Australia — Supervision & Enforcement (FATCA, CRS/AEOI & QI)

Last updated: 24 Nov 2025

Who checks what? Australian Taxation Office (ATO) for FATCA/CRS reporting, APRA for prudential supervision and governance, AUSTRAC for AML/CTF compliance, and the IRS for the QI regime – a high-level overview of review focus areas, measures, typical findings and sanction risks for Australian banks and other financial institutions.

1) Who supervises what in Australia?

Authority / Body | Primary Focus | Examples of Review Areas
Australian Taxation Office (ATO) | FATCA & CRS/AEOI reporting | Registration and classification of reporting financial institutions, application of the FATCA IGA and CRS rules, accuracy and completeness of XML reports, US TIN and foreign TIN collection, self-certification processes, consistency between account classification and reporting, filing deadlines and corrections.
APRA (for APRA-regulated FIs) | Prudential supervision, governance & risk management | Board and senior management oversight of regulatory and tax reporting, integration of FATCA/CRS/QI risks into the broader risk management framework (e.g. CPS 220), governance arrangements (e.g. CPS 510), internal control design, issues management, outsourcing and third-party risk.
AUSTRAC | AML/CTF compliance | Design and implementation of AML/CTF programs, customer due diligence and ongoing monitoring, beneficial ownership and politically exposed persons, transaction monitoring, suspicious matter and threshold transaction reporting, sanctions screening, follow-up of previous findings and remediation effectiveness.
IRS | QI regime & FATCA (US perspective) | Compliance with the QI Agreement, quality of W-8/W-9 documentation and “reason-to-know” reviews, withholding and reporting on Forms 1042/1042-S, FATCA obligations under the US–Australia IGA, periodic certifications and reviews, adequacy of remediation for material failures.

2) Possible measures and supervisory responses

  • ATO (FATCA/CRS): Desk and field reviews of FATCA/CRS implementation, written queries and information requests, requirements to correct or re-file reports, administrative penalties and interest for late or missing information returns or false and misleading statements, as well as closer ongoing monitoring of high-risk reporters.
  • APRA: Supervisory findings and recommendations, requirements for formal remediation plans, increased supervisory intensity, conditions on licences or approvals, and – in serious cases – restrictions on activities where weaknesses in governance or risk management frameworks are material and persistent.
  • AUSTRAC: Compliance assessments, enforceable undertakings, remedial directions and infringement notices, as well as civil penalty proceedings before the Federal Court that can result in very substantial AML/CTF penalties; AUSTRAC may also publicly name entities subject to enforcement action.
  • IRS (QI/FATCA): Remedial obligations (e.g. curing documentation, re-withholding and re-reporting), extended sample reviews, additional reporting requirements and, in severe cases, the risk of QI Agreement termination or non-participating FATCA status with associated 30% withholding exposure on certain US-source payments.

3) Typical findings (examples)

  • Documentation and TIN gaps: Missing or invalid US or foreign TINs, incomplete or out-of-date self-certifications, missing evidence of reasonable efforts to obtain required information, weak remediation processes for “undocumented” accounts.
  • Incorrect account classification: Mis-classification of entities (financial institution vs. active/passive NFE), incorrect residence or tax status, inconsistent application of indicia and cure procedures, misalignment between onboarding/KYC records and FATCA/CRS reporting.
  • Data and system inconsistencies: Breaks between customer master data, AML/CTF systems, FATCA/CRS reporting feeds and QI documentation; lack of reconciliations, unclear data ownership, limited documentation of data lineage.
  • Governance and control weaknesses: No single point of accountability for cross-border tax reporting, insufficient three-lines-of-defence structure, limited management reporting on error rates, overdue remediation actions, policies that do not reflect current ATO, AUSTRAC or IRS guidance.
  • Process and technical issues: Errors in FATCA/CRS XML files, failure to follow ATO technical specifications, late or missing submissions, manual workarounds with limited control evidence, ineffective change-management around system updates.
  • QI-specific deficiencies: Sample reviews identifying under-withholding, insufficient “reason-to-know” checks for documentation red flags, late or incomplete Forms 1042/1042-S, remediation steps not documented in a way that supports the Responsible Officer’s certifications.

4) Sanction risks (high-level)

  • Australian tax / reporting penalties: Administrative penalties and interest for late lodgement, failure to lodge or incorrect FATCA/CRS information returns, as well as potential criminal consequences for deliberate or fraudulent non-compliance under Australian tax law.
  • Prudential consequences: APRA findings that affect an institution’s overall supervisory assessment, stronger expectations around capital or risk management where control weaknesses are significant, and closer ongoing supervision until remediation is complete.
  • AML/CTF enforcement risk: AUSTRAC civil penalty orders that can reach very high amounts, particularly for systemic breaches (for example in the gambling and banking sectors), enforceable undertakings and public naming, leading to increased scrutiny from other stakeholders.
  • US-side QI/FATCA risks: 30% withholding on relevant US-source payments if a financial institution were treated as non-compliant under FATCA, restrictions or conditions under the QI regime, and – in extreme cases – loss of QI status with significant impact on business with US securities and clients.
  • Reputational impact: Publication of enforcement outcomes, media attention and investor or customer reactions where cross-border tax and AML/CTF issues intersect.

5) Prevention & remediation

Preventive measures

  • Maintain an integrated compliance program for FATCA, CRS and QI aligned with APRA governance and risk management expectations and AUSTRAC AML/CTF requirements.
  • Document and maintain data lineage and mappings from onboarding and customer master data through to FATCA/CRS reports; implement reconciliations, quality controls and test submissions in line with ATO specifications.
  • Operate TIN, GIIN and status validation routines, including checks against IRS lists and reasonableness checks on self-certifications; implement structured client outreach campaigns for missing data.
  • Align KYC/AML and tax onboarding so that one consistent process supports AUSTRAC, ATO and IRS requirements, with clear ownership for ongoing maintenance of client data.
  • Provide regular training for Front Office, Operations, Tax, Compliance, Risk and IT, including case studies from recent AUSTRAC and international enforcement actions.

When findings occur

  • Perform a structured root-cause analysis for each material issue and define a tracked remediation plan with priorities, accountable owners and target dates.
  • Maintain a clear audit trail covering identification, analysis, remediation, re-testing and closure, with documentation that can be shared with ATO, APRA, AUSTRAC and the IRS as needed.
  • Reconcile KYC/AML ↔ FATCA/CRS ↔ QI data sets to re-establish consistency after corrections, and embed improved controls into business-as-usual processes.
  • Use independent reviews (e.g. internal audit or external advisers) to test the effectiveness of enhancements and support senior management and Responsible Officer attestations.
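To make the reconciliation and validation steps concrete (data lineage, reconciliations and TIN/GIIN validation routines under "Preventive measures", and re-establishing KYC/AML ↔ FATCA/CRS consistency under "When findings occur"), the following Python example is added here; it is not code from this page, from any regulator or from any institution. The record layout, the sample accounts and the scope rules (accounts held by financial institutions and domestic accounts are treated as outside the report) are constructed assumptions, and the GIIN and US TIN patterns are simplified format checks, not the full IRS/ATO validation rules. The finding categories mirror the "Typical findings" above so the summary can feed management reporting on error rates.

```python
"""Reconcile a KYC/AML customer master extract against a FATCA/CRS reporting extract."""
import re
from collections import Counter
from dataclasses import dataclass

# Simplified format checks (assumption for this example; production routines
# must apply the full IRS/ATO character and validation rules).
GIIN_RE = re.compile(r"^[A-Z0-9]{6}\.[A-Z0-9]{5}\.[A-Z]{2}\.\d{3}$")  # 19-character GIIN layout
US_TIN_RE = re.compile(r"^\d{9}$")                                    # US TIN: nine digits

# Constructed sample data: what the onboarding/KYC master holds ...
KYC_MASTER = [
    {"account_id": "A-1001", "entity_type": "PassiveNFE", "residence": "NZ", "tin": "123-456-789", "self_cert": True},
    {"account_id": "A-1002", "entity_type": "Individual", "residence": "US", "tin": "123456789", "self_cert": True},
    {"account_id": "A-1003", "entity_type": "Individual", "residence": "JP", "tin": "", "self_cert": False},
    {"account_id": "A-1004", "entity_type": "FI", "residence": "GB", "tin": "", "giin": "ABCDEF.00001.ME.826", "self_cert": True},
    {"account_id": "A-1005", "entity_type": "Individual", "residence": "US", "tin": "12345678", "self_cert": True},
    {"account_id": "A-1006", "entity_type": "FI", "residence": "SG", "tin": "", "giin": "ABCDEF.0001.ME.826", "self_cert": True},
    {"account_id": "A-1007", "entity_type": "Individual", "residence": "FR", "tin": "FR0001", "self_cert": True},
]
# ... and what the FATCA/CRS reporting feed produced for the same period.
REPORT_EXTRACT = [
    {"account_id": "A-1001", "classification": "ActiveNFE", "residence": "NZ", "tin": "123456789"},
    {"account_id": "A-1002", "classification": "Individual", "residence": "US", "tin": "123456789"},
    {"account_id": "A-1003", "classification": "Individual", "residence": "JP", "tin": ""},
    {"account_id": "A-1005", "classification": "Individual", "residence": "CA", "tin": "12345678"},
    {"account_id": "A-1009", "classification": "Individual", "residence": "DE", "tin": "X"},
]


@dataclass(frozen=True)
class Finding:
    account_id: str
    category: str
    detail: str


def reconcile(master, report):
    """Return a list of Findings from comparing the KYC master with the report extract."""
    findings = []
    report_by_id = {r["account_id"]: r for r in report}
    matched = set()
    for m in master:
        acc = m["account_id"]
        if m["entity_type"] == "FI":
            # Counterparty FIs: validate the GIIN layout; assumed not in scope of this report.
            giin = m.get("giin", "")
            if not GIIN_RE.match(giin):
                findings.append(Finding(acc, "giin_format", f"GIIN {giin!r} does not match the 19-character layout"))
            continue
        if m["residence"] == "AU":
            continue  # domestic accounts: treated as not reportable in this simplified model
        r = report_by_id.get(acc)
        if r is None:
            findings.append(Finding(acc, "missing_from_report", "reportable account absent from reporting feed"))
            continue
        matched.add(acc)
        if not m["self_cert"]:
            findings.append(Finding(acc, "self_cert_missing", "no valid self-certification on file"))
        if not m["tin"]:
            findings.append(Finding(acc, "tin_gap", "no TIN held for a reportable account"))
        elif m["residence"] == "US" and not US_TIN_RE.match(m["tin"]):
            findings.append(Finding(acc, "tin_format", f"US TIN {m['tin']!r} is not nine digits"))
        if m["residence"] != r["residence"]:
            findings.append(Finding(acc, "residence_mismatch", f"KYC {m['residence']} vs report {r['residence']}"))
        if m["entity_type"] != r["classification"]:
            findings.append(Finding(acc, "classification_mismatch", f"KYC {m['entity_type']} vs report {r['classification']}"))
        if m["tin"] != r["tin"]:
            findings.append(Finding(acc, "tin_mismatch", f"KYC {m['tin']!r} vs report {r['tin']!r}"))
    for acc in report_by_id:
        if acc not in matched:
            findings.append(Finding(acc, "unexpected_in_report", "reported account has no matching in-scope KYC record"))
    return findings


def summarize(findings):
    """Error counts per category, the kind of figure management reporting needs."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    results = reconcile(KYC_MASTER, REPORT_EXTRACT)
    for f in results:
        print(f"{f.account_id}: {f.category} - {f.detail}")
    print(dict(summarize(results)))
```

Each finding carries the account, a stable category and the two values that disagree, which is the audit trail the remediation plan needs; rerunning the same routine after corrections is the re-testing step that confirms consistency has been re-established.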

Disclaimer: Specific expectations, penalties and measures depend on the facts of each case. The applicable Australian legislation, ATO/APRA/AUSTRAC guidance and – for QI/FATCA – current IRS requirements are decisive. Institutions should monitor updates and, where appropriate, seek professional advice.