Blog
JANUARY 22, 2026 • 5 MIN READ
CRS 2 Reporting Requirements for Financial Institutions and E-Money Firms Explained
Fiona Jelly,
Founder & CEO of Complyfirst
This applies to PIs/EMIs and Banks in the EU & the UK
What CRS Means for Financial Institutions (Including E Money Firms)
The OECD Common Reporting Standard (CRS) applies to banks and other financial institutions and has done so for many years. From 1 January 2026, amendments to CRS (CRS 2) take effect in both the UK and the EU.
These amendments clarify scope, expand data and due-diligence requirements, and update reporting expectations. For e-money institutions in particular, they remove long-standing uncertainty around whether certain e-money and digital account products fall within CRS.
In the EU, the amended CRS rules are implemented through DAC8. In the UK, they are implemented through domestic legislation. While the legislative routes differ, the underlying OECD standard is the same.
For e-money institutions that have not previously applied full CRS controls, this represents a shift to the application of the same tax onboarding, validation, and reporting standards long applied by banks.
TL;DR
- What it does: Amends the OECD Common Reporting Standard and explicitly brings certain e money and digital account products into scope
- When it starts: Data must be collected under the amended rules from 1 January 2026. First reports covering the 2026 calendar year are due in 2027
- Who it affects: E money institutions and other financial institutions classified as Reporting Financial Institutions
- Why it matters: E-money institutions are required to apply the same tax residence data collection, validation, and reporting standards that have historically applied to banks
Key Definitions and How They Relate
| Term | What it means |
|---|---|
| CRS (Common Reporting Standard) | The OECD’s global standard for the automatic exchange of information on financial accounts. CRS applies to banks, investment firms, and now certain e-money and digital products. It sets the due-diligence and reporting requirements firms must follow. |
| CRS Amendments (often called “CRS 2”) | Updates issued by the OECD that expand CRS scope, increase data granularity, strengthen due-diligence expectations, and update reporting schemas. These amendments are what change obligations for e-money institutions from 1 January 2026. |
| CARF (Crypto-Asset Reporting Framework) | A separate OECD reporting framework for crypto-asset transactions. CARF applies to crypto firms and does not apply to traditional financial accounts or e-money products. |
| DAC8 | EU legislation that implements two OECD standards into EU law: CARF for crypto-asset reporting, and the amended CRS rules for financial accounts and certain digital money products. DAC8 is the EU legal mechanism through which these standards apply. |
Why CRS is New for Many EMIs
Under the original CRS framework, many e-money products sat outside scope because CRS was written for traditional bank accounts, not digital wallets. It focused on deposits and custodial accounts used for saving or investment, whereas e-money products are typically prepaid wallets, safeguarded rather than deposited, and used for payments.
The amended CRS closes that gap by:
- Explicitly bringing certain e-money and account-like digital products into scope
- Treating the holding of value and payment functionality as potential CRS triggers
- Requiring bank-grade due diligence, validation, and evidence
As a result, many EMIs are now clearly subject to CRS obligations for the first time.
What Data Must Be Captured Under the Amended CRS
The amended CRS raises the operational bar across onboarding, data quality, and reporting. For many e-money institutions, this requires applying CRS controls in practice for the first time.
| CRS change | What it means in practice |
|---|---|
| E-money and account-like digital products are now in scope | Certain e-money wallets and digital value products must be treated as reportable financial accounts. Many EMIs are required to apply CRS controls for the first time. |
| All tax residences must be captured and reported | Record every country where a customer is tax resident and report all declared tax residences, not just a single primary one. Ensure onboarding flows and systems support multiple tax residencies per customer. |
| More detailed customer information is required | Capture structured tax data at onboarding and obtain a valid tax self-certificate confirming tax residence. Collect a Tax Identification Number (TIN) for each declared tax residence, or record a valid reason where unavailable, and keep customer tax information current. |
| Stronger checks on customer information | Assess whether tax self-certifications and declared tax residences are consistent with KYC data, then investigate and resolve any inconsistencies. Retain evidence showing checks and reviews were performed. |
| Ongoing monitoring is required | Monitor customers for changes in circumstances that may affect tax residence and refresh self-certifications and tax data when changes are identified. Treat CRS as a continuous obligation rather than a one-off exercise. |
| Updated CRS reporting format | Prepare annual reports using the updated OECD CRS XML schema and map internal data accurately to reporting fields. Be ready to correct rejected or incomplete files. |
| Increased regulatory scrutiny | Expect closer review of onboarding, data quality, and evidence, and anticipate follow-up questions from tax authorities. Address gaps early to reduce audit and penalty risk. |
Who Must Comply, and When? (UK and EU)
CRS 2 applies to all Financial Institutions in the UK and EU, and now e-money institutions brought into scope for the first time.
Both regions follow a similar rollout timeline:
- From 1 January 2026:
Firms must collect and maintain all customer and account data in line with CRS 2 requirements. This includes updated onboarding forms, enhanced due-diligence checks, and expanded data capture. - From 2027 Reporting Year (filed in 2027/2028):
Firms mustreport using the new CRS 2 standards, relying entirely on the data collected under the 2026 rules.
In short: 2026 is the “data year.” 2027 is the “reporting year.”
Any organisation classified as a Financial Institution under CRS, including newly in-scope e-money providers, must be fully compliant by these dates.
What Happens if You Don’t Comply? (A Look at Penalties)
CRS requirements are enforceable from the point they apply. There is no grace period.
In the UK, legislation provides for financial penalties where CRS obligations are not met, including:
- Up to ÂŁ300 per instance for failures such as not obtaining a valid self-certification when required
- Up to ÂŁ100 per account holder or controlling person for due-diligence failures
- Daily default penalties where non-compliance continues after HMRC notification
In the EU, penalties are set by individual Member States but must be effective, proportionate, and dissuasive. This often means penalties in the hundreds or thousands of euros, depending on the nature and scale of the issue.
For EMIs, the risk is scale. Where the same issue affects large customer populations or persists across reporting cycles, the consequences can extend well beyond an isolated fine. In more serious cases, firms may face:
- Cumulative financial penalties running into six figures where systemic issues affect large volumes of accounts
- Regulatory investigations, leading to increased supervisory scrutiny and management distraction
- Reputational impact, particularly where a firm is viewed as a weak link in tax transparency controls
- Cross-border enforcement risk, as poor information exchanged under automatic exchange frameworks and CARF can trigger enquiries in other jurisdictions
These risks are not theoretical. HMRC have been clear that data collected under CRS 2 and CARF will be used to identify non-compliance and pursue enforcement action where necessary. Firms that delay preparation risk underestimating both the scale and complexity of the new requirements.
Understanding CARF
CARF, the Cryptoasset Reporting Framework, is the OECD standard for tax reporting on cryptoasset transactions. It can be thought of as the crypto equivalent of CRS for traditional financial accounts. CARF applies to crypto firms, not to banks, e-money institutions, or other traditional financial institutions, and requires transaction-level reporting on cryptoassets and users from 1 January 2026.
In the EU, CARF is implemented through DAC8. In the UK, it is implemented through domestic legislation. We cover CARF, who is in scope, and what crypto firms need to do in detail in our dedicated CARF guides.
How Complyfirst Supports CRS 2 Reporting
Complyfirst supports firms in implementing CRS 2 as a compliant, repeatable process, aligned with regulatory expectations.
What We Deliver
- CRS data mapping aligned to onboarding and refresh workflows
- Structured validation and consistency checks
- XML ready reporting processes aligned with OECD schemas
- Clear review, sign off, and audit trails
- Practical support through first reporting cycles
For a full snapshot of CRS2, you can watch the video snippet below from Fiona’s EU webinar session, or download a full PDF snapshot right here.
Conclusion
For many e-money institutions, the amended CRS rules mark a step change in how tax reporting obligations apply in practice.
From January 2026, CRS compliance must be embedded into onboarding, customer data management, and ongoing monitoring. Firms that integrate CRS controls into their day-to-day processes will be better prepared for reporting, regulatory review, and follow-up. Firms that delay risk identifying gaps only once reporting requirements are live, when remediation is more complex and costly.