The Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS) are key global mandates steering how financial institutions address tax compliance. These frameworks require banks, fund managers, and service providers to identify and report the tax residency of account holders to tax authorities.
Why does this matter? Because non-compliance can spark crippling fines, reputational damage, and regulatory audits that persist beyond a penalty notice. For cross-border financial institutions, these structures are foundational to doing business, not optional.
In this checklist, we break down the key steps your firm needs to follow to stay compliant, minimize exposure, and develop a defensible FATCA/CRS system.
But first, a quick overview of FATCA vs CRS.
Quick Overview: FATCA vs CRS
FATCA, enacted in the United States in 2010, is focused on collecting tax information for the Internal Revenue Service (IRS) about the assets of U.S. persons. FATCA blocks and detects U.S. tax evasion, fostering tax compliance.
The CRS, on the other hand, is concerned with the exchange of global financial information between tax authorities. CRS requires financial institutions (FIs) to gather information on all their account holders and provide that information, alongside particular account information, to the tax authority of the country in which the account holder is a tax resident.
Here are the key differences between FATCA and CRS at a glance.
Feature | FATCA (U.S.) | CRS (Global/OECD) |
---|---|---|
Origin | U.S. Internal Revenue Code | OECD Initiative |
Primary Target | U.S. persons (citizens, residents, and entities with substantial U.S. ownership) | Tax residents of CRS-participating jurisdictions |
Jurisdictions Involved | U.S. + countries with Intergovernmental Agreements (IGAs) | 100+ jurisdictions worldwide |
Reporting Mechanism | IRS or local tax authorities (under IGA) | Local tax authority with international exchange |
Withholding Requirements | Yes (30% on U.S.-source income for non-compliance) | No withholding |
Standardized Forms | Yes (W-9, W-8 series) | Varies (CRS self-certification; no global standard) |
10-Point FATCA/CRS Compliance Checklist
To remain compliant with FATCA/CRS, your financial institution must have a standardised, end-to-end approach. Below is a 10-point checklist to support your compliance efforts.
1. Entity classification
You want to classify your entity based on its activities. The kind of classification may determine additional requirements such as investor due diligence and submitting annual reports.
FATCA classifies entities into two major brackets:
- Foreign Financial Institution (FFI): A depository institution, a custodial institution, an investment entity, or a designated insurance company.
- Non-Financial Foreign Entity (NFFE): Any foreign entity other than an FFI.
Under the CRS, entities are classified into:
- Financial Institution (FI): Includes custodial institutions, depository institutions, investment entities, and specified insurance companies.
- Non-Financial Entity (NFE): Entities not meeting the FI definition.
An NFE can be classified as either active or passive.
- Active NFE: As defined under the applicable IGA. This typically includes entities that earn less than 50% passive income and hold less than 50% passive assets, or are publicly listed, government entities, or other specified categories.
- Passive NFE: Any NFE that does not meet the criteria for Active NFE. These entities must disclose information on their controlling persons, as applicable.
“Each jurisdiction may issue local classification rules or guidance. Always refer to the relevant tax authority’s standards to ensure alignment and compliance.”
2. Registration and GIIN acquisition (FATCA-specific)
If your entity is classified as a Foreign Financial Institution (FFI), it must register with the IRS via the FATCA registration portal to obtain a Global Intermediary Identification Number (GIIN).
In Model 1 IGA jurisdictions, registration is still necessary to obtain a GIIN, but reporting is done to the local tax authority.
After registration, you receive a GIIN, a 19-character identification number, for:
- Identifying your entity when reporting
- Including your entity on the IRS’s monthly FATCA FFI list
- Demonstrating compliance to withholding agents and counterparties
Your entity must maintain correct contact details and classifications and update any changes in status within the IRS portal.
3. Customer due diligence (CDD)
For both frameworks, your entity must identify account holders and examine their tax residency or U.S. status. You can achieve this through rigorous due diligence processes when onboarding new accounts and during account maintenance.
Your onboarding procedures should incorporate FATCA and CRS requirements, and flag financial accounts that require due diligence based on your entity or individual profile.
Be sure to include these relevant self-certification forms:
- FATCA: Form W-9 for U.S. persons and W-8BEN-E for non-U.S. persons/entities
- CRS: Country-specific self-certification forms that include information on tax residency and Taxpayer Identification Numbers (TINs)
In addition, ensure you identify tax residence and U.S. indicia for:
- FATCA: Identify U.S. citizenship or residency, birthplace, address or phone number, and standing directives to direct funds to a U.S. account
- CRS: Ascertain jurisdiction(s) of tax residence for individuals and entities
Next, validate the reasonableness of the provided information by comparing self-certifications against KYC data. If the test fails, request an updated recommendation or consider the account as reportable.
4. Data collection and maintenance
You must capture, preserve, and update particular data components to support FATCA and CRS classification, due diligence, and reporting requirements. Precise and detailed data is vital in minimizing your entity’s non-compliance risk.
A robust system helps your entity gather and retain key data points. These include TINs, GIINs, and account information, such as balances, the full details of holders, entity classification, and more.
Your system should also allow periodic data review, record updates, and flag and escalate incomplete or invalid information. If possible, automate data capture using API-integrated platforms or compliance tools to minimize manual errors.
5. Reporting obligations
You’re required to submit annual reports revealing information about reportable accounts and required fields.
For FATCA, submit reports to the local tax authority in Model 1 IGA jurisdictions, and to the IRS in Model 2 or non-IGA jurisdictions.
For CRS, submit the reports to the local tax authority, which then exchanges them via the OECD’s Common Transmission System (CTS).
Ensure the FATCA and CRS reports are in the correct XML Schema, as errors in file structure may result in rejection or non-compliance penalties. After submission, retain copies of the reports and proof of timely submission.
6. Documentation and record keeping
Maintain standardized and complete documentation to demonstrate compliance with FATCA and CRS, especially during audits, enquiries, or reviews.
Ensure you preserve copies of:
- Self-certification CRS and FATCA forms
- Evidence of your entity classification
- Review of customer due diligence
- FATCA/CRS reports and submission confirmations
Additionally, encrypt sensitive data, allow only role-based access, and track system logins to monitor data access and changes.
Although data retention periods differ per jurisdiction, many tax authorities require at least 5 to 7 days of record retention. You should check and comply with local regulations, including aligning with broader data governance policies.
7. Policies and procedures
You need standardized internal policies and processes to ensure your institution routinely aligns with FATCA and CRS rules and adjusts swiftly to regulatory updates.
Start by developing written policies that outline classification, onboarding, due diligence, and data collection and validation. Ensure these policies align with the requirements of the OECD, IRS, and local tax authorities. Then, assign reporting roles and schedules to specific individuals within your institution.
Regularly monitor for any new regulatory guidance and policy updates and promptly revise your procedures to avoid outdated practices.
8. Staff training and awareness
Even well-crafted policies are fruitless if your staff aren’t adequately trained to apply them. Provide role-based training on FATCA/CRS requirements and processes for front-line staff, compliance teams, and operational and IT staff.
Conduct refresher sessions annually, when new regulatory updates are announced, or when an internal audit reveals process or knowledge gaps. Also use case studies or simulated reviews to reinforce learning.
Maintain a log of training sessions and attendance as evidence to regulators that your entity continually updates and maintains the competence of its staff.
9. Audit and internal reviews
Internal reviews confirm implementation, reveal gaps, and strengthen the integrity of your FATCA/CRS compliance structure. They also offer valuable documentation to support your institution during regulatory scrutiny.
Conduct periodic internal audits (annually or semi-annually) of FATCA/CRS compliance. If possible, use independent personnel or external auditors for objective oversight.
Document your audit findings, including gaps and errors. Then, remediate through updated procedures or training, system changes or automation fixes, or restatements where required.
Keep a complete record of the audit trail and corrective actions, as regulators may request this when reviewing your compliance assurance.
10. Adopt technology for compliance
Manual procedures are susceptible to delays, errors, and compliance gaps. Capitalize on the appropriate technology to ensure speed, accuracy, and auditability at each step of your compliance cycle.
Implement platforms like RAISE to support FATCA/CRS by:
- Classifying your entity and validating self-certifications
- Protecting data gathering and document preservation
- Automating XML report generation
- Providing built-in updates for real-time regulatory changes
Integrate this with your entity’s KYC and onboarding systems to ensure a seamless connection between databases, workflows, and due diligence processes. This also reduces duplication and promotes consistent customer data across your systems.
Stay Ahead in FATCA and CRS Compliance
FATCA and CRS compliance is a continuous process that requires vigilance, collaboration, and ongoing improvement. You must adopt a proactive, process-driven approach to manage risk and stay abreast of international regulatory requirements.
To refine this process and sustain your tax transparency endeavor, use customized solutions like the RAISE platform. Get a free consultation today and find out how you can streamline the compliance process.