Security and compliance have become increasingly important for every organization. The corporate world has realized their significance and started appointing CSOs and CCOs from early 2002, especially after the accounting scandals in year 2000 that started the whole Sarbanes-Oxley saga. Chief Security Officers (CSOs) and Chief Compliance Officers (CCOs) play a key role in securing customer data and staying compliant with a constantly changing compliance landscape.
Every once in a while, when a new compliance act is discussed and passed into law, compliance officers get into action. The purpose of this guide is to give compliance officers and compliance analysts the insight they need to understand and achieve FATCA compliance in their organization.
This will be a four-part series:
- Part 1 - Understanding FATCA Due Diligence and Life Cycle
- Part 2 - Approaching FATCA, Providers, Tools and Technologies
- Part 3 - How do I select the right compliance provider?
- Part 4 - Best Practices and Common Pitfalls to Avoid
Why is FATCA different from other compliance regulations?
Generally, most regulations and compliance policies are specific to a domain or nature of business, and are quite often enforced by the local tax authority of an independent state. Compliance across borders is discussed only in the context of trading-related activities. For more information and to stay up to date, see the International Compliance Professionals Association.
However, FATCA is a different beast: an international financial compliance program that involves individuals and businesses almost all over the globe. FATCA has been accepted, and treaties have been signed, by a long list of countries. See the list here: http://www.treasury.gov/resource-center/tax-policy/treaties/Pages/FATCA-Archive.aspx
Understanding FATCA – Due Diligence & Life Cycle – Part 1
Understanding the customer base is an important piece of the puzzle. Most organizations have a bunch of analytic tools from their sales, marketing and customer support teams that could provide enough insight on:
- Contact Information of the customer
- Proof of Identity data
- Product offerings used
- Special Instructions or notes
- Customers with incomplete or missing information
With that data, you get a good idea of what percentage of your customers need to be reviewed and/or remediated for FATCA compliance. The following diagram explains a simplistic approach to implementing FATCA compliance.
The FATCA life cycle starts with collecting information from source systems in your organization. These might include CRMs such as Salesforce, custom-built components, etc. Financial organizations usually store their customer data in some core banking product. If you're using a SaaS (Software as a Service) provider, you should start the conversation early on how they can provide the data extract periodically. Irrespective of the FATCA provider you choose, the data attributes required would be:
- Name of the Individual or Business Entity
- Date of Birth, if applicable
- Nationality
- Address and phone numbers
- Account balance
- Owners / stakeholders of the business and their information, along with percentage of ownership.
The data extract from source systems gets imported into your FATCA software. The FATCA platform will analyze, classify and organize the records into appropriate buckets. Compliance officers and analysts should go through every case and complete the remediation with the necessary documents, audit logs, notes and comments. It's a good idea to record the remediation process with audit logs and comments to show proof of the efforts undertaken to remediate the issue properly. Depending on the size and nature of the organization, the import process can be performed once a year or a few times a year, maybe once every quarter, which would enable compliance analysts to collect the necessary documentation from customers in a timely manner.
At the end of the year, FATCA reporting should be performed. It's a multi-step process:
- Generate the FATCA XML and metadata as per the specification
- Include Security Certificates for encryption
- Depending on the country and the IGA (Intergovernmental Agreement) signed by your country, the final data packet should be submitted to the HCTA, i.e. the local tax authority of that nation.
- Corrections and amendments can be submitted separately.
The following diagram explains the FATCA life cycle.
The next installment, Part 2, will talk about FATCA providers, tools and technologies to simplify the process. Stay tuned.

FATCA Life Cycle