CARF: The New Global Tax Reporting Framework for Crypto

ByOfficer

Last updated: March 2026

Introduction

The Crypto-Asset Reporting Framework (CARF) represents a fundamental shift in how crypto-asset transactions are reported across borders for tax purposes. Developed by the OECD and endorsed by the G20, CARF establishes a common standard for automatic exchange of information about crypto-asset transactions – similar in scope to the Common Reporting Standard (CRS) that transformed cross-border financial reporting a decade ago.

For compliance teams, reporting officers, and financial institutions operating in the EU and globally, CARF is not optional. It is a regulatory requirement that is already reshaping data collection, customer due diligence, and reporting infrastructure. In the EU, CARF has been transposed through DAC8 (Directive (EU) 2023/2226), with rules applying from 1 January 2026 and first reporting due in 2027. This article explains what CARF is, who it affects, what must be reported, and the practical steps your organization should take now.

Background: Why CARF Exists

The crypto-asset market has grown exponentially, reaching hundreds of billions in notional value. Yet tax compliance in this space has lagged significantly. Tax authorities identified substantial revenue loss due to underreporting of crypto transactions and income. The OECD published the final CARF standard in October 2022, alongside amendments to the Common Reporting Standard (CRS).

The G20 formally endorsed CARF in 2023, signaling strong consensus among major economies that coordinated international reporting was necessary. As of early 2026, over 60 jurisdictions have committed to implementing CARF, with the first exchanges of information expected in 2027 or 2028. Unlike CRS, which focuses on financial accounts held by individuals, CARF targets the transactions themselves – the buy, sell, exchange, and transfer of crypto-assets.

Key Drivers

  • Tax evasion risk: Individuals could trade cryptocurrencies without traditional financial intermediaries reporting transactions to tax authorities.
  • Data opacity: Unlike traditional securities or forex trading, crypto trades often occur on platforms with limited institutional oversight or across decentralized protocols.
  • Cross-border complexity: Crypto markets are borderless. A UK taxpayer can trade on a Singapore exchange and hold assets in a digital wallet without UK authorities knowing.

CARF addresses these gaps by creating a uniform reporting standard that participating jurisdictions implement and exchange data under.

What CARF Covers

CARF is not a blanket crypto regulation. It is specifically a tax reporting framework that requires Reporting Crypto-Asset Service Providers (RCASPs) to report certain transactions to tax authorities.

The Core Scope

CARF requires reporting of three categories of transactions:

  • Crypto-to-fiat exchange transactions: Purchase or sale of crypto-assets for traditional currency (USD, EUR, GBP, etc.)
  • Crypto-to-crypto exchange transactions: Exchange of one crypto-asset for another (e.g., Bitcoin for Ethereum)
  • Transfers of crypto-assets: Movement of crypto-assets, including transfers to unhosted wallets (cold wallets) or third-party custodians. Under CARF, transfers to cold wallets are a core reportable transaction type and must be reported at the aggregate level.

Reporting is done on an aggregate basis, grouped by transaction type, crypto-asset, and direction (inward or outward), for the reporting period. Individual transactions are not reported separately.

In-Scope Assets

CARF applies to crypto-assets broadly defined – assets that rely on cryptography and distributed ledger technology and can be held and transferred in a decentralized manner. This includes:

  • Cryptocurrencies (Bitcoin, Ethereum, etc.)
  • Stablecoins (though some stablecoins may qualify as “Specified Electronic Money Products” under the amended CRS rather than CARF – see below)
  • Crypto-asset derivatives issued in the form of crypto-assets
  • Non-fungible tokens (NFTs) that can be used for payment or investment purposes. NFTs are not blanket-excluded from CARF. The OECD has stated that even assets marketed as collectibles may be in scope if they can be used for payment or investment. Each NFT must be evaluated on a case-by-case basis.
  • Tokenized real-world assets (tokenized equities, real estate tokens, asset-backed tokens) – these are in scope for CARF because they can be used for investment purposes.

Excluded from CARF:

  • Central bank digital currencies (CBDCs): Excluded from CARF transaction reporting. However, CBDCs are not invisible to tax authorities – under the amended CRS (also part of the DAC8 package), CBDCs fall within the scope of reporting as depository accounts. The same applies to certain e-money products.
  • Closed-loop crypto-assets: Assets that can only be exchanged or redeemed within a limited, fixed network (e.g., loyalty reward points, airline miles, in-game currencies that cannot be traded on secondary markets).
  • Specified Electronic Money Products (SEMPs): Stablecoins and e-money tokens that meet the criteria for SEMPs are excluded from CARF but are instead reported under the amended CRS framework as depository accounts.

This distinction matters for compliance teams. If your institution handles a mix of crypto-assets, stablecoins, and e-money tokens, you need to classify each product correctly to determine whether it falls under CARF or the amended CRS – and report accordingly.

Who Reports: Reporting Crypto-Asset Service Providers (RCASPs)

CARF places reporting obligations on Reporting Crypto-Asset Service Providers. The OECD defines RCASPs as entities or individuals that, as a business, provide services effectuating exchange transactions or transfers of crypto-assets for or on behalf of customers. This includes:

  • Crypto exchanges (centralized and, in some cases, intermediated decentralized platforms)
  • Custodians holding customer crypto-assets
  • Brokers and dealers facilitating crypto transactions
  • Crypto-asset ATM operators
  • Wallet providers (where they facilitate exchange or transfer transactions on behalf of customers)

The definition focuses on whether the entity effectuates transactions for customers. Entities that merely provide technology infrastructure without facilitating transactions for specific customers may not be RCASPs. In practice, the line can be fine – if your platform enables customers to trade, exchange, or transfer crypto, you are likely in scope.

Notably excluded: Individuals who self-custody crypto-assets without providing services to others. A person holding Bitcoin in their own hardware wallet is not an RCASP and has no CARF reporting obligation directly – but transactions they conduct through an RCASP will be reported.

For EU institutions, MiCAR (the Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114) defines crypto-asset service providers. DAC8 uses MiCAR definitions as a starting point but adopts a broader scope for CARF reporting purposes, capturing entities not licensed under MiCAR that nonetheless provide crypto services.

What Gets Reported: Data Elements

RCASPs must report the following information to tax authorities:

About the Customer

  • Full name and date of birth
  • Tax identification number (TIN) – where available
  • Jurisdiction of tax residence
  • Address
  • Entity status (for entity customers) and controlling persons where applicable

About the Transactions (aggregated)

  • Type of transaction (exchange to fiat, exchange to crypto, transfer)
  • Crypto-asset identifier (e.g., ticker, classification)
  • Aggregate gross proceeds or fair market value
  • Number of units (aggregate)
  • Direction (inward or outward, for transfers)
  • Currency denomination (where applicable)

Timing

Data is reported annually. In the EU under DAC8, the reporting deadline is generally within the first half of the year following the reporting period. In Luxembourg, the first reports (covering calendar year 2026) are due by 30 June 2027. Tax authorities then exchange information with other jurisdictions by 30 September 2027.

This mirrors the CRS model. Just as banks report on financial accounts annually, crypto service providers will report on transactions annually to their local tax authority, which then exchanges that data with other jurisdictions.

Due Diligence Requirements

Before reporting transactions, RCASPs must perform customer due diligence (CDD) to obtain necessary information. CRS compliance officers will recognize the framework.

RCASPs must:

  1. Identify the customer: Obtain name, date of birth, and address through KYC procedures (already mandatory under AML/CFT rules and MiCAR in the EU).
  2. Obtain self-certification: Collect a self-certification from the customer confirming their jurisdiction of tax residence. This is a specific CARF/DAC8 requirement that goes beyond standard AML KYC.
  3. Collect tax identification numbers: Request the customer’s TIN for their jurisdiction of residence. Where a customer cannot provide a TIN, document reasonable efforts to request one.
  4. Validate against conflicting indicia: Cross-check self-certifications against other customer information on file. If there are inconsistencies (e.g., address in a different jurisdiction than declared tax residence), the RCASP must resolve them.
  5. Maintain records: Keep copies of documentation for at least five years.
  6. Enforce compliance (DAC8-specific): Under DAC8, if a customer does not provide the required self-certification after two reminders within 60 days, the RCASP must block the customer from performing reportable transactions on the platform. This is a significant enforcement mechanism unique to the EU implementation.

For existing customers, CDD must be completed by the implementation deadline. For new customers, CDD occurs during onboarding.

EU Implementation: DAC8

The EU has implemented CARF through DAC8 – Council Directive (EU) 2023/2226, adopted on 17 October 2023 and published in the Official Journal on 24 October 2023. DAC8 amends the existing Directive on Administrative Cooperation (Directive 2011/16/EU) to extend automatic exchange of information to crypto-assets.

DAC8 Timeline and Status

DAC8 is not a future proposal – it is adopted EU law with binding deadlines:

  • 17 October 2023: DAC8 adopted by the EU Council
  • 31 December 2025: Deadline for Member States to transpose DAC8 into national law
  • 1 January 2026: DAC8 rules apply – RCASPs must begin collecting data and performing due diligence
  • First half of 2027: First reporting submissions to national tax authorities (in Luxembourg: by 30 June 2027 for calendar year 2026)
  • 30 September 2027: First automatic exchange of information between EU tax authorities

DAC8 goes beyond CARF in several respects:

  • Extraterritorial reach: Non-EU RCASPs serving EU residents must register in a Member State and comply with DAC8 reporting. There is no exemption for being headquartered outside the EU.
  • 60-day blocking rule: If a customer fails to provide a self-certification after two reminders within 60 days, the RCASP must block them from transacting.
  • GDPR notifications: RCASPs must inform customers that their information will be collected and reported to tax authorities before the information is actually reported.
  • Penalty range: DAC8 provides for penalties for non-compliance ranging from EUR 20,000 to EUR 500,000, depending on national implementation.
  • Amended CRS: DAC8 also updates the CRS framework to cover e-money products, CBDCs, and additional data fields – affecting all existing Reporting Financial Institutions, not just crypto service providers.

Luxembourg-Specific Implementation

Luxembourg introduced Draft Law no. 8592 on 24 July 2025 to transpose DAC8 into national law. The law is expected to be adopted before the end of 2025, with entry into force on 1 January 2026. Key points for Luxembourg-based entities:

  • CASPs authorized under MiCAR are automatically identified by the CSSF and communicated to the Luxembourg Tax Authorities (Administration des contributions directes). They do not need to register separately for DAC8.
  • Non-MiCAR operators with a Luxembourg nexus must register with the tax authorities before the filing deadline.
  • First reporting covers calendar year 2026, with submissions due by 30 June 2027.
  • The Luxembourg Tax Authorities exchange information with other jurisdictions by 30 September 2027.
  • CASPs that also qualify as Reporting Financial Institutions under CRS may rely on existing CDD procedures and avoid duplicate reporting where the same information is covered under both regimes.
  • Penalties for failure to register or report: EUR 5,000 for registration failures; up to EUR 250,000 for failure to meet due diligence and reporting obligations.

Global CARF Implementation Timeline

Beyond the EU, CARF implementation is proceeding globally:

  • 2022: OECD publishes final CARF standard (October 2022)
  • 2023: G20 endorsement; DAC8 adopted in EU; jurisdictions begin committing to CARF implementation
  • 2024-2025: Jurisdictions draft and adopt legislation; over 60 jurisdictions commit to CARF
  • 1 January 2026: DAC8 rules apply in the EU; several non-EU jurisdictions also begin data collection
  • 2027: First reporting and automatic exchange of information in the EU and many early-adopting jurisdictions (UK, Switzerland, Singapore, Cayman Islands, UAE, and others)
  • 2028-2029: Additional jurisdictions commence exchanges

Implementation timelines vary by jurisdiction. The EU is among the earliest movers. Confirm your jurisdiction’s specific timeline with your national tax authority.

Relationship to Existing Frameworks

CARF does not exist in isolation. Reporting officers should understand how it interacts with frameworks already familiar to compliance teams.

CRS and FATCA

CRS and FATCA require annual reporting of financial accounts. CARF is distinct – it reports on transactions, not account balances. However, the infrastructure is similar: tax identification, customer due diligence, and automatic exchange of information. Many institutions will reuse CRS/FATCA systems and processes as a foundation for CARF compliance.

An important note: DAC8 also updates the CRS framework itself (“CRS 2.0”), introducing new data fields, broader entity scope, and coverage of e-money and CBDCs. So even if your institution handles no crypto-assets, DAC8 may still affect you through the CRS amendments.

MiCAR (EU)

The EU’s Markets in Crypto-Assets Regulation (MiCAR) – Regulation (EU) 2023/1114 – establishes prudential and conduct rules for crypto service providers. CARF/DAC8 is a tax reporting overlay on top of MiCAR. MiCAR has been in force since late 2024. Key alignment points:

  • KYC requirements: MiCAR requires KYC; CARF/DAC8 requires the same plus explicit tax residence determination and TIN collection
  • Record-keeping: MiCAR requires retention; CARF aligns at five years
  • CASP definition: DAC8 uses MiCAR definitions as a starting point but casts a wider net for reporting purposes
  • Reporting infrastructure: MiCAR-compliant systems often require modest enhancement to support CARF data requirements

AML/CFT Framework

AML/CFT rules already require crypto service providers to conduct KYC and report suspicious transactions. CARF builds on this foundation – it uses much of the same customer identification. However, CARF is not AML reporting; it is tax reporting. Different data elements are involved (TINs, tax residence vs. suspicious activity indicators), and different authorities receive the information (national tax authorities, not FIUs). You may need to supplement AML/CFT processes with additional tax-specific data collection, particularly self-certifications of tax residence.

What Reporting Teams Should Do Now

Several actions are universally recommended, regardless of jurisdiction.

1. Clarify Your RCASP Status

Determine definitively whether your organization qualifies as an RCASP under CARF. Review your business model against the OECD definition. The key question: does your entity effectuate exchange transactions or transfers of crypto-assets for or on behalf of customers? If so, you are likely in scope. If in doubt, consult your regulator or external counsel.

Entities that may be in scope but may not immediately realize it include: traditional financial institutions that have added crypto trading capabilities, payment service providers handling crypto transactions, and platforms that intermediate DeFi transactions.

2. Inventory Your Customer Data

Audit your current customer due diligence processes. Assess what tax residence and TIN information you currently hold. Identify gaps. Plan for collection of missing data from existing customers before the implementation deadline.

For each customer:

  • Do you have their full legal name and date of birth?
  • Do you have their tax identification number for their jurisdiction of residence?
  • Have they provided a self-certification of tax residence?
  • If they are an entity, have you identified controlling persons?

Existing customers: plan an outreach campaign with a clear collection deadline. Under DAC8, failure to collect self-certifications triggers the 60-day blocking mechanism.

New customers: embed tax residence and TIN capture in onboarding from day one.

3. Assess Transaction Data Capture

Audit your transaction recording systems:

  • Do you capture transaction date and time?
  • Do you record asset type with a standard identifier?
  • Do you record quantity of crypto transferred?
  • Do you capture fair market value at transaction time?
  • Do you record fees and costs?
  • Do you track transfer direction and destination type (e.g., hosted wallet vs. unhosted wallet)?

CARF requires precise data. Many institutions will discover that their transaction systems record some elements but lack others.

4. Address Fair Market Value Sourcing

CARF requires reporting the fair market value of crypto-assets at transaction time. This is challenging for price-volatile assets and illiquid tokens. Plan for:

  • Obtaining reliable pricing feeds (e.g., from major exchanges or data aggregators)
  • Timestamping values precisely
  • Handling scenarios where market data is unavailable or unreliable (particularly for NFTs and illiquid tokens)
  • Maintaining an audit trail of pricing sources and methodology

5. Coordinate Across Teams

CARF compliance involves multiple functions: compliance, tax, technology, and legal. Establish a cross-functional CARF programme team early. Assign clear ownership and accountability.

Key functions to include:

  • Tax: Tax authority coordination and data exchange structures
  • Compliance: Regulatory requirements and interpretation
  • Legal: Data protection (GDPR), customer consent, and contractual implications
  • Technology: System design, XML schema implementation, and data integration
  • Operations: Customer onboarding, due diligence, and transaction handling

6. Plan for DAC8-Specific Requirements

If you operate in the EU or serve EU customers, pay particular attention to:

  • The 60-day blocking mechanism for non-compliant customers
  • GDPR notification requirements (informing customers before data is reported)
  • Registration requirements if you are a non-EU RCASP serving EU residents
  • The interaction between CARF reporting and amended CRS obligations

7. Engage External Partners and Plan Training

Many institutions will engage external consultants, software vendors, or reporting utilities. Begin vendor evaluation now. Lead times for system upgrades are typically 12 to 18 months.

Ensure that customer-facing teams, compliance staff, and operations understand CARF obligations. Develop training materials and conduct sessions well ahead of the reporting deadline.

Coming Soon: Template-by-Template Deep Dives

We’re building detailed, template-level guides for each reporting framework covered on RegReportingDesk. Whether you need a field-by-field walkthrough of CARF XML schema requirements, DAC8 data element mappings, or reporting process flows, these guides are on the way. Bookmark this page and check back soon.

Frequently Asked Questions

What is CARF?

The Crypto-Asset Reporting Framework (CARF) is an OECD standard for automatic exchange of information about crypto-asset transactions across jurisdictions. Endorsed by the G20, CARF requires Reporting Crypto-Asset Service Providers to collect customer tax information and transaction data, then report to tax authorities, which exchange that data with other jurisdictions. CARF aims to combat tax evasion in the crypto market.

When does CARF take effect?

In the EU, CARF has been implemented through DAC8 (Directive (EU) 2023/2226). Member States were required to transpose DAC8 by 31 December 2025, with rules applying from 1 January 2026. The first reporting covers calendar year 2026, with reports due in the first half of 2027 (by 30 June 2027 in Luxembourg) and automatic exchange between tax authorities by 30 September 2027. Globally, over 60 jurisdictions have committed to CARF, with first exchanges expected in 2027 or 2028.

Who reports under CARF?

Reporting Crypto-Asset Service Providers (RCASPs) report. This includes exchanges, custodians, brokers, dealers, crypto ATM operators, and wallet providers that facilitate exchange or transfer transactions for customers. Individuals self-custodying crypto without providing services to others are not RCASPs and don’t report directly, but their transactions through RCASPs will be reported.

What crypto-assets are covered?

CARF covers crypto-assets that can be used for payment or investment purposes, including cryptocurrencies, stablecoins, crypto-asset derivatives, tradeable NFTs, and tokenized real-world assets. Closed-loop crypto-assets (loyalty points, in-game currencies) are excluded. CBDCs and specified e-money products are excluded from CARF but are covered under the amended CRS framework.

Are NFTs included in CARF?

NFTs are not blanket-excluded. The OECD has stated that NFTs must be evaluated on a case-by-case basis. NFTs that can be used for payment or investment purposes are in scope. Only NFTs that are genuinely closed-loop or cannot be transferred or used for payment/investment are excluded. In practice, many tradeable NFTs will be reportable.

How does CARF relate to CRS?

CRS reports on financial account balances and income. CARF reports on crypto transactions. Both use automatic exchange frameworks, but they are distinct reporting regimes. DAC8 updates both frameworks simultaneously – implementing CARF for crypto transactions and amending CRS (“CRS 2.0”) to cover e-money, CBDCs, and additional data fields. Infrastructure and teams overlap, but the data reported is different.

What should organizations do now?

Immediately: clarify whether you are an RCASP. Audit customer data for TINs and tax residency self-certifications. Assess transaction recording systems against CARF data requirements. Plan for the DAC8 60-day blocking rule. Establish cross-functional governance. Monitor your national regulator’s guidance. Plan system enhancements and engage external partners if needed.

What are the penalties for non-compliance?

Under DAC8, penalties range from EUR 20,000 to EUR 500,000, depending on national implementation. In Luxembourg, the Draft Law provides for EUR 5,000 for registration failures and up to EUR 250,000 for failure to meet due diligence and reporting obligations. Non-compliance also creates reputational risk and potential supervisory scrutiny.

Key Takeaways

  • CARF is a global tax reporting standard for crypto transactions endorsed by the G20 and implemented in the EU through DAC8 (Directive (EU) 2023/2226). It is already in effect – rules apply from 1 January 2026 in the EU.
  • First reporting is due in 2027, not 2028-2030. In Luxembourg, reports covering calendar year 2026 must be filed by 30 June 2027. Tax authorities exchange information by 30 September 2027.
  • RCASPs must report aggregated transaction data including crypto-to-fiat exchanges, crypto-to-crypto exchanges, and transfers to unhosted wallets.
  • In-scope assets include NFTs and tokenized assets that can be used for payment or investment. The exclusion of NFTs is not blanket – each must be assessed. CBDCs and e-money are covered under the amended CRS, not CARF.
  • Due diligence requirements include self-certification of tax residence and TIN collection – going beyond standard AML KYC. Under DAC8, failure to obtain self-certification triggers the 60-day blocking mechanism.
  • DAC8 has extraterritorial reach. Non-EU platforms serving EU customers must register in a Member State and comply. There is no exemption for being headquartered outside the EU.
  • Organizations should be in active implementation, not planning. With rules applying from January 2026 and first reporting in 2027, the time for readiness assessment is now past – institutions should be executing.
  • CARF is distinct from but complementary to MiCAR, CRS, FATCA, and AML/CFT rules. Understand how each interacts with your reporting infrastructure and avoid duplicate reporting where regimes overlap.

Disclaimer

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.

Sources and References

Similar Posts