Common Reporting Standard - ITA Part XIX

International and Large Business Directorate, International, Large Business and Investigations Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Mr. Ted Gallivan
Assistant Commissioner, International, Large Business and Investigations Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

International and Large Business Compliance and Criminal Investigations

Description of the class of record and personal information bank
Standard or institution specific class of record:
Competent Authority Program Administration (CRA ILBIB 261)

 Standard or institution specific personal information bank:
Competent Authority Program Administration
TBS Registration: 002021
Bank Number: CRA PPU 085

Legal authority for program or activity  

Domestic legal framework

New Part XIX of the Income Tax Act, Part 1 of Bill C-29 which received Royal Assent on December 15, 2016, and comes in to force on July 1, 2017.

Subsection 237(2) of the Income Tax Act provides the legal authority for the collection of the SIN in the preparation of information returns.  In addition, the new subsection 271(1) of the Income Tax Act provides the legal authority for the collection and reporting of the TIN in Common Reporting Standard (CRS) Part XIX information returns.
Subsection 270(1) of the Income Tax Act defines a TIN as a SIN, BN, an account number issued to a trust, or taxpayer identification number used in another jurisdiction to identify an individual or entity (or a functional equivalent).

Subsections 162(5), 162(6), and 162(7) of the Income Tax Act provide the legal authority to enforce the collection and reporting of the identification number and to impose a penalty for failure to comply.  Subsection 280(3) of the Income Tax Act also provides for the imposition of a penalty for a reportable person who fails to provide a TIN to a reporting financial institution, upon request.

International legal framework

Multilateral Convention on Mutual Administrative Assistance in Tax Matters (MAC)

Common Reporting Standard Multilateral Competent Authority Agreement (CRS MCAA)

Canada’s tax conventions and agreements

Competent Authority Agreement (CAA)

Summary of the project / initiative / change

For many years, the Canada Revenue Agency (CRA) and other foreign tax authorities have engaged in the automatic exchange of bulk taxpayer financial information (AEOI) provided for in bilateral tax conventions and tax agreements. However, most tax authorities do not have a standard platform for the exchanges.

Recognizing that exchange of information and co-operation between tax administrations is critical in the fight against tax evasion and in protecting the integrity of tax systems, in 2014, the Organisation for Economic Co-operation and Development (OECD) approved a new international standard for tax administrations to automatically exchange financial account information, the Common Reporting Standard (CRS). The G20 Leaders have endorsed the CRS as an important tool for promoting compliance and combating tax evasion. G20 Finance Ministers committed to work towards completing the necessary legislative procedures within the agreed timeframe.

On June 2, 2015, the Government of Canada signed the Multilateral Competent Authority Agreement on Automatic Exchange of Financial Account Information (CRS MCAA) an important step towards implementing the Common Reporting Standard for Automatic Exchange of Financial Account Information with other jurisdictions. Canada is one of more than 101 jurisdictions that have to date committed to implementing the CRS. By signing the CRS MCAA, Canada will benefit from a coordinated arrangement to exchange financial account information efficiently and securely with other tax jurisdictions using either its bilateral tax conventions and agreements or the Multilateral Convention of Mutual Administrative Assistance in Tax Matters (MAC). This information will improve the CRA’s ability to detect and address cases of tax evasion and to protect the integrity of Canada’s tax system.

In general, the CRS raises the due diligence for identifying non-residents, enhances the information exchanged, provides consistency to the practice, and improves the efficiency and timing of the information exchange.   Under the CRS, participating jurisdictions will exchange financial account information of reportable accounts and persons, simply explained in Canada as “Worldwide T5s +,” and comprehensively explained below.

Information will only be exchanged between the CRA and a partner jurisdiction if and only if a legally activated CRS relationship has been established, via either A) The MAC and the CRS MCAA or B) An existing tax convention or agreement and a CRS bilateral CAA.   The listing of all activated exchange partnerships under the MAC and the CRS MCAA is maintained by the OECD. In addition, Canada has signed two (2) bilateral agreements, one with Hong Kong and one with Singapore, and is still working on two more. The list of jurisdictions with which Canada seeks an exchange relationship will continue to be updated on a periodic basis as jurisdictions are approved, as updated notifications are filed, and as bilateral agreements are finalized.

Where legal relationships have been established, the CRA will send financial account information concerning non-residents of Canada to their resident tax authorities. In the reverse, the CRA will receive financial account information concerning residents of Canada holding financial accounts from those foreign tax authorities. CRS information will be exchanged under the confidentiality, protections and safeguards existing under the MAC or a bilateral tax convention or agreement and the corresponding CAA.

Part XIX – Common Reporting Standard, of the Income Tax Act received Royal Assent within Part 1 of Bill C-29 on December 15, 2016, and will come into force on July 1, 2017. As of that date, Canadian financial institutions will be required to have procedures in place to identify accounts held by non-residents and to report the required information to the CRA. 

Currently, financial institutions are required to file information returns on various types of income to the CRA, including the income of non-residents, on NR4 information returns. Financial institutions generally use a foreign address as the indicator for identifying non-residents of Canada. Effective July 1, 2017 and all subsequent years, Part XIX requires Canadian financial institutions and foreign financial institutions operating in Canada to have due diligence procedures in place to determine if their customers (existing and new account holders) are non-residents or are corporations, trusts, partnerships, and other organizations (referred to in this document as entities) controlled by non-residents.

With respect to new account holders, financial institutions must obtain self-certifications from customers at account opening as to whether the customer is a non-resident. With respect to existing account holders (customers with accounts on June 30, 2017), financial institutions are required to review records for indicators that the account holder is a non-resident, including seeking to obtain self-certification forms in certain circumstances. Indicators of non-residence in respect of an individual include foreign address and telephone number, and in respect of an entity, a foreign place of organization. Financial institutions also must look through entity account holders to determine if any controlling persons are non-residents. If, after completing the Part XIX due diligence, a financial institution identifies an account holder as a non-resident or an entity account holder that is controlled by a non-resident, the financial institution is required to electronically report, on the new Part XIX information return, the following information relating to those accounts, for each non-resident account holder and/or non-resident controlling person, to the CRA:

The financial institution is required to file the information annually and before May 2 of the following calendar year (for example, 2017 information is due May 1, 2018).

CRA will exchange information using the new electronic mechanism developed by the OECD for transmitting data between jurisdictions (the common transmission system or CTS).

As mentioned above, the CRA has been exchanging relevant tax information with foreign jurisdictions, on an automatic basis, for many years under the exchange of information provision of the respective tax convention or agreement.  Under the current process, the CRA has been exchanging information such as name, address, Taxpayer Identification Number (TIN), type of income, and amount of income, for both individuals and entities, with its partners. 

The CRA is re-utilizing established business processes and is modifying and implementing systems to manage this new activity.

To match current filing regimes for other information returns, financial institutions will use the current CRA internet filing portals, which form part of the infrastructure maintained by the SSC, to provide the required information returns. Information about Filing Information Returns Electronically can be found on the site.The Part XIX returns (slips and summaries) were released in March 2017 and are to be filed in electronic format only, via the Internet. No paper form is available.

These Part XIX information returns will be captured, processed and stored on CRA`s database (InfoDec) within the Assessment, Benefit, and Service Branch (ABSB). ABSB and Information Technology Branch (ITB) will then prepare the data (bundle, transform to the CRS common format, safeguard, etc.) for transmission to the intended recipient jurisdictions.
The Competent Authority Services Division of the International and Large Business Directorate, of the International, Large Business, and Investigations Branch (ILBIB) will review the information to ensure it is relevant and in accordance with the rules and procedures set out in the applicable bilateral exchange agreement. Where that is the case, the CRA Competent Authority will approve the transmission of the information to the Competent Authority of the applicable foreign jurisdiction and will execute the encrypted and secure transmission.

Information concerning the Enhanced financial account information reporting, including further links to Reporting and sharing of financial account information with other jurisdictions is available on the CRA’s website:

Guidance for financial institutions on Part XIX, including the filing of information returns, are also available on the CRA’s website.

The Department of Finance has posted the legislation and explanatory notes on its website.
Bill C-29, which includes amendments to the Income Tax Act, is posted on the Parliament of Canada website.

Risk identification and categorization

A) Type of program or activity
Compliance / Regulatory investigations and enforcement
Level of risk to privacy: 3


With respect to information collected from the Canadian financial institutions on the new Canadian Part XIX information returns (Outgoing information flow), the information is stored on CRA’s InfoDec mainframe database.  Compliance areas will continue to primarily use existing non-resident forms (i.e.: NR4, NR-T4A) for non-resident compliance activities, including risk assessment, audit, and Part XIII determination of tax on income from Canada of non-resident persons.  The CRS information received from Canadian financial institutions is not considered to be the primary source of information for existing domestic and non-resident compliance activities, and will only be available to CRA’s compliance areas, on a limited access and need-to-know basis.  This information would only be included in an audit file as supplementary information, and for comparison reasons during audit risk assessment.  For example, does the information on the NR4 match the information on the CRS return? This information will not be incorporated into automated business intelligence processes.


The information provided to the CRA by the participating jurisdictions can only be used for tax compliance purposes. The CRA will store the data that is collected on the CRS information returns and received from the other participating jurisdictions on InfoDec, and the data will be implemented within business intelligence systems and data marts, including the Program Data Provider and the Agency Data Warehouse. The information will be used for compliance activities, including risk assessment, workload development, audit, and collections.

B) Type of personal information involved and context
Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details: Personal information such as financial information and Tax Identification Numbers (TIN) (including Social Insurance Numbers) will be provided to the CRA by financial institutions and by other participating jurisdictions.

C) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments
Level of risk to privacy: 4


With respect to each financial account held at a financial institution by a reportable jurisdiction person or an entity with one or more reportable jurisdiction controlling person(s), the information will be collected by the financial institution and reported to CRA, who in turn will transmit the information to the respective participating jurisdiction(s). The information will not otherwise be shared outside of the CRA.


With respect to each financial account held by reportable jurisdiction person of Canada at another participating jurisdiction’s financial institution, the information will be collected by the other participating jurisdictions and then transmitted to the CRA.

The Multilateral Convention on Mutual Administrative Assistance in Tax Matters (MAC)
restricts the use of the information to tax purposes only and does not allow the CRA to share CRS information with a province or territory for any purpose without the express consent of the providing jurisdiction per Article 22, paragraph 4 of the MAC. The confidentiality restrictions of the MAC must be respected even if Canada’s domestic law that governs the use and disclosure of taxpayer information is less restrictive.

D) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details: This is a new activity that has no sunset date.

E) Program population
The program impacts certain individuals for external administrative purposes.
Level of risk to privacy: 3


The program will impact non-resident individuals and entities with reportable accounts, who hold or control financial accounts at financial institutions operating in Canada.


The program will impact Canadian persons that hold or control financial accounts at financial institutions operating in other participating jurisdictions.

F) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: Yes

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: Yes

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Details: This initiative does not involve the use of surveillance on the program population.

However, as part of CRA security program, CRA employees that will have access to personal taxpayer information will be monitored by the use of audit trails.

The audit trails are used to verify that only an authorized user accesses personal information and to ensure that access can be linked to specific individuals to support the investigation of suspected or alleged misuse. 

Every time CRA employees log in on their computers, a notice pops up requiring employees to acknowledge that they are aware that all access to CRA networks is monitored and that access is on a need-to-know basis. This information is already described in the standard personal information bank Electronic Network Monitoring Logs PSU 905.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes

Prior to processing and storing the Part XIX information return, the CRA will perform validations to check again for filer errors and discrepancies. 
These include but are not limited to:
• Balance checks on reported amounts by the filer versus calculated amounts by the CRA on the return summary - to verify the filer’s calculations
• Validation on filer identification (i.e. Business Number of financial institutions) 
• Missing or incomplete information on the return
• Invalid format of the file (i.e. not XML)
• Improper structure of the XML file
• Invalid format in specific data elements

Prior to processing and storing the Part XIX information return, the CRA will perform validations to check for filer errors and discrepancies and record level errors.  Validations to check for filer errors and discrepancies and record level errors will include, but are not limited to:
• Missing or incomplete information on the return
• Invalid format of the file (i.e. not XML)
• Improper structure of the XML file
• Invalid format in specific data elements
• Invalid Canadian TIN
• Incorrect country code
• Invalid document reference identifier

As part of the CRA audit and collections programs, the CRS information returns will be subject to personal information matching by way of automated techniques, and by way of manual verification.  The matching process is imperative to determine non-compliance and must be completed prior to the CRA making any possible tax (re)assessments.  For more information, see the CRA PIA on Business Intelligence and Compliance Risk Assessment and the PIA on Collections and Verification Business Intelligence.

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.
Level of risk to privacy: 2

Financial institutions will submit the Part XIX information returns in XML format via the Internet with the use of CRA’s Internet File Transfer or Web forms services, of which the infrastructure is maintained by Shared Services Canada (SSC). These services are already in existence and are currently used by financial institutions to file other information returns in a secure manner. Through an automated process, this data will then be systematically stored in the InfoDec Returns master database.  There is no direct connectivity between the Internet application and the database on the mainframe.

The Assessment, Benefit, and Service Branch will receive the CRS data from Canadian financial institutions and provide that data to the Information Technology Branch-Electronic Exchange of Information Section (ITB-EEI), separated by jurisdiction, via the electronic Business Computing Infrastructure File Transfer Protocol dropzone (eBCI FTP dropzone).  ITB-EEI will transform each file into the CRS common XML format, and provide the files to the CRA Competent Authority, via the eBCI FTP dropzone.  The data files, once verified and approved by Competent Authority, will then be encrypted using encryption keys and transmitted to the SSC’s Corporate Gateway, for secure delivery to the Common Transmission System (CTS), the data exchange tool agreed to between Canada and the partner jurisdictions in collaboration with the Organization for Economic Cooperation and Development (OECD).  Competent Authority will also ensure that the legal instruments for the exchange of information are in place (the Multilateral Convention on Mutual Administrative Assistance in Tax Matters and the CRS Multilateral Competent Authority Agreement, or a tax convention/agreement and bilateral Competent Authority Agreement). 

Neither the business process nor the new application components provide the ability to take the data and store it on a USB.

Concerning the CTS, an independent third party contractor will be selected by the OECD’s CTS expert sub-working group to conduct a Security Audit of the CTS in July 2017.  The audit result evaluation and implementation of any critical findings is scheduled for early August 2017.  Future, periodical security audits, will also be conducted.


The data files from other participating jurisdictions will be transmitted through the encrypted CTS and received in XML format. Competent Authority will control the encryption keys and access to the packaged file.  Competent Authority will unpackage the file, ensure that the information was intended for Canada, and forward the file to ITB-EEI, via the eBCI FTP dropzone, in order for them to transform the data into the Canadian format.  In the improbable event that the information received was not intended for Canada, a notification will be immediately sent to the partner jurisdiction, and the file will be deleted immediately. Data that is intended for Canada will be systematically stored in the InfoDec Returns master database.  Competent Authority will also maintain a copy of the data on its restricted shared drive.  Restricted shared drives are subject to National Standard Operating Procedures for granting access and to Employee Systems Access Review on a regular basis.

H) Risk impact to the individual or employee
Details: If the personal information is compromised, it could potentially cause financial harm and embarrassment to the individual.




Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: