
CRS for EMIs: when an EMI is a Reportable Financial Institution

Fintech Passport
May 6, 2026 · 6-min read

“CRS doesn’t apply to us — we’re an EMI” is one of the most expensive misreads in EU regulatory operations. The Common Reporting Standard catches more business models than its colloquial reputation suggests. The classification test is mechanical, the consequences of getting it wrong are real, and most EMIs that fall in scope discover it years late after a tax-authority enquiry. This piece walks through when an EMI becomes a Reportable Financial Institution, what the obligation actually requires, and how it sits alongside DAC8.

1. What CRS is

The Common Reporting Standard (CRS) is the OECD’s framework for the automatic exchange of financial-account information for tax purposes. It applies in the EU through Council Directive 2014/107/EU, known as DAC2, the second Directive on Administrative Cooperation. Every EU member state has transposed it. Every “Reporting Financial Institution” must identify which of its account holders are tax-resident in another jurisdiction, gather defined data about those accounts, and report annually to its home tax authority, which then forwards the information to the foreign authority where the account holder is tax-resident.

CRS predates DAC8 by a decade. The two regimes share underlying architecture (definitions, due-diligence rules, XML schema) and feed the same automatic-exchange infrastructure, but DAC8 captures crypto activity while CRS captures fiat-account activity. An EMI authorised under MiCA and EMD2 can fall under both.

2. When an EMI becomes a Reportable Financial Institution

The CRS classification test runs through four entity-type buckets. An EMI typically lands in one of two:

  • Depository Institution — accepts deposits in the ordinary course of a banking or similar business. EMIs that hold customer funds in named, individually-identifiable accounts (the typical e-money model under EMD2 safeguarding) fall here.
  • Custodial Institution — holds financial assets for the account of others. Less common for pure e-money operators, more relevant for hybrid investment-services structures.

The classification is per-entity, not per-product. If your EMI offers both pooled prepaid cards (potentially out of scope) and named e-wallets (in scope), the entity is in scope as a whole, and the obligation extends to all reportable accounts.

3. Excluded accounts and excluded entities

CRS includes carve-outs that matter:

  • Low-value pre-existing accounts with balances below USD 250,000 trigger lighter due-diligence at the documentation stage.
  • Excluded accounts — limited categories defined by the home jurisdiction (typically certain qualified retirement accounts, escrow accounts, dormant accounts below a threshold).
  • Excluded entities — limited categories such as Governmental Entities, International Organisations, Central Banks. EMIs almost never qualify for entity-level exclusion.

The carve-outs reduce the volume of due-diligence work, not the entity-level reporting obligation itself. An EMI cannot opt out of CRS classification by structuring its product set.

4. The due-diligence layer

CRS is built on customer-due-diligence procedures that overlap heavily with AML KYC but go further on tax-residence specificity:

  • Self-certification at onboarding — every new individual or entity account holder declares their tax residence(s) and Taxpayer Identification Number (TIN) for each.
  • Reasonableness check — the firm cross-references the self-certification against KYC data and other reliable indicia (address, phone country code, IP geolocation patterns). Inconsistencies require resolution.
  • Change-in-circumstance triggers — material customer-data updates require re-certification.
  • Pre-existing accounts — accounts opened before the entity entered CRS scope must be reviewed against indicia of foreign tax residence within defined timeframes.
  • Record retention — typically six years from the end of the reportable period; jurisdiction-specific.

5. The reporting cycle

  • Frequency: annually. Reportable period = previous calendar year.
  • Format: the OECD CRS XML schema, with EU-DAC2 extensions adopted by the European Commission’s Directorate-General for Taxation and Customs Union (DG TAXUD).
  • Channel: via the home member state’s tax-authority portal (AEAT in Spain, Belastingdienst in the Netherlands, DGFiP in France, Agenzia delle Entrate in Italy, BZSt in Germany, ACD in Luxembourg).
  • Forwarding: the home tax authority forwards reportable accounts to the relevant foreign tax authorities through the OECD common transmission system.

6. What data is reported

Per reportable account, per year:

  • Account-holder identification — name, address, jurisdictions of tax residence, TIN(s), date and place of birth (individuals)
  • For entity account holders — controlling persons identification under defined “passive non-financial entity” rules
  • Account number and the name and identifying number of the reporting institution
  • Account balance or value as of the end of the reportable period
  • Total gross amount of interest, dividends and other income paid or credited during the period
  • For custodial accounts, total gross proceeds from the sale or redemption of financial assets

7. CRS, DAC2 and DAC8 — how they fit together

Regime | Captures | Reportable activity
CRS / DAC2 | Financial accounts held by non-residents | Fiat balances, interest, dividends, asset proceeds
DAC8 | Crypto-asset transactions of EU users | Crypto acquisitions, disposals, transfers
FATCA | Accounts held by US tax persons | Same as CRS, US-only counterparty

An EMI authorised in the EU and serving cross-border customers can be in scope of all three. The customer-due-diligence layers overlap — building one combined onboarding flow is materially cheaper than three separate ones.

8. Penalty regime

Each member state sets its own penalties under the EU “effective, proportionate and dissuasive” standard. Typical structures:

  • Fines per missed return, escalating with delay
  • Fines per misreported account, with caps
  • Director-level fines for systemic failures
  • Loss of CRS-compliant-FFI status (rare in practice but a regulatory tool)

The bigger commercial risk is correspondent-banking relationships: the home bank holding your safeguarding account will ask for evidence of CRS compliance. Failure here is more likely to disrupt the business than the headline fine.

9. FAQ

I’m a pure prepaid-card issuer with pooled customer funds. Am I in scope?

Generally no — pooled prepaid models without individually identifiable account holders typically fall outside the Depository-Institution definition. The classification is fact-specific; document the analysis.

I’m an EMI with named e-wallets. Am I in scope?

Almost certainly yes. Named, individually identifiable e-money accounts function as deposits for CRS purposes regardless of how the legal regime in your home state classifies them.

Does CRS apply to corporate customers?

Yes. Entity account holders trigger different due-diligence: classification of the entity (active NFE, passive NFE, financial institution) and identification of controlling persons for passive entities. The classification rules are detailed; corporate KYC needs to feed CRS.

What if a customer refuses to self-certify?

The firm should treat the account as undocumented and report it accordingly. Some jurisdictions allow account closure as a remediation; others require reporting to the home authority with a flag.

How does CRS interact with GDPR?

CRS is a legal obligation under EU law (DAC2 transposition). The legal basis for processing personal data is Article 6(1)(c) GDPR (compliance with a legal obligation). Customers have GDPR access rights to their reported data.

Do I need to register anywhere as a CRS reporter?

Most jurisdictions require notification to the home tax authority before the first filing. Some have a formal registration; others a simple onboarding step. Check the local guidance.

10. What to do, today

  • Run the entity-classification analysis. Document the conclusion. Refresh on material business-model changes.
  • Audit the onboarding flow against CRS self-certification requirements. Close the gaps.
  • Map your tax-residence collection logic against your home authority’s specific implementation guidance; there are minor differences in TIN-validation rules across member states.
  • If you also hold a CASP authorisation, plan CRS and DAC8 together — the customer-due-diligence layers overlap.
  • Coordinate with your safeguarding-account bank — they will ask for evidence of CRS compliance as part of correspondent-banking due diligence.
