CARF & DAC8: New crypto tax, ID, & compliance rules

Key takeaway

• CARF and DAC8 are live. The same user-level data now drives tax reporting, compliance monitoring, and financial crime investigation simultaneously, representing a structural shift for crypto.

• CARF is becoming a global compliance baseline. Over 50 jurisdictions went live in 2026, requiring CASPs to collect TINs, tax residency info, and UBO data.

• CARF demands full infrastructure – not cosmetic changes. CRS and FATCA have shown that early movers pay less, while users and issuers need education to prevent drop-off and data failures.

• TINs and tax residency self-certification are critical gaps that should be closed at naturally occurring junctions, such as when document renewal is required , or transaction thresholds are being reached, while treating compliance as a continuous user relationship.

• CARF mandates integrated infrastructure: AML, the Travel Rule, and tax reporting must operate as one system, as fragmented identity generates exponential failures across compliance, investigation, and user taxation.

Why CARF and DAC8matter for the crypto industry

Crystal hosted this webinar to examine what the Organization for Economic Co-operation and Development’s (OECD) Crypto Asset Reporting Framework (CARF) and the EU’s Directive on Administrative Cooperation (tax transparency for crypto-assets), or DAC8, mean in practice.

These new frameworks introduce the OECD’s Common Reporting Standard (CRS), modeled on the US’s Foreign Account Tax Compliance Act (FATCA), for crypto transactions, bringing them in line with disclosure requirements for the traditional finance sector. This dramatically increases transparency for tax authorities, law enforcement agencies, and tax specialists, while creating new operational challenges for compliance teams and anti-money laundering and know-your-customer (AML/KYC) professionals at crypto exchanges and crypto-asset and virtual asset service providers (CASPS and VASPs).

Crystal’s Compliance Advisory Manager, Irina Gorbach, moderated a panel of three complementary specialists in their respective fields to unpack the issues, including:

• Colby Mangels, Global Head of Government capabilities at Taxbit, and a former advisor on CARF at the OECD and the Financial Action Task Force (FATF).
• Anamaria Fuiorea, Compliance Manager & money laundering reporting officer (Austria) at Transak.
• Emeka Mgbenu, Senior Product Manager at Sumsub.

The discussion covered user transparency, identity collection, data quality, and the accelerating convergence of tax reporting with AML and financial crime investigation.

The core theme of the session was that the same user-level data now supports tax reporting, compliance monitoring, and criminal investigations simultaneously. This is a structural shift in how the crypto industry is regulated and how it must operate.

Crystal started the webinar with an audience poll to establish who had tuned in, and found that three-quarters (76%) of attendees were directly involved in the implementation and impact of CARF and DAC8:

Above: Over half of the audience (55%) were engaged in compliance and/or AML, followed by 21% in tax-related activities. Just 10% were from law enforcement and/or investigations backgrounds. Source: Crystal Intelligence.

What CARF and DAC8 require for AML/KYC compliance

Global scope and timeline

TimelineColby explained that CARF is OECD’s framework requiring crypto asset service providers (CASPs) to collect and report user identity and transaction data to tax authorities, and DAC8 is the EU’s implementation. Over 70 jurisdictions are adopting these frameworks within several years, with 47 going live in 2026, requiring CASPs in those markets to begin collecting qualifying data now, ahead of reporting that starts in 2027. The remaining jurisdictions will follow by 2028 (28 Jurisdictions) and 2029 (one jurisdiction: The USA). CARF is thus on course to become a global compliance baseline with universal AML/KYC standards.

CARF is built on four pillars:

• Asset scope: The framework covers crypto assets with tradeable value – payment tokens, investment tokens, including Bitcoin, most stablecoins, and tokenized assets.
• Intermediaries: Any business that exchanges crypto-to-fiat or crypto-to-crypto as a service falls within scope (reporting crypto-asset service providers, or RCASPs). This mirrors the FATF VASP definition and captures exchanges, brokers, dealers, ATM operators, and wholesale intermediaries.
• Data collection on users: CASPs must collect standard AML/KYC data and supplement it with tax-specific information that most platforms currently do not capture. This includes the customer’s tax residency jurisdiction – which may differ from their residential address – their tax identification number (TIN), date and place of birth, and the ultimate beneficial owners (UBOs) of corporate customers.
• Reporting obligations: Aggregated transaction data – crypto-to-crypto trades, crypto-to-fiat conversions, and transfers, etc.- must be reported per customer, per year, to the tax authority in the CASP’s jurisdiction of incorporation or management.

The impact of CARF and DAC8 on crypto platforms, CASPs and end users

The compliance burden for CASPs

Colby clarified that CARF is not a cosmetic change. Exchanges and VASPs must build or overhaul a full data collection and reporting infrastructure – retroactively for existing customers and systematically for new onboarding. Drawing on CRS and FATCA experience, he noted that institutions delaying compliance faced significantly higher remediation costs. In a nutshell, starting correctly is cheaper than correcting under pressure. CASPs should treat CARF with the same operational seriousness as their AML programs.

What changes for users

Individual users will be asked for their TIN and confirmed tax residency, with data reported to their home tax authority, regardless of where the exchange operates. A French resident trading on a Singapore-registered exchange will have transactions reported to French authorities, provided Singapore has implemented CARF. Users in established crypto tax markets will adapt smoothly; those in less prepared jurisdictions will need active platform education to prevent drop-off and data quality issues.

Identity verification, KYC, and the onboarding challenge

More data, less friction

Anamaria pointed to digital identity infrastructure – national ID systems and government-backed e-ID frameworks – as the most robust solution for high-confidence verification. Platforms that integrate these tools gain both compliance certainty and a cleaner user experience.

She added that how platforms communicate data requests is as important as the requests themselves. Proactive customer education- informing users early about upcoming requirements and why – reduces abandonment and builds the trust needed for ongoing data collection. Compliance is not a single onboarding event but a continuous relationship between the platform and the user.

Self-certification and the TIN problem for VASPs

Users resist sharing more data, yet CASPs need more of it to comply. Emeka identified the immediate operational priority: audit what you hold, identify gaps and close them without breaking the user experience. TIN collection and tax residency self-certification are the two most common shortfalls. Document renewal windows and transaction thresholds are the most practical entry points. Self-certification cannot be inferred from IP addresses or residential data; it is a distinct compliance obligation.

Tax reporting as investigative intelligence under CARF and DAC8

The convergence of tax and AML

The most substantive theme of the webinar was the convergence of tax transparency and financial crime enforcement. Colby observed that CARF requirements closely resemble AML information reporting in scope and function. The customer-level data being collected (TINs, aggregate transaction histories, transfer counterparties and UBOs) is directly relevant to financial crime detection, not just tax compliance. Tax evasion, money laundering, and related offenses increasingly share a common evidentiary foundation.

CARF makes this explicit. The framework requires CASPs to apply Travel Rule mechanisms to identify counterparties on inbound and outbound transfers. Unidentified counterparties trigger transfer reporting obligations. AML and tax reporting infrastructure must be integrated: shared data pools and common user identifiers are compliance requirements, not optional design choices.

The role of off-chain identity

Emeka offered a precise account of why off-chain data is critical to interpreting on-chain activity. Off-chain data spans platform-level transaction records – swaps, on/off-ramp conversions, internal transfers – and behavioral signals including VPN usage, device data, and transaction frequency. Combined with de-anonymized on-chain data enabled by Travel Rule adoption, these signals produce a comprehensive user profile that supports both CARF reporting and AML investigations.

Continuity is critical. The user profile must run from onboarding to offboarding, anchored to a consistent identifier linking KYC, transaction data, and behavioral patterns. Without it, risk scoring, suspicious activity report (SAR) filings, and reporting submissions all fail.

The consequences of fragmented identity

Anamaria set out the risk matrix directly. Fragmented identity carries consequences at every level. For CASPs, it’s incomplete reporting, regulatory scrutiny, and penalties. For users, it’smisreportedjurisdiction, double reporting, and incorrect taxation. Operationally, duplicate or incomplete profiles block AML workflows and can cause tax reporting file submissions to fail entirely.

European platforms face an additional layer of complexity. Data collected to fulfill KYC obligations and data collected for CARF tax reporting may have different processing foundations under the EU’s General Data Protection Regulation (GDPR). Anamaria described this as “dual-use data,” adding that reconciling these obligations requires close coordination among compliance, legal, data, and tech teams before reporting deadlines.

Practical steps that businesses covered by CARF and DAC8can take now

The panel aligned on three actions that CASPs should begin immediately:

Colby stressed the importance of establishing jurisdictional scope: Determine where reportable presence exists, including incorporation, tax residence, or effective management. Multi-jurisdictional groups may have separate CARF reporting obligations for each entity across each relevant market. Groups with holdings across multiple regions may carry separate reporting obligations for each entity. Build a relationship with local tax authorities early and understand jurisdiction-specific requirements, which vary even within the CARF framework.

Anamaria emphasized education for crypto businesses and end-users: Communicating clearly now, without alarm, that reporting obligations are already in effect – alongside a modular data architecture capable of absorbing new requirements as they evolve, rather than a rigid structure built for a single regulatory moment.

Emeka recommended beginning with a data audit, then systematically closing gaps: Map what customer data is currently held, in what format, and against what standard. Identify where TINs, tax residency declarations, and UBO information are absent. Collect missing data through document renewal, transaction thresholds, and re-engagement campaigns, sequenced to preserve user experience and explain why information is required.

The future of the global crypto industry under CARF and DAC8

Irina concluded the session by noting that CARF and DAC8 are structural reconfigurations, not incremental compliance updates. They are reshaping user identification, transaction understanding, and intelligence sharing across tax authorities, compliance teams, and law enforcement. For exchanges, VASPs, fintechs, and the regulators and investigators policing them, the window to build compliant infrastructure on solid foundations is open now.

Find out more by watching the full webinar: