FATCA and CRS Compliance: How the Standard Has Evolved Since 2021

When FATCA and CRS were first implemented, the priority was simply getting institutions into the framework. Registration, basic classification, and annual reporting were the milestones that mattered. The guidance was broad, the supervisory expectations were relatively accommodating, and the operational reality in many institutions was a combination of spreadsheets, informal processes, and documentation that existed in name more than in practice.

That era is over. The past five years have seen a fundamental shift in what regulators expect, how they assess compliance, and what the consequences of falling short look like. Across every jurisdiction where FATCA and CRS have been in force for any significant period, the same pattern is visible: the framework has matured, the guidance has deepened, and the bar has been raised consistently and deliberately.

From broad obligations to detailed standards

The earliest iterations of FATCA and CRS guidance were framework documents. They established the principles, defined the key concepts, and set out the broad architecture of due diligence and reporting. What they did not do, in most jurisdictions, was prescribe in detail how institutions should operationalise those obligations.

That has changed substantially. Guidance documents that began as general frameworks have been through multiple update cycles, with each version introducing greater specificity around procedural expectations, data requirements, and the standards against which compliance will be assessed. Version numbers on national guidance documents now run into double digits in several jurisdictions. The evolution from a broad statement of principle to a detailed operational standard is one of the most significant shifts of the past five years, and institutions that have not kept pace with successive updates are not simply behind. They are operating on the basis of a standard that no longer exists.

From informal processes to documented governance

The early years of FATCA and CRS tolerated a degree of informality in how institutions managed their obligations. Spreadsheet-based reporting, undocumented classification decisions, and processes that existed in practice but not on paper were commonplace, and regulators were focused on achieving basic compliance rather than scrutinising how it was achieved.

That tolerance has been withdrawn. Regulators now expect financial institutions to maintain written policies and procedures that are proportionate to their business model, tailored to their specific classification and reporting obligations, and demonstrably applied in practice on a consistent basis. Documentation is no longer a formality that sits alongside the real work of compliance. It is itself a compliance requirement, and its absence is treated as a governance failure rather than an administrative gap.

The shift extends to how decisions are made and recorded. Classification decisions, due diligence determinations, and responses to changes in circumstance are now expected to be supported by documented rationale and verifiable evidence. An institution that can produce a return but cannot reconstruct the decisions behind it is not, in the eyes of most regulators, compliant.

From administrative function to board-level responsibility

The governance expectations around FATCA and CRS have risen significantly. What was once treated as an operational compliance matter, managed by a team and reported upward only when something went wrong, is now framed as a board-level responsibility. Directors and senior managers are explicitly accountable for the quality and completeness of what is filed, regardless of whether the practical work has been delegated to a service provider or an internal team.

This has direct implications for how oversight is structured. Delegation arrangements that existed primarily as contractual provisions, without meaningful monitoring or challenge, are no longer sufficient. Regulators expect institutions to exercise genuine oversight over any third party performing FATCA or CRS functions, and to be able to demonstrate that oversight through documented review, challenge, and escalation where deficiencies are identified. The responsibility cannot be contracted away, and the filing cannot be signed off without the board having satisfied itself that what is being submitted reflects an adequately governed process.

From filing to data quality

One of the most significant shifts in regulatory focus over the past five years has been the move from assessing whether institutions are filing to assessing what they are filing. The question regulators are increasingly asking is not whether a return was submitted on time, but whether the data in it is accurate, complete, and properly documented.

This has placed data quality at the centre of the compliance conversation in a way that was not the case in the early years of the framework. Tax identification numbers, self-certification currency, classification methodology, and the treatment of changes in circumstance are all active areas of supervisory scrutiny. Regulators are using the data they receive to identify inconsistencies, year-on-year anomalies, and patterns that suggest systemic rather than isolated errors. Institutions that have treated reporting as a mechanical exercise, processing what is in the system without applying critical judgment to whether it is correct, are increasingly exposed.

From parallel frameworks to integrated scrutiny

FATCA and CRS have always existed alongside AML and KYC obligations, but for much of their history the two sets of frameworks were managed in parallel rather than in an integrated way. AML teams identified ultimate beneficial owners (UBOs). Automatic exchange of information (AEOI) teams identified controlling persons. The two exercises used different definitions, produced different outputs, and were rarely cross-referenced.

Regulators have identified this disconnect as a source of error and a supervisory risk, and they are addressing it in two ways. First, guidance in multiple jurisdictions now explicitly requires institutions to cross-reference AML and AEOI information, to apply the reason-to-know standard when information in the AML file contradicts a self-certification, and to treat inconsistencies between the two frameworks as triggers for further review rather than administrative anomalies to be set aside.

Second, and perhaps more significantly, AML supervisory authorities and tax authorities are increasingly coordinating their activities and sharing information with each other. The days when a finding from an AML review had no implications for an institution's AEOI compliance posture, and vice versa, are ending. Memoranda of understanding between supervisory bodies in multiple jurisdictions have formalised this cooperation, and institutions should expect that a weakness identified in one supervisory context will be visible in another.

From theoretical to enforced: data protection

The intersection of FATCA and CRS with data protection obligations has always existed in principle. In practice, it was treated as a secondary consideration by most institutions, particularly in the early years when regulators were focused on achieving basic reporting coverage rather than scrutinising the processes surrounding it.

That has changed. The obligation to inform individuals that their data will be collected and potentially disclosed to foreign tax authorities now arises at the point of data collection, not at the point of reporting, and several jurisdictions have introduced specific penalty regimes for failures in this area. The pre-reporting notification obligation, which gives individuals sufficient time to exercise their rights before their data is transmitted, is now an active compliance requirement rather than a theoretical one. And over-reporting, meaning the disclosure of data relating to individuals who are not in fact reportable, is increasingly recognised as not merely an AEOI error but a data protection breach, with its own regulatory and reputational consequences.

Enhanced expectations for higher-risk categories

The past five years have also seen the emergence of specific procedural requirements for categories of account holder that were previously treated under the standard due diligence framework. Citizenship-by-Investment and Residency-by-Investment programme participants, dual tax residents, and account holders whose documentation raises questions about the accuracy of their declared tax residency are now subject to enhanced scrutiny requirements that are explicitly set out in guidance across multiple jurisdictions. These are not discretionary enhancements. They are expected as a baseline for institutions with any meaningful exposure to these categories.

What this means for institutions in 2026

The cumulative effect of these developments is that the standard expected of a FATCA and CRS compliant institution in 2026 is materially higher than it was in 2021, and substantially higher than it was when most institutions first implemented the frameworks. Procedures that were adequate at the time they were written may now be incomplete, outdated, or misaligned with current regulatory expectations in ways that are not immediately visible but will become apparent when a regulator looks closely.

The question for any institution is not whether things have changed. They have, consistently and across every relevant jurisdiction. The question is whether the institution has kept pace, and whether its documentation, governance, and operational practice reflect where the standard now sits rather than where it was when the procedures were last updated.
