How the Ultra Wealthy Avoid CRS and FATCA

How One US Citizen Managed to Avoid His Swiss Bank Reporting $2.7 Billion Under FATCA

CRS and FATCA are the two reporting systems that let governments see inside your offshore bank accounts. If you hold money outside your home country and you have not planned around these frameworks, your bank has already told your tax authority exactly what you own, what you earned, and where you keep it. Over 171 million accounts across 116 jurisdictions now get reported automatically under CRS alone. FATCA covers the American side of the equation. Together, both frameworks have made traditional offshore banking secrecy a relic of the past.

But there is a gap. A big one. The U.S. Senate Finance Committee called it a “glaring loophole” that allowed one billionaire to hide $2.7 billion in Swiss accounts without a single report reaching the IRS. That gap is the shell bank loophole, and it exploits the very mechanics of both frameworks’ registration to turn the reporting system against itself.

This guide breaks down how both frameworks actually work at a mechanical level, why the shell bank loophole exists, who has used it, what regulators are doing about it in 2026, and what legitimate privacy strategies remain for people who want to protect their wealth without breaking any laws.

What CRS and FATCA Actually Do (And Why You Should Care)

Most people hear about automatic reporting frameworks and their eyes glaze over. Fair enough. Acronyms are boring. But what these two systems do to your money is anything but boring.

FATCA (Foreign Account Tax Compliance Act) was signed into U.S. law in 2010. It forces every foreign bank on the planet to identify American account holders and report their financial details to the IRS. If a bank refuses, the U.S. government slaps a 30% withholding tax on all U.S.-source payments flowing through that institution. That threat worked. Over 300,000 foreign financial institutions now comply with FATCA.

CRS (Common Reporting Standard) is the OECD’s answer to FATCA, but on a global scale. Instead of one country demanding information, 116 countries agreed to share financial account data with each other automatically. Your bank in Singapore reports to the Singapore tax authority, which forwards everything to your home country’s tax office. No request needed. No suspicion required. It just happens, every single year.

The numbers are staggering. CRS tracks over €13 trillion in offshore assets across 171 million accounts. FATCA covers every American with more than $50,000 in foreign financial assets. Together, both frameworks have created the most comprehensive financial surveillance network in human history.

How CRS and FATCA Reporting Works Step by Step

Understanding the mechanics is critical if you want to plan around them. Both frameworks follow a similar three-step process, and knowing where the weak points are matters.

Step 1: Self-certification. When you open a bank account, the bank hands you a form asking for your tax residency, taxpayer identification number (TIN), and country of citizenship. Under FATCA, Americans fill out W-9 or W-8 forms. Under CRS, you complete a self-certification declaring your tax residence. Lie on these forms and you are committing a criminal offence in most jurisdictions.

Step 2: Due diligence. The bank cross-checks your information against “indicia” that might suggest you are tax resident somewhere else. A U.S. phone number, a mailing address in Germany, a standing instruction to transfer funds to an account in Australia. Any of these triggers additional review. Banks that skip this step face massive fines.

Step 3: Automatic exchange. The bank compiles annual reports and sends them to its local tax authority. That authority then transmits the data to every relevant partner jurisdiction through secure channels. Your home tax authority receives the report and matches it against your filed tax returns. Discrepancies trigger audits.

The whole system runs on autopilot. No judge signs off. No probable cause needed. Your financial privacy evaporates the moment you open an account in a participating jurisdiction.

The Shell Bank Loophole: How It Works

Here is where these reporting systems break down. And “break down” is not an exaggeration.

Under both frameworks, banks must report on individual account holders and certain entities. But they are not required to report on other financial institutions. That exemption makes sense on the surface. A bank holding an account for another bank is not the same as a bank holding an account for a person hiding money. The financial institution is supposed to do its own reporting on its own clients.

The shell bank loophole exploits this exemption. Here is the play:

You incorporate an entity in an offshore jurisdiction. The Cayman Islands, British Virgin Islands, Guernsey, or Bermuda are the usual choices. Then you register that entity with the IRS as a Foreign Financial Institution and obtain a Global Intermediary Identification Number (GIIN). Once you have that GIIN, you walk into a Swiss bank, present your entity’s registration, and open an account. The Swiss bank sees a registered financial institution, not an individual, and has no obligation under either framework to look any deeper.

Bottom line: the bank reports nothing. Your name never appears in any automatic exchange. The shell bank loophole turns the reporting exemption for financial institutions into a cloak of invisibility.

Why the IRS Cannot Police Its Own Registration System

You would think the IRS would catch fake financial institutions registering on its portal. You would be wrong.

The GIIN application process is almost comically simple. An entity submits IRS Form 8957 or registers online. The IRS does not contact the applicant’s responsible officer before approving the registration. It does not investigate the entity’s assets, beneficial ownership, or business activities. It does not verify whether the entity actually operates as a financial institution.

The numbers tell the story. Over 128,000 entities across just eight jurisdictions hold active GIIN registrations. The Cayman Islands alone has more than 84,000 IRS-approved “financial institutions,” a number that exceeds the country’s entire population of 69,000. The IRS simply does not have the personnel to monitor whether these registered entities actually file their own reports disclosing their beneficial owners.

Senator Ron Wyden’s 2022 investigation put it bluntly: wealthy individuals can convert shell companies into shell banks with virtually no scrutiny. The entity self-certifies its own reporting obligations. The receiving bank trusts the registration. And the IRS lacks the resources to verify compliance. That is the shell bank loophole in three sentences.

The Robert Brockman Case: $2.7 Billion Hidden in Plain Sight

If you want to understand why the shell bank loophole is not some academic curiosity, look at Robert Brockman.

Brockman was a Houston billionaire and the CEO of Reynolds and Reynolds, a software company. The Department of Justice charged him with the largest individual tax evasion scheme in U.S. history. The amount? Over $2 billion in unreported income.

His method was the shell bank loophole, executed with surgical precision. Brockman established entities in the Cayman Islands and Bermuda, registered them with the IRS as Foreign Financial Institutions, and obtained valid GIINs. He then opened accounts at two Swiss banks, Mirabaud and Syz, under these entity names. Because the Swiss banks saw registered FFIs on the other side of the counter, they were not required under CRS or FATCA to report Brockman’s beneficial ownership to anyone.

The scale was staggering. A single wire transfer of $799 million landed in one of his Mirabaud accounts, representing his share of a software company sale. Between 2010 and 2011, three Brockman transactions totaling $943 million accounted for nearly half of Mirabaud’s total net new inflows during that period. His account was 600 times larger than the bank’s typical client account.

Nobody flagged it. Not the IRS. Not the Swiss regulators. Not the banks’ own compliance teams. The shell bank loophole, combined with lax verification, let $2.7 billion sit in plain sight for years.

CRS and FATCA in 2026: What Has Changed

The regulatory landscape around these reporting frameworks is shifting fast. If you are reading older guides from 2022 or 2023, much of that information is already outdated.

CARF is coming. The Crypto-Asset Reporting Framework extends automatic reporting to cryptocurrency exchanges, DeFi platforms, stablecoins, and NFTs. The EU adopted CARF through DAC8, effective January 1, 2026. Sixty-seven jurisdictions, including the UK, Singapore, Hong Kong, and the UAE, have committed to first exchanges by 2027 or 2028. If you thought moving assets into crypto put you outside automatic reporting, that window is closing.

The IRS is switching systems. The legacy FIRE system shuts down in January 2027. All information return filings, including FATCA reports, will migrate to the new IRIS (Information Returns Intake System). The transition could create short-term chaos, but it also signals increased processing capacity and tighter data matching.

Reporting schemas are being overhauled. The UK’s HMRC announced that the current combined reporting schema will be discontinued after December 31, 2026. New, separate schemas based on the amended OECD standard take effect January 1, 2027. Other jurisdictions are following suit.

The shell bank loophole is under pressure. PwC Luxembourg now recommends that banks implement enhanced due diligence on FFI account holders, including requiring proof that the FFI has actually filed its reports. Academic papers from researchers at the Chinese University of Hong Kong have proposed concrete legislative fixes. The Inflation Reduction Act allocated $80 billion to the IRS specifically to increase scrutiny of offshore entity registrations and partnership audits.

The clock is ticking. None of these changes close the shell bank loophole overnight, but the trajectory is unmistakable.

Non-CRS Countries: Where Automatic Reporting Does Not Reach

Not every country plays ball with the OECD. Several jurisdictions with functioning banking systems have not signed on to CRS, and a handful do not participate in FATCA either. For people seeking legitimate financial privacy, these gaps represent real opportunities.

The United States is the elephant in the room. America forces every other country to report under FATCA, but it never joined CRS. That means a non-U.S. person can open a bank account in the United States and their home country’s tax authority receives nothing through automatic exchange. Absolute lunacy from a consistency standpoint, but it is the reality. Wyoming LLCs and Nevada corporations combined with U.S. bank accounts have become the go-to structure for non-Americans seeking automatic reporting-free banking.

Other non-CRS jurisdictions with usable banking include Cambodia, Paraguay, the Philippines, the Dominican Republic, Guatemala, and North Macedonia. Each comes with trade-offs in banking infrastructure, political stability, and access to international payment networks.

A word of caution. Banking in a non-CRS country does not mean you are exempt from tax obligations in your home country. If you are a U.S. citizen, you still owe FBAR and reporting obligations regardless of where you bank. If you are a UK tax resident, HMRC still expects you to declare worldwide income. Non-CRS banking gives you privacy from automatic exchange, not immunity from your own tax laws.

Legitimate Ways to Minimize CRS and FATCA Exposure

Forget the shell bank loophole for a moment. What can law-abiding people actually do to protect their privacy in a world dominated by automatic reporting?

More than you might think.

1. Bank in non-CRS jurisdictions. As covered above, several countries with functional banking systems do not participate in automatic exchange. The U.S. is the most robust option for non-Americans. Paraguay and Cambodia offer alternatives for those willing to trade convenience for confidentiality.

2. Use properly structured entities. A single-member U.S. LLC owned by a non-American is treated as a disregarded entity for U.S. tax purposes. It is not a “financial institution” and does not trigger reporting from the U.S. bank. The bank reports the LLC’s account, but because the U.S. is not a CRS participant, the information stays in the United States. This is legal. It is widely used. And it works, for now.

3. Establish tax residency in a territorial tax country. Countries like Panama, Paraguay, Costa Rica, and the UAE do not tax foreign-source income. If you become tax resident in one of these jurisdictions, CRS reports flowing back to your new tax authority are largely irrelevant because the income reported is not taxable there anyway.

4. Use compliant trust structures. Properly drafted trusts in jurisdictions like the Cook Islands, Nevis, or Belize can separate legal ownership from beneficial enjoyment. Both frameworks still apply to the trust’s financial accounts, but the reporting flows to the trustee’s jurisdiction rather than the beneficiary’s, creating legitimate distance between you and your tax authority.

5. Diversify across jurisdictions. Spreading assets across multiple banks in multiple countries reduces the impact of any single automatic report. No one jurisdiction sees the full picture. This is not evasion. It is smart asset allocation combined with the practical reality that tax authorities have limited bandwidth to cross-reference reports from dozens of countries.

Common Mistakes People Make With CRS and FATCA Planning

After years of helping clients navigate these frameworks, some mistakes come up again and again. Avoid these and you are already ahead of 90% of people trying to go offshore.

Thinking nominee directors hide you from CRS. They do not. CRS requires banks to look through entities and identify “controlling persons.” A nominee director or shareholder does not break the reporting chain. The bank must identify the ultimate beneficial owner regardless of how many corporate layers sit in between.

Confusing non-participation with tax freedom. Banking in Cambodia does not make your income tax-free. Your home country still expects you to report worldwide income. Participation status just determines whether the bank sends the information automatically or whether your tax authority has to ask for it.

Using the shell bank loophole without understanding the risk. Let’s be blunt. The Brockman case did not end well for anyone involved. Criminal charges. Asset seizures. Death before trial. The Swiss banks faced regulatory scrutiny that damaged their reputations permanently. The shell bank loophole may exist on paper, but exploiting it for tax evasion is playing with fire.

Ignoring FBAR alongside other reporting obligations. U.S. persons must file FinCEN Form 114 (FBAR) if their aggregate foreign account balances exceed $10,000 at any point during the year. FBAR penalties are brutal: up to $100,000 per violation or 50% of the account balance, whichever is greater. People who focus on automatic reporting sometimes forget that FBAR has its own set of teeth.

Opening accounts with outdated documentation. Banks update their due diligence procedures constantly. A self-certification form that worked three years ago may no longer satisfy current requirements. Outdated or incomplete documentation triggers enhanced scrutiny, which is the opposite of what you want.

CARF: The Next Wave of Global Financial Surveillance

Just when you thought these reporting systems had covered everything, the OECD decided crypto needed its own reporting framework. CARF, the Crypto-Asset Reporting Framework, extends automatic exchange to digital assets.

CARF covers cryptocurrency exchanges, stablecoin issuers, certain DeFi protocols, and NFT platforms. If you hold crypto on a regulated exchange in a CARF-participating jurisdiction, your account details get reported to your home tax authority just like a traditional bank account under automatic reporting.

The EU was first to move. DAC8 transposes CARF into European law effective January 1, 2026, with first data exchanges in 2027. Sixty-seven jurisdictions have signed on globally, including heavy hitters like the UK, Singapore, Hong Kong, and the UAE. Even the United States committed to first exchanges in 2028.

For anyone who moved wealth into crypto specifically to avoid automatic reporting, that strategy has an expiration date. The question is not whether CARF will reach you, but when.

CRS and FATCA vs. the Shell Bank Loophole: Side-by-Side Comparison

How does proper compliance compare to the shell bank loophole approach? The differences are not subtle.

The numbers don’t lie. Compliant offshore planning costs less, carries no criminal risk, and works indefinitely. The shell bank loophole is a ticking time bomb that gets more dangerous with every regulatory update.

Which Entities Trigger CRS and FATCA Reporting (And Which Do Not)

Not all entities are treated the same under these frameworks. Understanding the classification system is half the battle.

Financial Institutions (FIs): Banks, custodians, investment entities, and certain insurance companies. These entities report on their account holders. They are not reported on by other banks (this is the exemption the shell bank loophole exploits).

Active Non-Financial Foreign Entities (Active NFFEs): Companies that earn most of their income from active business operations. Banks report the entity’s account but do not need to identify controlling persons if the entity qualifies as an Active NFFE with no U.S. indicia.

Passive Non-Financial Foreign Entities (Passive NFFEs): Holding companies, investment vehicles, and entities where more than 50% of income is passive (dividends, interest, rent, royalties). Both frameworks require banks to look through these entities and report on every controlling person. This is where most people get caught.

The key insight? An entity’s classification determines whether the bank reports on the entity, on its owners, or on nobody at all. Getting this classification right is the foundation of every legitimate offshore strategy.

The Future of CRS and FATCA: Where This Is All Heading

Anyone planning offshore structures in 2026 needs to think about where these frameworks will be in 2030, not where they are today.

The trend is unmistakable: more countries joining automatic exchange standards, more asset classes covered (crypto via CARF), more enforcement funding, and tighter verification at every step. The non-CRS country list gets shorter every year. Armenia, Georgia, and Thailand all joined recently. The shell bank loophole is attracting legislative attention from both the U.S. Senate and international regulatory bodies.

What will not change is the fundamental reality that governments want to tax offshore wealth. These reporting frameworks are tools, and those tools will keep getting sharper.

The smart money is building structures that work regardless of which direction regulations move. That means compliant entities, proper reporting, tax residency planning, and diversification across stable jurisdictions. It means getting advice from people who understand both the technical mechanics of these frameworks and the practical realities of offshore banking.

That ship has sailed on the days of simply hiding money in a Swiss numbered account and hoping nobody notices. The question now is not whether your offshore assets will be discovered. It is whether your structure is built to withstand the scrutiny when it comes.

Final Thoughts on CRS and FATCA

These reporting frameworks changed offshore banking permanently. The shell bank loophole is a fascinating case study in how regulatory systems create their own blind spots, but treating it as a viable long-term strategy is a wake-up call waiting to happen. The Brockman case proved that. The Senate investigation proved that. And the wave of regulatory changes hitting in 2026 and 2027 will prove it again.

What works is boring by comparison. Proper entity classification. Banking in non-CRS jurisdictions with clean structures. Tax residency planning. Compliant trust arrangements. None of it sounds exciting, but it lets you sleep at night and it scales without criminal risk.

If you are serious about protecting your wealth and your privacy in a world of automatic reporting, start with the fundamentals. Get the structure right. Get the reporting right. And get advice from someone who has done this thousands of times.

For more on offshore structuring, explore our guides on asset protection strategies, offshore banking options, and second passport programs. If you need a tax-free company structure to complement your offshore bank account, Tax Free Companies can help with formation in zero-tax jurisdictions. And if you want to discuss your specific situation, book a strategy call and get a clear roadmap.