Updated Luxembourg CRS FAQ reinforce importance of compliance records

The Luxembourg tax authorities have released an updated version of their CRS FAQ, providing some welcome clarifications with respect to the so-called “Register of Actions”, oversight responsibilities and retention obligations. In addition, the updated document provides additional insights on the different types of compliance controls the tax authorities perform and on the process for in-depth audits. 

On 29 October 2025, the Luxembourg Tax Authorities (LTA) published an updated version of their CRS Frequently Asked Questions (FAQ). This latest release offers further guidance to support Luxembourg Financial Institutions (FIs) in fulfilling their Common Reporting Standard (CRS) obligations and maintaining accurate documentation.

In recent years, the LTA have stepped up their FATCA/CRS compliance controls. The recently updated CRS FAQ offer enhanced transparency by outlining the various types of compliance controls conducted. The timing of its publication suggests that the LTA have incorporated observations made during recent in-depth audits. These clarifications provide valuable direction on the LTA’s expectations regarding governance frameworks, documentation standards, and record-keeping practices.

While the FAQ primarily address CRS, the LTA encourage FIs to apply the same principles to FATCA compliance, given the similarities between the two regimes, unless explicitly stated otherwise. This approach supports a consistent and harmonised implementation across both frameworks. For instance, in terms of reporting, the FAQ strongly recommend filing reports at the legal entity level (umbrella level), rather than submitting separate reports for each sub-fund or compartment. This guidance is intended to apply to both CRS and FATCA filings.

Content of the “Register of Actions”

The updated FAQ provide further clarity on what is meant by the “Register of Actions”. While there is no prescribed format or official template for this register, it should comprehensively document the specific actions taken to ensure FATCA/CRS compliance during the relevant fiscal year.

These actions may include:

1.  Updates to written procedures and policies
2.  Deficiencies identified through internal controls or (internal or external) audits, along with the corrective measures implemented
3.  Any incidents detected during the reporting or due diligence processes, and the corresponding remedial actions taken
4.  Training sessions conducted to support compliance efforts
5.  A description of controls performed, and the results obtained, when FATCA/CRS obligations are outsourced to third-party service providers

Required oversight on delegated functions

The updated FAQ reaffirm that even when FATCA/CRS obligations are outsourced, ultimate responsibility remains with the Financial Institution. This means that FIs must actively review and monitor the services provided by third-party providers to ensure fulfilment of the obligations. In addition, FIs are required to retain evidence of the result of the work performed by the service provider(s) as well as evidence of the controls carried out on that work.

This also includes maintaining copies of all reports – whether initial submissions, additions, cancellations, and corrections – as well as the validation feedback issued by the LTA. Importantly, mere confirmation of timely filing is not sufficient. FIs must be able to demonstrate the quality and completeness of the reporting and due diligence processes.

Retention obligations

Under Article 2(1) of the Luxembourg CRS Law, all relevant documentation must be retained for a period of 10 years. The updated FAQ clarify that these obligations apply to client files (including valuation of financial positions), the Register of Actions, a copy of the written procedures and policies, copies of submitted reports and validation feedback for the relevant fiscal year and any other evidence that demonstrates compliance with due diligence and reporting procedures. This documentation must also be readily available in the event of an audit.

Compliance controls performed by the LTA

In this respect, there are three types of controls that the LTA perform to ensure proper compliance with due diligence and reporting obligations in accordance with FATCA and CRS regulations:

1. Classification checks to identify Financial Institutions
   
   Based on an information request, the LTA will assess whether an entity has chosen a FATCA/CRS status that is consistent with its activity.
   
   In this respect, the updated FAQ strongly recommend that Luxembourg FIs inform the LTA of any change to their CRS classification that impacts their reporting obligations. This notification should be done before the reporting deadline of 30 June following the affected year, and FIs should state their new CRS status, all the facts and circumstances that led to the reclassification as well as the fiscal year from which the new status should be applicable; ideally, they should also provide proof that the new status has been communicated to financial intermediaries.
   
2. Thematic controls
   
   The second category of control targets specific compliance issues identified across one or more fiscal years relating to due diligence and/or reporting procedures. Examples include accounts that are no longer reported despite not being formally closed.
   
   With the implementation of DAC 8 from 1 January 2026, FIs will be required to report more granular data for CRS purposes. This increased data availability may lead to more frequent and automated controls. For instance, the presence of a newly opened account without a Tax Identification Number (TIN) may suggest that the Reporting FI failed to obtain a valid self-certification from the account holder – even if the CRS report indicates otherwise.
   
   Considering this, the updated FAQ encourage Luxembourg FIs to include the date of data collection/data processing on all documentation obtained.
   
   Furthermore, if a valid self-certification is not received within 90 days, clear evidence should be retained in the client file. This may include screenshots showing account blocking or documentation confirming relationship refusal and account closure.
3. In-depth controls to assess compliance with all due diligence, reporting, and retention obligations
   
   In-depth audits on an entity or group of entities that are FIs and are all managed by the same Luxembourg FI are generally performed over a three-year period and consist of several steps: 

• Initial contact: The FI receives a request for information by regular mail.
• Document submission: A list of documents (including written procedures and the Register of Actions,) and financial accounts (reportable, non-reportable, excluded) must be provided within approximately six weeks.
• Preliminary interview: A two-to-three-hour meeting at the FI’s premises introduces the audit process, the FI’s activity and services/products in Luxembourg and implementation of FATCA/CRS in the FI’s organisation.
• Account extraction presentation: The FI explains how financial account lists are generated.
• Governance and compliance review: An on-site interview, held over one to two days, assesses governance, due diligence, reporting, and record-keeping practices.
• On-site file and system review: A review of client files and IT systems takes place over two to four weeks.

After completing the information-gathering phase, the FI receives an initial findings report summarising observations for review and feedback. The in-depth review concludes with a letter of recommendations outlining potential actions to be taken. This letter will also be shared with the regulator.

With this additional guidance, Luxembourg FIs must ensure the implementation of an annual Register of Actions and maintain robust oversight of delegated functions, supported by thorough documentation. All evidence of compliance should be retained for the statutory retention period and be readily accessible for audit purposes.

Our subject-matter experts are here to support you in navigating these updates and strengthening your governance framework. We offer tailored assistance with:

• Reviewing client/investor self-certifications and documenting completeness & reasonableness checks.
• Conducting due diligence on service providers.
• Drafting or reviewing procedures and control matrices.
• Establishing annual Registers of Actions and audit trails of actions performed.
• Performing health checks and gap assessments to prepare for potential audits.