Executive summary

On 3 November 2025, the Luxembourg tax administration published an updated set of FAQs regarding the Common Reporting Standard (CRS) as implemented in Luxembourg by the Law of 18 December 2015 (CRS Law).

The revised FAQs recommend that Reporting Financial Institutions, as defined in Appendix I, Section VIII of the CRS Law, notify the Luxembourg tax administration of any changes in their CRS status before 30 June of the year following the change. Additionally, the update clarifies the information that must be documented in the record of steps, reminds taxpayers of their record-keeping obligations under the CRS Law and outlines which types of audits may be conducted by the tax administration.

Note too that the draft law transposing into Luxembourg law the European Union's (EU) Directive 2023/2226 of 17 October 2023 (DAC8) is presently going through the legislative process. DAC8 will reinforce requirements for CRS and introduce the Crypto Assets Reporting Framework (CARF). With adoption anticipated before the end of 2025 and an effective date of 1 January 2026, all affected stakeholders should proactively assess and initiate the necessary adaptations to ensure full compliance with the forthcoming requirements.

The tax authorities have intensified their scrutiny of compliance and reporting obligations. Noncompliance with legal requirements under CRS, CARF or other exchange of information provisions may result in substantial monetary penalties.

Updated FAQ topics

Notification of entity status changes

Reporting Financial Institutions should notify the Luxembourg tax administration of any change in their status that affects their reporting obligations by 30 June of the year following the change, the deadline for the CRS reporting.

The updated FAQs further advise that entities should provide evidence confirming that the new status was communicated in due time to the relevant financial intermediaries, typically by renewing or amending self-certification forms. A key objective of this recommendation is to ensure that the status change does not result in non-reporting for reportable persons during the applicable tax year.

Record-keeping requirements

Article 2 of the CRS Law requires Reporting Financial Institutions to maintain any evidence relied upon in fulfilling the reporting and due diligence procedures prescribed by the CRS Law.

The FAQs clarify that the record-keeping obligation covers:

1. Client files, including the valuation of financial positions held by account holders
2. The record of steps undertaken
3. Written procedures and policies
4. Copies of all submitted CRS reports (i.e., initial submission, addition of data, cancellation and correction of data) and feedback from the tax administration
5. Any other supporting evidence necessary to prove the proper execution of reporting and due diligence procedures

When due diligence and/or reporting obligations are outsourced, Reporting Financial Institutions must review the service provider's work and retain evidence of both the provider's activities and the institution's oversight.

Record keeping and data processing are to be performed in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and European Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of this data (General Data Protection Regulation).

Record of steps undertaken

The updated FAQs provide information on the record of steps undertaken. Because the law does not prescribe a specific format, the FAQs recommend that the record document concrete actions carried out during the relevant tax year, rather than merely outlining general procedures.

Examples of actions to be maintained in the record of steps include:

• Update of procedures and policies
• Strategic decisions that may impact CRS
• Issues and attention points identified or reported by internal controls, internal or external audits, as well as implemented corrections
• Any exception identified at the review of account holder classification, due diligence or acceptance and review of self-certification forms
• Incidents observed upon the preparation and submission of reports, as well as related corrections
• Comments and requests received from individuals after sending the yearly notification prior reporting
• Training related to CRS activities offered to the employees
• List of controls and outcome of oversight performed on third-party service provider

Audits conducted by the tax administration

The tax administration performs three types of audits:

1. Classification audits aim to identify, generally through an information request, Luxembourg Financial Institutions within the meaning of the CRS Law.
2. Thematic audits generally take the form of requests for information on a specific issue identified over one or more fiscal years relating to due diligence and/or reporting procedures.
3. In-depth audits seek to assess compliance with all due diligence, reporting and record-keeping obligations of one or more Luxembourg Financial Institutions.

An entity selected for an in-depth review will receive a written request from the tax administration to provide, typically within six weeks, a list of documents (including written policies and procedures, a description of the IT systems and the record of steps undertaken) and a list of financial accounts held (declared, non-declared and excluded) during the period under review (which generally covers three years).

The audit process commences with a preliminary meeting, followed by interview sessions to discuss the entity's governance framework and to assess the effective and adequate implementation of due diligence, reporting and record-keeping obligations in the context of CRS and the Foreign Account Tax Compliance Act (FATCA) (see the Law of 24 July 2015 approving FATCA). The information-gathering phase of the in-depth review concludes with an on-site review — lasting two to four weeks — of client files and IT systems used in the effective implementation of obligations under the FATCA and CRS laws.

Upon completion of the information-gathering phase, the entity will receive for review and comment an initial conclusion report summarizing the observations made by the tax administration. The audit concludes with a letter of recommendation, including any actions to be taken.

New information in the FAQs on audits demonstrates that one can expect increased scrutiny from the Luxembourg tax administration. As per CRS Law, if an audit reveals that a Reporting Financial Institution has not fulfilled its legal obligations, it may be subject to a fine of up to €250k. Additionally, if a Reporting Financial Institution fails to report any information on reportable accounts or reports amounts lower than required, the penalty can be increased by up to 0.5% of the unreported amounts for the affected reportable accounts.

DAC8: CRS extension and Crypto Assets Reporting Framework

The draft law introducing national provisions to transpose DAC8 into Luxembourg tax law is currently going through the legislative process. It is expected to be adopted this year with an entry into force on 1 January 2026.

Among other things, the reporting requirements under CRS have been expanded to include reporting the role(s) in which the reportable person is a "controlling person." In light of this, Reporting Financial Institutions will need to evaluate the extent to which they possess such information or to actively request it from their clients. Reporting Financial Institutions will also need to report (1) whether valid self-certification has been provided for each reportable person, (2) whether the account is a joint account including the number of joint account holders, (3) the type of account and (4) whether the account is a preexisting or new account.

The draft law also introduces specific registration, due diligence and reporting duties on Crypto-Asset Service Providers and Crypto-Asset Operators, as defined in Section III of the Appendix to the draft law, and extends the automatic and mandatory exchange of information on income derived from life insurance products and on certain advance cross-border rulings granted to individuals.

With the 1 January 2026 deadline approaching, affected stakeholders should initiate a timely assessment of required changes in customer onboarding and communication processes, as well as compliance and operations processes, and begin implementation efforts as soon as possible. For Reporting Financial Institutions, substantial CRS data uplift requirements will likely need to be met to comply with reporting changes and new data elements. Crypto-Asset Service Providers should assess the provisions of the draft law in a holistic manner to discern the impact on their business models and governance.

For a detailed overview of the draft law provisions, see EY Global Tax Alert, Luxembourg to transpose DAC8, extending automatic information exchange on crypto assets, life insurance income, tax rulings for individuals and digital currencies, dated 19 August 2025.

Implications

In light of the stringent requirements, managing risks related to automatic exchange of information is key. As stakeholders gain more experience, tax authorities' scrutiny also intensifies. Affected financial institutions, investment funds, insurance companies and service providers should therefore assess their compliance with the more detailed requirements and initiate the necessary adaptations to their data collection and handling processes.