Your client is a mid-sized Dutch bank with 14,000 retail accounts. The compliance team tells you their FATCA and CRS classification and reporting is “fully automated.” You ask to see the logic rules in the system. Self-certification collection rate: 74%. The remaining 26% of accounts have either no self-certification on file or one that expired more than two years ago. That 26% is your audit problem, and the bank may not realise it has one.
FATCA and CRS audit procedures require you to evaluate whether a financial institution (FI) has correctly identified reportable accounts through due diligence, applied the correct classification to account holders and controlling persons, and reported accurate information to the local tax authority. The file should tell a story: for each reportable account, there must be documentary evidence supporting each classification and reporting decision.
Key Takeaways
- How to test FATCA due diligence procedures against the requirements in Annex I of the applicable Intergovernmental Agreement (IGA) and the parallel CRS due diligence requirements in Sections II-VII of the CRS Standard
- What documentary evidence a financial institution must hold under CRS Section VI.D and FATCA IGA Annex I.VI to support each account classification
- How to evaluate the completeness of reporting to the local tax authority under CRS Section I and FATCA IGA Article 2
- When to involve a tax specialist under ISA 620.7 for cross-border classification questions involving entities with complex ownership structures
Contents
- Why FATCA and CRS create audit risk at financial institutions
- FATCA due diligence: what the IGA requires and what auditors test
- CRS due diligence: the parallel framework with wider scope
- Self-certification gaps: the single biggest compliance failure
- Reporting completeness and accuracy
- Entity classification: the area most likely to be wrong
- Worked example: Linden Bank N.V.
- Practical checklist for your next FATCA/CRS engagement
- Common mistakes
- Related content
Why FATCA and CRS create audit risk at financial institutions
FATCA (the U.S. Foreign Account Tax Compliance Act, enacted in 2010, effective from 2014) and CRS (the OECD Common Reporting Standard, with first exchanges in 2017) impose due diligence and reporting obligations on FIs worldwide. A Dutch bank, insurer, or investment fund must identify accounts held by U.S. persons (under FATCA) and by tax residents of any CRS-participating jurisdiction (under CRS), then report those accounts annually to the Belastingdienst, which exchanges the information with the relevant foreign tax authorities.
Audit risk here sits not in the reporting itself (which is a data transmission exercise) but in the due diligence that precedes it. If the institution’s due diligence is incomplete or incorrect, the reporting will be incomplete or incorrect, and the FI faces penalties under both local law and the applicable intergovernmental agreement (IGA). In the Netherlands, the Wet op de internationale bijstandsverlening (WIB) implements both FATCA (via the Netherlands-U.S. IGA) and CRS, with penalties for non-compliance administered by the Belastingdienst.
For auditors, the question under ISA 250.13 is whether non-compliance with FATCA or CRS has a material effect on the financial statements. Direct penalties are one route to materiality. The other is operational: an FI that loses its FATCA-compliant status faces 30% withholding on all U.S.-source payments. For a bank with a U.S. correspondent banking relationship, that can be existentially damaging. ISA 250.A6 requires you to consider the potential financial consequences of non-compliance, not just the current penalty exposure.
FATCA due diligence: what the IGA requires and what auditors test
The Netherlands operates under a Model 1 IGA with the United States. Under a Model 1 IGA, the FI reports to the Belastingdienst, which then exchanges information with the U.S. Internal Revenue Service (IRS). Due diligence procedures the institution must follow are set out in Annex I of the IGA.
Annex I divides accounts into pre-existing and new, and further into individual and entity accounts. Each category has different due diligence requirements. Pre-existing individual accounts below a de minimis threshold ($50,000 for depository accounts) may be excluded from review. Pre-existing individual accounts above $1,000,000 require an enhanced review that includes a relationship manager inquiry. New individual accounts require a self-certification at account opening.
Your audit procedure for FATCA due diligence follows the structure of Annex I. For a sample of accounts in each category, you verify that the institution applied the correct procedure. For new accounts: was a self-certification obtained at or before account opening? Does it include the account holder’s name, address, jurisdiction of residence, and taxpayer identification number (TIN)? Is the self-certification consistent with the other information the institution holds (the “reasonableness test” under Annex I, Section III.B)?
For pre-existing accounts: did the institution perform an electronic records search for U.S. indicia? These are U.S. place of birth, U.S. address, U.S. telephone number, standing instructions to transfer funds to a U.S. account, a power of attorney or signatory authority granted to a person with a U.S. address, and a hold mail or in-care-of address that is the sole address on file. If indicia were found, did the institution either obtain a curing document (such as a W-8BEN or W-9 with a reasonable explanation) or treat the account as reportable?
Those six U.S. indicia are the core of the FATCA electronic search. Your testing should confirm that the institution’s system is programmed to flag all six, not just the most obvious ones. A system that catches U.S. addresses but not U.S. telephone numbers will miss accounts.
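The coverage test described above can be run mechanically: present a screening rule set with one constructed account per indicium and see which of the six it fails to flag. The following is an added example, not the page's or any bank's or vendor's code; the account fields, the rule names and the sample accounts are all constructed for illustration, and the incomplete `screen_obvious_only` rule set stands in for the kind of system the text warns about.

```python
"""Screening a constructed account population for the six U.S. indicia of IGA Annex I,
plus a coverage check that confirms a screening rule set flags every one of them.
Added example, not the bank's or any vendor's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Address:
    country: str               # ISO 3166-1 alpha-2 code, e.g. "US" or "NL"
    kind: str = "residential"  # "residential", "hold_mail" or "in_care_of"


@dataclass
class Account:
    account_id: str
    place_of_birth: str = ""                                   # ISO country code, "" if unknown
    addresses: List[Address] = field(default_factory=list)
    phones: List[str] = field(default_factory=list)            # E.164 strings, e.g. "+12125550100"
    standing_transfer_countries: List[str] = field(default_factory=list)  # destinations of standing instructions
    poa_holder_countries: List[str] = field(default_factory=list)         # address country of POA/signatory holders


# The six indicia named in Annex I, in the order the text lists them.
US_INDICIA = (
    "us_place_of_birth",
    "us_address",
    "us_phone",
    "us_standing_instruction",
    "us_poa_or_signatory",
    "sole_hold_mail_or_in_care_of",
)


def screen_full(acct: Account) -> Set[str]:
    """Reference rule set: one rule per indicium."""
    hits: Set[str] = set()
    if acct.place_of_birth == "US":
        hits.add("us_place_of_birth")
    if any(a.country == "US" for a in acct.addresses):
        hits.add("us_address")
    # +1 is the North American Numbering Plan, shared with Canada and parts of the
    # Caribbean, which is why a hit is an indicium to be cured, not a determination.
    if any(p.startswith("+1") for p in acct.phones):
        hits.add("us_phone")
    if "US" in acct.standing_transfer_countries:
        hits.add("us_standing_instruction")
    if "US" in acct.poa_holder_countries:
        hits.add("us_poa_or_signatory")
    # A hold-mail or in-care-of address is an indicium only when it is the sole address on file.
    if acct.addresses and all(a.kind in ("hold_mail", "in_care_of") for a in acct.addresses):
        hits.add("sole_hold_mail_or_in_care_of")
    return hits


def screen_obvious_only(acct: Account) -> Set[str]:
    """Hypothetical incomplete rule set of the kind the text warns about: birth place and address only."""
    hits: Set[str] = set()
    if acct.place_of_birth == "US":
        hits.add("us_place_of_birth")
    if any(a.country == "US" for a in acct.addresses):
        hits.add("us_address")
    return hits


def single_indicium_fixtures() -> Dict[str, Account]:
    """Constructed test accounts, each showing exactly one indicium and a non-U.S. profile otherwise."""
    nl = [Address("NL")]
    return {
        "us_place_of_birth": Account("FIX-1", place_of_birth="US", addresses=nl),
        "us_address": Account("FIX-2", place_of_birth="NL", addresses=[Address("US")]),
        "us_phone": Account("FIX-3", place_of_birth="NL", addresses=nl, phones=["+12125550100"]),
        "us_standing_instruction": Account("FIX-4", place_of_birth="NL", addresses=nl,
                                           standing_transfer_countries=["US"]),
        "us_poa_or_signatory": Account("FIX-5", place_of_birth="NL", addresses=nl,
                                       poa_holder_countries=["US"]),
        "sole_hold_mail_or_in_care_of": Account("FIX-6", place_of_birth="NL",
                                                addresses=[Address("NL", "hold_mail")]),
    }


def uncovered_indicia(screen: Callable[[Account], Set[str]]) -> List[str]:
    """Audit check: which of the six indicia does a rule set fail to flag when presented alone?"""
    return [name for name, acct in single_indicium_fixtures().items() if name not in screen(acct)]


def flagged_accounts(accounts: List[Account], screen: Callable[[Account], Set[str]]) -> Dict[str, Set[str]]:
    """Run a rule set over a population; any hit needs a curing document or reportable treatment."""
    return {a.account_id: hits for a in accounts if (hits := screen(a))}


# Constructed sample population: one clean Dutch account, one with a +1 phone and a U.S.
# standing instruction, one whose only address is an in-care-of address.
SAMPLE_POPULATION = [
    Account("ACC-2001", place_of_birth="NL", addresses=[Address("NL")], phones=["+31201234567"]),
    Account("ACC-2002", place_of_birth="NL", addresses=[Address("NL")], phones=["+14155550199"],
            standing_transfer_countries=["US"]),
    Account("ACC-2003", place_of_birth="NL", addresses=[Address("DE", "in_care_of")]),
]

if __name__ == "__main__":
    print("uncovered by full rule set:", uncovered_indicia(screen_full))
    print("uncovered by obvious-only rule set:", uncovered_indicia(screen_obvious_only))
    print("flagged (full):", flagged_accounts(SAMPLE_POPULATION, screen_full))
    print("flagged (obvious only):", flagged_accounts(SAMPLE_POPULATION, screen_obvious_only))
```

On the sample population the obvious-only rule set flags nothing, while the full rule set flags ACC-2002 (phone and standing instruction) and ACC-2003 (sole in-care-of address). The fixture-per-indicium approach is the point: ask the institution to run the same six single-indicium test records through its production rules and show you that each one is flagged.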
CRS due diligence: the parallel framework with wider scope
CRS follows a similar structure to FATCA but with two important differences that affect your audit approach. First, CRS has no de minimis threshold for individual accounts (CRS Section III.A). Every account held by a non-resident individual is reportable, regardless of balance. Second, CRS requires reporting on accounts held by tax residents of any participating jurisdiction, not just one country. A single account holder who is tax resident in both France and Italy generates two reporting obligations.
Due diligence procedures are in Sections II through VII of the CRS Standard. For new individual accounts, CRS Section IV requires a self-certification that includes the account holder’s jurisdiction(s) of tax residence and TIN for each jurisdiction. For pre-existing accounts, the institution performs an electronic records search and, for high-value accounts ($1,000,000 or more), a paper records search and a relationship manager inquiry (CRS Section III.C).
CRS’s wider scope creates a specific audit risk: multi-jurisdiction tax residence. An account holder with dual French-Italian tax residence must have both jurisdictions recorded and reported. Your test is to select a sample of accounts where the self-certification indicates residence in more than one jurisdiction and verify that the institution reported to each jurisdiction separately.
For entity accounts, CRS Section V requires the institution to determine whether the entity is a Reportable Person, a passive Non-Financial Entity (NFE) with controlling persons who are Reportable Persons, or an Active NFE (which is not reportable). In my experience, the classification of passive versus active NFE is the most error-prone area in CRS compliance. Your testing should include a sample of entities classified as Active NFE, verifying that the classification is supported by evidence (financial statements showing that less than 50% of income is passive income and less than 50% of assets are held for producing passive income, per CRS Section VIII.D.9).
Self-certification gaps: the single biggest compliance failure
Incomplete self-certification is the most common finding in FATCA and CRS audits. The institution opened accounts, collected some self-certifications, but has gaps. For new accounts opened after the CRS effective date (1 January 2016 in most jurisdictions), self-certification is mandatory at account opening (CRS Section IV.A). An account opened without one is non-compliant from day one.
For pre-existing accounts, the institution was required to complete due diligence within a specified timeframe (generally two years from the CRS effective date for lower-value accounts). If that window has passed and accounts still lack documentation, the institution has a backlog of non-compliant accounts.
Your procedure: request the institution’s self-certification completion rate by account category (new individual, pre-existing individual, new entity, pre-existing entity). For any category below 100% for new accounts, select a sample of accounts without self-certifications and evaluate the institution’s remediation process. Is the FI actively pursuing missing certifications? Is it treating undocumented accounts as reportable (as CRS Section III.C.6 requires for pre-existing accounts that remain undocumented after the due diligence period)?
Penalty exposure varies by jurisdiction. In the Netherlands, the WIB authorises administrative penalties for failure to comply with due diligence and reporting obligations. Quantify the population of non-compliant accounts and assess whether the potential penalty exposure (combined with any operational consequences) is material under ISA 250.A6. If 26% of accounts lack valid self-certifications, the institution’s compliance programme has a systemic weakness that may require disclosure.
Reporting completeness and accuracy
Reporting requires the institution to file an annual return with the Belastingdienst containing specified data elements for each reportable account. For CRS, these elements are listed in CRS Section I and include: name, address, jurisdiction of residence, and TIN of each reportable person; account number; account balance or value at year-end (or at closure); and total gross amounts of interest, dividends, other income, and gross proceeds credited during the calendar year.
Your audit procedure for reporting completeness has two components. First, verify that every account the institution identified as reportable during due diligence was included in the reporting file submitted to the Belastingdienst. Second, for a sample of reported accounts, verify that the data elements in the report match the institution’s underlying records. Common errors include a blank TIN field (because the institution collected the jurisdiction of residence but not the TIN), an account balance reflecting the average rather than the year-end figure, an incorrect income categorisation (gross proceeds reported as interest), and a jurisdiction code that does not match the self-certification.
Obtain the XML reporting file the institution submitted and reconcile the total number of reported accounts against its internal reportable account register. Any difference requires investigation. Reconcile aggregate balances in the file to the institution’s general ledger or sub-ledger totals for the relevant account population.
For the distinction between TIN validation and TIN collection, see the ciferi glossary entry on CRS reporting.
Entity classification: the area most likely to be wrong
Entity accounts present the highest classification risk under both FATCA and CRS. Under FATCA, the institution must determine whether an entity is a Financial Institution, an Active NFFE (Non-Financial Foreign Entity), a Passive NFFE, an Exempt Beneficial Owner, or a Direct Reporting NFFE. Under CRS, the equivalent classifications are Financial Institution, Active NFE, Passive NFE, and various excluded categories.
Classification determines the reporting obligation. A Passive NFE with controlling persons who are Reportable Persons is reportable: the institution must look through to the natural persons who control the entity and report their details. An Active NFE is not reportable (though the entity itself may still be reportable if it is a Reportable Person in its own right).
By far the most common classification error is treating a Passive NFE as an Active NFE. This happens when the institution accepts a self-certification stating “Active NFE” without verifying the underlying conditions. Your test: select a sample of entities classified as Active NFE and request the supporting evidence. Check the “less than 50% passive income” condition (CRS Section VIII.D.9) by requesting the entity’s income statement. For the “publicly traded” exemption, verify the listing. Governmental entity or international organisation classifications require verification of the legal basis.
Where entity structures involve multiple layers (a holding company owning an operating subsidiary owning a property SPV), the controlling person determination requires looking through each layer. ISA 620.7 applies here: if the structure involves offshore jurisdictions, trust arrangements, or nominee shareholders, you will likely need a tax specialist to evaluate whether the institution’s classification is correct. Document the ISA 620.9 evaluation if you engage one.
Controlling person identification is distinct from the UBO determination under anti-money laundering (AML) rules, though they often produce the same result. Under CRS Section VIII.D.6, a controlling person is the natural person exercising control, determined in a manner consistent with the FATF Recommendations. For a corporate entity, this typically means the natural person holding more than 25% of ownership interests. For a trust, it means the settlor, trustees, protector, and beneficiaries. If the institution has misidentified the controlling persons, the reporting is incomplete even if the entity classification is correct.
Use the ciferi Transfer Pricing Calculator for related entity analysis when the account holder is part of a multinational group.
Worked example: Linden Bank N.V.
Client profile: Linden Bank N.V. is a mid-sized Dutch retail and commercial bank. Total assets: €2.8 billion. It holds 22,000 individual accounts and 3,400 entity accounts. Revenue: €94M. The bank reports under both FATCA (Netherlands-U.S. Model 1 IGA) and CRS. Its compliance department has four staff members dedicated to FATCA/CRS.
Assess the compliance framework under ISA 250.13
Linden Bank’s FATCA/CRS compliance is managed through an automated system (a third-party regulatory reporting platform) that flags accounts based on self-certification data and electronic indicia searches. The bank performs annual reviews of high-value pre-existing accounts. You evaluate: does the system cover all required due diligence procedures for each account category? Request the system specification document and compare the logic rules against Annex I of the IGA (for FATCA) and Sections II-VII of the CRS Standard.
Documentation note: record the compliance system name and version, the date of the last system update, the comparison of system logic to IGA Annex I and CRS Section requirements, and any gaps identified.
Test self-certification completeness
Request the bank’s self-certification completion report. Results: new individual accounts (opened after 1 January 2016): 96% have valid self-certifications on file. New entity accounts: 88%. Pre-existing individual accounts: 79%. Pre-existing entity accounts: 71%.
Procedure for the 4% gap on new individual accounts: select 25 accounts from the 880 (4% of approximately 22,000) without self-certifications. For each, determine: when was the account opened? Was a self-certification requested? Why is it missing? In 18 of 25 cases, the account was opened through a digital onboarding channel that collected the self-certification, but a system error prevented it from being stored in the compliance database. The data exists in the onboarding system but was not migrated. This is a system integration deficiency, not a due diligence failure. But the compliance database is the system of record for reporting purposes, and until the data is migrated, these accounts are functionally undocumented.
Documentation note: record the self-certification rates by category, the sample selected, the root cause analysis for each gap category, and the estimated remediation timeline provided by the bank.
Test entity classification for the commercial portfolio
Select 30 entities from the 3,400 entity accounts. Focus the sample on entities classified as Active NFE (the classification that results in no look-through reporting). Of the 30, request the supporting evidence for the Active NFE classification.
Results: 22 entities have income statements on file showing less than 50% passive income. Four are classified as Active NFE based on the “regularly traded” exemption, but the bank holds no evidence of listing status. Two are holding companies with self-certifications stating “Active NFE” despite income statements showing 100% dividend income (passive). Two have no supporting documentation at all.
Those four entities without listing evidence and the two holding companies with 100% passive income are potential misclassifications. If these entities have controlling persons who are Reportable Persons, they should have been reported. Quantify: combined account balances of these six entities total €4.2M. Six misclassified entities out of thirty is a 20% error rate in the sample. That is not a minor data quality issue. Penalty exposure under the WIB and the reputational risk of incorrect reporting to the Belastingdienst are the financial statement considerations.
Documentation note: record the sample, the classification evidence obtained for each entity, the misclassification findings, the estimated penalty exposure, and management’s remediation plan.
Test reporting completeness
Obtain the CRS XML file submitted to the Belastingdienst for the reporting year. Reconcile: the file contains 1,847 reportable individual accounts and 312 reportable entity accounts. Compare against the bank’s internal reportable account register, which shows 1,851 reportable individual accounts. Four accounts appear in the register but not in the reporting file. Investigate: two were closed between the register extraction date and the file submission date (legitimate exclusion). Two were excluded due to a system filter error and should have been reported.
For a sample of 40 reported accounts, verify the data elements: name, address, TIN, account balance at year-end, income amounts. In the sample: two accounts have a blank TIN field. The bank collected the jurisdiction of residence but not the TIN. CRS Section I.A requires the TIN “subject to the availability of the TIN.” The bank must demonstrate it made reasonable efforts to obtain the TIN. Request the correspondence records.
Documentation note: record the reconciliation between the internal register and the submitted file, the investigation of discrepancies, the data element testing results, and the TIN collection deficiency.
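The reconciliation and data element testing described in the "Reporting completeness and accuracy" section and carried out for Linden Bank above can be scripted once the XML file and a register extract are in hand. The following is an added example, not the page's, the bank's or any reporting platform's code. The XML is a deliberately simplified stand-in with constructed element names and values, not the OECD CRS XML schema, and the register extract and ledger total are constructed too; the account numbers, TINs and balances are illustrative.

```python
"""Reconciling a submitted CRS reporting file against the internal reportable-account register
and testing the per-account data elements. Added example with constructed data; the XML below
is a simplified stand-in, not the OECD CRS XML schema or any bank's real file."""
import xml.etree.ElementTree as ET
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed reporting file (simplified element names; real files follow the CRS schema).
SUBMITTED_FILE = """<CrsReport reportingPeriod="2023-12-31">
  <AccountReport>
    <AccountNumber>ACC-1001</AccountNumber>
    <ResCountryCode>FR</ResCountryCode>
    <TIN issuedBy="FR">1234567890123</TIN>
    <AccountBalance currCode="EUR">15230.50</AccountBalance>
  </AccountReport>
  <AccountReport>
    <AccountNumber>ACC-1002</AccountNumber>
    <ResCountryCode>IT</ResCountryCode>
    <TIN issuedBy="IT"></TIN>
    <AccountBalance currCode="EUR">80000.00</AccountBalance>
  </AccountReport>
  <AccountReport>
    <AccountNumber>ACC-1003</AccountNumber>
    <ResCountryCode>DE</ResCountryCode>
    <TIN issuedBy="DE">11223344556</TIN>
    <AccountBalance currCode="EUR">4100.00</AccountBalance>
  </AccountReport>
</CrsReport>"""

# Constructed extract of the internal reportable-account register (the system of record).
REGISTER = [
    {"account": "ACC-1001", "res_country": "FR", "tin": "1234567890123", "year_end_balance": Decimal("15230.50")},
    {"account": "ACC-1002", "res_country": "IT", "tin": "",              "year_end_balance": Decimal("80000.00")},
    {"account": "ACC-1003", "res_country": "BE", "tin": "11223344556",   "year_end_balance": Decimal("4250.00")},
    {"account": "ACC-1004", "res_country": "ES", "tin": "X1234567L",     "year_end_balance": Decimal("2000.00")},
    {"account": "ACC-1005", "res_country": "FR", "tin": "9876543210987", "year_end_balance": Decimal("500.00")},
]
LEDGER_TOTAL = Decimal("99330.50")  # constructed sub-ledger total for the reported population


def parse_report(xml_text: str) -> Dict[str, dict]:
    """Extract the data elements of each AccountReport, keyed by account number."""
    root = ET.fromstring(xml_text)
    report: Dict[str, dict] = {}
    for rep in root.findall("AccountReport"):
        tin = rep.find("TIN")
        report[rep.findtext("AccountNumber")] = {
            "res_country": rep.findtext("ResCountryCode"),
            "tin": (tin.text or "").strip() if tin is not None else "",
            "balance": Decimal(rep.findtext("AccountBalance")),
        }
    return report


def reconcile_population(report: Dict[str, dict], register: List[dict]) -> dict:
    """Count reconciliation: every difference between register and file needs investigation."""
    reg_ids = {r["account"] for r in register}
    file_ids = set(report)
    return {
        "register_count": len(reg_ids),
        "file_count": len(file_ids),
        "in_register_not_in_file": sorted(reg_ids - file_ids),
        "in_file_not_in_register": sorted(file_ids - reg_ids),
    }


def check_data_elements(report: Dict[str, dict], register: List[dict]) -> List[Tuple[str, str]]:
    """Per-account test of TIN, jurisdiction code and year-end balance against the register."""
    by_id = {r["account"]: r for r in register}
    findings: List[Tuple[str, str]] = []
    for acct, rep in report.items():
        src = by_id.get(acct)
        if src is None:
            continue  # already surfaced by reconcile_population
        if not rep["tin"]:
            findings.append((acct, "blank TIN"))  # follow up with the reasonable-efforts correspondence
        if rep["res_country"] != src["res_country"]:
            findings.append((acct, "jurisdiction mismatch"))
        if rep["balance"] != src["year_end_balance"]:
            findings.append((acct, "balance mismatch"))
    return findings


def aggregate_balance_difference(report: Dict[str, dict], ledger_total: Decimal) -> Decimal:
    """Sum of reported balances minus the ledger total; non-zero means population or values disagree."""
    return sum((r["balance"] for r in report.values()), Decimal("0")) - ledger_total


if __name__ == "__main__":
    report = parse_report(SUBMITTED_FILE)
    print(reconcile_population(report, REGISTER))
    for finding in check_data_elements(report, REGISTER):
        print(finding)
    print("balance difference vs ledger:", aggregate_balance_difference(report, LEDGER_TOTAL))
```

On the constructed data the count reconciliation shows two register accounts absent from the file, and the element test shows one blank TIN and one account whose jurisdiction code and balance both disagree with the register. Balances are held as Decimal rather than float so that the aggregate comparison against the ledger is exact.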
Practical checklist for your next FATCA/CRS engagement
Common mistakes
- Testing FATCA and CRS due diligence as a single combined process without recognising the structural differences. FATCA has de minimis thresholds and targets only U.S. persons. CRS has no de minimis and covers all non-resident account holders. An account that passes FATCA due diligence may still fail CRS due diligence, and vice versa.
- Accepting an entity’s self-certification of “Active NFE” without verifying the underlying income and asset composition. The AFM has flagged insufficient verification of entity classifications in its supervisory communications to banks, noting that reliance on self-certifications alone does not satisfy the due diligence standard.
- Failing to test whether the institution’s automated system captures all required indicia. Systems that search for U.S. addresses but omit U.S. telephone numbers, standing transfer instructions to U.S. accounts, or powers of attorney with U.S. addresses will systematically miss reportable accounts.
- Treating the reporting file as a black box. If you reconcile only the total account count but do not test individual data elements (TIN, year-end balance, income categorisation, jurisdiction code), you will miss the most common reporting errors.
Related content
- Glossary: CRS reporting obligations for the full framework of data elements and filing deadlines
- Transfer Pricing Calculator for related entity analysis when FATCA/CRS account holders are part of multinational structures
Frequently asked questions
What is the difference between FATCA and CRS due diligence?
FATCA targets only U.S. persons and has de minimis thresholds (e.g., $50,000 for depository accounts). CRS has no de minimis threshold for individual accounts and covers tax residents of any participating jurisdiction. A single account holder with dual tax residence generates two CRS reporting obligations. An account that passes FATCA due diligence may still fail CRS due diligence, and vice versa.
What is the most common compliance failure in FATCA and CRS audits?
Incomplete self-certification is the most common finding. For new accounts opened after the CRS effective date, a self-certification is mandatory at account opening. An account opened without one is non-compliant from day one. For pre-existing accounts, institutions were required to complete due diligence within a specified timeframe. If that window has passed and accounts still lack documentation, the institution has a backlog of non-compliant accounts.
How do you test entity classification under CRS?
Select a sample of entities classified as Active NFE and request supporting evidence. Check the “less than 50% passive income” condition (CRS Section VIII.D.9) by requesting the entity’s income statement. For the “publicly traded” exemption, verify the listing. Do not accept the self-certification alone without corroborating the underlying conditions. The most common error is treating a Passive NFE as an Active NFE.
What are the six U.S. indicia under FATCA?
The six U.S. indicia are: U.S. place of birth, U.S. address, U.S. telephone number, standing instructions to transfer funds to a U.S. account, a power of attorney or signatory authority granted to a person with a U.S. address, and a hold mail or in-care-of address that is the sole address on file. The institution’s system must be programmed to flag all six, not just the most obvious ones.
Can FATCA or CRS non-compliance have a material financial statement impact?
Yes. Under ISA 250.A6, the auditor must consider potential financial consequences of non-compliance. Direct penalties under local law (such as the Dutch WIB) are one route to materiality. The other is operational: a financial institution that loses its FATCA-compliant status faces 30% withholding on all U.S.-source payments, which for a bank with a U.S. correspondent banking relationship could be operationally devastating.
Further reading and sources
- FATCA, U.S. Foreign Account Tax Compliance Act: Intergovernmental Agreement Annex I on due diligence procedures.
- CRS, OECD Common Reporting Standard: Sections I–VIII on due diligence, reporting, and entity classification.
- ISA 250, Consideration of Laws and Regulations in an Audit of Financial Statements: paragraphs 13–14 on non-compliance assessment.
- Wet op de internationale bijstandsverlening (WIB): Dutch implementation of FATCA and CRS reporting obligations.
- ISA 620, Using the Work of an Auditor’s Expert: paragraphs 7–12 on evaluating specialists for cross-border tax classification.