Ad.

1. The Action 13 Report introduced a three-tiered approach to transfer pricing documentation, consisting of a master file containing standardised information relevant for all members of a multinational group; a local file referring specifically to material transactions of the local taxpayer; and a Country-by-Country Report (CbC Report) containing certain information relating to the global allocation of the group’s income and taxes, together with indicators of the location of economic activity within the group (CbCR information).
2. Where Country-by-Country Reporting (CbC Reporting) applies, the ultimate parent entity (UPE) of a group with annual consolidated group revenue equal to or higher than EUR 750 million (or near equivalent in domestic currency as of January 2015) in the preceding fiscal year is required to file a CbC Report on behalf of the group with its local tax authority. The deadline for filing the CbC Report is by no later than 12 months after the last day of the group’s reporting fiscal year. A jurisdiction may set an earlier filing deadline than this, but this is not required or recommended. The tax authority with which the CbC Report is filed will exchange the CbC Report with the tax authority in other
   jurisdictions where the group has operations, under bilateral or multilateral tax treaties or tax information exchange agreements (TIEAs) that permit the automatic exchange of information. This is subject to conditions, including the jurisdictions having a legal framework for CbC Reporting in place and meeting conditions concerning confidentiality, consistency and the appropriate use of CbCR information. Implementation of CbC Reporting is one of the four minimum standards within the Base Erosion and Profit Shifting (BEPS) Action Plan, and will be implemented by all jurisdictions that are members of the OECD Inclusive Framework on BEPS.
3. The terms of CbC Reporting are described in the Action 13 Report, which is supplemented by guidance on specific elements of the design, operation and implementation of the regime. In addition, Annex IV to Chapter V of the Action 13 Report includes an implementation package to assist countries, which includes a model for domestic legislation, a model multilateral competent authority agreement (CAA) for jurisdictions exchanging CbC Reports under the Convention on Mutual Administrative Assistance in Tax Matters (the Multilateral Convention) and model bilateral CAAs for jurisdictions exchanging CbC Reports under Double Tax Conventions (DTCs) or TIEAs. The model multilateral CAA was used as the basis for the OECD CbC multilateral CAA (the multilateral CAA), which is used by many countries to operationalise the automatic exchange of CbC Reports. It is not required that jurisdictions use these models in implementing CbC Reporting, but they are useful reference tools to ensure key elements are covered in a consistent manner. Elements of these instruments are described in this guidance.
4. The ability of a jurisdiction to obtain and use CbC Reports is conditional upon it using CbCR information appropriately. This condition is described in paragraphs 25 and 59 of the Action 13 Report, and is given effect through Article 6(1) of the model legislation and paragraph 2 of Section 5 of the multilateral and model bilateral CAAs. For these purposes, appropriate use is restricted to: high level transfer pricing risk assessment, assessment of other base erosion and profit shifting related risks, economic and statistical analysis, where appropriate.
5. The Action 13 Report includes two paragraphs which clarify what would not be considered appropriate use. This text is substantially repeated in Section 5 of the multilateral and model bilateral CAAs (“the information in the Country-by-Country Report should not be used as a substitute for a detailed transfer pricing analysis of individual transactions and prices based on a full functional analysis and a full comparability analysis. The information in the Country-by-Country Report on its own does not constitute conclusive evidence that transfer prices are or are not appropriate. It should not be used by tax administrations to propose transfer pricing adjustments based on a global formulary apportionment of income” -Paragraph 25- and “Jurisdictions should not propose adjustments to the income of any taxpayer on the basis of an income allocation formula based on the data from the Countryby-Country Report. […] This does not imply, however, that jurisdictions would be
   prevented from using the Country-by-Country Report data as a basis for making further enquiries into the MNE’s transfer pricing arrangements or into other tax matters in the course of a tax audit -Paragraph 59-).
6. It is therefore clear that information contained in CbC Reports may be used for high level transfer pricing risk assessment, but should not be used by itself as a basis for proposing changes to transfer prices or adjusting a taxpayer’s income using global formulary apportionment. However, there is nothing to prevent a tax authority from using CbCR information in planning a tax audit or as the basis for making further enquiries, into the group’s transfer pricing arrangements or other tax matters, in the course of an audit. There is no commitment that these enquiries must relate specifically to potential risks identified through the use of CbCR information. For example, CbCR information may be used as the basis for making enquiries into tax matters identified using other data sources or arising during the course of a tax audit. The OECD Forum on Tax Administration has prepared a handbook to support tax authorities in making effective use of CbCR information for the purposes of tax risk assessment.
7. The Action 13 Report does not contain guidance with respect to the ability of tax authorities to use information in CbC Reports for assessing other BEPS-related risks or for economic and statistical analysis. CbCR information may be used for economic and statistical analysis, where appropriate (e.g. such use is not appropriate where it is not permitted under the relevant tax convention or TIEA) but no other details on this are provided. The Action 13 Report also does not define the term “BEPS-related risks”.
8. The introduction to the February 2013 Report Addressing Base Erosion and Profit Shifting (the BEPS Report, OECD 2013) refers to the challenge faced by countries as “planning aimed at shifting profits in ways that erode the taxable base to locations where they are subject to a more favourable tax treatment”. The report goes on to state that: “While the specific goals will vary among MNEs, in particular with respect to companies headquartered in different jurisdictions, broadly speaking BEPS focuses on moving profits to where they are taxed at lower rates and expenses to where they are relieved at higher rates. Specific strategies may also be put in place to make use of existing “tax attributes” such as tax credits, loss-carry forwards, etc. These generic goals are often achieved in a way that aligns with the overall management of the treasury operations of the group, e.g. in terms of cash management, management of foreign exchange risks and efficient repatriation strategies”.
9. The BEPS Report gives a number of examples of how tax rules in place at the time could be used to achieve low or no taxation, based around existing rules on jurisdiction to tax, transfer pricing, the tax treatment of debt and anti-avoidance rules. These include the use of a low-taxed branch of a foreign company, hybrid entities, hybrid financial instruments, conduit companies, the use of derivatives to avoid withholding taxes, and profit shifting using the contractual allocation of risk and the pricing of intangibles.
10. The Action Plan on Base Erosion and Profit Shifting (the BEPS Action Plan,
    OECD 2013), released in July 2013, does not change this broad definition of BEPS, but identifies actions needed to address BEPS and the methodology to implement those actions. A number of the 15 Action Items set out in the BEPS Action Plan target specific arrangements (e.g. hybrid mismatch arrangements in Action 2 and treaty abuse in Action 6),
    but this is not the case for all of the Action Items. However, taken together and implemented consistently, the 15 Action Items represent a comprehensive response to the BEPS risks faced by countries, by improving coherency and transparency in the international tax system, and ensuring that the location of a group’s taxable profit corresponds with the location of its substantial economic activity.
11. Thus, consistent with the BEPS Report, the term “assessment of other BEPS-related risks”, should be understood to refer to the high level assessment of tax risks that may result in the erosion of a country’s tax base. In practice, while CbC Reports may be used to identify indicators of possible tax risk, it will usually only be possible to understand the arrangements giving rise to that risk once further enquiries have been conducted. It remains key that CbCR information should be limited to use in risk assessment and as a basis for making further enquiries in the course of a tax audit (and economic and statistical analysis, where appropriate). In the same way that CbCR information on its own does not constitute conclusive evidence that transfer prices are not appropriate, it also does not constitute conclusive evidence that a group is engaged in other forms of BEPS.
12. The Action 13 Report includes a number of consequences for a jurisdiction resulting from non-compliance, or possible non-compliance with the appropriate use condition, which are given effect through the model CAAs where these are used in implementing CbC Reporting. (I) Appropriate use as a condition for receiving and using CbC Reports. (II) A commitment by competent authorities to disclose breaches of appropriate use, to the Co-ordinating Body Secretariat (for exchanges pursuant to the multilateral CAA) or other competent authority (for exchanges pursuant to the model bilateral CAAs). (III) A commitment by competent authorities to promptly concede inappropriate adjustments in competent authority proceedings. (IV) The ability of competent authorities to temporarily suspend exchange of CbC Reports following consultation in cases of non-compliance.
13. In addition, there is a serious risk that inappropriate use of CbC Reports could result in entities being issued incorrect tax assessments. Appropriate use as a condition to receiving and using CbC Reports
14. Paragraph 56 of the Action 13 Report describes the appropriate use of CbCR information as one of three conditions underpinning the obtaining and use of CbC Reports (together with confidentiality and consistency). The appropriate use condition is given effect through paragraph 2 of Section 5 of the multilateral and model bilateral CAAs. This provides that information received by means of the CbC Report will be used for assessing high-level transfer pricing, base erosion and profit shifting related risks, and, where appropriate, for economic and statistical analysis.
15. Under the recitals to the multilateral and model bilateral CAAs, jurisdictions indicate that they have, or expect to have, in place by the time the first exchange of CbC Reports takes place, appropriate safeguards to ensure that information received is used for the purposes of assessing high-level transfer pricing risks and other BEPS-related risks, as well as for economic and statistical analysis, where appropriate. Further, under paragraph 1(d) of Section 8 of the multilateral CAA, a jurisdiction’s competent authority must provide notification to the Co-ordinating Body Secretariat “that it has in place the necessary legal framework and infrastructure to ensure […] the appropriate use of the
    information in the CbC Reports”. As such, tax authorities will not exchange CbC Reports until this condition is met and, under the multilateral CAA, until such notification has been provided. Similarly, under the Action 13 minimum standard, a jurisdiction may not require a CbC Report to be submitted by an entity that is not the UPE of its group (also referred to as local filing), unless that jurisdiction satisfies the appropriate use condition and the other conditions for local filing in the Action 13 Report are met. Where a jurisdiction imposes local filing in circumstances that are not permitted under the Action 13 Report, this will be identified during the jurisdiction’s peer review evaluation.
16. The multilateral and model bilateral CAAs provide at paragraph 3 of Section 5 that, to the extent permitted under applicable law, a competent authority will notify the Co-ordinating Body Secretariat (where exchange occurs pursuant to the multilateral CAA) or the other competent authority (where exchange occurs pursuant to the model
    bilateral CAAs) immediately of any cases of non-compliance with respect to the appropriate use condition (as well as the conditions of confidentiality and consistency), together with any remedial actions and measures taken in respect of the non-compliance. Where this notification is made to the Co-ordinating Body Secretariat, the Secretariat will notify all competent authorities which have an exchange relationship under the multilateral CAA with the competent authority that provided notice of the noncompliance.
17. The appropriate use condition does not permit a tax authority to make an adjustment to the income of any taxpayer on the basis of a global formulary apportionment of income based on the data from the CbC Report. All adjustments should be supported by appropriate documentation. Paragraph 59 of the Action 13 Report further provides that: [jurisdictions] will further commit that if such adjustments based on Countryby-Country Report data are made by the local tax administration of the jurisdiction, the jurisdiction’s competent authority will promptly concede the adjustment in any relevant competent authority proceeding.
18. Paragraph 2 of Section 5 of the multilateral and model bilateral CAAs implements this commitment and extends it to cover competent authority proceedings concerning any adjustment made in non-compliance with the appropriate use condition.
19. Section 8 of the multilateral and model bilateral CAAs makes it clear that any non-compliance with the appropriate use condition will be considered “significant noncompliance”. Where a competent authority determines that there is or has been significant non-compliance in another jurisdiction, it may temporarily suspend the exchange of CbC
    Reports by giving notice in writing. This determination may, for example, be based upon the outcomes of a jurisdiction’s peer review evaluation of appropriate use, building on the objective criteria contained in this guidance. However, in any case, before suspending the exchange of CbC Reports, the competent authority should consult with the competent
    authority in the other jurisdiction on whether significant non-compliance has occurred.
20. CbC Reports contain aggregated data on the location of a group’s income, taxes and business activities by jurisdiction. They also list the main business activities for each constituent entity in the group. Where a group includes more than one entity in a jurisdiction, its CbC Report does not contain detailed information on a particular entity’s income and expenditure or transactions it has entered into with third parties or related parties. CbC Reports do not include information on risk allocations between entities in a group and do not describe the functions performed or the assets employed by these entities. Therefore, while the information contained in a CbC Report can be valuable in indicating potential risks for further investigation, this is not sufficient by itself to allow a tax administration to draw reliable conclusions as to the precise fact pattern that gives rise to those risk indicators. Therefore, where a tax authority proposes tax adjustments based solely on information contained in a CbC Report, there is a significant risk that these adjustments will be based on inaccurate assumptions. This could result in an incorrect tax assessment being issued, and possibly double taxation if this cannot be corrected.
21. As a checklist, a jurisdiction should be able to answer yes to six basic questions, or should expect to be able to do so before the first exchange of CbC Reports takes place.
    • Do the multilateral and/or bilateral competent authority agreements. Concerning CbC Reporting signed by your jurisdiction include the appropriate use of information contained in CbC Reports, as a condition of obtaining and using CbC Reports?
    • Does your tax authority have a clear written policy in place governing the use of CbC Reports, including guidance on appropriate use?
    • Is this policy effectively communicated to all staff likely to have access to CbC Reports in the course of their work?
    • Is the use of CbC Reports controlled or monitored to ensure appropriate use, which may include:
      i) imposing restrictions on access to CbC Reports, and/or
      ii) ensuring that appropriate use is adequately evidenced?
    • Is guidance or training provided to appropriate tax authority staff in your jurisdiction that clearly sets out their commitments:
      i) to notify the Co-ordinating Body Secretariat (for exchanges
      pursuant to the multilateral CAA) or other competent authority (for exchanges pursuant to the model bilateral CAAs) immediately of any cases of non-compliance with the appropriate use condition;and
      ii) to promptly concede any competent authority proceeding that involves a tax adjustment using an income allocation formula
      based on CbCR information?
    • Are there measures in place to ensure controls are reviewed and updated as required, and the outcomes of these reviews documented?
22. Although all jurisdictions should be able to answer yes to these questions, or expect to be able to do so before the first exchange of CbC Reports take place, jurisdictions may differ in the specific measures and controls they implement, depending upon, among other things, the model for risk assessment adopted. For example, in terms of monitoring the use of CbCR information, a tax authority that operates a centralised model with a specialised risk assessment team may place significant reliance on controls over access to CbC Reports or may place greater emphasis on requirements for tax adjustments to be fully documented and subject to review to ensure that CbCR information has not been used inappropriately. On the other hand, controls over access to CbCR information are less likely to provide comfort as to appropriate use where a tax authority operates a de-centralised model with risk assessments conducted within tax compliance teams. In this case, greater reliance may be placed on measures to ensure that tax adjustments are fully documented and supported. There is no restriction under Action 13 to prevent a jurisdiction from allowing tax compliance staff access to CbC Reports, so long as information contained in the reports is used appropriately and kept confidential in accordance with the applicable tax convention or TIEA.
23. This section includes a description of some of the measures jurisdictions may implement in order to be able to answer yes to each of the above questions, as examples. In practice, jurisdictions may be able to rely on existing policies and procedures (such as those concerning current tax risk assessment processes, the handling of information exchanged under tax conventions and TIEAs, or the management of transfer pricing cases), and it will simply be a case of ensuring that CbCR information is covered by these. In general, where a tax authority currently has robust processes in place to ensure that tax adjustments are supported by a thorough tax audit including consideration of all available data, it is expected that the additional steps required to ensure compliance with
    the appropriate use condition (e.g. to put in place written procedures on the use of CbCR information and to ensure CbC Reports are covered by existing security measures) should be reasonably modest. A policy to ensure the appropriate use of CbCR information may be further supported where the tax authority ensures that relevant taxpayers in the
    jurisdiction (i.e. entities in large corporate groups) are aware of this policy, enabling them to recognise and report cases of possible non-compliance. Nothing in this section is intended to prevent tax authorities using intelligence obtained from CbC Reports for the purposes of planning tax audits or other compliance actions, or as a basis for making
    further enquiries to taxpayers or to other tax authorities. Further enquiries directed to another tax authority must meet the foreseeable relevance standard.
24. Although the Action 13 Report contains a description of the commitment by jurisdictions to use CbCR information appropriately, in practice the commitment and the consequences of non-compliance will be contained in the multilateral and bilateral CAAs used by a jurisdiction for exchanging CbC Reports. For example, the commitment that use of information will be limited to “assessing high-level transfer pricing risk, base erosion and profit shifting risks and, where appropriate, for economic and statistical analysis” is set out in paragraph 2 of Section 5 of the model bilateral CAAs in the implementation package.
25. In order to ensure that the appropriate use condition is implemented effectively, it is important that jurisdictions include this condition within the CAAs they use for CbC Reporting. This condition is included in the multilateral CAA now signed by many jurisdictions. Where a jurisdiction uses bilateral CAAs, it should include in the CAAs it negotiates the same condition on appropriate use, as well as the same consequences from non-compliance. This may be supported by operational and administrative measures such as those detailed elsewhere in this guidance.
26. A jurisdiction’s tax authority should have a written policy in place setting out clearly that CbCR information must only be used for appropriate purposes, including a description of what is meant by appropriate use. This could be set out in a separate policy document or, for example, added to existing guidance on the use of transfer pricing documentation.
27. To help staff in understanding and interpreting this policy, tax authorities should consider including more detailed explanations and examples as to what would be considered appropriate use and/or what would not be considered appropriate. The policy may also include guidance as to what staff should do if they have questions regarding appropriate use or if they suspect CbCR information has been used inappropriately.
28. Tax authority staff likely to have access to CbC Reports in the course of their work should be aware of the restrictions on use of CbCR information under domestic law and commitments under CAAs, while being positively encouraged to use information contained in CbC Reports within the scope of these restrictions. This may be done for example by including the tax authority’s written policy in a manual which is provided to staff when they first have access to CbC Reports, but which is also readily available to all staff, as well as on a relevant page of the tax authority’s intranet site. A reminder of this policy could also be given when staff access electronic copies of CbC Reports. This policy should be translated into all official languages in the jurisdiction, and other languages commonly used by members of staff.
29. The effectiveness of controls to ensure awareness of this policy can be improved by providing training to assist staff in understanding the commitment concerning appropriate use, including the consequences of non-compliance, which could be in the form of seminars, written materials or online tools. This could be specific to the topic of appropriate use, or built into wider staff training. For example, where staff members receive training on the effective use of CbCR information for risk assessment, this could include a section on appropriate use. All tax authorities should consider using training tools to ensure staff understand the limits on the use of CbCR information, but this is particularly important where CbC Reports are made available to staff involved in compliance activity such as tax audits, as in this case the potential for inappropriate use is increased if staff are not adequately aware of their commitments.
30. Tax authorities may also introduce physical reminders of the limits on use of CbCR information, for example by applying a stamp or other mark to each page of a group’s CbC Report and also to any reports or analyses prepared using CbCR information. Similar ‘digital stamps’ could be applied to electronic versions of CbC Reports and analyses. This would reduce the risk that CbCR information is accidentally used inappropriately, if a member of staff is not aware that an analysis is based on information taken from a CbC Report.
31. Jurisdictions may apply different approaches to ensure that staff is supported in using CbCR information appropriately, while including measures to control or monitor the use of CbC Reports to minimise the risk of inappropriate use. In particular, these may include measures to restrict access to CbC Reports and/or measures to ensure that appropriate use is adequately evidenced. In many cases, this may be done through processes that are already in place and it will not be necessary for jurisdictions to introduce additional measures specific to CbC Reports.
32. Tax authorities operate different models for tax risk assessment, including centralised structures with a dedicated risk assessment team (which may be a single national team or a number of regional teams), and de-centralised structures where risk assessment is conducted by staff within the compliance team including tax auditors. In some cases, a tax authority may operate both models in parallel (e.g. a centralised process for the largest groups in the jurisdiction, and a de-centralised process for other groups). A number of tax authorities have revised their risk assessment models and moved towards a centralised process for the handling of CbC Reports, but different models continue to exist. Tax
    authorities should consider introducing controls, or expanding existing controls, to ensure that CbC Reports are available to staff involved in activities covered by the appropriate use condition, but to restrict access to other staff. Mechanisms may also be used to monitor or record which staff access CbCR information. These measures will vary depending on the risk assessment model adopted by a tax authority.
33. Where a tax authority operates a centralised risk assessment model, access to CbC Reports may in the first instance be restricted to staff involved in the risk assessment process. Controls to ensure this could include a written policy setting out the restrictions on providing access to CbCR information to other staff, the use of password protected computers to access electronic data, and physical security measures such as locating risk assessment and compliance staff separately and ensuring that physical copies of CbC Reports are stored in locked rooms or locked filing cabinets. CbCR information (including complete CbC Reports, extracts from CbC Reports or analyses based on CbC Reports) may be provided to staff in the compliance function, to the extent this is covered by the appropriate use condition. For example, compliance staff may be involved in determining whether a potential risk identified during the risk assessment process can be explained or whether compliance action is required. In this case, the risk assessment team may maintain a record of what information was shared, the reason for sharing it, and the staff with whom it was shared.
34. Where risk assessments are conducted directly by the compliance team, the controls which may be appropriate to restrict and monitor access to CbCR information vary. Where only certain members of a compliance team are involved in risk assessment, the tax authority could introduce measures similar to those described above with respect to a centralised risk assessment team (e.g. use of passwords and physical security) to limit access to those engaged in appropriate use. However, where all or most of a compliance team is involved in a group’s risk assessment, these controls are unlikely to offer material comfort that CbCR information is used appropriately (although they would still be relevant for ensuring CbCR information is held confidentially). In this case, a jurisdiction may place more emphasis on monitoring the use of CbCR information and ensuring appropriate use is adequately evidenced.
35. CbCR information may also be used for the purposes of economic and statistical analysis where appropriate (e.g. to the extent this is permitted under the relevant tax treaty or TIEA, the conditions of which will protect the confidentiality of the information exchanged and prevent the information from being published). Where a tax authority proposes to use CbCR information in this way, the controls described above should also ensure that access is available to staff engaged in conducting or reviewing these analyses.
36. Measures to monitor the use of CbCR information are useful in ensuring that the appropriate use condition is met. These should ensure that, as a question of fact, information contained in CbC Reports is only used for the three purposes specified in the Action 13 Report.
37. Controls to monitor the use of CbCR information could include a requirement on compliance teams to document the specific actions they take with respect to taxpayers in large groups. This could include recording a detailed tax audit trail including correspondence with the taxpayer group, review of the master file, local file and other transfer pricing documentation, as well as additional information and evidence the group has been asked to provide, and any further analyses and calculations conducted by the compliance team to support proposed tax adjustments.
38. Tax authorities should incorporate the appropriate use condition into their existing review mechanisms, or introduce such mechanisms if they do not already exist, recognising that this may be of less significance in the context of a jurisdiction that relies on the tight restriction of access to CbC Reports. These may apply at different levels of the tax administration (e.g. within the compliance team and at a more senior level). For instance, the final review of material tax adjustments could be conducted by senior staff, independent of the compliance team proposing the adjustment. In order to ensure that CbCR information
    has not been used inappropriately, this review would confirm that proposed adjustments have been determined by applying the jurisdiction’s domestic tax law and tax treaties to evidence provided by the taxpayer or obtained as a result of compliance activity (e.g. a review should confirm that sufficient evidence is held on the audit file to objectively support the proposed adjustments). Specifically, tax authorities should have measures in place to establish that information contained in CbC Reports has not been used as conclusive evidence that transfer prices are incorrect, and the adjustment is not based on
    global formulary apportionment of income using CbCR information. The mere fact that CbCR information has been used as the basis for making further enquiries does not imply that CbC Reports have not been used appropriately.
39. A tax authority may also introduce a more detailed review of a specific tax audit in cases where a taxpayer challenges a tax adjustment or makes an appeal against a tax assessment, and the taxpayer claims that the adjustment is based on an inappropriate use of information contained in the group’s CbC Return.
40. The Action 13 Report includes two specific commitments concerning a jurisdiction’s competent authorities with respect to the use of CbCR information.
    • If a tax administration adjusts the income of a taxpayer using an income allocation formula based on data from a CbC Report, the jurisdiction’s competent authority will promptly concede the adjustment in any relevant competent authority proceeding.
    • To the extent permitted under applicable law, a competent authority will notify the Co-ordinating Body Secretariat (where a CbC Report was exchanged pursuant to the multilateral CAA) or the other competent authority (where a CbC Report was exchanged pursuant to the model bilateral CAAs) immediately of any cases of noncompliance with the appropriate use condition, including any remedial actions as well as any measures taken in respect of the non-compliance.
41. Tax authorities should provide clear guidance or training to competent authorities to ensure they are aware of these commitments and to ensure that they are able to comply with them promptly. In addition, tax authorities and other governmental bodies should not introduce any obligations or restrictions on competent authorities that would prevent them complying with these commitments, or would unnecessarily delay them in complying.
42. Jurisdictions should have in place procedures to ensure that any measures they introduce are complied with and operate effectively. For example, a specific official or body within the tax administration, ideally one which is independent of the tax compliance function, may be responsible for ensuring compliance with the tax authority’s commitments under the appropriate use condition (possibly together with other commitments under Action 13).
43. A tax authority should consider conducting periodic checks on whether there has been a breach of its policies to ensure appropriate use. These may vary depending on the measures introduced, but could include checks on whether all staff using CbCR information have participated in suitable training; on whether controls over access to CbC Reports are
    effective; and reviews of tax audit files for groups where CbC Reports are available to ensure they are complete and the outcomes of audits are fully documented and evidenced.
44. Where it is found that there has been a breach of the commitment to use CbCR information appropriately, the tax authority should consider applying sanctions or administrative measures which are appropriate to the nature of the breach but which are sufficient to reduce the likelihood of further non-compliance in the future. This should be accompanied by consideration of whether the controls in place were operating effectively in detecting the breach, or if changes to procedures need to be introduced (e.g. taking into account how quickly the breach was detected and dealt with).
45. It is anticipated that, where a jurisdiction has measures in place that enable it to answer yes to each of questions 1-6, it should have comfort that it has the necessary legal framework and infrastructure in place to ensure CbC Reports are used appropriately. It should also enable the jurisdiction to satisfy the recital to the multilateral and model bilateral CAAs that refers to appropriate use and, if the multilateral CAA is being used, enable its competent authority to provide notification of this to the Co-ordinating Body Secretariat. However, jurisdictions may have measures in place that are not covered by the above questions, which provide additional comfort. Where these measures are effective in ensuring appropriate use, they may be incorporated into future updates.