DAC8 CARF reporting compliance for crypto platforms in 2026

Key takeaways

• DAC8 entered into force January 1, 2026; CARF’s first bilateral exchanges between signatory jurisdictions begin 2027-2028

• Both frameworks require wallet-level transaction records, counterparty identification, and cross-chain data – beyond what standard KYC systems produce

• VASPs with exposure to high-volume markets face an acute version of the data problem: peer-to-peer flows and multi-chain activity create significant attribution gaps

• A four-building-block data layer – entity attribution, cross-chain records, counterparty identification, and audit-ready output – maps the path to filing readiness

• Crystal Expert and Crystal for Compliance provide the data layer beneath DAC8 and CARF reporting: wallet attribution, cross-chain monitoring, goAML-compatible reporting, and API connectivity to your existing RegTech stack

DAC8 CARF reporting compliance is now a hard legal obligation for crypto platforms operating in or serving the EU and OECD jurisdictions – and the first reports are due sooner than most compliance teams have planned for. To ensure digital asset regulatory compliance under both frameworks, you need to start with your data layer. Collecting KYC at onboarding is not enough. What DAC8 and CARF require is wallet-level transaction records, counterparty identification across chains, and structured output that tax authorities can ingest. Most platforms don’t have that infrastructure today.

What’s changing for crypto platforms in 2026

DAC8 – EU Directive 2023/2226 on Administrative Cooperation – entered into force on January 1, 2026, extending mandatory tax reporting to crypto-asset service providers (CASPs) registered in EU member states. Under DAC8, CASPs must collect and annually report transaction data to their local tax authority, which then exchanges that data automatically with other participating jurisdictions under the OECD’s Multilateral Competent Authority Agreement.

CARF builds the international architecture for that exchange. The OECD began activating bilateral CARF agreements in 2026, with most early-adopter jurisdictions committing to first data exchanges by 2027. By 2028, the network is expected to cover the majority of OECD and G20 member states.

The scope is broader than most operators expect. DAC8 and CARF apply to platforms handling fiat-to-crypto exchanges, crypto-to-crypto exchanges, and transfers – including transfers to unhosted wallets above reporting thresholds. For any VASP with customers in the EU, or any platform domiciled in an OECD signatory country, the reporting clock has been running since January 1, 2026.

What DAC8 and CARF require, and where they overlap

The two frameworks share a core reportable data set, but differ in legal basis, scope, and activation timeline.

The practical implication: a VASP registered in an EU member state that is also a CARF signatory jurisdiction needs one unified reportable data set that satisfies both frameworks simultaneously. That data set must be transaction-level, wallet-attributed, and counterparty-identified.

Where most platforms hit the data wall

The compliance obligation sounds straightforward until you examine what the data set actually requires. Most VASPs can confirm a customer’s identity at onboarding. Far fewer can produce wallet-level transaction history with counterparty attribution across multiple chains, denominated in USD equivalent, and matched to a customer record at scale.

The problem compounds for platforms with exposure to high-volume, high-adoption markets. Crystal Intelligence’s Vietnam Crypto Risk Report 2026 found $290 million in USDT peer-to-peer sell-side volume across 870 unique sellers, with 92.5% of that volume flowing through a single major exchange. Vietnam has 17 million crypto holders and is actively formalizing its regulatory framework under the Ministry of Finance’s DTIL licensing pilot. For any VASP serving customers in that market, counterparty data on peer-to-peer flows is sparse and cross-chain attribution requires active tooling – precisely the conditions that produce gaps in a DAC8/CARF reportable data set.

Three specific gaps trip up most platforms: customer-to-wallet mapping (KYC records don’t automatically link to on-chain addresses), cross-chain transaction history (a customer transacting across Ethereum, Tron, and Bitcoin requires reconciliation across three chains), and counterparty identification on transfers (determining whether a receiving address is a known VASP or an unhosted wallet requires real-time attribution, not just flagging).

Four building blocks of a reporting-ready data layer

Verified entity attribution. Every wallet address associated with a customer needs to link to an attributed entity record – either the customer’s own wallets or counterparty entities with known risk classifications. Attribution at scale requires a continuously updated entity database covering exchanges, custodians, mixers, and high-risk services.

Cross-chain transaction records. Transaction history must span all chains where the customer holds or transacts assets, denominated consistently in USD equivalent, with timestamps and transaction IDs extractable into a structured reportable format.

Counterparty identification. For every outbound transfer, you need to determine whether the receiving address is a known VASP (requiring VASP-level data under CARF) or an unhosted wallet (triggering DAC8/CARF due diligence thresholds). This requires real-time address screening against a comprehensive entity directory.

Audit-ready output. The reportable data set needs to be exportable in a format compatible with tax authority submission systems and your internal RegTech stack. API connectivity between your blockchain analytics layer and your reporting workflow eliminates manual reconciliation.

A five-step path to DAC8 and CARF readiness

1. Map your reporting obligations. Confirm which jurisdictions’ rules apply to your entity. Crystal’s crypto regulations guide 2025-2026 outlines the current framework by jurisdiction.

2. Audit your customer-to-wallet mapping. Identify what percentage of active customers have on-chain wallet addresses linked to their KYC records. Any gap here is a gap in your reportable data set.

3. Assess cross-chain coverage. List every blockchain your customers transact on. Confirm your compliance tooling covers all of them. Coverage gaps produce reporting gaps.

4. Build counterparty identification into transaction monitoring. Every outbound transfer screening needs to return a classification: known VASP, unhosted wallet, or unknown. That classification determines what you must report.

5. Test your reporting output before the first deadline. Run a sample period through your reporting workflow and validate against the DAC8 schema. Surface data quality issues now, not in mid-2027.

For jurisdiction-specific context, Crystal’s country reports for Vietnam, South Korea, and Brazil map the regulatory and risk environment across three of the highest-priority emerging crypto markets.

How Crystal Expert supports DAC8 CARF reporting compliance

Crystal for Compliance is built to deliver the four-building-block data layer that DAC8 and CARF reporting requires. Across 330+ blockchains and 118,000+ attributed entities, Crystal Expert provides the wallet attribution, cross-chain records, and counterparty identification the frameworks demand – with 210 million verified transfers and sanctions data updated every 15 minutes.

Key capabilities for reporting readiness: real-time KYT and address monitoring; unhosted wallet identification with risk scoring aligned to FATF guidance; audit-ready case and customer reports; goAML integration for SAR submission; and API connectivity to plug Crystal’s data output directly into your reporting workflow without manual reconciliation steps.

Crystal’s Advisory Services team works with compliance teams to configure monitoring thresholds, map Crystal’s alert outputs to your specific DAC8/CARF reporting obligations, and document screening procedures that satisfy regulatory review. When MiCA, VARA, or CARF requirements update, Crystal’s monitoring rules update with them.

FAQ

How can VASPs ensure digital asset regulatory compliance under DAC8 and CARF?
Start with your data layer. You need wallet-level transaction records linked to customer KYC, cross-chain coverage for all assets your customers hold, counterparty identification on every transfer, and audit-ready output structured for tax authority submission. Crystal for Compliance provides each component through a single platform.

What is the difference between DAC8 and CARF?
DAC8 is the EU directive requiring CASPs registered in member states to report crypto-asset transaction data to local tax authorities for automatic exchange. CARF is the OECD’s international standard governing that exchange globally. They use substantially the same reportable data set; a VASP in an EU member state that is also a CARF signatory needs to satisfy both simultaneously.

Who is in scope for DAC8 reporting?
Any CASP registered in an EU member state as of January 1, 2026, that facilitates fiat-to-crypto exchanges, crypto-to-crypto exchanges, or crypto transfers – including transfers to unhosted wallets above reporting thresholds. The scope is determined by your registration jurisdiction, not the nationality of your customers.

What data does DAC8 actually require platforms to report?
Customer identity (legal name, address, taxpayer identification number, date of birth), associated wallet addresses, the type and aggregate value of transactions per calendar year, and counterparty data on transfers – including identification of transfers to unhosted wallets. All amounts are reported in USD equivalent.

When is the first DAC8 reporting deadline?
DAC8 covers calendar year 2026 data. Most EU member states are implementing reporting deadlines in mid-2027, with exact dates varying by jurisdiction. Treat 2026 as the first full reporting period and build your data layer now. CARF first bilateral exchanges between early-adopter jurisdictions are expected 2027-2028.

For informational purposes only. Not legal or compliance advice.