This month I will discuss the important topic for the anti-money laundering compliance officer, wherein the AML systems overlap with the requirement for tax compliance, and that tax compliance requirement requires tax self certification from each customer of a financial institution.

I will provide insight about five topics:

  1. The Panama Papers
  2. FATCA and its related reporting and tax self certification forms, such as the W-8 series
  3. The OECD Common Reporting Standard, also known by the acronym CRS, differences with FATCA that compliance officers should be aware of
  4. The FinCEN Proposed Rule of 2014 regarding Customer Due Diligence Requirements for Financial Institutions, and finally
  5. The Incorporation Transparency and Law Enforcement Assistance Act of 2016, that in essence seeks to push FinCEN to issue the final rule of the above topic

For a detailed analysis of the overlapping AML and tax compliance issues, an analysis of the W-8 self-certification forms, and suggested guidance for developing or amending a financial institutions internal W-8 policy, see my free SSRN FATCA 118-page download.

Below I explore the impact of the Panama Papers on the compliance officer, as well as offer guidance to navigate the intricacies of self-certification.  It is well understood that AML compliance now includes tax compliance.  This relationship is explicitly understood by compliance officers because of the nearly 100 non-prosecution agreements against Swiss financial institutions the past five years, and also because FATCA explicitly requires the overlapping use of the AML system for tax compliance purposes.  It bears mentioning that the FBAR – FinCEN 101 Form – is an AML form but its enforcement is by the IRS, and it has become the primary tool to punish non tax compliance and obtain confiscation of assets related thereto.

To grossly simplify the impact of FATCA, FATCA has pushed the burden of collection and  validation of tax identification self-declarations for U.S. purposes unto all financial institutions and financial firms of the 244 countries and dependencies of the world recognized by the United States.  That is – pursuant to FATCA and its accompanying regulations, nearly all financial institutions, both U.S. and foreign ones, must obtain a signed tax self-declaration from the owner or owners of an account.  Foreign individual must fill in and sign a Form W-8BEN and foreign entities a Form W-8BEN-E.  U.S. taxpayers must complete and sign a Form W-9.

In addition to the FATCA requirement to collect signed tax self certification forms, over 100 countries governments have agreed to require a similar tax self certification form be collected pursuant to the OECD developed Common Reporting Standard.  In general, financial institutions are now combining the U.S. form requirements with those of the OECD to create one form to collect the information necessary to comply with both.

Ironically, the U.S. has not accepted to be liable to collect the same information that it has mandated from every other country.  However, as a result of the impact of the now infamous Panama Papers, 2016 will see this situation change.  The change will come in the form of FinCEN soon finalizing its 2014 proposed rule that US financial institutions begin to collect information on the ultimate beneficial owners of accounts.  The FinCEN final rule will require that U.S. financial institutions look through any legal persons or relationships such as corporate entities and trusts, until the final individual owner or owners are identified and their information collected to share with the US treasury.  U.S. Treasury in turn will share these beneficial owners and their information with foreign governments – automatically.  This soon-to be enacted FinCEN rule has popular support in Congress as evidenced by the February 26 “Incorporation Transparency and Law Enforcement Assistance Act (ITLEA) proposed in both the House and Senate.”

Moreover, the European Union is now working to establish an international protocol that will allow foreign government and even public access to such beneficial ownership information, probably starting in 2017.  It’s a brave new, transparent world for compliance officers of financial firms.

The form W-8BEN-E and its OECD equivalent, at 12 pages, can be quite difficult for many taxpayers or their representatives to complete and correspondingly for compliance officers to validate.  These forms are requiring substantial time of compliance officers and are leading to many mistakes.  To put the numbers in perspective, industry is currently estimating that 900 million tax self-certifications need collecting and validating by compliance officers around the world by 2018 when nearly all the old forms on file and in data systems will have expired.  My two colleagues on this webinar today are practitioners and will have a couple very busy years ahead of them helping clients manage these compliance risks.

As renown chef Emiril LaGasse of New Orleans says: “Let’s take it up a notch!”  The United States Treasury has agreed with over 100 countries through intergovernmental agreements (called IGAs) that allow variances in definitions for completing the required tax self certification forms.  These variances are contained not in the IGA itself but in foreign revenue department’s “controlling” guidance, which adds another level of complexity and thus challenge for compliance officers.

Since the original 10 pages of the year 2010 enactment of FATCA, the U.S. government has issued 2,000 pages of regulations and guidance in the form of the actual FATCA regulations, FATCA notices, the instructions for the new W-8 series, the 112 new IGAs and the 2 new FATCA competent authority agreements called CAAs, and then compliance officers need to be aware of the equivalent amount of pages for the OECD CRS and foreign government guidance.  The amount of reading is mind boggling, even for me – an academic.

Why so long?  What do these 2,000 plus pages contain?  Let me provide you an example.  The determination of the status of an entity for FATCA purposes is proving to be difficult because FATCA contains 129 new terms that can apply to this determination, many terms requiring definitions within the regulations to explain what a term means and how it should be applied by a compliance officer.

Let me now pivot to refer to the April release of the millions of documents known as the Panama Papers. At the heart of the Panama Papers is a Panamanian law firm and company service provider Mossack Fonseca.  The United States Federal Prosecutor for New York has announced that he has already launched several investigations based on the released data. Instead of Mossack Fonseca’s alleged involvement in its client laundering of corruption or other criminal activities like the proceeds of the UK’s Great Train Robbery, I want to discuss  the tax compliance issues that will soon come to light as the investigations continue.

The United States is a self-reporting and assessment system whereby each year 150 million taxpayers fill in their 1040 with their worldwide income.  It is reasonably estimated by various government sources such as the state department and the Treasury department that 10 million of these taxpayers have reporting obligations regarding either their foreign income and / or their foreign accounts.

Unfortunately, less than 20% of Americans with international income or asset exposure are compliant with at least filing the dreaded, but very simple, FBAR form that requires reporting of signatory authority over accounts if the collective balance exceeds $10,000.

Only approximately 800,000 FBARs were filed for the year 2012 for that group of potentially 10 million American taxpayers.  With so little FBAR reporting, it’s no wonder that Congress and the IRS suspect that hundreds of billions of American’s foreign income goes unreported on the 1040 each year.   Absent alternative information sources, the IRS does not have a scalable method to verify 1040s and select for audit the returns of potential tax evaders.

This past week I examined the year 2013 IRS tax statistics which confirm the continuing low tax compliance rate.  By example, US persons only filed 470,000 returns claiming the foreign-income exclusion.  But the US State Department estimates that more than 7 million US persons reside overseas.  One could look at this low number and interpret it to mean that far less than 10% of Americans living overseas claim to have employment income.

Here’s another startling IRS statistic to compare against the 800,000 FBAR filings.  7.5 million Americans claimed a foreign tax credit on their return, in the total amount of over $20 billion dollars.  The tax credit requires either owning foreign assets or earning foreign income.  But less than one million Americans filed the FBAR.  And recall – the FBAR is required to be filed even if a US person only has signatory authority on an account and is not the owner of the account.  If 3 board members are signatory on a foreign account that breaches the FBAR reporting requirement, then all 3 must file an FBAR.

I won’t belabor this point further but to say that it is clear that substantial non-compliance remains.  Swiss banks were prosecuted for sometimes assisting, and sometimes just turning a blind eye, to the beneficial owners of accounts who were not tax compliant with their filing obligations including the FBAR and the Form 1040.  Now with FATCA, all taxpayers with foreign assets must also file a Form 8938 which is somewhat more encompassing than the FBAR form.

It is worth noting for the audience, in case some are thinking “this discussion of tax compliance does not apply to me” that the 2005 Supreme Court decision of Pasquatino established precedent that U.S. prosecutors may hold criminally liable the U.S. intermediary, by analogy a bank, of a transaction that evades foreign tax.   So while I am focusing on US tax reporting obligations because most of the customers of our audience are US customers, financial institution compliance officers must also be aware of the foreign tax reporting obligations of their customers as well and ensure proper capture and sharing of the requisite tax self certification forms.

Which brings me to tax self certification forms such as the W-8 series and W9.

In the infamous words of Ronald Reagan, “Trust but Verify”, the US tax system is not just based upon self-reporting.  The United States Congress has deputized financial institutions’ compliance officers to leverage their AML systems to become information collectors and verification auditors.

I want to introduce three W-8 series benchmarks that have been collected by my FATCA research colleague, Haydon Perryman, who has served as the Director of Compliance for several tier-one financial institutions.  Compliance officers listening right now will be very interested to learn that:

Firstly, when the IRS Qualified Intermediary regime (known as the “QI” regime) was introduced in the early 2000s to require foreign financial institution compliance officers to report on their US clients – at that time, only 20% of W8s were fit for purpose. Based on our research, we know that as of 2015 that only 35% of W8s are fit for purpose – not a substantial increase over a decade, leading the IRS to question the veracity of financial institution compliance officers.

Secondly, we know from interviews with large financial institutions that on average it requires between 5 and 7 months for a financial institution to obtain a new W8 from a pre-existing customer.  And only then can the validation process begin.

Finally, the IRS estimates the time to complete the new W8-BEN-E is 12 hours and 40 minutes of record keeping and another 8 hours and 16 minutes preparing and sending the form.  That’s 21 compliance hours BEFORE verification begins as to the information within the form against the AML system maintained by the financial institution.

We must apply these metrics to the customer base for whom the compliance officer of a large institutions must reach out to.  Firstly, obtaining W8s or W9s and their equivalent substitutes under an IGA, secondly validating those withholding certificates, and thirdly repeating this process in the 65% of the cases where the W8 submission turns out to be ‘invalid’, multiplied by at least 21 hours – I can appreciate the size and scale of the challenge for our industry’s compliance officers.

Amazingly, a 2015 large survey by Paystream Advisors found that 71 percent of respondents did not have an automated system for collecting, validating and managing W-8 and W-9 forms.  If this survey information resonates with you, I suggest you call Simon and open a dialogue about what it will take to bring your department into the modern age of big data.

The IRS estimates that 400,000 – 500,000 foreign financial institution should register on its FATCA portal to obtain a IRS issued Global Intermediary Identification Number also known as a GIIN.  However, after two years of the compliance requirement to register, as of May 1, 2016 the IRS GIIN list contains less than 200,000 registrations from 226 countries and jurisdictions. Did the IRS over-estimate the number of financial firms in the world?  No.

We know that based on the Legal Entity Identifier, also known as the LEI, that all firms involved in the securities markets must obtain, there is a significant difference from the number of Legal Entity Identifiers issued versus GIINs issued.  The number of LEIs and GIINs issued should be relatively close, but as of May 1, 2016 over 436,127 entities from 189 countries had obtained Legal Entity Identifiers, twice as many than obtained GIINs.  Are foreign financial firms deciding not to comply with the US FATCA?  And are the US compliance officers listening to this webinar today taking their compliance obligations seriously when interacting with these firms?

I’ll refer to one more data set.  The same Paystream Advisors FATCA survey of 2015 concluded that a substantial portion of U.S. paying entities still do not understand the impact of FATCA upon their payments to foreign payees.  Of the payors surveyed, 61 percent replied that their foreign payees are not classified as Foreign Financial Institutions for compliance purposes.

Yet, when responding to questions about the nature of the foreign payees’ businesses, 66 percent replied their payees accept deposits as banking and financial businesses, 13 percent trade, manage or invest financial assets and hold financial assets on behalf of others, 12 percent act as a holding company in connection with an investment vehicle, and 10 percent qualify as foreign regulated insurance companies.

Consequently, a majority of US compliance officers have internally misclassified their foreign payees and probably have incorrectly completed W-8BEN-Es on file.

Moving on – February 13 of last year the OECD released the Standard for Automatic Exchange of Financial Account Information Common Reporting Standard, known by the two acronyms of CRS and GATCA for Globalized FATCA.

The CRS calls on jurisdictions to obtain information from their financial institutions and automatically exchange that information with other jurisdictions on an annual basis. It sets out the financial account information to be exchanged, the financial institutions that need to report, the different types of accounts and taxpayers covered, as well as common due diligence procedures to be followed by financial institutions.

Part I of the OECD report gives an overview of the standard whereas part II contains the text of the Model Competent Authority Agreement (CAA) and the Common Reporting and Due Diligence Standards (CRS) that together form the “standard”.

Almost 100 countries, including Panama, but not yet the United States have agreed to implementation of this automatic exchange of information between their jurisdictions.

What are the main differences between the OECD’s CRS and the US’ FATCA that impact a compliance officer on the AML side of the house?

The CRS starts with the premise of a fully reciprocal automatic exchange system for financial information of accountholders, whereas the FATCA started one-sided with the information flowing being one way to the U.S.  CRS removes U.S. tax specificities, the two most substantial being that the CRS is based on determining a beneficial owner’s residence whereas FATCA initially was primarily concerned with determining whether an accountholder was a U.S. person, and if not, the account was ignored. CRS has standardized terms, concepts and approaches instead of allowing countries to negotiate variances in definitions by signing an IGA.

With my remaining minutes, let me turn to the FinCEN proposed rule of June 30, 2014, that should soon be finalized this year.

The new FinCEN rule will amend existing Bank Secrecy Act (BSA) regulations to help prevent the use of anonymous companies to launder the proceeds of illegal activity in the U.S. financial sector.  The Panama Papers points to the widespread use of Delaware and Nevada companies in this regard, and many news organizations have reported that the U.S. is the last bastion of secrecy because it does not necessarily require banks or company service providers in the U.S.A. to know the ultimate beneficial owner of state incorporated business associations.

The final rule will strengthen the customer due diligence obligations of banks and other financial institutions such as including brokers or dealers in securities, mutual funds, futures merchants, and commodities brokers.

The proposed amendments will probably add a new requirement that these entities know and verify the identities of the real people, that is the ultimate beneficial owners who own, control, and profit from the companies they service.  FinCEN has stated that this information will be used to provide reciprocity under the FATCA IGA agreements to foreign governments.

The amended required Customer Due Diligence by US Financial Institutions includes a new emphasis in the four core Customer due diligence elements:

  1. identifying and verifying the identity of customers;
  2. identifying and verifying the beneficial owners of legal entity customers;
  3. understanding the nature and purpose of customer relationships; and
  4. conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.

The proposed requirement to identify and verify the identity of beneficial owners is addressed through the proposal of a new requirement for covered financial institutions to collect beneficial ownership in a standardized format. FinCEN provided the sample form with its proposed announcement.  Pursuant to FATF standards and the CRS requirement, US financial institutions will have to identify and verify any individual who owns 25 percent of more of a legal entity, and an individual who controls the legal entity.

The primary impact here regards the second element that requires financial institutions to identify and verify the beneficial owners of legal entity customers.  FinCEN proposes a new requirement that financial institutions identify the natural persons who are beneficial owners of legal entity customers, subject to limited exemptions.

The definition of “beneficial owner” proposed herein requires that the person identified as a beneficial owner be a natural person (as opposed to another legal entity). A financial institution must satisfy this requirement by obtaining at the time a new account is opened a standard certification form directly from the individual opening the new account on behalf of the legal entity customer.

Financial institutions would be required to verify the identity of beneficial owners consistent with their existing CIP practices.  However, FinCEN has provided a loophole under the proposed rule in that it does not require that financial institutions verify that the natural persons identified on the form are in fact the actual ultimate beneficial owners. Thus, Panamanian corporate service provider power of attorneys may still be used for nefarious means.

In other words, the requirement focuses on verifying the identity of the beneficial owners, but does not require the verification of their status as beneficial owners.

In order to identify the beneficial owner, a covered financial institution must obtain a certification from the individual opening the account on behalf of the legal entity customer (at the time of account opening).  The form requires the individual opening the account on behalf of the legal entity customer to identify the beneficial owner(s) of the legal entity customer by providing the beneficial owner’s:

  • name,
  • date of birth,
  • address and
  • social security number (for U.S. persons).

For foreign persons, financial institutions must verify the authenticity of the certification with a –

  • a passport number and country of issuance, or
  • other similar identification number (name, date of birth, address, and social security number (for U.S. persons), etc.), according to the same documentary and non-documentary methods the financial institution may use in connection with its customer identification program (to the extent applicable to customers that are individuals), within a reasonable time after the account is opened.

A financial institution must also include procedures for responding to circumstances in which it cannot form a reasonable belief that it knows the true identity of the beneficial owner, as described under the CIP rules.

The proposed definition of “beneficial owner” includes two independent prongs:

(a) an ownership prong and

(b) a control prong.

A covered financial institution must identify each individual under the ownership prong (i.e., each individual who owns 25 percent or more of the equity interests), in addition to one individual for the control prong (i.e., any individual with significant managerial control).

If no individual owns 25 percent or more of the equity interests, then the financial institution may identify a beneficial owner under the control prong only. If appropriate, the same individual(s) may be identified under both criteria.

 My last comment before my tie expires regards the new collecting and sharing of corporate beneficial ownership information globally.  The European Union has already agreed that it will automatically share corporate ultimate beneficial ownership among the countries, and it is likely that this will be adopted by the OECD and thus become a global protocol.  However, it is possible, based on current proposals in the EU, that such information may be fully accessible to the public as well going forward.

Be sure to download my free SSRN 118-page FATCA chapter for Lexis.


To make sure you do not miss out on regular updates from the Kluwer International Tax Blog, please subscribe here.

Kluwer International Tax Law

The 2022 Future Ready Lawyer survey showed that 78% of lawyers think that the emphasis for 2023 needs to be on improved efficiency and productivity. Kluwer International Tax Law is an intuitive research platform for Tax Professionals leveraging Wolters Kluwer’s top international content and practical tools to provide answers. You can easily access the tool from every preferred location. Are you, as a Tax professional, ready for the future?

Learn how Kluwer International Tax Law can support you.

Kluwer International Tax Law
This page as PDF


  1. Another excellent and highly informative article from Prof. Byrnes, who not only keeps his lucky readers up-to-date, but does so with such clearly written articles that even a tax attorney can understand ;) . Thank you for tackling this difficult and complex topic. Prof Byrnes, I imagine FinCEN will be closing the loophole you and other commentators have pointed out. Excerpt below; but I wondering how a financial institution could in fact verify that the natural persons identified on the form are in fact the actual ultimate beneficial owners of the entity? For example, must they ask to see when the company paid dividends and then, follow the dividend money into the purported owner’s account and from there, see if the owner diverted it elsewhere (e.g., to someone else’s account who might be the “real” owner). It sounds daunting & I am unsure how this can realistically ever be tackled. The compliance burden on financial institutions is already at a dangerous tipping point.

    “Financial institutions would be required to verify the identity of beneficial owners consistent with their existing CIP practices. However, FinCEN has provided a loophole under the proposed rule in that it does not require that financial institutions verify that the natural persons identified on the form are in fact the actual ultimate beneficial owners. Thus, Panamanian corporate service provider power of attorneys may still be used for nefarious means.

    In other words, the requirement focuses on verifying the identity of the beneficial owners, but does not require the verification of their status as beneficial owners.”

  2. Howdy Virgina! Thank you for the compliment.

    Firstly, accounts are risk weighted. Institutions develop their own risk weighting matrix benchmarked to their regulators risk matrices and alternative sources such as IGO like the FATF (or acquire it by other means such as license one from an AML solutions provider written into a data management system or for small institutions it may be as simple as a printed manual developed by the banker association).

    By example, an institution is approached by Mr. Smith to open an account for Corporation X located in a foreign country, with an initial deposit of $100,000. Let’s assume that the institution is pleased to expand its business footprint and receive a sizeable deposit, that is, its protocols do not close the door on his type of account. The institution’s CIP will contain different silos of risk that attributes of this scenario fit into. Attribute A: customer relationship. If Mr. Smith is not a long term customer of the institution, then the protocol may shift to an enhanced due diligence protocol for new customers. Attribute B: foreign company. The institution may have a protocol for in-state corporate accounts, another for out-of-state corporate accounts, and yet others for foreign corporations depending on country of location (e.g. UK, BVI, or Ghana) and underlying business, each protocol ratcheting up the required documentation and verification-diligence. Attribute C: size of deposit.

    Moreover, the institution may have unique protocols to it that fit into certain risk weighting. A long term customer, Mr. Smith, enters the institution to open this account, out of the ordinary for this customer. Protocol may require enhanced questioning based on fraud / scams typologies alerts received from regulators, police authorities or IGO sources whereby unsuspecting customers may be the target of criminal organizations (e.g. unknown relative inheritance scams, agency for trading company).

    Accounts, once open, move from the CIP protocols to the monitoring protocols. Such protocols depend on the size of the institution, and may be handled via a data management system, or for a credit union, the local staff. The protocol employed for the monitoring once again depends on the account risk weighting applied.

    FinCEN will publish its Final Rule tomorrow (see my blog post FinCEN’s Final CDD/CIP Rule Requiring US Corporate Beneficial Ownership Published Herein – link below this response). The ultimate beneficial owner presented by the Final Rule and the use of Power of Attorneys presents a challenge for a financial institution. The Final Rule, in my initial reading (I just downloaded it last night but will write a deep analysis for my AML and my FATCA treatises) allows the institution, on self- certification by the POA (that is probably a trustee) to list the trustee on the FinCEN New Form A: “If a trust owns directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, 25 percent or more of the equity interests of a legal entity customer, the beneficial owner … shall mean the trustee.”

    Let’s say that the POA acts on behalf of a clearly defined and identifiable PEP, such as a prime minister or president of a country. If the institution had identified that the account opener was just a POA, and then drilled down to identify the PEP, then obviously certain risk weighting would apply for EDD, and potentially additional protocols regarding documentation, verification, and other diligence, and these protocols would impact account maintenance protocols. Such additional EDD requires resources, and thus small institutions may simply “close the door” on accounts that fall into this silo. The FinCEN rule does not require the institution to exceed the required DD for a given type of account, but an institution pursuant to its internal risk management (consideration of potential negative publicity, consideration of potential regulatory action and fines, consider of corporate character) may do so. And nefarious actors do not tell the truth on self-certification forms.

    How an institution establishes and calibrates its risk management systems is actually a course that we are currently building at Texas A&M University Law in association with the Mays Business School Department of Finance. We hope to have the requisite state and regulatory approval to begin considering applications of risk managers this summer for a January 2017 semester start. More on that risk management program as it develops.

    source referenced above:

  3. Dear Prof. Byrnes – First, let me apologize for not having earlier acknowledged your detailed and most informative reply. I was not notified by email that you replied – but found it just today, upon returning to re-read your article. Second, your response along w. the link to FinCEN’s final rule is very helpful; thank you. While the loophole remains, it seems the risk weighting factors developed by the institution may pick up on something that slips through the net. At the end of the day the burden falls on the institution to take the risk (e.g., regulatory fines / negative publicity) in opening or maintaining a customer’s account. It’s a very challenging area and I am glad I am not running a financial institution. Best of luck with developing the risk management program. Am sure you’ll have a long waiting list for those wishing to attend!

Leave a Reply

Your email address will not be published. Required fields are marked *