AEoI, DAC, and Information Exchange: A 2026 Reference

Why the information exchange architecture matters now more than ever

When the OECD published the Common Reporting Standard in 2014, the consensus among private wealth practitioners was that implementation would be slow and enforcement slower still. A decade later, that assessment looks badly wrong. The Global Forum on Transparency and Exchange of Information for Tax Purposes reported in its 2024 peer review cycle that over 113 jurisdictions have activated exchange relationships, with roughly 111 million financial accounts disclosed in the 2023 reporting year alone, covering an estimated EUR 11 trillion in assets. For family offices, this is not a background compliance matter. It is the operational framework within which every custodian relationship, every entity structure, and every cross-border payment now exists.

The architecture consists of two interlocking pillars: the Automatic Exchange of Information standard, known as AEoI, which provides the conceptual and legal basis, and the Directive on Administrative Cooperation sequence within the European Union, known as DAC, which translates that standard into binding EU law and extends it into domains the original OECD framework did not anticipate. Understanding how these two systems interact is the starting point for competent governance in any multi-jurisdictional family office.

AEoI and the Common Reporting Standard in practice

AEoI under CRS requires financial institutions—banks, custodians, certain investment funds, and in many jurisdictions trust companies and family office vehicles themselves—to identify the tax residency of their account holders and controlling persons, then report relevant financial account information to their local tax authority annually. That authority then exchanges the data automatically with the tax authority of each identified residency jurisdiction, provided a bilateral exchange relationship is active.

Entity classification: the first compliance decision

Before any reporting obligation can be assessed, every legal entity in a family structure must be classified under the CRS entity categorisation framework. The primary division is between Financial Institutions (FIs) and Non-Financial Entities (NFEs). FIs are further divided into Reporting FIs, Non-Reporting FIs (including certain trusts and holding companies meeting specific conditions), and Exempt FIs. NFEs are divided into Active NFEs—entities deriving less than 50% of gross income from passive sources and holding less than 50% of assets that produce passive income—and Passive NFEs, which are the residual category covering most family holding companies and asset-holding vehicles.

This classification has direct consequences. A Passive NFE is required to disclose its Controlling Persons to every financial institution at which it holds an account. Controlling Persons are defined broadly: any individual exercising ownership or control, with the standard threshold set at 25% beneficial ownership. In practice, most tier-one private banks apply a 10% threshold, and some Swiss institutions apply a 5% threshold for politically exposed persons, meaning families with complex share structures routinely find that multiple family members are captured across multiple jurisdictions simultaneously.

Entity classification under CRS is not a one-time exercise. A change in asset composition, a new investment, or a restructuring event can shift a vehicle from Active NFE to Passive NFE status mid-year, triggering immediate re-documentation obligations at every institution where the entity holds accounts.

Self-certification and the document lifecycle

The practical entry point into the CRS reporting chain is the self-certification form, which account holders and controlling persons complete at account opening and whenever a change in circumstances occurs. Financial institutions are legally required to obtain a valid self-certification before opening an account, and they must re-request documentation if they have reason to believe the original certificate is incorrect or outdated. In the UK, HMRC's International Exchange of Information Manual makes clear that a financial institution relying on an outdated self-certification following a known change of circumstance faces regulatory sanction irrespective of whether actual under-reporting occurred.

For family offices maintaining accounts across five to fifteen jurisdictions—a common profile for European multi-generational families—this creates a living document management obligation. A family member relocating from Switzerland to Portugal triggers re-certification at every institution holding accounts for entities in which that individual is a controlling person. If the family office has not mapped those relationships in advance, the cascading re-documentation requirement becomes visible only at the point of account review, which is precisely when institutions apply heightened scrutiny.

The DAC sequence: eight directives, one architecture

Within the European Union, the Directive on Administrative Cooperation provides the legal mechanism for information exchange among member states. What began as a relatively narrow instrument in 2011 has been amended seven times, each iteration expanding the scope of mandatory automatic exchange. Understanding the sequence is essential because each DAC layer imposes distinct documentation and reporting obligations that accumulate rather than replace one another.

DAC1 through DAC3: the foundation

DAC1 (Council Directive 2011/16/EU) established the framework for automatic exchange of five categories of income: employment income, director's fees, life insurance products not covered by other directives, pensions, and immovable property. DAC2 (2014) incorporated CRS into EU law, aligning member state obligations with the OECD standard and establishing the annual financial account reporting cycle that institutions now operate under. DAC3 (2015) added mandatory automatic exchange of advance cross-border rulings and advance pricing arrangements, a direct response to the LuxLeaks disclosures of 2014, which revealed that Luxembourg had issued thousands of tax rulings without any mechanism for sharing that information with other affected jurisdictions.

DAC4 and DAC5: country-by-country reporting and beneficial ownership access

DAC4 (2016) implemented BEPS Action 13 within the EU, requiring multinational enterprise groups with consolidated revenues exceeding EUR 750 million to file country-by-country reports disclosing revenues, profits, taxes paid, and employee numbers in each jurisdiction of operation. For family-owned businesses operating at this scale—and a meaningful minority of the families served by large single-family offices fall into this category—DAC4 compliance represents a significant annual reporting obligation with direct implications for BEPS Pillar Two exposure analysis. DAC5 (2016) required member states to give tax authorities access to anti-money laundering information, including beneficial ownership registers, enabling cross-referencing of reported financial account data with known ownership structures.

DAC6: the mandatory disclosure regime that changed deal structuring

DAC6 (Council Directive 2018/822/EU) introduced mandatory disclosure rules for cross-border arrangements with at least one of the hallmarks defined in Annex IV of the directive. Intermediaries—lawyers, accountants, tax advisors, and financial institutions—who design or implement qualifying arrangements must report to their competent authority within 30 days of the arrangement becoming available for implementation, becoming ready for implementation, or the first step being taken, whichever occurs first. Where the intermediary is protected by legal professional privilege, the reporting obligation shifts to the taxpayer.

For family offices, the most operationally significant hallmarks fall into Category C (cross-border arrangements involving deductible cross-border payments between associated enterprises where the recipient is resident in a jurisdiction with a zero or near-zero tax rate) and Category E (arrangements involving non-transparent legal and beneficial ownership chains). A family with a Cayman holding company paying management fees to a Luxembourg entity that in turn pays advisory fees to a UK advisory vehicle will typically trigger at least one Category C or E hallmark, requiring formal arrangement disclosure. The German Finance Ministry's DAC6 guidance, published in 2021, makes explicit that retroactive restructurings of existing arrangements can also trigger new disclosure obligations.

DAC7: platform operator reporting and the family business

DAC7 (2021) extended automatic exchange to digital platform operators, requiring platforms to report seller information and consideration received annually from 2023 onwards. The scope is broader than it appears for family offices: platforms are defined to include any software facilitating property rental, personal services, and sale of goods. Family businesses operating e-commerce channels or rental portfolios through digital intermediaries may find that those platforms are independently reporting transaction data to tax authorities, creating a parallel data stream that must reconcile with the family's own tax filings.

DAC8: crypto-assets and the closing of the last gap

DAC8 (Council Directive 2023/2226/EU), effective from 1 January 2026 with first exchange in 2027, incorporates the OECD's Crypto-Asset Reporting Framework (CARF) into EU law. Crypto-asset service providers (CASPs) regulated under MiCA will be required to report transactions in crypto-assets for EU tax residents, including transfers to non-custodial wallets above EUR 1,000. For family offices holding digital assets directly or through family members' personal accounts, DAC8 closes a reporting gap that has allowed crypto-asset holdings to remain partially invisible to exchange-of-information mechanisms. Families that have structured digital asset holdings assuming non-disclosure should treat 2025 as the last opportunity to align their tax reporting position before exchange begins.

Building a defensible document trail

The cumulative effect of the AEoI and DAC architecture is that tax authorities across 113 jurisdictions are receiving, cross-referencing, and increasingly acting upon financial account data, arrangement disclosures, beneficial ownership records, and platform transaction reports simultaneously. For a family office, the governance response is not to minimise reporting—which is both legally futile and counterproductive—but to ensure that the family's own records match, explain, and contextualise the data that authorities are receiving from third parties.

The four-layer documentation framework

A robust information exchange documentation framework operates on four layers. The first is entity classification records: a maintained register of every legal entity in the family structure, its CRS classification, its FATCA status, and the date on which that classification was last reviewed. The second is controlling person identification files: current self-certifications for every individual who meets the controlling person threshold at any institution, with version control tracking changes of circumstance. The third is arrangement disclosure logs: a chronological record of every cross-border arrangement assessed under DAC6 hallmarks, including the legal analysis supporting a conclusion that no hallmark applies, since a documented non-disclosure decision is far more defensible than silence. The fourth is annual CRS/FATCA reconciliation workpapers: a document reconciling the financial account data reported by institutions on the family's behalf with the family's own tax filings, identifying and explaining any discrepancies before an authority raises them.

This framework is not merely aspirational. Dutch tax authorities (Belastingdienst) have begun issuing information requests that explicitly reference CRS-reported data and ask taxpayers to confirm or explain discrepancies with filed returns. The German Bundeszentralamt für Steuern operates a dedicated CRS processing unit that cross-references incoming exchange data with domestic tax assessments. In both jurisdictions, the penalty for failure to maintain adequate records—independent of any underlying tax liability—can represent a substantial financial exposure. In Germany, administrative penalties for late or incomplete disclosure under the Abgabenordnung can reach 5% of the relevant asset value per year of non-compliance.

The document trail is not about creating paperwork. It is about ensuring that the narrative the family tells about its structure and transactions is the same narrative that 113 tax authorities are receiving independently from banks, custodians, platforms, and intermediaries.

Interaction with BEPS Pillar Two

Family offices operating businesses or investment structures in jurisdictions with effective tax rates below 15% must now consider how DAC and CRS-reported data interacts with Pillar Two qualified domestic minimum top-up tax (QDMTT) obligations. For family-owned groups above the EUR 750 million consolidated revenue threshold, Pillar Two exposure is direct. For smaller structures, the risk is indirect: tax authorities with access to CRS data and country-by-country reports are better positioned to identify arrangements that historically reduced effective tax rates, and they are increasingly using that data to initiate targeted audits rather than broad information requests. The intersection of Pillar Two compliance documentation and DAC4 country-by-country reporting means that the two workstreams should, in practice, be managed by the same team with a shared data set.

Practical priorities for 2025 and 2026

With DAC8 effective from January 2026, the immediate priority for family offices holding crypto-assets is a full inventory of digital asset positions, the custody arrangements under which they are held, and the tax reporting treatment applied to date. For families without current exposure to digital assets, the 2025-2026 window is the appropriate moment to conduct a comprehensive review of entity classifications and controlling person mapping across all custodians, specifically because the expansion of exchange relationships means that jurisdictions that were previously outside the active exchange network—including several Gulf Cooperation Council members that have now activated CRS relationships—are now receiving data. A structure designed in 2018 with reference to the then-current exchange map may be operating under assumptions that no longer hold.

The governance implication is straightforward: information exchange compliance belongs in the family office's formal governance calendar, reviewed annually alongside investment policy and risk reporting. The families that treat AEoI and DAC compliance as a one-time account-opening exercise are the ones most likely to face an uncomfortable letter from a tax authority holding data the family did not know had been exchanged.