Skip to main content

MTCA sharpens expectations on CRS/FATCA governance and oversight

Background

The Malta Tax and Customs Administration (MTCA) has issued a circular summarising the outcome of the 2026 CRS/FATCA Self Compliance Questionnaire (“SCQ”). While responses indicate broad awareness of CRS/FATCA obligations, MTCA identifies a number of areas where Financial Institutions need to further strengthen their governance and operational frameworks.

The circular forms part of MTCA’s ongoing monitoring under the Cooperation with Other Jurisdictions on Tax Matters Regulations, Subsidiary Legislation 123.127 and signals increased focus on how Financial Institutions evidence the effective implementation of their CRS and FATCA obligations.

Key messages for Financial Institutions

Governance must move from awareness to discipline

Many respondents reported having written CRS/FATCA policies and providing training. However, MTCA notes that governance arrangements are not consistently formalised or embedded.

Financial Institutions are expected to:

  • Maintain documented and up to date CRS/FATCA policies and procedures tailored to their business model;
  • Clearly allocate responsibilities across the board, senior management, compliance and operations; and
  • Ensure classification, due diligence and reporting decisions are supported by a documented rationale and adequate records.

 

Operational controls and reviews should be structured and risk based

The circular highlights inconsistencies in review practices and reliance on ad hoc checks.

MTCA expects:

  • Defined review cycles for account holder information;
  • Trigger based mechanisms to identify and respond to changes in circumstances (e.g. indicia, tax residency, documentation inconsistencies); and
  • Enhanced due diligence for higher risk customers, including Citizenship by Investment and Residence by Investment (CBI/RBI) participants and complex structures.

 

Outsourcing requires demonstrable oversight

Around half of respondents reported outsourcing at least one CRS/FATCA function. MTCA reiterates that ultimate responsibility remains with the Financial Institution.

Financial Institutions should:

  • Put in place clear contractual arrangements and service level expectations;
  • Periodically review third party outputs and management information; and
  • Document challenge, escalation and remediation where deficiencies are identified.

 

Good practice is becoming the benchmark

MTCA sets out examples of good practice, including ongoing role specific training, integration of CRS/FATCA controls with broader AML/CFT and CDD processes, and timely remediation of identified gaps. These examples are likely to inform future supervisory reviews and onsite examinations. Financial Institutions that fall short of these practices may be subject to further supervisory scrutiny and remediation expectations.

Recommended actions

In light of the circular, Financial Institutions should consider:

  • Performing a targeted gap analysis of their CRS/FATCA governance, operational controls and outsourcing arrangements against MTCA’s expectations;
  • Reviewing the design and frequency of review cycles, trigger events and documentation standards, with a focus on higher risk accounts and complex client profiles; and
  • Assessing the scope, frequency and effectiveness of CRS/FATCA training programmes for relevant staff.

How Deloitte can help

Deloitte can support Financial Institutions in:

  • Conducting CRS/FATCA health checks aligned with MTCA’s supervisory expectations;
  • Enhancing governance, oversight and escalation frameworks; and
  • Designing and delivering tailored CRS/FATCA training and remediation programmes.

A copy of the MTCA circular on the outcome of the 2026 CRS/FATCA SCQ exercise is available here.

For further information, or to discuss how this development may impact your Financial Institution and CRS/FATCA framework, please contact your usual Deloitte contact or any member of our CRS/FATCA team.

Did you find this useful?

Thanks for your feedback