As digital assets continue to challenge traditional financial systems, the OECD has launched a dual-pronged approach to modernize tax transparency that represents a seismic shift in the global tax landscape.
The Organization for Economic Cooperation and Development has extended the common reporting standard, or CRS, to cover certain digital financial products, and introduced the crypto-asset reporting framework, or CARF, focused exclusively on cryptoasset transactions.
Cryptoasset platforms and fintechs must now be prepared to operate under the same scrutiny as traditional financial institutions.
Standalone Regime
CARF applies to reporting crypto-asset service providers, or RCASPs, broadly defined as any business providing exchange or transfer services involving cryptoassets. This includes:
- Centralized and decentralized exchanges
- Custodial wallet providers
- Crypto brokers and dealers
- Certain DeFi platforms and protocols, depending on their degree of control or remuneration.
An entity’s obligation under CARF depends on whether it qualifies as an RCASP. That determination is the first and most critical step. If crypto platforms, brokers, and wallet providers determine that they are RCASPs, several action points follow:
Assess data collection gaps. Do current onboarding flows collect tax residence and tax identification numbers? Are transfers between hosted and self-hosted wallets tracked and attributed to users? Can fiat equivalent values be reliably calculated and timestamped?
Choose a technology path. Build an internal compliance engine that aligns with CARF and reporting deadlines or buy an external solution (RegTech or reporting-as-a-service) to handle data processing and submission.
Review governance and legal exposure. This means ensuring clear internal responsibilities for tax reporting, documenting reporting logic and user classification decisions, and monitoring developments in each jurisdiction where users are based.
Identify reporting jurisdiction. If an RCASP has a nexus with only one CARF jurisdiction, it must report all relevant information to that single jurisdiction’s tax authority.
If the RCASP has a nexus with multiple jurisdictions, it may choose any one of them for its CARF reporting obligations, but only if that jurisdiction is committed to CARF, and the RCASP notifies all relevant tax authorities of its chosen reporting jurisdiction.
Early engagement with these requirements is essential.
Cryptoasset businesses that fail to adapt may find themselves locked out of key markets or subject to heavy penalties.
Fintech Catch-Up
Introduced in 2014, the CRS has become the cornerstone of cross-border tax information exchange. Participating jurisdictions automatically exchange financial account data relating to nonresidents, enabling tax authorities to detect offshore tax evasion.
In 2023, the OECD approved substantial revisions to the CRS to bring it in line with financial innovation. These amendments, effective from 2026 in adopting jurisdictions, include:
In-scope digital products. The CRS will now cover central bank digital currencies and specified electronic money products, including prepaid debit cards and digital wallets issued by licensed institutions.
Crypto exposure via derivatives. While CARF focuses on exchanges and transfers of crypto, indirect investments (such as exchange-traded funds, structured products, or derivatives referencing crypto) will now be reportable under the CRS.
Stronger due diligence. There are enhanced procedures for identifying account holders and controlling persons, particularly in cases involving passive non-financial entities.
Nonprofit carveout. Some nonprofit entities, especially those already subject to financial transparency, may benefit from streamlined obligations under the revised rules.
These changes ensure the CRS remains relevant in a world where financial assets increasingly take non-traditional forms.
Phased Global Adoption
The updated CRS and CARF are both scheduled to begin in most early-adopting jurisdictions on Jan. 1, 2026, with first reports due by mid-2027. Others may opt for a Jan. 1, 2027 start, providing an additional year for legislative and technical preparation.
Importantly, these aren’t self-executing systems. Each jurisdiction must implement enabling domestic legislation and define its own penalties and enforcement rules.
The EU is transposing both frameworks into the directive on administrative cooperation DAC8, (for cryptoassets) and DAC2 (for traditional finance) with a 2026 start date. Additionally, the UK has committed to both CARF and the CRS amendments from 2026. Many offshore jurisdictions have yet to publish draft legislation.
This patchwork implementation creates uncertainty for multinational crypto platforms, particularly where users and services span jurisdictions with differing start dates.
User Guides
To support implementation, the OECD has published user guides for the CRS and CARF. These technical guides specify the electronic reporting formats (XML schemas) that tax authorities and reporting entities must follow when exchanging information.
The CARF guide focuses on aggregate level data, including asset type, quantity, transfer values, and wallet addresses. The CRS guide revisions focus on enhanced account metadata, accommodating digital product classifications and new due diligence fields.
Both guides include validation rules and are highly prescriptive, so reporting systems must align precisely to avoid rejection by receiving authorities.
For RCASPs and financial institutions, this means that compliance isn’t just legal, it’s also technical. Firms must either upgrade in-house systems or partner with third-party vendors that can map and transmit data in line with guide requirements.
Penalties and Risks
Each jurisdiction will set its own domestic penalty framework, but OECD guidance encourages financial penalties for failure to report or collect data, administrative penalties for mismatches or late filing, and operational restrictions, such as banking blacklists or loss of licensing.
The CARF framework highlights the importance of penalties; however, it is up to each jurisdiction to determine what they are. Despite the imminent implementation, to date, the UK has been the most open jurisdiction about aspects such as penalties. The UK tax authority is already introducing penalties of up to £300 ($400) per missing self-certification under related rules.
It is almost certain other jurisdictions will have penalties for non-compliance; however, other than the UK, details are scant.
More broadly, reputational damage and commercial disruption may arise if a platform is found to be noncompliant, particularly if it operates in multiple jurisdictions under regulatory scrutiny.
Going Forward
While implementation will vary, the direction of travel is clear. Tax authorities worldwide are building a net wide enough to include digital assets, directly via CARF and indirectly via the CRS.
The prudent course of action for businesses is early investment in compliance infrastructure, robust legal review, and proactive engagement with tax authorities.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.
Author Information
Zoe Wyatt is a partner and head of Web3 and disruptive technology at Andersen LLP.
Dion Seymour is crypto tax and accounting technical director at Andersen LLP.
Write for Us: Author Guidelines
To contact the editors responsible for this story:
Learn more about Bloomberg Tax or Log In to keep reading:
Learn About Bloomberg Tax
From research to software to news, find what you need to stay ahead.
Already a subscriber?
Log in to keep reading or access research tools.