Understanding OECD Peer Review Processes: What governments need to know about AEOI, EOIR, CARF and FHTP reviews — and what is at stake.

International tax transparency is not self-enforcing. The frameworks that require jurisdictions to collect and exchange tax information — the Common Reporting Standard, the Exchange of Information on Request standard, the Crypto-Asset Reporting Framework, and the Substantial Activities requirements under the Base Erosion and Profit Shifting Inclusive Framework — are only as effective as the peer review processes that hold jurisdictions accountable for implementing them. Understanding how those reviews work, what they assess, and what a weak rating actually means in practice is essential for any government navigating this space.

This post sets out the structure of the OECD Global Forum peer review process, the working groups responsible for each review, the ratings framework, and the consequences of poor performance.

Who oversees international tax transparency?

The Organisation for Economic Co-operation and Development (OECD), through the Global Forum on Transparency and Exchange of Information for Tax Purposes and the Forum on Harmful Tax Practices (FHTP), is responsible for monitoring, reviewing, and assisting jurisdictions in implementing international standards.

The mandate traces back to the G20 following the 2008 financial crisis: create global standards that make it significantly harder to hide assets offshore. The result was a suite of interlocking frameworks — each addressing a different dimension of the same problem. EOIR addresses direct requests between tax authorities. CRS mandates the automatic exchange of financial account information. FATCA, the US equivalent of CRS, operates in parallel. CARF extends the automatic exchange architecture to crypto-assets. And the FHTP's Substantial Activities requirements address profit-shifting by ensuring entities in no or nominal tax jurisdictions demonstrate genuine economic activity.

These are not voluntary guidelines. They carry real consequences for jurisdictions that fail to implement them effectively — reputational damage, financial sector restrictions, and potential placement on the EU list of non-cooperative jurisdictions for tax purposes.

Which working groups carry out peer reviews?

The Global Forum's peer review work is carried out through two dedicated working groups.

The AEOI Peer Review Group (APRG) oversees effectiveness reviews of the Common Reporting Standard and is responsible for agreeing the final ratings published in each jurisdiction's AEOI review report. The Peer Review and Monitoring Group (PRMG) performs the equivalent function for Exchange of Information on Request, managing the third round of EOIR reviews and ongoing enhanced monitoring of jurisdictions under observation.

Both groups operate under the authority of the Global Forum membership and are composed of peer jurisdiction representatives — meaning it is ultimately jurisdictions themselves, not the OECD Secretariat alone, that determine review outcomes and ratings. This matters. The deliberative process involves the assessment team, the relevant working group, and the broader membership before a rating is finalised. Reviewed jurisdictions receive draft reports before publication and have an opportunity to respond to findings, provide clarifications, and make formal interventions. Understanding this process — and engaging with it effectively — can meaningfully influence outcomes.

The review frameworks

Automatic Exchange of Information — AEOI (CRS)

The second round of AEOI effectiveness reviews is currently underway across all Global Forum member jurisdictions. Unlike the first round, which focused primarily on whether the legal and administrative framework was in place, the second round assesses whether that framework is actually working — whether compliance and enforcement activities are identifying non-compliant entities, whether the data being exchanged is complete and accurate, and whether the overall system is producing a genuine deterrent effect.

The review process is rigorous. It involves detailed questionnaire responses, peer input from exchange partner jurisdictions on data quality and exchange statistics, an onsite visit by a Global Forum assessment team, and a final report with a published rating agreed by the APRG and the Global Forum membership.

Exchange of Information on Request — EOIR

EOIR is the longest-established international tax transparency standard, predating the automatic exchange frameworks by more than a decade. The Global Forum's EOIR peer review process — now in its third round under the oversight of the PRMG — assesses whether jurisdictions can respond to information requests from treaty partners in a timely, complete, and legally sound manner.

The third round places particular emphasis on issues that have proven persistently problematic: availability and accessibility of beneficial ownership information, adequacy of accounting records, and timeliness of responses to requesting authorities. Enhanced monitoring applies to jurisdictions that have demonstrated improvement from a prior weak rating but remain under observation.

Crypto-Asset Reporting Framework — CARF

CARF is the OECD's newest tax transparency standard, requiring jurisdictions to collect and automatically exchange tax-relevant information on crypto-asset transactions. Developed in response to the rapid growth of the crypto-asset market and its potential use as a vehicle for tax evasion, CARF mirrors the architecture of CRS and is scheduled to begin its first exchanges in 2027. Effectiveness reviews have not yet commenced, but jurisdictions are already expected to have exchange mechanisms in place, a supporting legal framework, and adequate confidentiality and data safeguards ahead of that date.

Substantial Activities — FHTP

The Forum on Harmful Tax Practices assesses the implementation of Substantial Activities requirements across all no or only nominal tax jurisdictions under Action 5 of the BEPS Inclusive Framework. Particular emphasis is currently being placed on verification activities — including onsite audits of holding companies — classification issues surrounding entities that claim to be out of scope, and enforcement actions for identified non-compliance. Information on entities that fail to meet the requirements is exchanged spontaneously with jurisdictions that have opted in to receive it.

How are ratings determined?

Ratings are determined through a structured deliberative process and published in final peer review reports. The four-point scale applies to both AEOI and EOIR reviews.

Compliant: No material deficiencies identified. For EOIR, this rating may be granted even where minor recommendations were issued, provided no material deficiencies were found.

Largely Compliant: One or more material deficiencies identified that are likely to have limited impact in practice. For EOIR, the standard is implemented to a large extent but improvements are needed.

Partially Compliant: One or more material deficiencies with a significant impact identified. For EOIR, at least one material deficiency has had or is likely to have a significant effect on exchange of information in practice.

Non-Compliant: One or more material deficiencies with fundamental impact identified. For EOIR, fundamental deficiencies in implementation have been identified.

The target for any jurisdiction is Largely Compliant or above. Anything below that triggers consequences — and the lower the rating, the more serious those consequences become.

What are the consequences of a weak rating?

A rating of Partially Compliant or Non-Compliant is not an administrative finding. It carries material implications for the jurisdiction and, by extension, for its financial sector.

The most significant near-term risk is placement on the EU list of non-cooperative jurisdictions for tax purposes. The FHTP's process is directly linked to this list — where a jurisdiction is urged to address a deficiency (as opposed to merely encouraged), the likelihood of EU listing increases substantially. For financial centres, EU listing creates immediate friction with European counterparties and can prompt de-risking by global correspondent banks.

Beyond EU listing, weak ratings attract heightened scrutiny from international bodies, increased compliance requirements imposed by partner jurisdictions, and a remediation burden that consumes significant government resource. Enhanced monitoring status — applied to jurisdictions that have improved from a prior weak rating but remain under observation — also carries reputational weight, signalling to the market that the jurisdiction's compliance position remains unresolved.

Critically, deficiencies identified in one review process frequently intersect with another. Weaknesses in beneficial ownership frameworks affect both EOIR and AEOI reviews. Legal framework gaps identified under EOIR are considered as jurisdictional context in AEOI assessments. Addressing these issues in isolation — without a coordinated cross-framework view — risks resolving one finding while inadvertently exposing another.

Common implementation pitfalls

Across multiple review cycles and jurisdictions, certain issues recur with enough consistency to be worth identifying explicitly.

Gaps in the legal framework or in beneficial ownership and accounting records are the most fundamental. Where legislation does not meet the standard, the review will reflect it — and no volume of operational activity will offset a structural legal deficiency.

Operational resource constraints are consistently underestimated. A jurisdiction must demonstrate that its human and IT resources are adequate and appropriate given the size and complexity of its financial sector. That assessment is made relative to the jurisdiction — a small island jurisdiction is not held to the same absolute standard as a major financial centre — but the resources deployed must be defensible.

Lack of documented compliance verification and enforcement activities is a recurring finding. Demonstrating effective implementation requires evidence of regular compliance activity — both thematic and comprehensive reviews — and a credible penalty regime that deters non-compliance. Penalties that exist on paper but are rarely applied do not satisfy the standard.

Poor documentation of operational strategies and guidance material causes avoidable problems. Assessment teams expect risk assessments, compliance strategies, and internal policies to be documented and periodically reviewed. Many jurisdictions have this material in some form, but it is fragmented, outdated, or inaccessible to the assessment team when needed.

A note on the process

One thing that is often underappreciated by jurisdictions approaching a peer review for the first time is that the process is genuinely deliberative. The assessment team produces a draft report. The jurisdiction responds. Factual errors can be corrected. Context can be provided. Findings can be contested where the evidence supports a different conclusion. The final rating reflects that process — which means preparation, engagement, and the quality of a jurisdiction's submissions matter.

This is not a process where the outcome is fixed before the review begins. It is one where thorough preparation, accurate documentation, and well-considered responses to draft findings can, and regularly do, influence the result.

Craig Thomas is a co-founder of 3Rock Consulting and a former Head of Compliance at the Cayman Islands Department for International Tax Cooperation. He has served as an AEOI assessor on four second-round Global Forum peer reviews, was nominated to the AEOI Peer Review Group (APRG) by the Asia-Pacific Regional Group, and represented the Cayman Islands as a competent authority delegate at the OECD Global Forum.