
Crypto tax data to be collected in 48 countries under CARF 2027

  • ILLIA PROKOPIEV
  • 5 days ago
  • 5 min read

OECD’s “Crypto-Asset Reporting Framework” (CARF) raises a timing and scope question for crypto-asset businesses: when do due diligence, reporting, and record-building obligations start for service providers with a nexus in jurisdictions committed to begin automatic exchanges of CARF data in 2027–2029, and what information must be reported and exchanged.


CARF is an OECD/G20 tax transparency standard that extends automatic exchange of information (AEOI) into the crypto-asset sector. Jurisdictions transpose CARF through domestic implementing rules and activate exchange arrangements to send reports to partner tax authorities under agreed timelines. The Global Forum monitors commitments and implementation milestones, including confidentiality and data safeguard readiness.


Timing: when data collection starts vs when exchanges start


The Global Forum’s public commitment list (last updated 4 December 2025) groups jurisdictions by the first exchange year: 48 jurisdictions undertake first exchanges by 2027, 27 by 2028, and the United States by 2029 (76 total). Five jurisdictions identified as relevant to CARF are listed as not yet committed on that update (Argentina, El Salvador, Georgia, India, Viet Nam).


The OECD monitoring update explains the operational lag between collection and exchange. A jurisdiction that undertakes exchanges in 2027 generally needs its domestic implementing rules effective from 1 January 2026, because the 2027 exchange transmits information collected in the prior calendar year. A jurisdiction targeting 2028 exchanges generally needs domestic rules effective from 1 January 2027.


For service providers, the practical result is simple: if the business has a nexus in a “first exchanges by 2027” jurisdiction, 1 January 2026 is a common effective date for beginning CARF due diligence and transaction data capture under that jurisdiction’s implementing rules. For “first exchanges by 2028” jurisdictions, the analogous date is commonly 1 January 2027. Effective dates still depend on each jurisdiction’s enacted text and any local transitional relief.


Who must report: the “Reporting Crypto-Asset Service Provider” trigger


CARF applies to intermediaries that, as a business, effectuate exchange transactions for or on behalf of customers. The definition is broad and can extend beyond custodial exchanges to entities that make a trading platform available and have sufficient control or influence to carry out the due diligence and reporting obligations.


A service provider’s reporting obligation turns on nexus rules that allocate the reporting duty to a particular jurisdiction in a prioritised order, designed to reduce double reporting. Under the OECD monitoring materials, a provider can be subject to a jurisdiction’s CARF reporting rules based on tax residence, incorporation/organisation with qualifying local ties, management from the jurisdiction, or a regular place of business there. A customer base alone does not create a “regular place of business” nexus.


Material fact that drives the outcome: where the provider has CARF nexus under the hierarchy, and whether the provider’s activities meet the definition of effectuating reportable exchange transactions.


Due diligence: identifying reportable users and controlling persons


CARF reporting rests on due diligence to determine the customer’s jurisdiction(s) of tax residence. OECD materials contemplate that service providers will request customer self-certifications to establish tax residence and associated identifiers, and will refresh documentation if a change in circumstances makes prior documentation unreliable.


Entity users require additional work. Where an entity user’s controlling persons are reportable, the service provider may need a self-certification from the entity and/or the controlling person(s). OECD implementation guidance describes core validity requirements for controlling-person self-certifications (positive affirmation/signature, dating, and specified identity and tax-residence data fields).


Edge case: group structures and outsourcing. OECD guidance allows reliance on third parties for performance of due diligence and reporting tasks in domestic implementation, but the reporting service provider remains responsible for the obligations (including confidentiality and data protection duties imposed by the implementing jurisdiction).


What gets reported and exchanged: identification data and transaction aggregates


OECD implementation guidance breaks reportable content into (1) identification information and (2) transaction information, reported to the local tax authority for onward exchange to the partner jurisdiction(s).


Identification information commonly includes:


  1. User identity and residence: name, address, jurisdiction(s) of tax residence; tax identification number(s) where collected and reportable under the applicable rules.

  2. Service provider identity: the reporting provider’s name and address, plus an identifying number (tax number, business registration number, or LEI, depending on availability and local rules).

  3. Individuals and controlling persons: date of birth is reportable; place of birth can be reportable where domestic law requires collection and it is available in the provider’s electronically searchable records.

  4. Linkage to the report: information must tie back to the relevant reportable period and the provider submitting it.


Transaction information is reported by crypto-asset type and category of transaction. OECD guidance describes aggregated reporting for common transaction types, including:


  1. Fiat-on/off ramps: aggregate amounts paid (for acquisitions) and received (for disposals), net of transaction fees, by crypto-asset type.

  2. Crypto-to-crypto exchanges: fair market value reporting for acquired/disposed crypto-assets, net of fees, by crypto-asset type.

  3. Transfers: transfers can be reportable categories, including where the provider lacks knowledge to treat a movement as a disposal/acquisition event under the reporting categories.

  4. Retail payment transactions: where a provider transfers payments in relevant crypto-assets to a merchant as agent for the customer above the USD 50,000 threshold, the transfer is reported as a reportable retail payment transaction (subject to the detailed OECD conditions and any domestic implementing variations).


Exchange mechanics: legal basis, technical format, and confidentiality gates


Jurisdictions need an international legal basis to exchange CARF data with partners. OECD monitoring materials note that most committing jurisdictions participate in the Convention on Mutual Administrative Assistance in Tax Matters, and that a CARF multilateral competent authority agreement (CARF MCAA) provides a multilateral route for activating exchange relationships. The monitoring update also sets expectations for when exchange arrangements must be in place (by September 2027 for jurisdictions exchanging in 2027, and by September 2028 for jurisdictions exchanging in 2028).


Exchanges use a prescribed technical format (CARF XML schema and related user guide). Many tax authorities already use the Global Forum’s Common Transmission System for secure bilateral exchanges, and OECD monitoring materials indicate that the same channel can be used for CARF exchanges.


Confidentiality and data safeguards are not optional. OECD monitoring materials describe pre- and post-exchange reviews, and note that where safeguard issues are not addressed, exchange partners are generally not expected to send information to that jurisdiction.


Borderline areas that commonly require early legal and technical triage


DeFi and non-custodial arrangements can raise threshold questions about whether any person has sufficient control or influence over a trading platform to meet the reporting service provider definition. OECD interpretive materials also recognise that implementing jurisdictions may defer application of certain tests to DeFi arrangements pending further interpretive guidance.


Asset classification remains central. OECD interpretive materials discuss exclusions and boundary lines, including treatment of certain NFTs (where an NFT cannot be used for payment or investment purposes and meets specified conditions) and treatment of certain tokenised or digitally issued financial assets that functionally remain within traditional intermediary rails.


EU note: DAC8 timelines run in parallel, not as a substitute


Within the EU, DAC8 extends tax transparency and AEOI to crypto-assets and aligns EU reporting with the OECD CARF standard. The European Commission materials indicate that DAC8 applies from 1 January 2026, with collection beginning for reportable crypto-asset transactions of EU-resident users from that date, and first exchanges relating to the 2026 reporting year taking place by 30 September 2027 (subject to domestic transposition details, filing formats, and local portal requirements).



Our team at Licentium advises crypto-asset service providers, token projects, and investors on CARF and DAC8 implementation planning, including nexus analysis, due diligence design, reporting data models, and cross-border rollout sequencing across multiple jurisdictions. Examples include: CARF readiness, DAC8 compliance, MiCA registration, VASP licensing, AML/KYC, sanctions compliance, stablecoins, DeFi, NFT scope, AEOI reporting.


The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.

 
 