United Kingdom — Supervision & penalties (FATCA, CRS/AEOI & QI)

Last updated: 18 Oct 2025

Who reviews what? HMRC (FATCA/CRS), FCA/PRA (organisation/AML), IRS (QI) — overview of review areas, measures and typical findings, including risks in case of non-compliance.

1) Who supervises what?

Authority/body | Focus | Examples of review areas
HMRC | FATCA & CRS/AEOI reporting | Accuracy/completeness of XML reports, US TIN rates, GIIN information, corrections, timeliness, data consistency.
FCA / PRA | Organisation, governance, AML/KYC and systems & controls | KYC processes, roles & responsibilities, internal controls, documentation, IT/data security, outsourcing/third parties.
IRS | QI regime (US withholding tax) | W-8/W-9 documentation, “reason-to-know”, beneficial owner determination, withholding/reporting (Forms 1042/1042-S), Periodic Review.

2) Possible measures

  • HMRC: requests for corrections, formal notices, penalties and more intensive follow-up where material issues persist.
  • FCA/PRA: requirements to improve organisation/IT/AML, remediation plans, enforcement action including administrative fines.
  • IRS (QI/FATCA): remediation requirements, mandatory improvements in documentation/withholding/reporting; in severe cases, risks to QI status up to termination. Under FATCA, additional risk of 30% withholding where “non-participating” status is triggered vis-à-vis US payors.

3) Typical findings (examples)

  • TIN gaps: missing/invalid US TINs without a robust remediation process.
  • GIIN issues: outdated GIIN status or mismatches versus the IRS FATCA FFI list.
  • Inconsistent data between KYC, FATCA/CRS reporting and QI documentation.
  • Weak governance: unclear roles, lack of four-eyes principle, no defined escalation paths.
  • Technical errors: schema/business rule failures, late corrections, insufficient testing before filing.

4) Sanction risks (high level)

  • Tax/reporting: warnings, penalties and remediation work for breaches of UK FATCA/CRS obligations.
  • Regulatory: measures under the UK regulatory framework (for example enforcement actions, fines, heightened supervisory attention).
  • US-side (QI/FATCA): withholding tax risks (30%) where FATCA compliance is not maintained; QI sanction framework for serious or persistent deficiencies.

5) Prevention & remediation

Preventive measures

  • Annual compliance plan for FATCA/CRS/QI with deadlines & accountable owners.
  • Document data lineage & mapping; include testing cycles and, where possible, test submissions.
  • TIN & GIIN controls (list checks, reminder processes, periodic reconciliations).
  • Regular training (front/KYC, tax operations, IT/data).

In case of findings

  • Prompt root cause analysis and remediation plan with clear timelines.
  • Traceable audit trail (issue → fix → re-test → closure).
  • Reconciliation KYC ↔ FATCA/CRS ↔ QI to restore and evidence consistency.

Note: Concrete sanctions and measures depend on the specific case. The applicable legal framework, official guidance and — for QI — IRS requirements in their latest form are decisive.