With the launch of our GATCA Resource Library coming up soon, I thought I’d take this opportunity to write a series of relatively short (for me) blogs on aspects of GATCA that people might find interesting or useful. In this first post, I want to discuss the role of FATCA in the compliance landscape and the trends I have observed when meeting with compliance officers.When I speak and consult with firms about GATCA I find a rather curious, but very heartening reaction to the variation in compliance standards across different regulatory frameworks.

In FATCA, there is a clear control system based around the idea of a ‘Responsible Officer’. From the US perspective, the concept of the RO in terms of what they do and the rules they follow is pretty much a copy-and-paste of the previous Sarbanes Oxley Act (‘SOX’) which followed on from the Worldcom debacle and corporate financial accountability issues in the US. In FATCA, the RO and their obligations really flow from the fact that the intergovernmental agreements (IGAs) essentially hand control and oversight over to the domestic regulator – who in turn has some direct control over the compliance of their financial firms. However, in the non-IGA jurisdictions, of which there are still a fair number, the oversight must be direct from the US to the firm in its local jurisdiction. Hence the IRS has the idea of ROs, with personal liability and requirements to certify compliance and ‘adequate controls’ on a regular (triennial) basis, and the specific requirement to have a whistle-blower policy in place. Now, in GATCA the landscape is uneven because CRS does not have the RO concept, leaving the control and oversight entirely to the local regulators, with Competent Authority Agreements (‘CAAs’) as the communications method for resolution of disputes.

So, given the massive overlap across so many areas of FATCA, CRS and BEPS, how would a Responsible Officer, usually with seniority and compliance responsibility, view GATCA? Interestingly, the answer has been that most compliance officers would rather adopt a similar compliance approach to CRS as they are required to have under FATCA if they are in a non-IGA jurisdiction, even though it is not mandated. This even applies in the more limited landscape of IGA jurisdictions and FATCA. I find in most cases that financial firms are so risk averse that they chose to use the highest standard of control across their whole universe rather than adopt a more fragmented or bifurcated model.

I first came across this when performing Interim Periodic Reviews, which are not mandated under FATCA, and are not required in an IGA jurisdiction. We are regularly asked to perform these informal audits of compliance to the higher, non-IGA FATCA standard because the ROs want the protection this brings. Get things right at that level and you’re pretty much set for all the lower levels.

This might all seem rather odd in light of the recent EU-US Safe Harbor fiasco, where the US is recognised as having substantially weaker data protections than the EU. However, in the land of GATCA, ROs are adopting the US standard because it actually represents the ‘high road’ to compliance when compared to the CRS model!

Image Credit: 드림포유