Sub-Custodian Networks and CRS: Mapping Liability for Incomplete Reporting in Global Custody Chains
The global custody industry processed over $182 trillion in cross-border assets under administration in early 2026, with nearly 94% of those assets held through multi-tiered sub-custodian networks. The OECD’s Common Reporting Standard (CRS) now spans more than 120 jurisdictions, and the latest peer review data from the Global Forum on Transparency and Exchange of Information for Tax Purposes indicates that custody chain reporting deficiencies remain the second most frequent cause of non-compliance findings. For global custodians, the question is no longer whether CRS obligations extend through the custody chain—it is how far liability reaches when a sub-custodian’s reporting fails.
The regulatory expectation has shifted decisively. Tax authorities in the United Kingdom, Germany, and Australia have issued public enforcement actions in the past eighteen months where incomplete CRS filings were traced directly to sub-custodian data gaps. This article maps the precise contours of that liability, examining delegated due diligence, the legal architecture of sub-custody agreements, and the practical steps global custodians must take to insulate themselves from reporting failures deep in the custody chain.
The Architecture of Sub-Custodian CRS Obligations
A global custodian rarely holds client assets directly in every market. Instead, it appoints a network of sub-custodians—local banks, central securities depositories, or regional custodians—that maintain the actual custody accounts. Under the CRS framework, the Reporting Financial Institution is the entity that maintains the Financial Account for the Account Holder. When a global custodian contracts with a sub-custodian, the legal question becomes: who maintains the account for CRS purposes?
The OECD CRS Commentary, updated in 2025, clarifies that a global custodian remains the Reporting Financial Institution even when it uses a sub-custodian to hold assets, provided the contractual relationship with the end investor sits with the global custodian. The sub-custodian typically holds a pooled omnibus account in its own name, with the global custodian as its client. This means the sub-custodian generally has no direct CRS reporting obligation vis-à-vis the underlying investors. However—and this is where liability crystallises—the global custodian cannot report accurately unless the sub-custodian provides complete and correct account-level data, including income, gross proceeds, and account balance information.
The Pooled Account Problem
When a sub-custodian holds assets in a pooled omnibus account, the income and sale proceeds flow through that single account. The sub-custodian may only provide the global custodian with aggregate figures. The global custodian must then allocate those amounts to individual underlying investors. If the sub-custodian’s tax withholding or income classification is incorrect at source, the global custodian’s CRS reporting becomes inaccurate by extension. The OECD’s 2026 implementation handbook explicitly states that reliance on a sub-custodian does not relieve the Reporting Financial Institution of its obligation to ensure the accuracy of reported information. This principle—that delegation is not abdication—forms the bedrock of sub-custodian CRS liability.
Delegated Due Diligence: Where the Liability Chain Begins
CRS due diligence requires Financial Institutions to identify reportable accounts, determine the tax residence of account holders, and collect the relevant financial data. For a global custodian operating across forty or fifty markets, performing this due diligence directly in each jurisdiction is operationally impractical. The natural response is to delegate certain due diligence functions to the sub-custodian. This delegation, however, carries significant legal risk.
The CRS framework permits reliance on service providers for due diligence procedures, but the Commentary is unequivocal: the Reporting Financial Institution remains ultimately responsible for compliance. In 2025, the Swiss Federal Tax Administration issued guidance confirming that a Swiss-based global custodian was liable for reporting gaps caused by a Southeast Asian sub-custodian’s failure to identify U.S. indicia on certain accounts, even though the sub-custodian had contractually agreed to perform those checks. The Swiss authority reasoned that the global custodian had failed to verify the sub-custodian’s procedures adequately before relying on them.
Contractual Protections and Their Limits
Most global custody agreements include indemnity clauses whereby the sub-custodian agrees to bear the cost of penalties arising from its own errors or omissions. In practice, enforcing these indemnities is fraught with difficulty. The sub-custodian may be a small local bank with limited capital. The penalty may be imposed in a jurisdiction where the sub-custodian has no assets. Even where recovery is possible, the reputational damage to the global custodian—which faces direct scrutiny from its home regulator and the tax authorities of its clients’ jurisdictions—cannot be indemnified away.
A more robust approach involves contractual audit rights. Leading global custodians now insist on the right to conduct annual CRS-specific audits of their sub-custodians’ systems, data extraction processes, and reporting outputs. These audits go beyond standard SOC 1 or ISAE 3402 reports, which focus on internal controls over financial reporting. A CRS-specific audit examines whether the sub-custodian’s tax classification logic, income characterisation rules, and account balance calculations align with the CRS schema requirements of the global custodian’s reporting jurisdiction.
Jurisdictional Divergence in CRS Reporting Standards
One of the most persistent challenges in sub-custodian networks arises from the fact that CRS is implemented through local law in each participating jurisdiction. While the OECD provides model rules and a standardised schema, domestic variations are common. A sub-custodian in Market A may classify certain investment vehicles as Non-Reporting Financial Institutions under its local CRS regulations, while the global custodian’s home jurisdiction in Market B classifies the same vehicles as Passive Non-Financial Entities subject to full reporting.
This divergence creates a data translation problem. The sub-custodian provides information based on its own domestic CRS classification rules. The global custodian must then map that information onto its own reporting framework. In 2026, the OECD’s CRS Schema version 3.0 introduced additional validation fields designed to flag such classification mismatches, but the responsibility for resolving them remains with the Reporting Financial Institution.
The Look-Through Obligation
Where the sub-custodian holds assets through a chain of intermediaries—a local custodian, a central securities depository, and a registrar—the global custodian’s CRS obligations may require looking through each layer. Consider a global custodian that uses a regional sub-custodian in Hong Kong to hold shares in a Singapore-incorporated company. The regional sub-custodian, in turn, uses a local custodian in Singapore. The Singapore company pays dividends. For CRS purposes, the global custodian must report the dividend income paid to each underlying account holder. This requires accurate dividend data to flow from the Singapore company, through the local custodian, through the regional sub-custodian, to the global custodian. A single break in the data chain renders the entire reporting incomplete.
The OECD’s 2026 peer review methodology now specifically examines whether jurisdictions require Reporting Financial Institutions to document their full custody chains and assess CRS compliance at each tier. Jurisdictions that do not impose such requirements risk a downgrade in their Global Forum rating, which in turn can trigger defensive filing obligations from counterparty jurisdictions.
Systemic Gaps: Technology, Data Standards, and Human Error
Beyond legal and contractual issues, sub-custodian CRS reporting is vulnerable to systemic operational gaps. Many sub-custodians, particularly in smaller markets, operate legacy custody systems that were not designed with CRS data extraction in mind. Their systems may capture income at the omnibus account level but lack the functionality to attribute income to specific underlying investors in the format required by the global custodian.
Data standards present another layer of complexity. The global custodian may require data in ISO 20022 format with specific CRS extension fields. The sub-custodian may only be able to provide data in a proprietary flat-file format that does not map cleanly to the CRS schema. The resulting manual reconciliation process introduces a high risk of error. A 2025 survey by a major custody industry association found that 38% of global custodians had identified at least one material CRS reporting error in the preceding year that originated from a sub-custodian’s data formatting issue.
Corporate Actions and Income Reclassification
Corporate actions pose a particular risk. When a sub-custodian processes a corporate action—a stock split, a return of capital, a scrip dividend—it must classify the resulting payment or distribution for tax purposes. This classification directly affects CRS reporting. A return of capital, for instance, may be reportable as a gross proceeds event rather than dividend income. If the sub-custodian misclassifies the corporate action, the global custodian’s CRS report will mischaracterise the payment to the account holder. In 2026, with interest rates remaining elevated and corporate restructuring activity high, the volume of complex corporate actions has increased, amplifying this risk.
Regulatory Enforcement: The Shifting Landscape in 2026
Tax authorities have moved beyond issuing guidance and are now actively penalising CRS reporting failures. The United Kingdom’s HM Revenue & Customs issued 14 penalties for CRS non-compliance in the 2025 calendar year, with the largest single penalty exceeding £1.2 million. At least five of those cases involved sub-custodian reporting deficiencies that the global custodian failed to detect and correct before filing.
The Australian Taxation Office has taken a particularly assertive stance. In a 2026 compliance update, the ATO stated that it would hold Australian-based global custodians strictly liable for CRS errors originating from their sub-custodian networks, regardless of whether the sub-custodian was located in a jurisdiction with weaker regulatory oversight. The ATO’s position reflects a broader international trend: tax authorities are increasingly treating the global custodian as the guarantor of CRS accuracy throughout the custody chain.
Criminal Exposure for Wilful Blindness
Most CRS penalty regimes include both civil and criminal provisions. Civil penalties typically apply to negligent or careless errors. Criminal liability generally requires wilful conduct or recklessness. The critical question for global custodians is whether a pattern of ignoring known sub-custodian reporting gaps could constitute wilful blindness—a legal doctrine under which a defendant who deliberately avoids confirming a fact can be treated as having knowledge of that fact.
In 2025, a German court upheld a criminal conviction against a senior compliance officer at a mid-sized custodian bank who had received multiple internal audit reports flagging sub-custodian data quality issues but had taken no corrective action. The court found that the officer’s failure to act, combined with the bank’s continued CRS filings, amounted to reckless misrepresentation. While this case involved a domestic custodian rather than a global network, the legal principle applies with equal force to global custody chains.
Mitigation Strategies: Building a Defensible CRS Framework
Given the liability risks, global custodians must implement a structured framework for managing sub-custodian CRS compliance. This framework rests on four pillars: contractual governance, operational controls, audit and testing, and regulatory engagement.
Contractual Governance
Standard sub-custody agreements are no longer sufficient. Global custodians should negotiate CRS-specific schedules that define the sub-custodian’s obligations in granular detail. These schedules should specify the exact data fields required, the format and frequency of data delivery, the classification rules to be applied, and the sub-custodian’s obligation to notify the global custodian of any changes in local CRS regulations that could affect reporting. The schedule should also include service level agreements with defined accuracy thresholds and remediation timelines.
Critically, the agreement should grant the global custodian a direct right of action against the sub-custodian for CRS penalties incurred as a result of the sub-custodian’s failure, with the governing law and dispute resolution mechanism chosen to maximise enforceability. Some global custodians are now requiring sub-custodians to carry professional indemnity insurance that specifically covers CRS-related liabilities.
Operational Controls
On the operational side, global custodians should implement a data validation layer between the sub-custodian’s data feed and their own CRS reporting engine. This validation layer should run automated checks on incoming data, including reconciliation of income totals against independent market data sources, verification of tax classification codes against a centralised rules engine, and flagging of missing or anomalous data points. The validation layer should generate a data quality score for each sub-custodian on each reporting cycle, allowing the global custodian to identify deteriorating performance before it causes a reporting failure.
Audit and Testing
Annual CRS-specific audits of high-risk sub-custodians are essential. These audits should test the sub-custodian’s systems against a defined set of CRS control objectives, including the accuracy of account holder classification, the completeness of income data extraction, and the correct application of look-through rules. The audit scope should be risk-based, with sub-custodians in jurisdictions with weak regulatory oversight or complex local CRS rules subject to more intensive scrutiny.
In addition to sub-custodian audits, global custodians should conduct end-to-end testing of their own CRS reporting process at least annually. This testing should trace a sample of transactions from the underlying issuer through the entire custody chain to the final CRS report, verifying that each data transformation point preserves accuracy and completeness.
Regulatory Engagement
Proactive engagement with tax authorities can mitigate penalty risk. Where a global custodian identifies a sub-custodian reporting gap that has caused historical CRS errors, voluntary disclosure to the relevant tax authority is often the most prudent course. Most jurisdictions operate voluntary disclosure programmes that reduce or eliminate penalties for taxpayers who come forward before an audit begins. The key is to make the disclosure before the tax authority detects the error through its own data-matching processes.
Global custodians should also participate in the OECD’s CRS consultative processes and industry working groups. These forums provide advance notice of schema changes, peer review findings, and emerging best practices. In 2026, the OECD launched a dedicated workstream on custody chain reporting, signalling that this issue is a priority for international tax policymakers.
FAQ
If a sub-custodian in a non-CRS jurisdiction holds assets on behalf of a global custodian, does the global custodian still have CRS reporting obligations?
Yes. The global custodian’s CRS obligations are determined by its own jurisdiction’s implementation of CRS, not the sub-custodian’s jurisdiction. Even if the sub-custodian is located in a jurisdiction that has not adopted CRS—of which there were approximately 12 significant financial centres as of mid-2026—the global custodian must still report on the accounts it maintains for its clients. The global custodian must obtain the necessary income and balance data from the non-CRS sub-custodian through contractual means. If the sub-custodian cannot or will not provide the data, the global custodian faces a difficult choice: either find an alternative custody arrangement in that market or file incomplete reports and accept the resulting liability exposure.
What is the typical penalty range for CRS reporting failures attributable to sub-custodian errors?
Penalty regimes vary significantly by jurisdiction, but 2026 data indicates that civil penalties for material CRS errors typically range from €5,000 to €1.5 million per reporting period, depending on the severity, the number of accounts affected, and whether the error was negligent or intentional. The United Kingdom’s penalty framework, for example, imposes a base penalty of £300 to £5,000 per account for careless errors, with higher penalties for deliberate failures. Where a sub-custodian error affects thousands of accounts across multiple reporting periods, the aggregate penalty can be substantial. In addition to financial penalties, tax authorities in at least eight jurisdictions now publish the names of Financial Institutions that have been penalised for CRS non-compliance, creating significant reputational risk.
How can a global custodian verify that its sub-custodian is correctly applying CRS classification rules to complex corporate actions?
Verification requires a multi-layered approach. First, the global custodian should maintain a centralised corporate actions classification matrix that maps common corporate action types to their correct CRS treatment under the global custodian’s home jurisdiction rules. Second, the global custodian should require sub-custodians to provide detailed corporate action notices that specify the tax classification applied. Third, the global custodian should run automated checks comparing the sub-custodian’s classification against the centralised matrix, flagging any discrepancies for manual review. Fourth, the global custodian should conduct periodic sample-based testing, pulling the original corporate action documentation from the issuer or market infrastructure and tracing it through the sub-custodian’s processing to the final CRS report. This testing should cover at least 50 corporate action events per sub-custodian per year, with a focus on complex events such as returns of capital, scrip dividends with cash alternatives, and reorganisations involving multiple tax jurisdictions.
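The automated comparison in the third step, combined with the validation layer and data quality score described under Operational Controls, can be sketched as follows. This is an added example, not code from any custodian or from the OECD; the field names, matrix entries, tolerance and scoring formula are all assumptions made for illustration.

```python
"""Added illustration: validate one sub-custodian feed before CRS reporting.
Field names, matrix entries, tolerance and score formula are assumptions."""
from collections import defaultdict
from decimal import Decimal, InvalidOperation

REQUIRED = ("account_id", "event_id", "event_type", "crs_class", "amount", "currency")

# Hypothetical centralised matrix: corporate action type -> expected CRS treatment
# under the global custodian's home rules (constructed entries, not OECD guidance).
MATRIX = {
    "CASH_DIVIDEND": "DIVIDEND",
    "SCRIP_DIVIDEND": "DIVIDEND",
    "RETURN_OF_CAPITAL": "GROSS_PROCEEDS",
    "BOND_COUPON": "INTEREST",
}

def validate_feed(records, independent_totals, tolerance=Decimal("0.01")):
    """Return (findings, score) for one sub-custodian's reporting cycle.

    findings: list of (record index or None, reason); None marks an event-level gap.
    score: percentage of records with no finding (assumed quality metric).
    """
    findings, allocated, by_event = [], defaultdict(Decimal), defaultdict(list)
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if missing:
            findings.append((i, "MISSING:" + ",".join(missing)))
            continue
        try:
            amount = Decimal(rec["amount"])
        except InvalidOperation:
            findings.append((i, "BAD_AMOUNT"))
            continue
        expected = MATRIX.get(rec["event_type"])
        if expected is None:
            findings.append((i, "UNKNOWN_EVENT_TYPE"))  # route to manual review
        elif rec["crs_class"] != expected:
            findings.append((i, f"CLASS_MISMATCH:{rec['crs_class']}!={expected}"))
        allocated[rec["event_id"]] += amount
        by_event[rec["event_id"]].append(i)
    # Reconcile per-investor allocations against an independent total per event.
    for event_id, ref in independent_totals.items():
        if event_id not in allocated:
            findings.append((None, "NO_USABLE_DATA:" + event_id))
        elif abs(allocated[event_id] - ref) > tolerance:
            findings.extend((i, "RECON_BREAK:" + event_id) for i in by_event[event_id])
    flagged = {i for i, _ in findings if i is not None}
    score = round(100 * (1 - len(flagged) / len(records)), 1) if records else 0.0
    return findings, score

# Constructed sample feed: one misclassified return of capital, one missing amount.
SAMPLE_FEED = [dict(zip(REQUIRED, row)) for row in [
    ("A1", "EV1", "CASH_DIVIDEND", "DIVIDEND", "600.00", "SGD"),
    ("A2", "EV1", "CASH_DIVIDEND", "DIVIDEND", "400.00", "SGD"),
    ("A1", "EV2", "RETURN_OF_CAPITAL", "DIVIDEND", "250.00", "SGD"),
    ("A3", "EV3", "BOND_COUPON", "INTEREST", "", "SGD"),
]]
SAMPLE_TOTALS = {"EV1": Decimal("1000.00"), "EV2": Decimal("250.00"), "EV3": Decimal("75.00")}

if __name__ == "__main__":
    for finding in validate_feed(SAMPLE_FEED, SAMPLE_TOTALS)[0]:
        print(finding)
```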
References
- OECD, “Common Reporting Standard Implementation Handbook,” Second Edition, OECD Publishing, Paris, 2026. This handbook provides the most current OECD guidance on CRS due diligence and reporting obligations, including a dedicated chapter on custody chain arrangements and the responsibilities of Reporting Financial Institutions that rely on sub-custodians.
- Global Forum on Transparency and Exchange of Information for Tax Purposes, “Peer Review of the Automatic Exchange of Financial Account Information: 2026 Update,” OECD, Paris, 2026. This report summarises the findings of the Global Forum’s peer reviews of CRS implementation across participating jurisdictions, with specific attention to deficiencies in custody chain reporting identified during the review cycle.
- HM Revenue & Customs, “Compliance Bulletin: Common Reporting Standard Penalties and Enforcement Outcomes for the 2025 Calendar Year,” HMRC, London, 2026. This bulletin provides detailed statistics on CRS penalties issued by HMRC, including case summaries of enforcement actions arising from sub-custodian reporting failures.
- Australian Taxation Office, “CRS Compliance Approach: Global Custodians and Sub-Custodian Networks,” ATO, Canberra, 2026.