Common Reporting Standards and Data Protection
CRS enables automatic annual exchange of financial account information between tax jurisdictions to curb tax evasion. This article explains Kenya’s CRS framework and the data protection obligations and risks that come with cross-border transfer of personal data.
Author: Masara Gecheo
- Rachier & Amollo LLP, Mayfair Center 5th Floor
Article Overview
This insight explains the Common Reporting Standard (CRS) framework for the automatic annual exchange of financial account information between tax jurisdictions, and then examines how CRS intersects with Kenya’s data protection obligations. It outlines the Kenyan CRS legal framework, the categories of reportable persons and accounts, and the specific personal data that reporting financial institutions must collect and submit for onward exchange.
The article then highlights the confidentiality safeguards expected under OECD guidance and Kenya’s Data Protection Act, and flags practical compliance questions such as who bears data controller or processor obligations, when a data protection impact assessment is required, and what must be proven to lawfully transfer personal data outside Kenya.
Key takeaways
- What CRS is: an OECD standard (first issued in 2014 and later updated) for the automatic annual exchange of financial account information between tax jurisdictions, without the need for a prior request.
- Kenya’s CRS legal basis: implemented through Section 6B of the Tax Procedures Act and the Tax Procedures (Common Reporting Standards) Regulations, 2023.
- Who reports: Reporting Financial Institutions (RFIs) identify reportable persons and reportable accounts, file returns with the Commissioner, and the information is exchanged with participating jurisdictions.
- What data is exchanged: includes identifying details for individuals, entities, controlling persons (where relevant), plus account balance or value and related account information.
- Data protection relevance: CRS involves cross-border exchange of personal data, so collection, processing, and disclosure must align with Kenyan data protection principles.
- Confidentiality is central: OECD guidance emphasises confidentiality and limited use of exchanged information, with sanctions for intentional or accidental disclosures.
- Three safeguards highlighted: proper legal framework, information security management practices, and compliance monitoring with sanctions for breaches.
- Practical hurdles raised: uncertainty on who is the data controller vs processor in CRS reporting, who must conduct data protection impact assessments, and who must prove safeguards for cross-border transfers under Kenyan law.
- Bottom line: CRS supports tax compliance, but the institutions involved must assign responsibilities clearly so accountability for data rights violations can be determined.
About the author
Masara Gecheo is an Associate at Rachier & Amollo LLP. In this insight, she analyses CRS implementation in Kenya and the data protection compliance issues that arise when personal financial data is collected and exchanged across borders.