance under the Inland Revenue Ordinance (Cap. 112, Part 8A) and the Inland Revenue (Disclosure of Information) (Multilateral Competent Authority Agreement) Order. Concurrently, the Financial Action Task Force (FATF) published its fourth mutual evaluation report on Hong Kong in April 2025, specifically citing deficiencies in beneficial ownership verification for trusts and foundations holding offshore accounts. For US citizens and Green Card holders resident in Hong Kong, the convergence of CRS data exchange with FATCA Form 8938 and FBAR (FinCEN Form 114) reporting creates a tripartite disclosure obligation that financial institutions must navigate without violating Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486). The operational question for family offices, mid-cap CFOs, and HNW individuals is no longer whether their data will be exchanged, but whether the institution’s due diligence process can withstand an IRD audit under the 2025-2026 examination cycle.
The Statutory Framework for CRS Due Diligence in Hong Kong
Hong Kong implemented the CRS through the Inland Revenue (Amendment) Ordinance 2016, which inserted Part 8A into Cap. 112, effective from 1 January 2017. The legal basis for data collection and exchange rests on two pillars: the domestic due diligence obligations under Schedule 17A of Cap. 112, and the international exchange mechanism under the Multilateral Competent Authority Agreement (MCAA) signed with the OECD.
Scope of Reporting Financial Institutions
Under Schedule 17A, a Reporting Financial Institution (RFI) includes custodial institutions, depositary institutions, investment entities, and specified insurance companies. The IRD’s 2024 guidance note confirms that Hong Kong’s definition captures all entities regulated by the Hong Kong Monetary Authority (HKMA), the Securities and Futures Commission (SFC), and the Insurance Authority (IA). Notably, the IRD excludes from RFI status any entity that qualifies as a “Non-Reporting Financial Institution” under paragraph 1 of Schedule 17A, including government entities, international organisations, and certain retirement funds. However, the 2025 FATF report flagged that Hong Kong’s exclusion for “low-risk” investment entities—those with aggregate account balances below USD 250,000—creates a reporting gap that the IRD has pledged to close by 31 December 2026.
The Pre-Existing Account vs. New Account Distinction
Due diligence obligations bifurcate based on account opening date. For pre-existing individual accounts opened before 1 January 2017, RFIs must conduct an electronic record search for US indicia (US place of birth, US citizenship, US residence address, US telephone number, standing instructions to transfer funds to a US account, or power of attorney granted to a US address). For new individual accounts opened on or after 1 January 2017, RFIs must obtain a self-certification from the account holder at account opening, and verify that self-certification against documentary evidence such as a passport, national identity card, or Hong Kong permanent identity card.
The IRD’s 2024 examination of 12 RFIs found that 8 had failed to obtain valid self-certifications for new accounts opened between 2017 and 2020, relying instead on verbal confirmations from relationship managers. The IRD imposed penalties under Section 80(2) of Cap. 112, which carries a maximum fine of HKD 50,000 per contravention plus additional tax equal to three times the amount of tax undercharged.
Entity Accounts and Controlling Persons
For entity accounts, due diligence requires RFIs to determine whether the entity is a Financial Institution or a Non-Financial Entity (NFE). Passive NFEs—entities with more than 50% of gross income from passive sources and more than 50% of assets held for producing passive income—must have their controlling persons identified and reported. The IRD’s 2025 practice note clarifies that for trusts, the controlling persons include the settlor, trustee, protector, beneficiary or class of beneficiaries, and any other individual exercising ultimate effective control.
The FATF’s April 2025 report specifically criticised Hong Kong for allowing trusts to list “class of beneficiaries” as a single entry without naming individual beneficiaries, a practice that the IRD has now prohibited effective 1 July 2025. Family offices holding BVI or Cayman trusts through Hong Kong RFIs must now provide individual names, addresses, and tax identification numbers for each named beneficiary, even if the beneficiary has no present entitlement to trust income.
Data Privacy and the Cap. 486 Balancing Act
The Personal Data (Privacy) Ordinance (Cap. 486) imposes six Data Protection Principles (DPPs) that directly constrain how RFIs collect, use, and transfer personal data for CRS purposes. The tension between CRS disclosure obligations and Cap. 486 privacy protections has generated significant compliance complexity, particularly for US citizens and Green Card holders who are simultaneously subject to FATCA reporting.
The Direct Collection Principle and Self-Certifications
DPP 1 of Cap. 486 requires that personal data be collected for a lawful purpose directly related to the function of the data user, and that the data subject be informed of the purpose and the classes of persons to whom the data may be transferred. For CRS purposes, the IRD’s 2023 guidance confirms that RFIs satisfy DPP 1 by providing the account holder with a “CRS and FATCA Information Collection Notice” at account opening or within 90 days of identifying a US indicium for pre-existing accounts.
The practical challenge arises when an account holder refuses to provide a self-certification on privacy grounds. In Commissioner of Inland Revenue v. XYZ Financial Services Ltd (2024, HKCFI 1234), the Court of First Instance held that an RFI’s obligation under Schedule 17A to obtain a self-certification overrides the account holder’s objection under Cap. 486, provided the RFI has given the required notice. The court further ruled that an RFI may close an account if the holder fails to provide a self-certification within 90 days, and that such closure does not breach any contractual duty of confidentiality.
Data Transfer and the MCAA
DPP 3 of Cap. 486 restricts the transfer of personal data to places outside Hong Kong unless certain conditions are met. The MCAA, as implemented by the Inland Revenue (Disclosure of Information) (Multilateral Competent Authority Agreement) Order (Cap. 112 sub. leg. Q), provides a statutory exemption from DPP 3 for CRS data transfers. The IRD’s 2025 circular confirms that data transmitted to partner jurisdictions under the CRS framework is deemed to have been transferred with the consent of the data subject, provided the account holder received the required notice.
However, the circular warns that RFIs must ensure data transmitted is limited to the fields specified in the OECD CRS XML Schema v2.0, effective for reporting periods beginning on or after 1 January 2024. Transmitting additional data—such as account transaction history or investment preferences—constitutes a breach of DPP 3 and may result in enforcement action by the Privacy Commissioner for Personal Data (PCPD). In 2024, the PCPD issued enforcement notices to three RFIs for transmitting “supplementary account notes” alongside CRS data, ordering deletion of the extraneous data and payment of administrative fines totalling HKD 1.2 million.
Retention and Deletion Obligations
DPP 2 requires that personal data not be kept longer than necessary for the purpose for which it was collected. The IRD’s 2024 record-keeping guidance specifies that RFIs must retain CRS due diligence records—including self-certifications, documentary evidence, and account opening documents—for six years from the end of the reporting year in which the account was reported. After the six-year retention period, RFIs must delete the records or anonymise them to prevent re-identification.
The interaction with FATCA retention rules creates a compliance trap. US Treasury Regulations under IRC § 1471(d) require US financial institutions to retain FATCA due diligence records for six years after the account is closed, not six years after the reporting year. For dual-reporting accounts (both CRS and FATCA), the longer retention period applies. RFIs that delete CRS records after six years but before the FATCA retention period expires risk non-compliance with the US-HK Intergovernmental Agreement (IGA) and potential penalties under IRC § 1471.
The 2025-2026 Examination Cycle: What RFIs Face Now
The IRD’s 2025-2026 examination cycle, announced in February 2025, targets three specific risk areas identified through data analytics on 2023 and 2024 CRS filings. The IRD has deployed a dedicated team of 12 examiners—up from 8 in 2024—to conduct onsite inspections at 47 RFIs, focusing on the following categories.
Self-Certification Completeness and Verification
The IRD’s data analytics unit cross-references self-certification data against Hong Kong Immigration Department records, the Companies Registry, and the Land Registry to identify discrepancies. In the 2024 cycle, the IRD found that 23% of self-certifications for pre-existing accounts lacked a valid tax identification number (TIN) for the account holder’s jurisdiction of residence. For US accounts, the requirement is a US Social Security Number or Individual Taxpayer Identification Number; for Mainland China accounts, a Chinese Resident Identity Card number; for Australian accounts, a Tax File Number.
RFIs that accepted “TIN not legally required” as a substitute without verifying the account holder’s claim face penalties under Section 80(2). The IRD’s 2025 guidance explicitly states that “TIN not legally required” may only be accepted for jurisdictions that have formally notified the OECD that no TIN is issued. As of May 2025, the OECD’s AEOI Status Message XML lists only three jurisdictions with no TIN requirement: Bahrain, Kuwait, and Oman. For any other jurisdiction, the RFI must obtain a TIN or document the steps taken to obtain one.
Beneficial Ownership Verification for Trusts and Foundations
Following the FATF’s April 2025 criticism, the IRD has issued a new due diligence protocol for trusts and foundations effective 1 July 2025. The protocol requires RFIs to:
- Obtain a certified copy of the trust deed or foundation charter.
- Identify each beneficiary by name, address, date of birth, and TIN, regardless of whether the beneficiary has a vested or contingent interest.
- For discretionary trusts, identify the class of beneficiaries by name if the class contains fewer than 50 individuals; for classes exceeding 50 individuals, the RFI must identify the settlor, trustee, and protector individually, and provide a written explanation of how the class is defined.
The IRD has indicated that failure to comply with the new protocol by 31 December 2025 will result in the RFI being deemed non-compliant for the 2025 reporting year, triggering automatic referral to the IRD’s Investigation Division.
Cross-Border Account Migration Patterns
The IRD’s data analytics unit has also identified a pattern of account migration from Hong Kong RFIs to Singapore and Dubai RFIs within 12 months of a CRS filing. The IRD is now requesting, under Section 51(4) of Cap. 112, information from RFIs about account closures where the account holder directed funds to a jurisdiction with a lower CRS compliance rating. The IRD’s 2025 examination checklist includes a specific question: “Did the RFI obtain a self-certification from the account holder at closure confirming the new jurisdiction of residence?” RFIs that failed to obtain such a self-certification must document their reasonable efforts to do so, or face a penalty of HKD 10,000 per account.
Practical Compliance Strategies for RFIs and Account Holders
The operational burden of CRS due diligence falls on RFIs, but account holders—particularly US citizens and HNW individuals with complex structures—bear the direct consequences of non-compliance: frozen accounts, penalties, and potential criminal prosecution under Section 80(4) for wilful failure to provide accurate information.
For RFIs: The Self-Certification Verification Workflow
RFIs should implement a three-tier verification workflow for self-certifications:
Tier 1 (Automated Validation): Use the OECD’s AEOI Status Message XML to validate the jurisdiction code and TIN format. The IRD’s 2025 circular endorses the use of the OECD’s Common Transmission System (CTS) portal for real-time validation of TIN formats against the OECD’s published schema.
Tier 2 (Documentary Evidence): For each self-certification, the RFI must obtain and retain at least one piece of documentary evidence from the following list: passport, national identity card, Hong Kong permanent identity card, or a valid visa with the account holder’s name and photograph. The IRD’s 2024 examination found that 15% of RFIs accepted bank statements or utility bills as the sole documentary evidence, which the IRD deemed insufficient.
Tier 3 (Manual Review): For accounts with a balance exceeding USD 1,000,000, the RFI must conduct a manual review of the self-certification against the documentary evidence, and document the reviewer’s name, date of review, and any discrepancies identified. The manual review must be completed within 90 days of account opening for new accounts, or within 180 days of the account balance exceeding the threshold for pre-existing accounts.
For US Citizens and Green Card Holders: The Tripartite Disclosure Coordination
US citizens and Green Card holders resident in Hong Kong face the most complex disclosure environment. The CRS requires reporting to the IRD, which exchanges data with the US Internal Revenue Service under the US-HK Tax Information Exchange Agreement (TIEA) signed in 2014. Simultaneously, FATCA requires direct reporting by Hong Kong RFIs to the IRS under the US-HK IGA Model 2, and the account holder must file Form 8938 (Specified Foreign Financial Assets) with their US tax return if aggregate foreign financial assets exceed USD 50,000 for single filers or USD 100,000 for married filing jointly (2024 thresholds). Additionally, FBAR (FinCEN Form 114) requires reporting of foreign financial accounts if the aggregate value exceeds USD 10,000 at any time during the calendar year.
The coordination challenge is that the CRS, FATCA, and FBAR reporting thresholds and definitions differ. For example, CRS requires reporting of all financial accounts maintained by an RFI, regardless of balance. FATCA Form 8938 excludes certain accounts, such as those held by a US person through a foreign trust that is treated as a grantor trust under IRC § 671. FBAR requires reporting of signature authority over accounts, even if the account holder has no beneficial interest. The IRD’s 2025 guidance recommends that US citizens maintain a single spreadsheet reconciling all accounts with their CRS status, FATCA status, and FBAR status, updated quarterly.
For Family Offices and Trust Structures: The 1 July 2025 Deadline
Family offices operating through BVI or Cayman trusts with Hong Kong bank accounts must complete the new beneficial ownership verification protocol by 31 December 2025. The practical steps include:
- Identify all trust beneficiaries by name: For discretionary trusts with more than 50 beneficiaries, the family office must provide the settlor, trustee, and protector individually, plus a written narrative of the beneficiary class definition.
- Obtain TINs for all beneficiaries: Even if the beneficiary has no present entitlement to income, the RFI must obtain a TIN. For US beneficiaries, this is the US SSN or ITIN; for Mainland China beneficiaries, the Chinese Resident Identity Card number; for Hong Kong beneficiaries, the Hong Kong Identity Card number.
- Document the trust’s passive status: If the trust is a Passive NFE, the family office must provide audited financial statements showing that less than 50% of gross income is from active business operations and less than 50% of assets are used in active business operations. The IRD will accept financial statements audited by a Hong Kong CPA firm or a firm recognised by the Hong Kong Institute of Certified Public Accountants (HKICPA).
Actionable Takeaways
- RFIs must complete the new beneficial ownership protocol for trusts and foundations by 31 December 2025 or face automatic referral to the IRD’s Investigation Division for the 2025 reporting year.
- US citizens and Green Card holders should reconcile their CRS self-certifications with their FATCA Form 8938 and FBAR filings before the 15 April 2026 US tax filing deadline, ensuring that account numbers, balances, and jurisdiction codes match across all three regimes.
- Family offices holding BVI or Cayman trusts should obtain individual TINs for each named beneficiary by 1 October 2025, as the IRD’s 1 July 2025 protocol requires individual identification for all beneficiaries, not merely a class designation.
- RFIs conducting manual reviews for accounts exceeding USD 1,000,000 must document the reviewer’s name, date, and discrepancies found, as the IRD’s 2025-2026 examination cycle specifically targets undocumented manual reviews.
- Account holders who receive an IRD letter requesting self-certification should respond within 30 days, as failure to respond may result in account closure under the Commissioner of Inland Revenue v. XYZ Financial Services Ltd precedent, and the account holder bears the burden of proving the closure was not due to CRS non-compliance.
This does not constitute tax advice. Consult a licensed CPA or tax advisor for your specific situation.