Canada — Supervision & Enforcement (FATCA, CRS/AEOI & QI)

Last updated: 24 Nov 2025

Who checks what? Canada Revenue Agency (CRA) for FATCA/CRS reporting, OSFI for prudential supervision and governance, FINTRAC for AML/ATF, and the IRS for the QI regime – high-level overview of review focus areas, measures, typical findings and sanction risks for Canadian financial institutions.

1) Who supervises what in Canada?

| Authority / Body | Primary Focus | Examples of Review Areas |
|---|---|---|
| Canada Revenue Agency (CRA) | FATCA (Part XVIII) & CRS/AEOI (Part XIX) reporting | Accuracy and completeness of Part XVIII/XIX information returns (slips & summaries), due diligence procedures, US TIN / foreign TIN collection, reasonableness of self-certifications, consistency between account classification and reporting, timeliness of filing and corrections. |
| OSFI (federally regulated FIs) | Prudential supervision, governance, risk management | Board and senior management oversight of regulatory and tax compliance, roles and accountabilities, internal control framework, integration of FATCA/CRS/QI into risk management, outsourcing / third-party risk management, IT and data architecture supporting reporting. |
| FINTRAC | AML/ATF compliance and reporting | KYC/CDD processes, ongoing monitoring, beneficial ownership identification, politically exposed persons, suspicious and large transaction reporting, sanctions-related monitoring, adequacy of AML controls and training, remediation of previously identified deficiencies. |
| IRS | QI regime & FATCA (US perspective) | QI Agreement compliance, W-8/W-9 documentation and “reason-to-know” standards, withholding and reporting on Forms 1042/1042-S, FATCA obligations under the IGA, periodic certifications and reviews, remediation of material failures. |

2) Possible measures and responses

  • CRA (FATCA/CRS): Desk and on-site audits of Part XVIII/XIX compliance; written observations and requests for corrective actions; requirement to file amended information returns; administrative penalties for late filing or failure to file Part XVIII/XIX information returns; interest on unpaid amounts.
  • OSFI: Supervisory letters and findings, requirements for remediation plans and progress reporting, additional capital or liquidity expectations where control weaknesses are significant, restrictions on business activities in serious cases.
  • FINTRAC: Compliance examinations, detailed remediation expectations, administrative monetary penalties (AMPs) for non-compliance with the PCMLTFA and regulations, public naming of entities subject to AMPs, and – under recent reforms – potentially higher penalties and mandatory compliance agreements.
  • IRS (QI/FATCA): Remediation obligations (e.g. curing documentation, re-performing withholding, error corrections in reporting), expansion of sample reviews, periodic review findings impacting Responsible Officer certifications; in severe or persistent cases, risk of QI Agreement termination or non-compliant FATCA status with associated 30% withholding exposure on US-source payments.

3) Typical findings (examples)

  • TIN and documentation gaps: Missing or invalid US TINs or foreign TINs, incomplete or outdated self-certifications, no robust follow-up or remediation process.
  • Misclassification of accounts: Inaccurate classification of entities (e.g. financial institution vs. active NFE), incorrect residence or tax status, inconsistencies between onboarding/KYC data and FATCA/CRS reporting.
  • Data inconsistencies between customer master data, AML/KYC systems, FATCA/CRS reporting files and QI documentation; lack of end-to-end data lineage and reconciliations.
  • Weak governance and control design: No clear ownership for cross-border tax reporting, insufficient three-lines-of-defence model, limited management information (MI) on error rates and findings, missing or outdated policies and procedures for FATCA/CRS/QI.
  • Technical and process issues: Schema or business-rule errors in FATCA/CRS filings, inadequate testing prior to submission, delayed corrections, manual workarounds without proper controls.
  • QI-specific weaknesses: Sample reviews revealing under-withholding or over-reliance on undocumented accounts, insufficient evidence of “reason-to-know” reviews, late or incomplete Forms 1042/1042-S, remediation steps not documented in a way that supports the Responsible Officer certification.

4) Sanction risks (high-level)

  • Canadian tax / reporting penalties: Administrative penalties for late or missing Part XVIII/XIX information returns, interest charges, and – in extreme cases – potential criminal consequences for deliberate non-compliance.
  • Prudential and AML/ATF consequences: OSFI findings impacting the overall supervisory rating; FINTRAC AMPs that can reach into the multi-million Canadian dollar range for serious or repeated violations, publication of penalties and more intensive follow-up examinations.
  • US-side risks (QI/FATCA): Risk of 30% US withholding on US-source payments if a Canadian FI were treated as non-compliant under FATCA; QI-specific sanctions such as restrictions, additional reporting requirements or even termination of QI status impacting access to US markets and clients.
  • Reputational risk: Public AMPs and supervisory communications, combined with client notifications and media coverage, can impact trust in the institution’s control environment and governance.

5) Prevention & remediation

Preventive measures

  • Maintain an integrated compliance plan for FATCA, CRS and QI that aligns with broader OSFI and FINTRAC expectations, including clear milestones and owners.
  • Document data lineage and mappings from source systems to FATCA/CRS reports; implement reconciliations and test submissions where possible.
  • Operate periodic TIN, GIIN and status controls (e.g. checks against IRS lists, validation of self-certifications, proactive client outreach).
  • Align KYC/AML and tax documentation processes so that one onboarding process consistently supports FINTRAC, CRA and IRS requirements.
  • Provide regular training for Front Office, Operations, Tax, Compliance and IT, including lessons learned from internal testing and external findings.

When findings occur

  • Perform a rapid root-cause analysis and define a remediation plan with priorities, responsibilities and realistic timelines.
  • Ensure a clear audit trail for each issue (identification → analysis → fix → re-test → closure), including evidence for supervisors.
  • Reconcile KYC/AML ↔ FATCA/CRS ↔ QI data to restore consistency and prevent repeat issues in future reporting cycles.
  • Consider independent reviews (internal audit or external advisers) to test key controls and support Responsible Officer and senior management attestations.

Disclaimer: Specific supervisory expectations, penalties and measures depend on the facts of each case. The applicable Canadian legislation, CRA/OSFI/FINTRAC guidance and – for QI/FATCA – current IRS requirements are decisive. Institutions should monitor updates and, where appropriate, seek professional advice.