Monthly Archives: March 2017

The Treatment of Trusts under the Common Reporting Standard: A Brief Overview

In general, a trust is affected by the Common Reporting Standard (CRS) when it is categorized as either a reporting financial institution (FI) or a non-financial entity (NFE) that maintains a financial account with a reporting FI. Reporting FIs have a duty to report either their “account holders” or the “controlling persons” if their account holders are passive NFEs, as defined by the CRS.

The CRS provides a methodology for its application to a trust. This is summarized in the following five steps that FIs (broadly comprising depositary institutions, custodial institutions, specified insurance companies and investment entities) must follow in order to ensure that the relevant information is collected and reported: (i) identification of the reporting FI; (ii) review of its financial accounts; (iii) identification of its reportable accounts; (iv) application of due diligence rules; and (v) reporting of the relevant information.

This methodology is followed below, firstly in the case of trusts that are FIs and secondly in the case of trusts that are NFEs.

A Trust as a Reporting Financial Institution (FI)

Most often, a trust will be an FI if it has gross income primarily (more than 50%) attributable to investing, reinvesting, or trading in Financial Assets and is managed by another Entity that is an FI. The words “managed by” imply that the FI has some discretionary authority to manage the assets of the trust, either in whole or in part.

In practice the words “primarily attributable to investing…” imply that the gross income attributable to the said activities of the trust should amount to 50% or more of the trust’s gross income during the shorter of:

  1. The three-year period ending on 31 December of the year preceding the year in which the determination is made, or
  2. The period during which the trust has been in existence.

A trust categorized as an FI will qualify as a reporting FI (i.e. it will have reporting obligations in respect of its account holders) if its trustees are resident in one or more participating jurisdictions, provided that these trustees are not a reporting FI themselves. In this latter case, the trustees and not the trust itself are responsible for reporting. Also, a trust categorized as an FI may not be a reporting FI in the case of retirement funds, whether broad- or narrow-participation.

A trust which is a reporting FI will have reporting obligations as far as the account holders or the controlling persons (those who hold the relevant financial accounts) are concerned. Financial accounts are defined by the CRS as “a debt or equity interest” in the trust; whilst “debt interest” is not defined in the CRS, “equity interest” effectively covers the settlors and beneficiaries plus any other natural person exercising ultimate effective control over the trust. This definition is wide enough to additionally cover the trustee(s) and even – somewhat paradoxically – the protector(s). Importantly, a discretionary beneficiary (defined as one who has no right to receive mandatory distributions) will only be treated as an account holder in the years during which it receives discretionary distributions from the trust.

The above financial accounts will be reportable if the debt and equity interests of the trust are held by a person resident in a participating or reportable jurisdiction. The due diligence rules stipulated under the CRS will need to be applied in order to identify the account holders and the jurisdiction in which they are resident. In a case where the account holder is an entity, the trust is required to identify and report the controlling person of this entity and, therefore, appropriate KYC/AML procedures will need to be undertaken.

A trust which is a reporting FI will report the name and identification number of the trust and information about all the reportable persons. This typically comprises their name, address, tax residence, date of birth, tax identification number (TIN) and account number, the account balance (the total value of trust property – nil for discretionary beneficiaries) and any financial activity carried out during the year (value of payments or distributions made in the reporting period).

A Trust as a Non-Financial Entity (NFE)

If a trust is not an FI, it will be an NFE. NFEs are categorised as either active NFEs (e.g. trading trusts or regulated charities) or passive NFEs, depending on their activities.

The account of a trust which is a passive NFE and which has a financial account with a reporting FI will be reportable either if (i) the trust is a reportable person or (ii) the trust has one or more controlling persons that are reportable persons.

In the event of a trust being a reportable person, the reporting FI is required to report the name and identification number of the reporting financial institution plus information about each reportable person (name, address, tax residence, TIN, date of birth and account number). Where a trust is a passive NFE, the reporting FI will report the controlling persons of the trust, as defined above.

For each of the controlling persons, the reporting FI will report the total account balance or value and the gross payments made or credited to their account. In case the financial account held by the trust is closed during the year, the fact of closure and not the financial activity will need to be reported.

A settlor is always reported, irrespective of whether the trust is revocable (i.e. where the settlor has maintained some interest or rights in the trust) or irrevocable. Unlike the case of a trust that is a FI, beneficiaries are also always reported regardless of whether they are mandatory or discretionary. However, reporting FIs may have the option to report discretionary beneficiaries in the year in which they receive distributions from the trust.

Where the controlling persons are themselves entities, the reporting FI must identify the natural persons that are ultimate controlling persons. Only a controlling person resident in a participating jurisdiction – but not the same jurisdiction as the reporting FI – is reported.

The reporting FI must carry out appropriate due diligence measures for AML/KYC purposes in order to determine whether the account held by the trust is reportable.

More detailed guidance is given in “The CRS Implementation Handbook”, published by the Organization for Economic Co-operation and Development (OECD) with a view to assisting in the understanding and implementation of the standard. It is expected that the Cyprus Tax Department (CTD), which has been working for some time on drafting Cyprus-specific CRS provisions, will soon issue its own guidelines.


Michalis Loizou
Manager & Compliance Officer, E. Neocleous Trust Company Limited
Member of the CFA AML & Compliance Affairs Committee

Personal Data Protection: Why All the Fuss?

Data protection has become a major challenge for all kinds of organisations, both private and public, and it is one that needs to be addressed diligently. We now live in an era in which data are collected, stored, processed and used on an unprecedented scale, enabling individuals and organisations alike to carry out their day-to-day functions more efficiently. Therefore, individuals need to protect their privacy and personal data more than ever before.

Personal data relates to any type of personal information that can be used to establish your identity, either directly or indirectly. Examples of personal data are a person’s name, passport number, e-mail address, and place and date of birth. Personal data protection aims to protect the individual from the unauthorised collection and processing of such data.

In Cyprus, the Processing of Personal Data (Protection of Individuals) Law of 2001 transposes the provisions of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In May 2016, a comprehensive package of two EU data protection Acts came into force: the General Regulation (EU) 2016/679 which repeals Directive 95/46/EC (the GDPR) and Directive 2016/680, which applies specific data protection rules in the area of law enforcement. The Regulation will be implemented as of 25 May 2018 and the Directive must be transposed into national legislation by 6 May 2018.

How Are Administrative Service Providers (ASPs) Affected?

In their everyday work, ASPs inevitably collect and process the personal data of employees, clients or other individual business associates. For the purposes of the Processing of Personal Data Law, ASPs processing personal data are considered to be Data Controllers, whose obligations include ensuring that:

  • Personal data is collected for specified and legitimate purposes and that it is not further used for incompatible purposes;
  • This data is necessary and proportional to the purposes of ASPs;
  • Personal data remains accurate and up-to-date and is kept only for the period necessary;
  • The confidentiality and security of the processing are maintained;
  • The Commissioner for Personal Data Protection is notified of the processing of such data;
  • A license is obtained from the Commissioner before any transfer of personal data takes place to third countries outside the EU and the EEA and to countries with an adequate level of protection.[1]

How Do ASPs Ensure Compliance With Current Legislation?

For ASPs that simply collect personal data and keep a register:

  • In these cases, the Commissioner of Personal Data Protection needs to be notified in writing of the keeping of such a register.
    • The form found in Appendix I must be used for this purpose and all the details required on the form must be provided.
  • For ASPs that, in addition to the keeping of a register as identified above, process data due to the nature of their work outside the EU or EU equivalent countries (e.g., providing passport copies of individuals for the opening and managing of a bank account),
    • They must apply to the Commissioner of Personal Data Protection for the granting of a licence.
    • The form found in Appendix II must be used for this purpose and all the details required on the form must be provided.
    • A separate application needs to be made if the data is to be transferred to the USA. The form found in Appendix II is used.
    • The license will usually only be granted if the Commissioner considers that the countries ensure an adequate level of protection for the individuals.
  • A fee of €42.50 per application is payable to the Commissioner once permission is granted. The license has an expiry date, upon which a renewal application needs to be filed, accompanied by the fee of €42.50.
  • In cases where the personal data of employees is being transmitted by the ASP, the ASP can request the employee’s consent, although this consent may not be accepted in court in the course of legal action. (Please refer to Appendix III for a specimen consent form.)
  • It is also recommended that ASPs include special clauses on personal data protection in their employment contracts for new recruits, thus removing the need for written consent. Similar clauses can be also included in Customer Services agreements or engagement letters for new customers.

Your Rights As An Individual

The Law grants individuals the following rights (amongst others):

  • The right to know that your personal data is being processed;
  • The right of access to your personal data;
  • The right to correct your personal data;
  • The right to file a complaint with the Commissioner for Personal Data Protection.

The current Commissioner for Personal Data Protection is Mrs Irene Loizidou Nicolaidou. She may be contacted at:

1, Iasonos Street, 1082 Nicosia
P. O. Box 23378, 1682 Nicosia
Tel: (+357) 22818456
Fax: (+357) 22304565

[1] According to the European Commission, the EU equivalent countries are the following: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

Appendix 1

Appendix 2

Appendix 3


The information provided in this paper is for general guidance. While the author has made every attempt to ensure the accuracy of the information, the CFA and the author are not responsible for any errors or omissions, or for the results obtained from any action taken on the basis of this paper. For a more detailed provision of the law, please refer to “The Processing of Personal Data (Protection of the Individuals) Law 138(I) 2001”.


Maria Hadjivassiliou
Compliance Director, First Names (Cyprus) Ltd
Member of the CFA AML & Compliance Affairs Committee