© 2026 Macro Global. All Rights Reserved.
Traverse the article
HMRC’s 29 April 2026 update to the International Exchange of Information Manual is not the kind of regulatory change that looks dramatic at first sight.
There is no wholesale rewrite of CRS. No new filing deadline. No major change to the XML schema for the May 2026 submission.
But for Financial Institutions preparing their CRS return, the update still matters.
HMRC has made two CRS-relevant changes that reporting teams should pay close attention to. The first is an update to the CRS reportable jurisdiction list. The second is a set of penalty-related updates, including how penalties are applied and how due diligence failures are treated for Preexisting and New Accounts. HMRC lists these under its 29 April 2026 amendments as Reportable Information: Reportable Jurisdictions, Compliance: Penalties, and Penalties for Failure to Apply Due Diligence Procedures.
From a CRS/FATCA reporting consultant’s perspective, the message is straightforward: this is not just a list update. It is a test of whether a firm’s reporting process can respond to regulatory change close to deadline without losing control of the file, the evidence trail or the final reporting position.
That is where many institutions still have work to do.
What HMRC Changed in the Reportable Jurisdiction List
For the 2026 reporting year, in respect of 2025 reportable accounts, HMRC has updated the list of jurisdictions whose tax residents must be reported by Financial Institutions under CRS.
The practical change is clear: Cameroon and Morocco have been removed from the list for reporting to HMRC in May 2026. HMRC says reports sent by Financial Institutions should therefore not include financial accounts held by tax residents of Cameroon or Morocco.
That is the immediate operational point.
If the CRS file has not yet been finalised, firms should check whether any account holders or controlling persons with Cameroon or Morocco tax residency are sitting in the May 2026 reportable population. Where they are, those records should be removed from the submission, the XML regenerated, and the revised file validated before filing.
HMRC has also recognised the timing problem. The change has come close to the 31 May reporting deadline. HMRC says some Financial Institutions may already have compiled their files and may not be able to remove those accounts in time. In that situation, firms should not delay reporting to HMRC. HMRC says it will remove the Cameroon and Morocco data before exchange with reportable jurisdictions. (GOV.UK)
That point is important. HMRC is giving firms a practical route through a late-cycle change. But that should not be mistaken for a reason to leave the decision undocumented.
A firm that cannot remove the records before submission should still keep a clear record of what happened: when the update was identified, how many records were affected, why removal was not feasible before deadline, which HMRC guidance was relied on, and who approved the decision to proceed.
The filing may be operationally acceptable. The process still needs to be defensible.
Do Not Remove Cameroon and Morocco From the Wrong Places
There is another detail in HMRC’s wording that firms should not overlook.
HMRC says that although Cameroon and Morocco are not Reportable Jurisdictions for the 2026 reporting year, arrangements with those jurisdictions remain in place.
That means this is not a blanket instruction to strip Cameroon and Morocco out of every CRS-related process.
The change applies to the May 2026 reporting scope to HMRC. It does not mean firms can disregard tax residency information, due diligence records, self-certifications or controlling person data connected to those jurisdictions.
That distinction matters more than it may seem.
In practice, firms need to separate two things:
- First, reportable population logic.
This determines whether an account is included in the May 2026 CRS XML file. - Second, due diligence and tax residency data management.
This determines whether the firm continues to capture, retain and review tax residency information correctly.
A well-run CRS process should be able to make that distinction cleanly. A weaker process often cannot. If jurisdiction rules are maintained in spreadsheets, local lookup tables or undocumented manual adjustments, a two-country change can easily create confusion: what changed, where it changed, who changed it, and whether the final XML reflects the latest HMRC position.
This is why jurisdiction scope should be treated as controlled regulatory configuration, not just a reference table.
The Real Issue: Can the Firm Prove What it Did?
The removal of Cameroon and Morocco is narrow. The control implications are not.
A jurisdiction update can affect account inclusion, controlling person reporting, review queues, validation outcomes and final XML generation. It can also affect internal sign-off, especially where the file has already been compiled.
A strong CRS/FATCA process should be able to answer some basic questions without a scramble:
- When did we identify the HMRC update?
- Which records were affected?
- Had the XML already been generated?
- Was the file regenerated after the change?
- If not, why not?
- Did we document HMRC’s instruction not to delay reporting?
- Who signed off the final position?
These are not “nice to have” governance questions. They are the questions that show whether the reporting process is controlled or merely dependent on people remembering what to fix at the end of the cycle.
That is the consultant’s view of this update. The problem is not that Cameroon and Morocco are difficult to remove. The problem is that late-cycle regulatory changes expose how fragile some reporting processes still are.
A firm may get the XML submitted on time. That does not automatically mean it can evidence the process behind the submission.
HMRC’s Latest CRS Update Is Really a Test of Reporting Governance
Financial Institutions need stronger visibility across due diligence, validation, exception management, and reporting workflows.
The Penalty Update Changes the Conversation
The second part of HMRC’s update is about penalties.
HMRC’s Compliance: Penalties guidance says the International Tax Compliance Regulations 2015 set out penalties where a Reporting Financial Institution fails to comply with due diligence, record-keeping, reporting, notification and registration obligations. HMRC also makes an important point: penalties are not applied automatically. HMRC will consider the facts and circumstances, including whether there is a reasonable excuse. If there is a reasonable excuse, no penalty will be charged; otherwise HMRC may consider mitigation.
That wording matters.
HMRC is not saying every error will result in a penalty. But it is making clear that CRS/FATCA compliance is wider than producing an XML file. The surrounding process matters: due diligence, records, reporting accuracy, notifications, registration, evidence and reasonable care.
HMRC also states that the revised penalty framework introduced by the International Tax Compliance Amendment Regulations 2025 applies to failures occurring on or after 16 July 2025. Its example makes clear that the timing of the underlying failure matters, not simply the date on which an amended return is later submitted.
That is an important operational point.
If a reporting issue is discovered in 2026, the firm still needs to ask when the underlying failure happened. Was it a 2026 reporting issue? Or did it originate earlier through onboarding, classification, self-certification handling, tax residency review or remediation?
That is where penalty analysis starts to become a control review, not just a filing review.
Due Diligence Exceptions are not Harmless Backlog
HMRC’s updated guidance on Penalties for Failure to Apply Due Diligence Procedures deserves close attention from CRS and FATCA teams.
HMRC says Reporting Financial Institutions must carry out due diligence for all Account Holders to determine their jurisdiction or jurisdictions of tax residence. A penalty of up to £100 for each Account Holder or Controlling Person may apply where the required due diligence procedures have not been carried out. Where the failure is to obtain a valid self-certification required by CRS or FATCA, the penalty may be up to £300 for each Account Holder or Controlling Person. These penalties apply to failures occurring on or after 16 July 2025.
That should make firms look again at their exception queues.
A missing self-certification is not just an admin gap.
An unresolved tax residency conflict is not just a data-quality issue.
An incomplete controlling person record is not just an onboarding defect.
Each one can affect reportability, accuracy and the firm’s ability to show reasonable care.
HMRC also gives important nuance on Preexisting and New Accounts. For Preexisting Individual Accounts, HMRC says the penalty for failing to obtain a valid self-certification does not apply, because CRS and FATCA due diligence procedures do not require self-certifications for those accounts. But for certain Preexisting Entity Accounts and Controlling Persons, where the due diligence rules require self-certification and the failure occurs on or after 16 July 2025, a penalty may apply. (GOV.UK)
For New Accounts, HMRC says that where, exceptionally, a Reporting Financial Institution opened a New Account between 1 January 2016 and 15 July 2025 and failed to obtain a valid self-certification, a penalty under regulation 22A(2) will not apply. But HMRC also says a penalty for inaccurate or incomplete reporting may apply for returns submitted after 16 July 2025, for example where account holders are reported without a TIN or correct tax residence, or incorrectly excluded because a valid self-certification was absent. (Refer to GOV.UK)
That is the point firms should take away: do not apply blanket assumptions.
The question is not, “Do we have self-certifications for everyone?”
The better question is, “Where do the CRS/FATCA rules require a valid self-certification, and can we prove that we handled those cases correctly?”
That is a very different standard.
Inaccurate or Incomplete Reporting Remains a Live Risk
HMRC’s inaccurate or incomplete returns guidance also remains relevant.
HMRC says Reporting Financial Institutions must report complete and accurate information. A penalty of up to £100 for each Account Holder or Controlling Person may be charged where incorrect or incomplete information is provided and the inaccuracy or incompleteness is deliberate, due to a failure to take reasonable care, or discovered later without reasonable steps being taken to inform HMRC.
This should be read carefully alongside the Cameroon and Morocco update.
Where an FI cannot remove Cameroon and Morocco records before the 31 May 2026 deadline, HMRC has provided a practical route: do not delay reporting, and HMRC will remove the data before exchange. The firm should still document its impact assessment, operational constraint and reliance on HMRC’s guidance.
That distinction is important. The issue is not that HMRC has created a penalty trap for firms that cannot remove the data in time. HMRC has clearly provided a practical position. The issue is that firms still need to show how they handled the update.
HMRC also says that where a Reporting Financial Institution might otherwise be liable to more than one penalty for the same act or omission, it will not receive more than one penalty for that same act or omission. HMRC will apply the penalty it considers appropriate in the circumstances. (Refer to GOV.UK)
Again, the focus is on the underlying facts.
What Financial Institutions Should do Now
Financial Institutions preparing or reviewing the May 2026 CRS submission should take a practical, evidence-led approach.
- Check the reporting population
Identify whether any account holders or controlling persons with Cameroon or Morocco tax residency are included in the May 2026 CRS reportable population. - Remove records where there is still time
Where the file has not been finalised, remove the affected records from the May 2026 submission, regenerate the XML and rerun validation checks. - Do not delay reporting where removal is not feasible
If the file has already been compiled and removing the records would risk missing the deadline, follow HMRC’s guidance and do not delay reporting. But document the decision properly. - Update the jurisdiction matrix carefully
Do not simply delete Cameroon and Morocco from every CRS workflow. Update the jurisdiction matrix to reflect the May 2026 reporting position while preserving the fact that arrangements with those jurisdictions remain in place. - Review due diligence exceptions
Use the penalty update as a reason to review missing or invalid self-certifications, unresolved tax residency indicators, incomplete TINs, entity classification issues and controlling person records. - Keep evidence of reasonable care
Reasonable care should not depend on memory. Firms should keep review notes, configuration logs, exception reports, validation results, approval records and submission evidence. - Reassess the reporting framework
A CRS/FATCA process that relies on spreadsheet fixes and last-minute manual adjustments will always be difficult to defend. Firms should assess whether their reporting framework can absorb regulatory updates, validate data, manage exceptions and preserve evidence without turning every reporting cycle into a clean-up exercise.
This is where a governed platform can help. Macro Global’s CRS Stride is positioned as an HMRC CRS & FATCA reporting solution that supports end-to-end reporting control, data management, audit checks, self-certification workflows, validation and XML file preparation.
The point is not that technology replaces regulatory judgement. It does not.
The point is that regulatory judgement needs a controlled operating model behind it: clean data, configurable reporting rules, validation, workflow, review evidence and audit trail.
Consultant’s View: This is a Control Event, Not a List Update
This HMRC update is narrow, but it is revealing.
It shows whether a firm can respond to a late regulatory change without losing sight of the reporting population, the XML position and the evidence trail. It also comes alongside penalty guidance that puts renewed emphasis on due diligence, self-certification, accurate reporting and reasonable care.
A strong FI response should look calm and structured:
- Identify the update;
- Assess affected records;
- Remove data where feasible;
- Document reliance on HMRC guidance where removal is not feasible;
- Review due diligence exceptions;
- Validate the final output;
- Retain evidence.
A weak response looks different. It relies on spreadsheet edits, individual judgement, unclear ownership and a final file that may be submitted on time but is hard to explain later.
That is the real risk.
Final Takeaway
HMRC’s April 2026 CRS update gives Financial Institutions two clear messages.
First, Cameroon and Morocco should not be included in the May 2026 CRS submission to HMRC where they can be removed in time. Where removal is not feasible without delaying submission, HMRC has said firms should not delay reporting and that HMRC will remove the relevant data before exchange.
Second, the penalty updates reinforce the importance of due diligence, self-certification, accurate reporting and evidence of reasonable care. CRS/FATCA compliance is not just about generating an XML file. It is about being able to explain and evidence the process that produced it.
The best response is not simply to update a list.
The best response is to strengthen the CRS/FATCA reporting framework behind the submission.
For firms still relying on manual workarounds, fragmented data and late-stage remediation, this is a good moment to step back and ask a harder question:
Can we defend the file — or can we only submit it?
In CRS/FATCA reporting, that distinction matters more every year.
FAQs
What changes did HMRC introduce in the April 2026 CRS update?
HMRC removed Cameroon and Morocco from the May 2026 CRS reporting scope and updated guidance around penalties, due diligence obligations, self-certifications, and reporting accuracy requirements.
Do firms still need to retain tax residency and due diligence records for Cameroon and Morocco?
Yes. Although Cameroon and Morocco are no longer reportable for the May 2026 CRS submission, firms must still maintain relevant tax residency, due diligence, and self-certification records linked to those jurisdictions.
What should Financial Institutions do if Cameroon or Morocco records are already included in the CRS XML file?
Where possible, firms should remove the records and regenerate the XML file before submission. If removal is not feasible before the filing deadline, HMRC says firms should still submit on time and retain evidence supporting the decision.
Why are HMRC’s latest CRS penalty updates important for Financial Institutions?
The updated guidance reinforces that CRS compliance is not only about submitting the XML file. Firms must also demonstrate reasonable care through accurate reporting, proper due diligence, valid self-certifications, and audit-ready evidence.
What evidence should firms retain to demonstrate defensible CRS reporting?
Financial Institutions should retain validation results, review notes, approval records, exception reports, and documentation showing how reporting decisions and regulatory changes were managed during the reporting cycle.
Strengthen Your CRS/FATCA Reporting Framework
CRS Stride helps Financial Institutions improve HMRC CRS & FATCA reporting through stronger data validation, self-certification support, exception management, XML preparation and audit-ready evidence.
Reporting Accuracy Depends on More Than the Final XML File
Firms need controlled reporting processes that can absorb regulatory updates without disrupting compliance oversight or audit readiness.
Related Resources
CASE STUDY
CRS Compliance: Re-engineering Bank’s Approach on Data Orchestration
BLOG