The global crypto industry now entered a new era of tax transparency. As of January 1, 2026, crypto platforms in dozens of countries began collecting detailed user and transaction data under the OECD’s Crypto-Asset Reporting Framework, known as CARF. By 2027, the majority of committed jurisdictions will begin exchanging that data with each other. By 2029, the United States layers international data sharing on top of its already-active domestic reporting regime.
For crypto exchanges, brokers, wallet providers and even some decentralised platforms, CARF represents the most significant shift in reporting obligations since the industry’s inception. This article breaks down what CARF is, who it affects, what data gets reported and the timeline every crypto business should have on its wall.
What is CARF and why now?
CARF is the OECD’s purpose-built framework for exchange of tax-relevant information on crypto-asset transactions between jurisdictions. Approved in June 2023, it was designed to close a gap that the Common Reporting Standard (CRS) left open. CRS, which has been in force since 2017, covers traditional financial accounts – bank deposits, investment funds, insurance products – but it was never built to handle crypto assets.
The result was a blind spot. While banks reported account balances and interest income across borders, crypto exchanges operated outside this information-sharing network entirely. A user could trade millions in Bitcoin through an offshore exchange and no tax authority would receive an automatic notification. CARF changes that by creating a single global standard for crypto transaction reporting, modelled on the CRS architecture but adapted for the unique characteristics of digital assets.
The political momentum behind CARF is substantial. As of early 2026, approximately 76 jurisdictions had committed to implementing the framework and more than 50 had signed the Multilateral Competent Authority Agreement (MCAA) that enables the actual cross-border data exchange.
Who must comply? The RCASP definition
CARF introduces the concept of a Reporting Crypto-Asset Service Provider or RCASP. This definition is deliberately broader than the Financial Action Task Force’s definition of a VASP. It captures any entity or individual that, as a business, facilitates exchange transactions in crypto assets on behalf of customers.
This includes centralised exchanges and trading platforms, crypto brokers and dealers, custodial wallet providers managing assets on behalf of users, certain decentralised finance (DeFi) platforms where an identifiable party exercises control or sufficient influence over the protocol and NFT marketplaces where tokens serve payment or investment functions.
The “Control or Sufficient Influence” (COSI) test for DeFi is one of CARF’s more nuanced provisions. Purely decentralised protocols with no controlling entity may fall outside scope, but the OECD has drawn the line carefully. If a platform has identifiable operators who can modify the protocol, control access or extract fees, it could qualify as an RCASP.
For businesses that currently consider themselves outside the regulatory perimeter, this broader definition is a wake-up call. A firm that is not classified as a VASP under its national AML framework could still be an RCASP under CARF.
What data gets reported?
CARF reporting covers two categories of information: user identity data and transaction data.
On the identity side, RCASPs must collect and report each user’s full name, date of birth, address, tax residency jurisdiction and taxpayer identification number (TIN). For entity users, the reporting extends to the entity’s legal name, address, TIN and the identity of controlling persons.
On the transaction side, RCASPs must report the type of crypto asset involved, the nature of the transaction (exchange for fiat, exchange for another crypto asset or transfer), aggregate transaction values over the reporting period, fair market values at the time of transaction and wallet addresses involved in transfers.
Transfers to or from self-hosted wallets are also separately reportable under CARF. The OECD’s XML reporting schema requires RCASPs to identify whether a withdrawal destination is the user’s own self-hosted wallet or a third party’s. While authorities will not see private keys or seed phrases, they will see that a user moved assets from a KYC-verified exchange to an external wallet – enough to trigger follow-up enquiries.
| Data category | What is reported |
|---|---|
| User identity | Name, date of birth, address, tax residency, TIN |
| Entity users | Legal name, address, TIN, controlling persons |
| Transactions | Type (fiat/crypto/transfer), aggregate values, fair market values |
| Wallet transfers | Destination wallet address, self-hosted vs. third-party identification |
| Crypto asset details | Type and identification of crypto asset |
The global implementation timeline
CARF implementation is rolling out on a staggered timeline, creating a comprehensive global net. While the OECD does not designate official “waves,” implementation is clustering around three key dates.
Exchanges beginning 2027
The largest group of jurisdictions committed to a common implementation date of January 1, 2026 for data collection, with first automatic exchanges of information targeted for September 2027. This group includes the entire European Union (implementing via the DAC8 directive), the United Kingdom, Canada, South Korea and Japan. Crypto platforms in these jurisdictions have been collecting reportable data since the start of 2026. First reports to domestic tax authorities are due in 2027, with cross-border exchanges following shortly after.
Exchanges beginning 2028
A number of additional jurisdictions, including Switzerland, Singapore, the United Arab Emirates, Hong Kong and Turkey, are targeting first exchanges in 2028. Due diligence and data collection in these countries begins on January 1, 2027.
United States: exchanges beginning 2029
The US has committed to CARF exchanges starting in 2029. However, this does not mean American crypto users are in a reporting-free zone. The US did not sign the CARF MCAA, instead relying on its domestic reporting infrastructure under Section 6045 of the Internal Revenue Code. Brokers began reporting gross proceeds on Form 1099-DA for 2025 transactions and cost-basis reporting kicks in for 2026 transactions. By the time CARF exchanges start in 2029, the US will have layered international data sharing on top of an already-established domestic reporting infrastructure.
The EU’s DAC8: CARF’s European twin
The European Union implemented CARF through the Eighth Directive on Administrative Cooperation, known as DAC8. All 27 EU member states were required to transpose DAC8 into national law by December 31, 2025, with provisions applying from January 1, 2026.
DAC8 largely mirrors CARF but adds EU-specific elements. Data collection obligations under DAC8 applied from January 1, 2026, with the first reports due to national authorities between January 1 and September 30, 2027.
Penalties for non-compliance are determined by each EU member state through national implementing legislation. The directive requires that penalties be “effective, proportionate and dissuasive,” meaning enforcement rigour will vary across the bloc. Given the EU’s track record with GDPR enforcement, crypto businesses should expect that member states will take DAC8 compliance seriously.
The scope is also broad. DAC8 covers crypto assets as defined under the Markets in Crypto-Assets Regulation (MiCA), including assets issued in a decentralised manner, stablecoins, e-money tokens and certain NFTs.
Key challenges for crypto businesses
Implementing CARF compliance is not a simple reporting exercise. Several structural challenges make it materially harder than traditional CRS compliance.
The fragmented global timeline is the first challenge. A platform serving users across jurisdictions with 2027, 2028 and 2029 go-live dates must manage different data collection start dates, different reporting deadlines and potentially different local interpretations of the CARF model rules. Unlike CRS, which had a more unified rollout, CARF’s staggered implementation creates operational complexity.
TIN collection from a global user base is another significant hurdle. Many crypto users signed up for platforms with minimal KYC and retroactively collecting tax identification numbers from millions of existing users across dozens of jurisdictions is a major operational and customer-experience challenge.
The DeFi scope boundary remains ambiguous. The COSI test provides a framework, but its application to specific protocols will require case-by-case assessment. Platforms operating in the grey zone between centralised and decentralised models face genuine uncertainty about their reporting obligations.
Finally, dual compliance adds cost and complexity. CARF tax reporting obligations run parallel to AML/CFT requirements under FATF recommendations and national laws. Both frameworks require KYC data, but they serve different purposes and flow through different reporting channels. Firms that build these as separate compliance programs will duplicate effort and increase the risk of inconsistencies.
Integrating CARF with AML/CFT compliance
The smartest approach is integration. CARF due diligence and AML/CFT customer due diligence both require identity verification, tax residency determination and ongoing transaction monitoring. A unified compliance program can capture all required data points through a single onboarding flow and feed the same transaction data into both AML monitoring systems and CARF reporting engines.
This is where Compliance7 works with crypto platforms. Our team designs integrated compliance architectures that satisfy both FIU reporting obligations and CARF tax reporting requirements from a single data infrastructure. For firms operating across multiple jurisdictions with different go-live dates, we build phased implementation roadmaps that prioritise 2027 obligations while preparing for 2028 and 2029 requirements.
The record-keeping requirements also overlap. Most AML frameworks require five-year retention of KYC and transaction records. CARF reporting records must be retained for comparable periods. A single record-keeping framework that satisfies both sets of requirements reduces operational cost and minimises the risk of gaps during regulatory examinations.
What comes next
CARF is not a future obligation – it is a current one. Platforms in dozens of committed jurisdictions have been collecting data since January 2026. The first cross-border exchanges will happen in 2027. By 2029, when the US joins, virtually every major crypto market in the world will be part of the network.
The era of crypto operating outside the global tax transparency infrastructure is ending. For crypto businesses, the choice is straightforward: invest in compliant infrastructure now or face penalties, loss of banking relationships and potential exclusion from key markets later.
If your platform needs help navigating CARF implementation across multiple jurisdictions, get in touch with Compliance7. Our team specialises in cross-border crypto compliance for exchanges, brokers and wallet providers operating in CARF-participating jurisdictions.
This article is for informational purposes only and does not constitute legal or tax advice. For guidance specific to your business, consult a qualified compliance or tax professional.
