Recent activity by foreign tax authorities, as well as newly effective rules under the Common Reporting standard¹ (known as CRS 2.0) has refocused attention on new and existing financial accounts that are missing taxpayer identification numbers (TINs). As such, financial institutions (FIs) should consider reviewing their due diligence policies and procedures to collect TINs to comply with filing requirements under the Foreign Accounting Tax Compliance Act (FATCA) and self-certification requirements under CRS 2.0.

FATCA

For FATCA information exchange purposes, account holders' TINs are the most efficient way for tax authorities to identify if account holders have complied with their tax obligations. FATCA regulations and FATCA intergovernmental agreements (IGAs) require account holders to provide TINs to their FIs.

To be FATCA compliant, FIs in an IGA jurisdiction must obtain self-certifications from new account holders, and those certifications must include a TIN. Some Fis may be unable to collect TINs because (1) other regulations require accounts to be opened for new account holders even if they refuse to provide a TIN; or (2) pre-existing account holders did not respond to the FI's request for TINs.

To address the concerns of these FIs, the IRS provided in Notice 2023-11 that an FI would not be viewed significantly non-compliant under the relevant IGA solely because it failed to report a required TIN for an individual pre-existing account, as long as certain actions were taken regarding accounts without TINs. The relief initially applied for calendar years 2022 through 2024. Notice 2024-78 extended this relief from 2025 through 2027.

Notices from foreign tax authorities on TIN compliance

Foreign tax authorities, such as His Majesty's Revenue Service (HMRC) in the United Kingdom, have been sending TIN compliance notices to FIs about their 2023 FATCA reports, requiring them to confirm or carry out the following actions in accordance with Notice 2023-11:

• Confirm that the FI has annually requested a missing TIN from each relevant account holder
• Confirm that the FI has annually searched its electronic records for any missing TINS
• Submit an amended return for the period ending December 31, 2023 with any missing TIN information

FIs that do not update returns within 18 months of a TIN compliance notice could have their Global Intermediary Identification Number (GIIN) removed from the IRS Foreign Financial Institution List, which could subject the FI to 30% withholding on most US-source income under IRS Section 1471(a).

EY observes: FIs should review their 2023 through 2025 filings to confirm that no pre-existing accounts were reported with missing TINs. If any filings had a missing TIN field, the FI should file an amendment using the TIN codes. FIs should also make sure their procedures capture the actions taken to request and search for missing TINs as well as keep a record of any evidence showing that such actions were timely taken.

While relief for new accounts with missing TINs is not expressly provided, FIs that do not have TINs for new accounts can follow the same procedures used for existing accounts (i.e., TIN codes). Separate information is not requested for new accounts, so responses likely apply to all accounts with missing TINs.

Newly effective rules under CRS 2.0 requiring collection of valid self-certifications

CRS 2.0, released by the OECD in 2022, requires that Reporting FIs collect valid self-certifications from account holders of their tax residence and other information, including their TINs. The new rules became effective January 1, 2026, for certain countries for 2027 reporting, and give Reporting FIs 90 days to collect valid self-certifications from account holders and controlling persons of passive nonfinancial entities (NFEs) when the account is opened. Controlling persons must be "reported persons" (e.g., have an ownership interest, control through other means or be a senior managing official).

To be valid, a CRS self-certification must include the following information for each account holder or controlling person of a passive NFE:

• Name
• Residence address
• Jurisdiction(s) of residence for tax purposes
• TIN for each reportable jurisdiction
• Date of birth
• Signature (or other positive affirmation (e.g., via email))

Some jurisdictions have released their own self-certification forms and recommend that FIs use them (but it is not mandatory), Aside from the information that must be included in a valid self-certification, there is no specific format/template for a CRS self-certification.

Valid CRS self-certifications will not expire unless a change occurs in the account holders' or controlling persons' circumstances. If the Reporting FI discovers that the self-certification is invalid, it must obtain a new valid form or document a reasonable explanation of why it could not obtain a valid form.

EY observes: FIs should verify that a valid self-certification is on file for each account holder or controlled person of a passive NFE. Any missing valid self-certifications should be addressed during 2026 in preparation for 2027 reporting.

FIs should also consider reviewing their CRS self-certifications to confirm they comply with the new CRS 2.0 requirements even though an updated CRS 2.0 self-certification has not been released. While many of the fields remain the same, instructions should be updated to note the new fields that FIs must now report.

Additionally, FIs should consider enhancing their validation process for self-certifications provided by account holders and controlling persons. Specifically, validation systems could be programmed to invalidate a self-certification if a required field, such as the controlling person type, is missing. For passive NFEs that are trusts, the process could make sure that validations require controlling person certifications to include both the trustee and beneficiaries.