CRS and FATCA Reporting for Gibraltar Entities

Overview: What CRS and FATCA Are

CRS and FATCA are the two principal international frameworks for the automatic exchange of financial account information between tax authorities. Both are designed to combat offshore tax evasion by ensuring that financial institutions report account information held for foreign tax residents or US persons to the relevant tax authority, which then shares that information with the account holder's home jurisdiction.

Common Reporting Standard (CRS)

The Common Reporting Standard was developed by the OECD and adopted by over 100 jurisdictions. Under CRS, financial institutions in participating jurisdictions are required to identify financial accounts held by tax residents of other participating jurisdictions and report specified account information — account holder identity, account balance, and income and proceeds credited during the year — to their local tax authority annually. The local tax authority then exchanges this information automatically with the account holder's country of tax residence.

CRS is based on a single global standard, but implemented through bilateral Competent Authority Agreements (CAAs) between participating jurisdictions. Gibraltar has signed CAAs with all significant CRS partner jurisdictions and conducts annual automatic exchanges.

Foreign Account Tax Compliance Act (FATCA)

FATCA is US domestic legislation enacted in 2010 that requires foreign financial institutions to report information on financial accounts held by US persons (citizens, green card holders, and certain US-resident entities) to the US Internal Revenue Service (IRS). Unlike CRS, FATCA is not a multilateral framework — it is a unilateral US requirement backed by a 30% withholding tax on certain US-source payments to non-compliant institutions.

Most jurisdictions — including Gibraltar — have entered into Intergovernmental Agreements (IGAs) with the United States to implement FATCA through their domestic tax authority, reducing the burden on individual financial institutions and providing a domestic law framework for compliance. Gibraltar operates under a Model 1 IGA, meaning Gibraltar financial institutions report to the Gibraltar Income Tax Office, which then shares data with the IRS.

Gibraltar's Implementation Framework

Gibraltar implemented CRS through the International Co-operation (Improvement of International Tax Compliance) Regulations 2016 (as amended), which transpose the EU DAC2 Directive (incorporating CRS) into Gibraltar domestic law. FATCA is implemented through the US-Gibraltar IGA and the associated Gibraltar domestic regulations.

Both regimes are administered by the Gibraltar Income Tax Office (GITO), which acts as Gibraltar's Competent Authority for both CRS and FATCA purposes. GITO operates a secure online portal — the Gibraltar Automatic Exchange of Information (AEOI) portal — through which reporting financial institutions (RFIs) submit their annual returns.

Gibraltar's legal framework for CRS and FATCA is closely aligned with the OECD's CRS Implementation Handbook and the FATCA IGA guidance, making the Gibraltar regime consistent with international best practice. GFSC-regulated entities in particular have found Gibraltar's implementation clear and administratively manageable.

Which Gibraltar Entities Are Affected

CRS and FATCA apply to Reporting Financial Institutions (RFIs) — entities that maintain financial accounts for customers or investors. The definition is broader than the colloquial understanding of "financial institution" and encompasses:

• Deposit-taking institutions: Licensed banks and building societies accepting deposits.
• Custodial institutions: Entities that hold financial assets for the account of others, including prime brokers, custodians, and nominee services.
• Investment entities: This is the category of most practical significance for Gibraltar. An entity is an Investment Entity if its gross income is primarily attributable to investing, reinvesting, or trading in financial assets (shares, bonds, derivatives, foreign currency, etc.), or if it is managed by another financial institution and its gross income is primarily from such activities. This category captures collective investment schemes, funds, and many holding and investment companies depending on their structure and activities.
• Specified insurance companies: Insurers that issue or are obligated under cash value insurance or annuity contracts.

Entities that are not RFIs are classified as Non-Financial Entities (NFEs) — either Active NFEs (with primarily non-financial income and activities) or Passive NFEs (whose income is primarily passive — dividends, interest, rents, royalties). Passive NFEs do not themselves report, but financial institutions must identify Passive NFEs, look through them to identify controlling persons who are foreign tax residents, and report accordingly.

Entity Classification

Correct entity classification under CRS and FATCA is one of the most consequential and frequently mishandled aspects of compliance for Gibraltar entities. The stakes are high: misclassification as a Non-Reporting Financial Institution or Active NFE when the correct classification is a Reporting Financial Institution can expose the entity and its directors to significant penalties.

Key classification decisions for common Gibraltar entity types:

• Gibraltar private equity and venture capital funds: Almost always Investment Entities and therefore RFIs, required to report investor account information annually.
• Gibraltar investment holding companies: If managed by a GFSC-licensed fund manager or fiduciary and earning primarily passive investment income, likely an Investment Entity RFI. If trading actively in non-financial goods and services, may qualify as Active NFE — but this requires careful analysis.
• Gibraltar purpose trusts and foundations: Trusts that hold or invest financial assets for beneficiaries will typically be classified as Investment Entities, requiring the trustee (as the reporting financial institution) to report on account holders (settlors, trustees, and beneficiaries who are reportable persons).
• Gibraltar operating companies: Companies with substantive trading operations in non-financial activities (e.g. gaming operators, professional service businesses) are generally Active NFEs, with no reporting obligation as an RFI. However, their accounts held at Gibraltar or overseas banks must be self-certified to the bank for classification purposes.

Customer Due Diligence Requirements

RFIs must conduct CRS and FATCA due diligence on their account holders to identify reportable accounts. The due diligence procedures differ depending on whether the account is a pre-existing account or a new account, and whether the account holder is an individual or an entity.

New individual accounts

For new individual accounts, RFIs must collect a self-certification from the account holder at the time of account opening, confirming the individual's jurisdiction(s) of tax residence and tax identification number(s). Self-certifications must be validated against other information held by the institution and updated where there is a change of circumstances.

New entity accounts

For new entity accounts, RFIs must collect a self-certification confirming the entity's classification (RFI, Active NFE, Passive NFE) and, for Passive NFEs, information on all controlling persons. Each controlling person who is a reportable person must be identified and their TIN and jurisdiction of tax residence recorded.

Pre-existing accounts

Pre-existing accounts were subject to a phased due diligence review at the time of initial CRS implementation. Institutions must continue to update pre-existing account classifications when there is a change in circumstances — such as a change in the account holder's address, tax residency, or entity structure — that may render the account reportable.

Reporting Deadlines and Submission

Gibraltar RFIs must submit annual CRS and FATCA reports to the Gibraltar Income Tax Office via the AEOI portal. The filing deadlines are:

• CRS: Reporting for each calendar year must be submitted by 30 June of the following year. CRS reports filed by Gibraltar are then exchanged by GITO with partner jurisdictions by September of the same year.
• FATCA: Reporting for each calendar year must be submitted by 31 May of the following year. GITO forwards FATCA reports to the IRS following the domestic filing deadline.

Reports are submitted in XML format conforming to the OECD CRS XML Schema (for CRS) and the FATCA XML Schema (for FATCA). Institutions that fail to file by the deadline should file as soon as possible with a nil return (if genuinely no reportable accounts) or a late filing, and should notify GITO proactively. Voluntary disclosure of missed filings is treated more favourably than enforcement-driven discovery.

Penalties for Non-Compliance

Gibraltar's CRS and FATCA regulations provide for civil penalties for a range of compliance failures:

• Failure to submit a return: Fixed penalty for each year of non-filing, with additional daily penalties for continued failure after formal notification.
• Late submission: A fixed late filing penalty applies where a return is not submitted by the relevant deadline.
• Incorrect or incomplete returns: A penalty for material inaccuracies in a return, assessed per account or per error depending on the nature of the failure.
• Failure to maintain required records: RFIs must maintain records of their due diligence and account classification procedures. Failure to maintain adequate records is a separate penalty offence.

In practice, GITO has adopted a proportionate approach to enforcement, prioritising engagement and correction over immediate penalty assessment for institutions that have made genuine efforts to comply. Deliberate or repeated non-compliance is treated more seriously. For institutions that discover historical non-compliance, prompt self-correction and voluntary disclosure significantly reduce the risk of penalty.

Gibraltar Tax Authority as Competent Authority

The Gibraltar Income Tax Office (GITO) acts as Gibraltar's Competent Authority for both CRS and FATCA. In this role, GITO:

• Receives annual CRS reports from Gibraltar RFIs and transmits them to partner jurisdiction competent authorities through the OECD Common Transmission System.
• Receives CRS reports from partner jurisdictions relating to Gibraltar tax residents holding financial accounts offshore and uses this information in domestic tax compliance activities.
• Receives FATCA reports from Gibraltar RFIs and transmits them to the IRS under the terms of the Gibraltar-US IGA.
• Responds to specific exchange requests from partner jurisdictions and coordinates with the GFSC on compliance matters for regulated entities.

GITO provides guidance to Gibraltar RFIs on registration, classification, and filing requirements through its published guidance and through direct engagement. RFIs that are uncertain about their classification or reporting obligations should seek written guidance from GITO or engage a qualified Gibraltar compliance adviser.