- How to test FATCA due diligence procedures against the requirements in Annex I of the applicable Intergovernmental Agreement (IGA) and the parallel CRS due diligence requirements in Sections II–VII of the CRS Standard
- What documentary evidence a financial institution must hold under CRS Section VI.D and FATCA IGA Annex I.VI to support each account classification
- How to evaluate the completeness of reporting to the local tax authority under CRS Section I and FATCA IGA Article 2
- When to involve a tax specialist under ISA 620.7 for cross-border classification questions involving entities with complex ownership structures
Why FATCA and CRS create audit risk at financial institutions
FATCA (the U.S. Foreign Account Tax Compliance Act, enacted in 2010, effective from 2014) and CRS (the OECD Common Reporting Standard, with first exchanges in 2017) impose due diligence and reporting obligations on financial institutions worldwide. A Dutch bank, insurer, or investment fund must identify accounts held by U.S. persons (under FATCA) and by tax residents of any CRS-participating jurisdiction (under CRS), then report those accounts annually to the Belastingdienst, which exchanges the information with the relevant foreign tax authorities.
The audit risk is not in the reporting itself (which is a data transmission exercise) but in the due diligence that precedes it. If the institution’s due diligence is incomplete or incorrect, the reporting will be incomplete or incorrect, and the institution faces penalties under both local law and the applicable intergovernmental agreement. In the Netherlands, the Wet op de internationale bijstandsverlening (WIB) implements both FATCA (via the Netherlands–U.S. IGA) and CRS, with penalties for non-compliance administered by the Belastingdienst.
For auditors, the question under ISA 250.13 is whether non-compliance with FATCA or CRS has a material effect on the financial statements. Direct penalties are one route to materiality. The other is reputational and operational: a financial institution whose significant non-compliance is not resolved under the IGA's enforcement procedure (Article 5) is treated as a Nonparticipating Financial Institution and faces 30% FATCA withholding on withholdable payments of U.S.-source income, which for a bank with a U.S. correspondent banking relationship could be operationally devastating. ISA 250.A6 requires you to consider the potential financial consequences of non-compliance, not just the current penalty exposure.
FATCA due diligence: what the IGA requires and what auditors test
The Netherlands operates under a Model 1 IGA with the United States. Under a Model 1 IGA, the financial institution reports to the local tax authority (the Belastingdienst), which then exchanges information with the U.S. Internal Revenue Service. The due diligence procedures the institution must follow are set out in Annex I of the IGA.
Annex I divides accounts into pre-existing and new, and further into individual and entity accounts. Each category has different due diligence requirements. Pre-existing individual accounts at or below a de minimis threshold ($50,000 for depository accounts, $250,000 for cash value insurance and annuity contracts) may, at the institution's election, be excluded from review. Pre-existing individual accounts with a balance exceeding $1,000,000 (high-value accounts) require an enhanced review that includes a paper records search and a relationship manager inquiry. New individual accounts require a self-certification at account opening.
Your audit procedure for FATCA due diligence follows the structure of Annex I. For a sample of accounts in each category, you verify that the institution applied the correct due diligence procedure. For new accounts: was a self-certification obtained at or before account opening? Does it include the account holder’s name, address, jurisdiction of residence, and taxpayer identification number (TIN)? Is the self-certification consistent with the other information the institution holds (the “reasonableness test” under Annex I, Section III.B)?
For pre-existing accounts: did the institution perform an electronic records search for U.S. indicia? Annex I, Section II.B.1 lists seven: (a) identification of the account holder as a U.S. citizen or resident; (b) an unambiguous indication of a U.S. place of birth; (c) a current U.S. mailing or residence address (including a U.S. P.O. box); (d) a current U.S. telephone number; (e) standing instructions to transfer funds to an account maintained in the United States; (f) a currently effective power of attorney or signatory authority granted to a person with a U.S. address; and (g) an in-care-of or hold mail address that is the sole address the institution has on file. If indicia were found, did the institution either obtain curing documentation (such as a self-certification on Form W-8BEN or W-9 together with the supporting evidence and, where Annex I requires it, a reasonable explanation) or treat the account as reportable?
The seven U.S. indicia are the core of the FATCA electronic search. Your testing should confirm that the institution's system is programmed to flag all seven, not just the most common ones. A system that catches U.S. addresses but not U.S. telephone numbers, standing transfer instructions, or a hold mail address that is the sole address on file will miss accounts. Note that indicium (g) depends on the shape of the address file rather than on any country code, so a search that only compares country fields cannot detect it.
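The search logic the paragraph above describes, written out as an added example (not code from the original page or from any reporting vendor): a full Annex I, Section II.B.1 search over constructed account records, placed next to the incomplete address-only search the text warns about. The record layout, field names and sample accounts are assumptions for the example; the +1 telephone check is deliberately over-inclusive, as the comment explains.

```python
"""Electronic records search for U.S. indicia (IGA Annex I, Section II.B.1).

Added example. Record layout and sample accounts are constructed for
illustration, not taken from any real system or customer file.
"""
import re
from dataclasses import dataclass, field

# Annex I, Section II.B.1 indicia, labelled (a) to (g) as in the IGA.
INDICIA = {
    "a": "identified as U.S. citizen or resident",
    "b": "unambiguous U.S. place of birth",
    "c": "current U.S. mailing or residence address (incl. P.O. box)",
    "d": "current U.S. telephone number",
    "e": "standing instructions to transfer funds to a U.S. account",
    "f": "power of attorney / signatory authority to a person with a U.S. address",
    "g": "in-care-of or hold mail address that is the sole address on file",
}


@dataclass
class Account:
    account_id: str
    citizenship: str = ""                  # ISO 3166 alpha-2 from the KYC file
    place_of_birth: str = ""               # ISO 3166 alpha-2, "" if not recorded
    addresses: list = field(default_factory=list)        # (kind, country); kind is residence, mailing, in_care_of or hold_mail
    phones: list = field(default_factory=list)           # raw strings exactly as stored
    standing_orders: list = field(default_factory=list)  # country of each destination account
    poa_holders: list = field(default_factory=list)      # country of each PoA/signatory's address


def is_us_phone(raw: str) -> bool:
    """True for an 11-digit number in country code +1.

    Caveat: +1 is the North American Numbering Plan, shared with Canada and
    several Caribbean states, so this is over-inclusive; a production search
    would filter on area code. An over-flag only costs a curing step, while an
    under-flag loses a reportable account, so err on the inclusive side.
    """
    digits = re.sub(r"\D", "", raw)
    return len(digits) == 11 and digits[0] == "1"


def search_indicia(acct: Account) -> set:
    """Full Annex I search: returns the set of indicia labels found."""
    found = set()
    if acct.citizenship == "US":
        found.add("a")
    if acct.place_of_birth == "US":
        found.add("b")
    current = [c for k, c in acct.addresses if k in ("residence", "mailing")]
    if "US" in current:
        found.add("c")
    if any(is_us_phone(p) for p in acct.phones):
        found.add("d")
    if "US" in acct.standing_orders:
        found.add("e")
    if "US" in acct.poa_holders:
        found.add("f")
    # (g) depends on the shape of the address file, not on a country code:
    # the only address(es) held are hold-mail or in-care-of addresses.
    if acct.addresses and all(k in ("in_care_of", "hold_mail") for k, _ in acct.addresses):
        found.add("g")
    return found


def address_only_search(acct: Account) -> set:
    """The incomplete search the text warns about: address country field only."""
    current = [c for k, c in acct.addresses if k in ("residence", "mailing")]
    return {"c"} if "US" in current else set()


def missed_by_address_only(accounts) -> list:
    """Account ids the full search flags but the address-only search does not."""
    return [a.account_id for a in accounts
            if search_indicia(a) and not address_only_search(a)]


# Constructed sample records (not real customer data).
SAMPLE = [
    Account("A1", citizenship="NL", place_of_birth="NL", addresses=[("residence", "NL")], phones=["+31 20 123 4567"]),
    Account("A2", citizenship="NL", place_of_birth="NL", addresses=[("residence", "NL")], phones=["+1 212 555 0100"]),
    Account("A3", citizenship="NL", addresses=[("hold_mail", "NL")]),
    Account("A4", citizenship="NL", place_of_birth="US", addresses=[("residence", "US"), ("mailing", "NL")]),
    Account("A5", citizenship="NL", addresses=[("residence", "NL")], standing_orders=["US"], poa_holders=["US"]),
    Account("A6", citizenship="US", addresses=[("residence", "NL")]),
]

if __name__ == "__main__":
    for a in SAMPLE:
        hits = sorted(search_indicia(a))
        print(a.account_id, hits, [INDICIA[h] for h in hits])
    print("missed by address-only search:", missed_by_address_only(SAMPLE))
```

Run against the six constructed records, the address-only search catches only A4; the full search also flags A2 (telephone), A3 (sole hold mail address), A5 (standing order and power of attorney) and A6 (U.S. citizenship). When you test the institution's system, the audit question is exactly this: feed it records that exhibit each indicium in isolation and confirm every one is flagged.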
CRS due diligence: the parallel framework with wider scope
CRS follows a similar structure to FATCA but with two important differences that affect your audit approach. First, CRS has no de minimis threshold for individual accounts (Section III of the CRS Standard provides none; only the optional $250,000 threshold for pre-existing entity accounts in Section V.A survives). Every account held by an individual who is tax resident in a Reportable Jurisdiction is reportable, regardless of balance. Second, CRS requires reporting on accounts held by tax residents of any participating jurisdiction, not just one country. A single account holder who is tax resident in both France and Italy generates two reporting obligations.
The due diligence procedures are in Sections II through VII of the CRS Standard. For new individual accounts, CRS Section IV requires a self-certification that includes the account holder's jurisdiction(s) of tax residence and TIN for each jurisdiction. For pre-existing accounts, the institution performs an electronic records search and, for high-value accounts (balance exceeding $1,000,000), a paper records search and a relationship manager inquiry (CRS Section III.C).
The wider scope of CRS creates a specific audit risk: multi-jurisdiction tax residence. An account holder with dual French-Italian tax residence must have both jurisdictions recorded and reported. Your test is to select a sample of accounts where the self-certification indicates residence in more than one jurisdiction and verify that the institution reported to each jurisdiction separately.
For entity accounts, CRS Section V requires the institution to determine whether the entity is a Reportable Person, a passive Non-Financial Entity (NFE) with controlling persons who are Reportable Persons, or an Active NFE (which is not reportable). The classification of passive versus active NFE is one of the most error-prone areas in CRS compliance. Your testing should include a sample of entities classified as Active NFE, verifying that the classification is supported by evidence (financial statements showing that less than 50% of income is passive income and less than 50% of assets are held for producing passive income, per CRS Section VIII.D.9).
The self-certification gap: the single biggest compliance failure
The most common finding in FATCA and CRS audits is incomplete self-certification. The institution opened accounts, collected some self-certifications, but has gaps. For new accounts opened after the CRS effective date (1 January 2016 in most jurisdictions), the self-certification is mandatory at account opening (CRS Section IV.A). An account opened without a self-certification is non-compliant from day one.
For pre-existing accounts, the institution was required to complete due diligence within a specified timeframe (generally two years from the CRS effective date for lower-value accounts). If that window has passed and accounts still lack documentation, the institution has a backlog of non-compliant accounts.
Your procedure: request the institution’s self-certification completion rate by account category (new individual, pre-existing individual, new entity, pre-existing entity). For any category below 100% for new accounts, select a sample of accounts without self-certifications and evaluate the institution’s remediation process. Is the institution actively pursuing missing certifications? Is it treating undocumented accounts as reportable (as CRS Section III.C.6 requires for pre-existing accounts that remain undocumented after the due diligence period)?
The penalty exposure varies by jurisdiction. In the Netherlands, the WIB authorises administrative penalties for failure to comply with due diligence and reporting obligations. Quantify the population of non-compliant accounts and assess whether the potential penalty exposure (combined with any operational consequences) is material under ISA 250.A6. If, say, a quarter of the accounts in a category lack valid self-certifications, the institution's compliance programme has a systemic weakness that may require disclosure.
Reporting completeness and accuracy
The reporting obligation requires the institution to file an annual return with the Belastingdienst containing specified data elements for each reportable account. For CRS, the data elements are listed in CRS Section I.A and include: the name, address, jurisdiction(s) of residence, TIN(s) and, for individuals, date and place of birth of each reportable person; the account number; the account balance or value at year-end (or closure of the account); and, depending on the account type, the total gross amount of interest, dividends and other income credited during the calendar year and, for custodial accounts, the total gross proceeds from the sale or redemption of financial assets.
Your audit procedure for reporting completeness has two components. First, verify that every account the institution identified as reportable during due diligence was included in the reporting file submitted to the Belastingdienst. Second, for a sample of reported accounts, verify that the data elements in the report match the institution’s underlying records. Common errors: the TIN field is blank (because the institution collected the jurisdiction of residence but not the TIN), the account balance reflects the average balance rather than the year-end balance, or the income categorisation is wrong (gross proceeds reported as interest).
Obtain the XML reporting file the institution submitted and reconcile the total number of reported accounts against the institution’s internal reportable account register. Any difference requires investigation. Reconcile the aggregate balances in the file to the institution’s general ledger or sub-ledger totals for the relevant account population.
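The two-part reconciliation described above, as an added example that is not part of the original page or of any real reporting platform: it parses a constructed, simplified CRS reporting file, compares it with a constructed internal register, and surfaces exactly the error classes the text lists (accounts missing from the file, blank TINs, an average balance reported instead of year-end, and gross proceeds categorised as interest). The element names and layout are an assumption for the example and only loosely follow the OECD CRS XML schema; the four payment type codes (CRS501 dividends, CRS502 interest, CRS503 gross proceeds, CRS504 other) are the codes the schema uses.

```python
"""Reconcile a submitted CRS file against the reportable account register.

Added example. SUBMITTED_XML is a constructed, simplified file whose element
names are assumptions loosely modelled on the OECD CRS XML schema, not the
real schema. REGISTER is a constructed internal register, not real data.
"""
import xml.etree.ElementTree as ET
from decimal import Decimal

# Payment type codes as used in the CRS XML schema.
PAYMENT_TYPES = {"CRS501": "dividends", "CRS502": "interest",
                 "CRS503": "gross proceeds", "CRS504": "other"}

SUBMITTED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<CrsReport period="2023">
  <AccountReport>
    <AccountNumber>ACC-0001</AccountNumber><ResCountryCode>FR</ResCountryCode>
    <TIN>1234567890123</TIN>
    <AccountBalance currCode="EUR">15200.00</AccountBalance>
    <Payment type="CRS502" currCode="EUR">120.50</Payment>
  </AccountReport>
  <AccountReport>
    <AccountNumber>ACC-0002</AccountNumber><ResCountryCode>IT</ResCountryCode>
    <TIN></TIN>
    <AccountBalance currCode="EUR">8300.00</AccountBalance>
    <Payment type="CRS502" currCode="EUR">41.00</Payment>
  </AccountReport>
  <AccountReport>
    <AccountNumber>ACC-0003</AccountNumber><ResCountryCode>DE</ResCountryCode>
    <TIN>12345678901</TIN>
    <AccountBalance currCode="EUR">51000.00</AccountBalance>
    <Payment type="CRS501" currCode="EUR">900.00</Payment>
  </AccountReport>
  <AccountReport>
    <AccountNumber>ACC-0005</AccountNumber><ResCountryCode>BE</ResCountryCode>
    <TIN>12345678901</TIN>
    <AccountBalance currCode="EUR">230000.00</AccountBalance>
    <Payment type="CRS502" currCode="EUR">12000.00</Payment>
  </AccountReport>
</CrsReport>"""

# Internal reportable account register (constructed). ACC-0004 is in the
# register but was dropped from the file; ACC-0003 was reported at its
# average rather than year-end balance; ACC-0005's gross proceeds went out
# coded as interest.
REGISTER = [
    {"account": "ACC-0001", "res": "FR", "tin": "1234567890123", "year_end": Decimal("15200.00"), "average": Decimal("14100.00"), "income": {"interest": Decimal("120.50")}},
    {"account": "ACC-0002", "res": "IT", "tin": "", "year_end": Decimal("8300.00"), "average": Decimal("8000.00"), "income": {"interest": Decimal("41.00")}},
    {"account": "ACC-0003", "res": "DE", "tin": "12345678901", "year_end": Decimal("47500.00"), "average": Decimal("51000.00"), "income": {"dividends": Decimal("900.00")}},
    {"account": "ACC-0004", "res": "ES", "tin": "X1234567L", "year_end": Decimal("2600.00"), "average": Decimal("2600.00"), "income": {"interest": Decimal("3.10")}},
    {"account": "ACC-0005", "res": "BE", "tin": "12345678901", "year_end": Decimal("230000.00"), "average": Decimal("210000.00"), "income": {"gross proceeds": Decimal("12000.00")}},
]


def parse_report(xml_text: str) -> dict:
    """Map account number -> reported data elements. Decimal avoids float drift on money."""
    out = {}
    for rep in ET.fromstring(xml_text).findall("AccountReport"):
        income = {}
        for p in rep.findall("Payment"):
            cat = PAYMENT_TYPES[p.get("type")]
            income[cat] = income.get(cat, Decimal("0")) + Decimal(p.text)
        out[rep.findtext("AccountNumber")] = {
            "res": rep.findtext("ResCountryCode"),
            "tin": (rep.findtext("TIN") or "").strip(),   # <TIN></TIN> parses as ""
            "balance": Decimal(rep.findtext("AccountBalance")),
            "income": income,
        }
    return out


def aggregate_balance(report: dict) -> Decimal:
    """Total reported balances, to tie to the ledger for the reportable population."""
    return sum((r["balance"] for r in report.values()), Decimal("0"))


def reconcile(report: dict, register: list) -> dict:
    """Component 1: population match. Component 2: data elements per account."""
    reg = {r["account"]: r for r in register}
    findings = {
        "missing_from_file": sorted(set(reg) - set(report)),
        "not_in_register": sorted(set(report) - set(reg)),
        "blank_tin": [], "balance_mismatch": [], "income_mismatch": [],
    }
    for acct, rep in report.items():
        r = reg.get(acct)
        if r is None:
            continue
        if not rep["tin"]:
            findings["blank_tin"].append(acct)
        if rep["balance"] != r["year_end"]:
            note = "matches average balance" if rep["balance"] == r["average"] else "unexplained"
            findings["balance_mismatch"].append((acct, note))
        if rep["income"] != r["income"]:
            findings["income_mismatch"].append((acct, sorted(rep["income"]), sorted(r["income"])))
    return findings


def run_reconciliation() -> dict:
    return reconcile(parse_report(SUBMITTED_XML), REGISTER)


if __name__ == "__main__":
    for key, value in run_reconciliation().items():
        print(f"{key}: {value}")
    print("aggregate reported balance:", aggregate_balance(parse_report(SUBMITTED_XML)))
```

Every account in `missing_from_file` needs the closure-date check the text describes before it is written up as an omission; a balance flagged as "matches average balance" is a systemic extraction error rather than a one-off keying mistake, and is worth testing across the whole population rather than the sample.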
Entity classification: the area most likely to be wrong
Entity accounts present the highest classification risk under both FATCA and CRS. Under FATCA, the institution must determine whether an entity is a Financial Institution, an Active NFFE (Non-Financial Foreign Entity), a Passive NFFE, an Exempt Beneficial Owner, or a Direct Reporting NFFE. Under CRS, the equivalent classifications are Financial Institution, Active NFE, Passive NFE, and various excluded categories.
The classification determines the reporting obligation. A Passive NFE with controlling persons who are Reportable Persons is reportable on a look-through basis: the institution must identify the natural persons who control the entity and report their details. An Active NFE is not looked through; the entity is reported only if it is itself a Reportable Person (for example, an Active NFE that is tax resident in a Reportable Jurisdiction), in which case the entity's own details, not those of its controlling persons, are reported.
The most common classification error is treating a Passive NFE as an Active NFE. This happens when the institution accepts a self-certification stating "Active NFE" without verifying the underlying conditions. Your test: select a sample of entities classified as Active NFE and request the supporting evidence. Check the "less than 50% passive income" and "less than 50% passive assets" conditions (CRS Section VIII.D.9(a)) by requesting the entity's financial statements. For the "regularly traded on an established securities market" exemption (Section VIII.D.9(b)), verify the listing. Governmental entity or international organisation classifications require verification of the legal basis.
Where entity structures involve multiple layers (a holding company owning an operating subsidiary owning a property SPV), the controlling person determination requires looking through each layer. ISA 620.7 applies here: if the entity structure involves offshore jurisdictions, trust arrangements, or nominee shareholders, you may need a tax specialist to evaluate whether the institution’s classification is correct. Document the ISA 620.9 evaluation if you engage one.
The controlling person identification is distinct from the UBO determination under anti-money laundering rules, though they often produce the same result. Under CRS Section VIII.D.6, a controlling person of an entity is the natural person exercising control, determined in a manner consistent with the FATF Recommendations. For a corporate entity, this typically means the natural person holding more than 25% of ownership interests. For a trust, it means the settlor, trustees, protector, beneficiaries, and any other natural person exercising ultimate effective control. If the institution has misidentified the controlling persons, the reporting is incomplete even if the entity classification is correct.
Worked example: Linden Bank N.V.
Client profile: Linden Bank N.V. is a mid-sized Dutch retail and commercial bank. Total assets: €2.8 billion. The bank holds 22,000 individual accounts and 3,400 entity accounts. Revenue: €94M. The bank reports under both FATCA (Netherlands–U.S. Model 1 IGA) and CRS. The compliance department has four staff members dedicated to FATCA/CRS.
1. Assess the compliance framework under ISA 250.13
Linden Bank’s FATCA/CRS compliance is managed through an automated system (a third-party regulatory reporting platform) that flags accounts based on self-certification data and electronic indicia searches. The bank performs annual reviews of high-value pre-existing accounts. You evaluate: does the system cover all required due diligence procedures for each account category? Request the system specification document and compare the logic rules against Annex I of the IGA (FATCA) and Sections II–VII of the CRS Standard.
Documentation note
Record the compliance system name and version, the date of the last system update, the comparison of system logic to IGA Annex I and CRS Section requirements, and any gaps identified.
2. Test self-certification completeness
Request the bank’s self-certification completion report. Results: new individual accounts (opened after 1 January 2016): 96% have valid self-certifications on file. New entity accounts: 88%. Pre-existing individual accounts: 79%. Pre-existing entity accounts: 71%.
Procedure for the 4% gap on new individual accounts: take the population of new individual accounts without a self-certification from the bank's completion report (applied across the bank's 22,000 individual accounts, 4% would be about 880; the actual population is the subset opened after 1 January 2016) and select 25 accounts. For each, determine: when was the account opened? Was a self-certification requested? Why is it missing? In 18 of 25 cases, the account was opened through a digital onboarding channel that collected the self-certification, but a system error prevented it from being stored in the compliance database. The data exists in the onboarding system but was not migrated. This is a system integration deficiency, not a due diligence failure, but the compliance database is the system of record for reporting purposes. Until the data is migrated, these accounts are functionally undocumented.
Documentation note
Record the self-certification rates by category, the sample selected, the root cause analysis for each gap category, and the estimated remediation timeline provided by the bank.
3. Test entity classification for the commercial portfolio
Select 30 entities from the 3,400 entity accounts. Focus the sample on entities classified as Active NFE (the classification that results in no look-through reporting). Of the 30, request the supporting evidence for the Active NFE classification.
Results: 22 entities have income statements on file showing less than 50% passive income. Four entities are classified as Active NFE based on the “regularly traded” exemption but the bank holds no evidence of listing status. Two entities are holding companies with self-certifications stating “Active NFE” but the income statements show 100% dividend income (passive). Two entities have no supporting documentation at all.
The four entities without listing evidence and the two holding companies with 100% passive income are potential misclassifications. If these entities have controlling persons who are Reportable Persons, they should have been reported. Quantify: the combined account balances of these six entities total €4.2M. If the controlling persons are reportable, the bank has under-reported. The penalty exposure under the WIB and the reputational risk of incorrect reporting to the Belastingdienst are the financial statement considerations.
Documentation note
Record the sample, the classification evidence obtained for each entity, the misclassification findings, the estimated penalty exposure, and management’s remediation plan.
4. Test reporting completeness
Obtain the CRS XML file submitted to the Belastingdienst for the reporting year. Reconcile: the file contains 1,847 reportable individual accounts and 312 reportable entity accounts. Compare against the bank’s internal reportable account register. The register shows 1,851 reportable individual accounts. Four accounts appear in the register but not in the reporting file. Investigate: two were closed between the register extraction date and the file submission date (legitimate exclusion). Two were excluded due to a system filter error. These two accounts should have been reported.
For a sample of 40 reported accounts, verify the data elements: name, address, TIN, account balance at year-end, income amounts. In the sample: two accounts have a blank TIN field. The bank collected the jurisdiction of residence but not the TIN. CRS Section I.A requires the TIN, but Sections I.C and I.D relieve the requirement where the jurisdiction does not issue TINs and, for pre-existing accounts, where the TIN is not in the institution's records, provided the institution makes reasonable efforts to obtain it by the end of the second calendar year after the account was identified as reportable. The bank must therefore demonstrate either that no TIN is issued or that it made reasonable efforts to obtain it. Request the correspondence records.
Documentation note
Record the reconciliation between the internal register and the submitted file, the investigation of discrepancies, the data element testing results, and the TIN collection deficiency.
The completed file documents every due diligence test against the specific IGA and CRS provision, quantifies the compliance gaps, and supports the ISA 250.13 assessment of whether the non-compliance has a material financial statement effect.
Practical checklist for your next FATCA/CRS engagement
- Obtain the applicable IGA (for FATCA) and confirm which version of the CRS the jurisdiction has implemented. The due diligence requirements differ between Model 1 and Model 2 IGAs, and between CRS jurisdictions that have adopted the wider approach to due diligence.
- Request self-certification completion rates broken down by all four account categories (new individual, new entity, pre-existing individual, pre-existing entity). Any rate below 100% for new accounts opened after the CRS effective date is a compliance deficiency.
- Pull a targeted sample of Active NFE entities and request the supporting evidence for the classification. Do not accept the self-certification alone without corroborating the underlying conditions (income composition, listing status, governmental status).
- Obtain the XML reporting file submitted to the local tax authority and reconcile the account count against the institution’s internal reportable account register. Investigate every discrepancy.
- Verify data elements for a sample of reported accounts against the institution’s source records. Pay particular attention to the TIN field (frequently blank), the account balance (year-end, not average), income categorisation (interest vs. dividends vs. gross proceeds), and the correct jurisdiction code.
- Assess the financial statement impact of any identified non-compliance under ISA 250.A6, including penalty exposure under local law, the risk of FATCA non-compliant status (and the resulting 30% U.S. withholding), and any required disclosures or provisions under IAS 37.14.
Common mistakes regulators flag
- Testing FATCA and CRS due diligence as a single combined process without recognising the structural differences. FATCA has elective de minimis thresholds and targets only U.S. persons. CRS has no de minimis threshold for individual accounts and covers account holders resident in any Reportable Jurisdiction. An account that passes FATCA due diligence may still fail CRS due diligence, and vice versa.
- Accepting an entity’s self-certification of “Active NFE” without verifying the underlying income and asset composition. The Dutch Authority for the Financial Markets (AFM) has flagged insufficient verification of entity classifications in its supervisory communications to banks, noting that reliance on self-certifications alone does not satisfy the due diligence standard.
- Failing to test whether the institution's automated system captures all seven U.S. indicia. Systems that search for U.S. addresses but omit U.S. telephone numbers, standing transfer instructions to U.S. accounts, powers of attorney with U.S. addresses, or a hold mail or in-care-of address that is the sole address on file will systematically miss reportable accounts.
Frequently asked questions
What is the difference between FATCA and CRS due diligence?
FATCA targets only U.S. persons and has de minimis thresholds (e.g., $50,000 for depository accounts). CRS has no de minimis threshold for individual accounts and covers tax residents of any participating jurisdiction. A single account holder with dual tax residence generates two CRS reporting obligations. An account that passes FATCA due diligence may still fail CRS due diligence, and vice versa.
What is the most common compliance failure in FATCA and CRS audits?
Incomplete self-certification is the most common finding. For new accounts opened after the CRS effective date, a self-certification is mandatory at account opening. An account opened without one is non-compliant from day one. For pre-existing accounts, institutions were required to complete due diligence within a specified timeframe. If that window has passed and accounts still lack documentation, the institution has a backlog of non-compliant accounts.
How do you test entity classification under CRS?
Select a sample of entities classified as Active NFE and request supporting evidence. Check the “less than 50% passive income” condition (CRS Section VIII.D.9) by requesting the entity’s income statement. For the “publicly traded” exemption, verify the listing. Do not accept the self-certification alone without corroborating the underlying conditions. The most common error is treating a Passive NFE as an Active NFE.
What are the U.S. indicia under FATCA?
Annex I, Section II.B.1 of the IGA lists seven U.S. indicia: identification of the account holder as a U.S. citizen or resident, an unambiguous U.S. place of birth, a current U.S. mailing or residence address, a current U.S. telephone number, standing instructions to transfer funds to an account maintained in the United States, a currently effective power of attorney or signatory authority granted to a person with a U.S. address, and an in-care-of or hold mail address that is the sole address on file. The institution's system must be programmed to flag all seven, not just the most common ones.
Can FATCA or CRS non-compliance have a material financial statement impact?
Yes. Under ISA 250.A6, the auditor must consider potential financial consequences of non-compliance. Direct penalties under local law (such as the Dutch WIB) are one route to materiality. The other is operational: a financial institution treated as a Nonparticipating Financial Institution after unresolved significant non-compliance faces 30% FATCA withholding on withholdable payments of U.S.-source income, which for a bank with a U.S. correspondent banking relationship could be operationally devastating.
Further reading and source references
- FATCA, U.S. Foreign Account Tax Compliance Act: Netherlands–U.S. Model 1 Intergovernmental Agreement, Annex I (due diligence procedures) and Article 5 (compliance and enforcement).
- OECD Common Reporting Standard (CRS): Sections I–VIII on reporting, due diligence, and defined terms including entity classification.
- ISA 250 (Revised), Consideration of Laws and Regulations in an Audit of Financial Statements: paragraphs 13–14 and A6 on non-compliance assessment.
- Wet op de internationale bijstandsverlening bij de heffing van belastingen (WIB): Dutch implementation of FATCA and CRS due diligence and reporting obligations.
- ISA 620, Using the Work of an Auditor's Expert: paragraphs 7–12 on deciding whether an expert is needed and evaluating the expert's work.