Bermuda’s CRS independent reviews
A shift from compliance to control

Introduction
CRS compliance in Bermuda has entered a new phase with the rollout of Independent Compliance Reviews for selected financial institutions, one that places greater emphasis not just on compliance, but on demonstrable assurance.
The Corporate Income Tax Agency (CITA), as Competent Authority, has now operationalised a structured framework requiring selected Reporting Financial Institutions (RFIs) to undergo independent CRS reviews. While CRS itself is not new, the way Bermuda is enforcing and evidencing compliance represents a notable shift in approach.
At its core, this initiative reflects a broader regulatory evolution: moving from periodic reporting obligations to an expectation of continuous, evidence-backed compliance.
A distinctive Bermuda model
Bermuda’s framework stands out in the global CRS landscape. In most jurisdictions, CRS compliance reviews are conducted directly by the tax authority. In Bermuda, RFIs may instead engage approved independent reviewers to perform these assessments. This creates a hybrid model. Reviews are performed by independent third parties, but remain firmly under regulatory control. Independent reviewers must be formally approved, trained, and remain subject to the oversight of the Competent Authority throughout the lifecycle of the review.
More Important, the regulator retains a high degree of involvement:
- draft reports must be submitted for review and approval before they can be finalised
- the Competent Authority may conduct real-time oversight, including “shadowing” parts of the review process
- completed reviews may be subject to post-audit quality assessments
Taken together, this approach enables scale and flexibility while maintaining consistency and regulatory confidence.


Signals from the current enforcement approach
Several features of Bermuda’s framework provide insight into how CRS enforcement is evolving in practice. RFIs are selected for review based on a combination of risk indicators, such as data quality, reporting history, and business profile, supplemented by random selection.
This dual approach ensures that oversight is not limited to known areas of concern. Even institutions with strong compliance track records may be selected for review, reinforcing the expectation that compliance must be consistently demonstrable across the population.
From outputs to underlying processes
The scope of an independent review is deliberately comprehensive. It goes well beyond verifying submitted CRS filings, requiring detailed assessment of:
- account classification and monitoring processes
- due diligence procedures for both individuals and entities
- reporting systems and data integrity
- governance frameworks and organisational capabilities
Independent reviewers are expected to combine documentary analysis with stakeholder interviews, including discussions with senior management and operational teams.
This reflects a clear shift toward an audit-style methodology: not simply asking whether an institution reported correctly, but whether it can evidence that its processes are designed and operating effectively.


What independent reviews involve in practice
For many RFIs, the depth of these reviews may be greater than expected.
The review process typically includes:
- detailed testing of account populations through random sampling
- validation of self-certifications and supporting documentation
- reconciliation of underlying data to CRS filings
- assessment of how information flows from onboarding systems through to reporting outputs
Sampling rules are clearly defined, with minimum thresholds and requirements for independent selection of accounts, rather than reliance on samples provided by the RFI. The review culminates in a structured report that must:
- document the procedures performed
- present findings across all required compliance areas
- identify any gaps or deficiencies
- be supported by sufficient evidence to enable regulatory validation
In many respects, this mirrors the discipline and documentation expected in an internal audit or assurance engagement.
Governance is now in scope
The explicit inclusion of governance and organisational capability within the review framework signals a broader expectation. Regulators are increasingly interested in:
- how CRS responsibilities are allocated across the organisation
- whether sufficient resources are dedicated to compliance
- how staff are trained and supported
- the extent to which systems are automated versus manual
This elevates CRS from a technical reporting obligation to a core component of an institution’s control environment.


Preparation is no longer optional
With defined timelines, typically requiring completion of the review within 90 days following training, RFIs have limited time to mobilise once a notice is received.
Proactive readiness is therefore critical. Institutions that have already reviewed and strengthened their CRS frameworks are likely to be better positioned to manage the review process efficiently and avoid remediation challenges.
Looking ahead
Bermuda’s approach to CRS compliance reviews may also provide a glimpse into the future direction of international tax transparency regimes.
As the Global Forum continues to focus on the effectiveness of implementation, jurisdictions are under increasing pressure to demonstrate not only that rules are in place, but that they are applied consistently and effectively in practice.
In this context, Bermuda’s model, combining independent execution, strong oversight, and structured quality assurance, offers a compelling framework for scaling regulatory assurance while maintaining credibility.
For financial institutions, the message is clear: the focus of CRS compliance is evolving. The ability to evidence robust processes, governance, and controls is becoming as important as the accuracy of the data reported
Meet our experts: