Common Reporting Standard Income Tax Act Part XIX v2.0

Compliance Programs Branch
High Net Worth Compliance Directorate


Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Cathy Hawara
Assistant Commissioner
Compliance Programs Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Lia Jackson
Director
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Reporting Compliance

Standard or institution specific class of record:

Competent Authority Program Administration
CRA CPB 261

Standard or institution specific personal information bank:

Competent Authority
Bank Number: CRA PPU 085
TBS Registration: 002021

Legal authority for program or activity

Domestic Legal Framework

Part XIX, Common Reporting Standard, of the Income Tax Act (sections 270 to 281), and in particular:

In addition to Part XIX, subsection 237(2) of the Income Tax Act provides the legal authority for the collection of a social insurance number, a business number, or a trust account number in the preparation of information returns.

Subsections 162(5), 162(6), and 162(7) of the Income Tax Act provide the legal authority to enforce the collection and reporting of the identification number and to impose a penalty for failure to comply with a requirement.

Section 220 of the Income Tax Act – The requirement to administer and enforce the Income Tax Act.

International Legal Framework

Subparagraph 241(4)(e)(xii) of the Income Tax Act – The authority to share taxpayer information collected by the CRA with another jurisdiction under the provision contained in a tax treaty, a comprehensive tax information exchange agreement, or the Convention on Mutual Administrative Assistance in Tax Matters.

Convention on Mutual Administrative Assistance in Tax Matters
Common Reporting Standard Multilateral Competent Authority Agreement
Canada’s tax conventions and tax agreements
Competent Authority Agreement

Summary of the project, initiative or change

Overview of the Program or Activity

The Common Reporting Standard is a legislative framework for the standardization of information maintained and reported by financial institutions, in relation to accounts held by non-resident individuals and entities. The standard sets out the financial account information to be reported, the financial institutions required to report, the different types of accounts and taxpayers covered, as well as the due diligence procedures to be followed by financial institutions.

The Common Reporting Standard is a way to ensure the uniformity and completeness of financial information exchanged between Canada and foreign jurisdictions, in accordance with international agreements. The purpose of sharing this information is to improve the CRA’s ability to detect and address cases of tax non-compliance, and to protect the fairness and integrity of Canada’s tax system.

The Common Reporting Standard has been implemented in Canada through Part XIX of the Income Tax Act. As a result, reporting financial institutions are required to file annual information returns with the CRA for any accounts that meet the criteria set out in Part XIX. Only information pertaining to financial accounts held by reportable persons is sent to the CRA in this manner. A reportable person means an individual or an entity resident in a jurisdiction other than Canada or the United States* (that is, a non-resident).

*Residents of the United States are covered under Part XVIII of the Income Tax Act.

Information contained in returns filed with the CRA pursuant to Part XIX may then be exchanged with foreign jurisdictions in accordance with the Common Reporting Standard Multilateral Competent Authority Agreement. The Government of Canada signed that agreement in 2015 for the automatic exchange of financial account information with foreign tax jurisdictions. The agreement specifies the details of what information will be exchanged between partner jurisdictions, and when. However, the agreement leaves it up to each jurisdiction to determine which tax authorities to partner with for the exchange of information. A listing of Canada’s active exchange relationships can be found at www.oecd.org/tax/automatic-exchange/international-framework-for-the-crs/exchange-relationships/.

The reciprocal exchange of financial account information with Canada’s partnered tax authorities has created the following two streams of personal information:

What’s New

The privacy impact assessment has been updated to include the following new program activities, systems used within the program, and users of the personal information:

Financial institution compliance activities

Sections 272 to 277 of the Income Tax Act set out the requirements for Canadian financial institutions, and foreign financial institutions operating in Canada, to exercise due diligence in searching for and identifying all non-resident-held accounts which must be reported to the CRA under Part XIX. The quality and completeness of due diligence checks regarding the tax residency of account holders and controlling persons, and the accuracy of the account information, are crucial to the usefulness of the information exchanged. The International Collaboration and Exchange of Information Division, within the CRA’s Compliance Programs Branch, is overseeing a compliance program to assess how well Canadian financial institutions are meeting their due diligence and reporting obligations under Part XIX.

The key parts of the compliance program include financial institution population identification; risk management; risk treatment and implementation of desk-based reviews and onsite audits; monitoring; evaluation; and measurement. Risk analysis may involve the review and analysis of large samples of Part XIX data to identify and quantify risk elements. Any resultant audits could include the review of a sample of all accounts held by a financial institution, as well as the review of a financial institution’s policies and procedures related to Part XIX requirements.

Because there is similarity in reporting requirements, the CRA may collaborate with other supervisory bodies (for example, the Financial Transactions and Reports Analysis Centre of Canada and the Office of the Superintendent of Financial Institutions) to streamline processes. Common Reporting Standard data will not be shared with any collaborating parties. Based on past history with financial-institution-sector reporting, the CRA expects the level of compliance to be fairly high.

Sharing of Common Reporting Standard information with Revenu Québec

In general, Canada’s international exchange agreements prohibit the CRA from disclosing any Common Reporting Standard information received, unless the sending jurisdiction has provided their express authorization for doing so. The CRA is in the process of obtaining authorizations from its partner jurisdictions in order to share Common Reporting Standard information with Revenu Québec. This is in accordance with the agreement (a memorandum of understanding) between the CRA and Revenu Québec for the exchange of information regarding taxes and duties.

It is anticipated that partner jurisdictions may provide authorization in the future. The CRA will subsequently provide Revenu Québec with Common Reporting Standard information received from authorizing partner jurisdictions and associated with Quebec taxpayers, so long as Revenu Québec is able to adhere to the confidentiality and data safeguarding requirements set out in the Convention on Mutual Administrative Assistance in Tax Matters and the Common Reporting Standard Multilateral Competent Authority Agreement, in addition to those security requirements already established in the memorandum of understanding. Transfers of Common Reporting Standard information will be done in accordance with the memorandum of understanding and other related agreements to be developed.

System enhancements and additions

All international exchanges of Common Reporting Standard information are done electronically, using an online, secure portal. Only encrypted files in a specific format can be transferred through this portal. The CRA uses an internally developed software application to (a) package and encrypt Part XIX information uploaded to the portal, and (b) unpackage and decrypt Common Reporting Standard information received through the portal. This application has recently been updated in order to leverage managed file transfers for all exchanges since January 31, 2021.

The program is also using a new data mining workspace and application to enable the review and analysis of all Common Reporting Standard and Part XIX data received. This application is used for the purpose of business intelligence, compliance workload, and program evaluation. Program evaluation includes the review of Common Reporting Standard data quality, as well as the issuing of any feedback to partner jurisdictions.

Scope of the Privacy Impact Assessment

The operational requirements created by the Common Reporting Standard and Part XIX data flows are the focus of this PIA. This includes the storage, transmission, retention/disposition, handling, matching, and disclosure of all Part XIX information returns and summaries received from Canadian financial institutions, and all Part XIX and Common Reporting Standard information exchanged with Canada’s foreign exchange partners.

This PIA also covers the program’s use of personal information for the purpose of ensuring Canadian financial institutions are in compliance with their record keeping, due diligence, and reporting requirements set out in Part XIX of the Income Tax Act.

This PIA will not address personal information exchanged with the United States in accordance with the Canada-United States Enhanced Tax Information Exchange Agreement and Part XVIII of the Income Tax Act. A separate PIA has been prepared for those exchanges.

The use of Part XIX and Common Reporting Standard information by other CRA programs, which include Business Intelligence, Risk Assessment, Workload Development, Compliance Activities, Appeals and Collections, is addressed in the corresponding program PIAs.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details:

Outgoing data (Part XIX)

The Part XIX data collected from Canadian financial institutions is for the primary purpose of exchanging with partner jurisdictions. It is also used to monitor and assess the filing compliance of Canadian financial institutions.

The data received under Part XIX from Canadian financial institutions may also be used for existing domestic and non-resident tax compliance activities, including risk assessment, workload development, audit, and Part XIII determination of tax on income from Canada of non-resident persons. This includes manual and automated compliance activities.

Incoming data (Common Reporting Standard)

The Common Reporting Standard data provided to the CRA by partner jurisdictions can only be used for tax compliance purposes, including risk assessment, workload development, audit, and collections. This includes manual and automated compliance activities. In a small number of instances, the data could also be referred to the CRA Criminal Investigations Directorate by audit program areas. In these cases, any follow-up activity would be conducted by the Directorate, bearing in mind the increased expectation of privacy required to conduct a criminal investigation and the need in many cases for prior judicial authorization in the form of a warrant or production order.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details:

Outgoing data (Part XIX)

In general, outgoing data pertains to non-resident individuals or entities that have financial accounts at Canadian financial institutions. For each reportable account maintained by a reporting financial institution, section 271 of the Income Tax Act requires all of the following information to be reported to the CRA:

Incoming data (Common Reporting Standard)

In general, incoming data pertains to Canadian tax residents who hold financial accounts in foreign jurisdictions which have partnered with Canada under the Common Reporting Standard. For each reportable account maintained by a Canadian resident at a reporting financial institution in a foreign jurisdiction, the Common Reporting Standard Multilateral Competent Authority Agreement requires partner tax authorities to exchange the following information with the CRA:

The data received from foreign tax partners can include the names of organizations and limited elements of free text.

*Reportable person could include a natural person, an entity, or a controlling person of an entity.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details:

Outgoing data (Part XIX)

Canadian financial institutions are required to file Part XIX annual information returns with the CRA for all accounts held or controlled by tax non-residents. To help Canadian financial institutions meet their reporting and due diligence requirements under Part XIX, the CRA has published the Guidance on the Common Reporting Standard and will do compliance reviews.

The CRA’s competent authority may then exchange this Part XIX information with tax authorities from foreign jurisdictions which have partnered with Canada under the Common Reporting Standard Multilateral Competent Authority Agreement. The provision of Part XIX information to foreign governments is permitted under subparagraph 241(4)(e)(xii) of the Income Tax Act, which allows for the exchange of taxpayer information between two competent authorities representing a tax treaty or the Convention on Mutual Administrative Assistance in Tax Matters.

Incoming data (Common Reporting Standard)

In reverse, information about financial accounts held by Canadian tax residents in foreign jurisdictions is sent to the CRA’s competent authority by partner tax authorities.

Part XIX and Common Reporting Standard information will only be exchanged with a foreign jurisdiction if an active exchange agreement is in place. Additionally, all exchanges of Part XIX and Common Reporting Standard information are done electronically through a secure portal that was developed by the Organisation for Economic Co-operation and Development.

In accordance with the international exchange agreements, Canada and all partner jurisdictions must protect the confidentiality of any information exchanged. This includes a general restriction that exchanged information can only be used for tax purposes, and that it cannot be disclosed to any third parties other than as permitted within the Convention on Mutual Administrative Assistance in Tax Matters, or as authorized by the sending jurisdiction (and the authorized use of the data is in accordance with the sending jurisdiction’s domestic legislation). Also, all jurisdictions which participate under the Common Reporting Standard are required to have processes, procedures, and controls in place to protect and safeguard the information exchanged. Canada does not exchange information with any jurisdiction that fails to adhere to these confidentiality and data-safeguarding requirements.

In 2015, the Global Forum on Transparency and Exchange of Information for Tax Purposes (Global Forum) started confidentiality and data safeguard reviews of all jurisdictions committed to implementing the Common Reporting Standard, beginning with the early adopters. As part of the review process, jurisdictions complete a questionnaire, which is then reviewed by a team of employees from the Global Forum Secretariat and peers from jurisdictions which participate under the Common Reporting Standard. In most cases, the reviews include onsite visits by this team, to validate that the appropriate safeguards are in place. Once the review is completed, a confidentiality and data safeguard assessment report is produced and shared with members of the Global Forum’s Automatic Exchange of Information Peer Review Group for comment. If the results of the assessment are not satisfactory, the jurisdiction is placed on an action plan, and a follow-up review is done and a report prepared, once the jurisdiction and the Global Forum Secretariat have confidence that the jurisdiction has addressed the recommendations. The CRA’s confidentiality and data safeguards were assessed by the Global Forum in 2023, and there were no issues identified, or recommendations made.

Furthermore, the CRA has established a rigorous due diligence process with respect to the confirmation of Canada’s Common Reporting Standard exchange partners. In addition to ensuring that all required legal mechanisms are in place, the CRA examines the above-mentioned confidentiality reports, reviews its past information exchange experience with the jurisdiction in question, and consults with Government of Canada departments with respect to broader foreign policy issues, before developing a recommendation for consideration and approval by the commissioner of the CRA. Once commissioner approval is obtained, a jurisdiction can be confirmed as a legally activated Common Reporting Standard exchange partner for receiving and sending information.

Part XIX information returns filed, and Common Reporting Standard information received from foreign jurisdictions, are stored internally and processed by the Information Returns Section within the Assessment, Benefit, and Service Branch. Other CRA programs may then access the information on a need-to-know basis. The data is made available to other CRA programs for compliance purposes, including risk analysis, workload development, and audit. As a result of an administrative compliance action, the information could also be shared with the Criminal Investigations Directorate within the Compliance Programs Branch. Use of the information in the criminal context is subject to the same restrictions as other taxpayer data. There are no restrictions on the use of Common Reporting Standard information for criminal purposes expressed in the Multilateral Competent Authority Agreement or treaties.

Common Reporting Standard information received from foreign jurisdictions may also be provided to Revenu Québec, for the purpose of provincial tax administration. Only Common Reporting Standard information received from jurisdictions which have consented to sharing with Quebec would be provided to Revenu Québec, and such provincial exchanges will be done in accordance with the agreement (the memorandum of understanding) between the CRA and Revenu Québec concerning the exchange of information regarding taxes and duties.

The CRA will only provide Revenu Québec with Common Reporting Standard records received from consenting jurisdictions and relating to Quebec taxpayers. The CRA will provide Revenu Québec with these records, so long as Revenu Québec can adhere to the confidentiality and data safeguarding requirements set out in the Convention on Mutual Administrative Assistance in Tax Matters and Common Reporting Standard Multilateral Competent Authority Agreement, in addition to those security requirements already established in the memorandum of understanding and other related agreements to be developed. The CRA is in the process of obtaining authorizations from its partner jurisdictions in order to share Common Reporting Standard information with Revenu Québec.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details:

This program has no sunset date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

Outgoing data (Part XIX)

The program affects non-resident individuals and entities with non-resident controlling persons who hold financial accounts at financial institutions operating in Canada. Reporting Canadian financial institutions must take steps to identify and report to the CRA financial accounts held in Canada by, or for the benefit of, non-residents, including entities controlled by one or more non-resident persons.

Incoming data (Common Reporting Standard)

The program affects Canadian individuals and entities with Canadian resident controlling persons that hold or control financial accounts at foreign financial institutions operating in partner foreign tax jurisdictions.

F) Technology & privacy

  1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
    Risk to privacy: No
  2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
    Risk to privacy: Yes
  3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

Details:

Outgoing data (Part XIX)

Financial institutions submit Part XIX information returns electronically to the CRA. This data is systematically stored internally.

Automated processes convert the Part XIX data to the Common Reporting Standard format. Following internal processing, the data is then transmitted via secure delivery to the portal. The International Collaboration and Exchange of Information Division also ensures that the legal instruments for the exchange of information are in place (the Convention on Mutual Administrative Assistance in Tax Matters and Common Reporting Standard Multilateral Competent Authority Agreement or a tax convention/agreement and bilateral competent authority agreement).

None of the business processes allow for the transport of data to another platform, or to store it on a removable Universal Serial Bus storage device.

An independent third-party contractor has been selected by the expert subworking group for the Organisation for Economic Co-operation and Development’s portal to do periodic security audits. The most recent audit for the 2020/2021 period established that the platform continues to provide a good level of security. The next audit is planned to take place in 2023.

Incoming data (Common Reporting Standard)

The Common Reporting Standard data from partner jurisdictions is transmitted and received electronically. Data that is intended for Canada will be systematically stored internally.

The Part XIX and Common Reporting Standard information that is saved internally is then copied and accessible for matching, business intelligence, risk analysis, and workload development.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

In the event of a privacy breach, an individual may become a victim of identity theft, and their personal information may be used without their knowledge or consent in ways that could result in a financial or reputational loss, such as the misuse of credit card information or debts being incurred on their behalf.
