👋🏼 Got a regulatory report due? Get free XML/XBRL generation and support on your first return. 🎉
ComplyFirst IconComplyFirst Icon
Use Cases
Reports
Customers
Resources
Company
Sign InGet a Demo
Sign InGet a Demo

Blog

JANUARY 22, 20265 MIN READ

CRS 2.0 Reporting Requirements for E-Money Firms and Financial Institutions Explained

Fiona Jelly

Fiona Jelly,
Founder & CEO of Complyfirst

EU & the UK flag

This applies to PIs/EMIs and Banks in the EU & the UK

Table of Contents
  1. What Is CRS 2.0 and What Changed in the Common Reporting Standard
  2. Key CRS Reporting Definitions: CRS, CARF and DAC8
  3. What Data Must Be Captured Under the Amended CRS
  4. Who Must Comply with CRS 2.0, and When? (UK and EU)
  5. What Are the Penalties for CRS 2.0 Non-Compliance?
  6. How Complyfirst Supports CRS 2.0 Reporting
  7. Conclusion

What Is CRS 2.0 and What Changed in the Common Reporting Standard

The OECD Common Reporting Standard is the global framework for the automatic exchange of financial account information between tax authorities. Banks and investment firms have reported under it for years.

CRS 2.0 is the OECD's first full review of that standard, and it pulls products that used to sit outside the net firmly inside it.

Why e-money and digital products are now in scope

Under the original CRS framework, many e-money products sat outside scope because CRS was written for traditional bank accounts, not digital wallets. It focused on deposits and custodial accounts used for saving or investment, whereas e-money products are typically prepaid wallets, safeguarded rather than deposited, and used for payments.

CRS 2.0 closes that gap. It explicitly brings certain e-money and account-like digital products in, treats the holding of value and payment functionality as a potential trigger, and expects bank-grade due diligence and evidence behind every reportable account. Many EMIs are now Reporting Financial Institutions for the first time.

CRS 2.0 versus the original CRS

The standard has not been rebuilt from scratch. The obligations are familiar to anyone who owned the reporting obligation at a bank. What has changed is the perimeter and the detail. More products in scope, more granular data per account, stronger checks linking tax self-certifications to KYC, and an updated XML schema for the reports themselves.

TL;DR

  • What it is: the amended OECD Common Reporting Standard, widening scope to e-money products, digital accounts, CBDCs and crypto-asset derivatives.
  • Two routes: HMRC regulations in the UK, DAC8 (Council Directive (EU) 2023/2226) in the EU. Same OECD standard underneath.
  • Four dates: register with HMRC by 31 December 2025, collect data under the new rules from 1 January 2026, first UK report by 31 May 2027, EU exchanges due in 2027 (by 30 September in most member states).
  • Who's newly caught: many e-money institutions and payment firms now classed as Reporting Financial Institutions.
  • Download the CRS 2.0 snapshot for a one-page version.

Key CRS Reporting Definitions: CRS, CARF and DAC8

Here is how CRS, CARF, and DAC8 all relate.

TermWhat it means
CRS (Common Reporting Standard)The OECD’s global standard for the automatic exchange of information on financial accounts. CRS applies to banks, investment firms, and now certain e-money and digital products. It sets the due-diligence and reporting requirements firms must follow.
CRS 2.0 (the CRS amendments)Updates issued by the OECD that expand CRS scope, increase data granularity, strengthen due-diligence expectations, and update reporting schemas. These amendments are what change obligations for e-money institutions from 1 January 2026.
CARF (Crypto-Asset Reporting Framework)A separate OECD reporting framework for crypto-asset transactions. CARF applies to crypto firms and does not apply to traditional financial accounts or e-money products.
DAC8EU legislation that implements two OECD standards into EU law: CARF for crypto-asset reporting, and the amended CRS rules for financial accounts and certain digital money products. DAC8 is the EU legal mechanism through which these standards apply.

What Data Must Be Captured Under the Amended CRS

This is where the work lands. CRS 2.0 raises the bar across onboarding, data quality and reporting. For many e-money institutions it means running CRS controls in practice for the first time. These are the grenades, the specific things to watch for.

CRS 2.0 changeWhat it means in practice
E-money and account-like digital products are now in scopeCertain e-money wallets and digital value products must be treated as reportable financial accounts. Many EMIs are required to apply CRS controls for the first time.
All tax residences must be captured and reportedRecord every country where a customer is tax resident and report all declared tax residences, not just a single primary one. Ensure onboarding flows and systems support multiple tax residencies per customer.
More detailed customer information is requiredCapture structured tax data at onboarding and obtain a valid tax self-certificate confirming tax residence. Collect a Tax Identification Number (TIN) for each declared tax residence, or record a valid reason where unavailable, and keep customer tax information current.
Stronger checks on customer informationAssess whether tax self-certifications and declared tax residences are consistent with KYC data, then investigate and resolve any inconsistencies. Retain evidence showing checks and reviews were performed.
Ongoing monitoring is requiredMonitor customers for changes in circumstances that may affect tax residence and refresh self-certifications and tax data when changes are identified. Treat CRS as a continuous obligation rather than a one-off exercise.
Updated CRS XML schemaPrepare annual reports using the updated OECD CRS XML schema and map internal data accurately to reporting fields. Be ready to correct rejected or incomplete files.
Closer regulatory scrutinyExpect closer review of onboarding, data quality, and evidence, and anticipate follow-up questions from tax authorities. Address gaps early to reduce audit and penalty risk.

Who Must Comply with CRS 2.0, and When? (UK and EU)

CRS 2.0 applies to all Reporting Financial Institutions in the UK and EU, including e-money institutions now brought in for the first time. The standard underneath is identical. The legal route differs by region, and so do the exact deadlines.

The UK timeline under HMRC

The UK applies CRS 2.0 through HMRC's International Tax Compliance regulations, updated for 2025. The dates a UK compliance lead needs on the wall:

  • By 31 December 2025: reporting financial institutions had to be registered with HMRC. If your firm came into scope and has not registered, treat that as overdue.
  • From 1 January 2026: collect and maintain customer and account data under the CRS 2.0 rules. Updated onboarding forms, enhanced due diligence, expanded data capture.
  • By 31 May 2027: file your first report covering the 2026 calendar year.

So 2026 is the data year. 2027 is the reporting year. Everything you file in 2027 rests on the data you are capturing right now.

The EU timeline under DAC8

The EU applies CRS 2.0 and CARF through DAC8, Council Directive (EU) 2023/2226. Member states had to transpose it into national law by 31 December 2025, and the rules apply from 1 January 2026. First exchanges are due in 2027, within nine months of the first reporting year ending. Most member states land on 30 September 2027, though some sit earlier at 30 June. Check the date in each jurisdiction you hold a licence in. We cover the crypto side in our DAC8 and crypto-asset reporting guide.

What Are the Penalties for CRS 2.0 Non-Compliance?

CRS obligations bite from the moment they apply. There is no grace period and no soft launch.

In the UK, legislation provides for financial penalties where CRS obligations are not met, including:

  • Up to £300 per instance for failures such as not obtaining a valid self-certification when required
  • Up to £100 per account holder or controlling person for due-diligence failures
  • Daily default penalties where non-compliance continues after HMRC notification

In the EU, penalties are set by individual Member States but must be effective, proportionate, and dissuasive. This often means penalties in the hundreds or thousands of euros, depending on the nature and scale of the issue.

For EMIs, the risk is scale. Where the same issue affects large customer populations or persists across reporting cycles, the consequences can extend well beyond an isolated fine. In more serious cases, firms may face:

  • Cumulative financial penalties running into six figures where systemic issues affect large volumes of accounts
  • Regulatory investigations, leading to increased supervisory scrutiny and management distraction
  • Reputational impact, particularly where a firm is viewed as a weak link in tax transparency controls
  • Cross-border enforcement risk, as poor information exchanged under automatic exchange frameworks and CARF can trigger enquiries in other jurisdictions

These risks are not theoretical. HMRC have been clear that data collected under CRS 2 and CARF will be used to identify non-compliance and pursue enforcement action where necessary. Firms that delay preparation risk underestimating both the scale and complexity of the new requirements.

How Complyfirst Supports CRS 2.0 Reporting

Complyfirst supports firms in implementing CRS 2.0 as a compliant, repeatable process, aligned with regulatory expectations.

What We Deliver
  • CRS data mapping aligned to onboarding and refresh workflows
  • Structured validation and consistency checks
  • XML ready reporting processes aligned with OECD schemas
  • Clear review, sign off, and audit trails
  • Practical support through first reporting cycles

For a full snapshot of CRS2, you can watch the video snippet below from Fiona’s EU webinar session, or download a full PDF snapshot right here.

FAQ about CRS 2.0

CRS 2.0 applies from 1 January 2026 in both the UK and the EU. That is the date firms must start collecting and maintaining data under the amended rules. The first reports covering 2026 data are due in 2027, by 31 May 2027 in the UK and within nine months of the reporting year end in the EU.

Yes, for many of them for the first time. The amended standard explicitly brings certain e-money wallets and account-like digital products into scope as reportable financial accounts. If your firm holds customer value or offers payment functionality through products that were previously outside CRS, you should assume you are now in scope until you have confirmed otherwise.

CRS 2.0 is the amended Common Reporting Standard for traditional financial accounts, including the e-money and digital products newly brought in. CARF is a separate OECD framework for crypto-asset transactions and applies to crypto firms. Both are written into EU law through DAC8, and into UK law through HMRC regulations, but they cover different firms and different products.

In the UK, the first report covering the 2026 calendar year is due by 31 May 2027. In the EU, first exchanges fall in 2027, with most member states setting a deadline of 30 September 2027 and some at 30 June. The exact date depends on the jurisdiction, so confirm it per licence rather than assuming one date covers all of them.

Conclusion

For many e-money institutions, the amended CRS rules mark a step change in how tax reporting obligations apply in practice.

From January 2026, CRS compliance must be embedded into onboarding, customer data management, and ongoing monitoring. Firms that integrate CRS controls into their day-to-day processes will be better prepared for reporting, regulatory review, and follow-up. Firms that delay risk identifying gaps only once reporting requirements are live, when remediation is more complex and costly.