The Crypto-Asset Reporting Framework and its implications for the Cayman Islands
The Crypto-Asset Reporting Framework (“CARF”) is an international tax transparency standard developed by the Organisation for Economic Co-operation and Development (“OECD”). Introduced as an extension of the existing Common Reporting Standard (“CRS”) for financial accounts, CARF requires the automatic exchange of information on crypto-asset transactions between participating jurisdictions. It targets the perceived visibility gap that previously allowed crypto transactions to occur largely outside traditional financial reporting systems.
Globally, CARF obliges certain crypto-asset service providers to collect detailed information on their users and report crypto-asset transactions to local tax authorities, which then share this data with partner jurisdictions where users are tax resident. As of late 2025, over 60 jurisdictions, including the Cayman Islands, have committed to implementing CARF, with first information exchanges scheduled for 2027.
Implementation in the Cayman Islands
The Cayman Islands, a leading offshore financial centre, has aligned with international standards by enacting the Tax Information Authority (International Tax Compliance) (Crypto-Asset Reporting Framework) Regulations, 2025 (the “CARF Regulations”). These regulations come into effect on 1 January 2026, demonstrating the jurisdiction’s commitment to global tax transparency while maintaining its position as a cooperative financial hub.
The framework applies from the 2026 calendar year, with the first reporting deadline set for 30 June 2027. Information collected will be exchanged automatically with partner jurisdictions starting in 2027.
Who is subject to reporting obligations?
In the Cayman Islands, reporting obligations fall on Cayman Reporting Crypto-Asset Service Providers (“Cayman RCASPs”). These are individuals or entities that, as part of their business, provide services effectuating “Exchange Transactions” or “Transfers” in “Relevant Crypto-Assets” for or on behalf of customers.
Relevant Crypto-Assets include digital representations of value relying on distributed ledger technology (eg Bitcoin, stablecoins, NFTs, utility tokens), excluding Central Bank Digital Currencies (CBDCs), Specified Electronic Money Products, or assets determined unusable for payment or investment.
Services in scope typically include:
- Operating crypto trading platforms or exchanges
- Acting as brokers, dealers, or intermediaries in crypto transactions
- Providing counterparty services or operating crypto ATMs
A Cayman RCASP includes entities resident in the Cayman Islands (incorporated, managed, or financially regulated there) or Cayman branches of non-resident providers. Purely investment activities by funds (without providing exchange services) are generally excluded.
Whilst the CARF Regulations apply only to a fairly narrow set of crypto-related intermediaries, the OECD has issued Frequently Asked Questions (“FAQs”) providing interpretative guidance on the CARF to ensure consistent implementation across jurisdictions. In particular, these FAQs clarify that, as a general matter, providers of non-custodial services in respect of Crypto-Assets—including those operating in a decentralised manner—can meet the definition of a Reporting Crypto-Asset Service Provider. This addresses previous uncertainties around decentralised finance (DeFi) platforms and non-custodial wallets or exchanges. Subsequent updates to the FAQs have introduced a “Control or Sufficient Influence” (COSI) test to determine whether decentralised platforms fall within scope, aligning with approaches in anti-money laundering standards.
We await clarity from the Department for International Tax Compliance (the “DITC”), part of the Tax Information Authority (the “TIA”) as to whether the FAQs form part of the CARF Regulations. The broad wording in Regulation 3 would suggest they do, though the OECD itself distinguishes between the FAQs, as guidance, and its commentary, which forms an integral part of CARF. The DITC’s CARF ‘Quick Guide’ appears to make this same distinction.
The OECD has noted that purely decentralised protocols without any entity exercising control may fall outside, but platforms facilitating transactions (even non-custodially) often qualify if they enable users to effectuate exchanges. Additional detailed guidance on non-custodial and decentralised services is under development by the OECD.
Cayman RCASPs must register with the DITC:
- Pre-existing providers by 30 April 2026
- New providers by 31 January of the following year
Changes in registration details must be notified within 30 days.
What information must be collected and reported?
Cayman RCASPs must perform due diligence to identify “Reportable Users”—crypto-asset users (individuals or entities) or their controlling persons who are tax resident in a reportable jurisdiction (ie jurisdictions with which the Cayman Islands has an exchange agreement).
Due diligence relies heavily on self-certifications, similar to CRS and supplemented by AML/KYC procedures:
- For new users (from 1 January 2026): Collect valid self-certification upon relationship establishment
- For pre-existing users: Collect by 31 December 2026
Self-certifications must include tax residency, Tax Identification Numbers (“TINs”), and for entities, details of controlling persons.
Reported information includes:
- User identification: Name, address, jurisdiction(s) of tax residence, TIN(s), date/place of birth (for individuals), and confirmation of valid self-certification
- Transaction details (aggregated by type of Relevant Crypto-Asset)
- Acquisitions and dispositions (exchanges with fiat or other crypto-assets)
- Transfers (including retail payments, airdrops, staking rewards, or loans)
- Number of units, total values, number of transactions, and details of transfers to non-custodial wallets
Nil returns are required if no reportable activity occurs.
Reporting timelines and recipients
Reporting is annual and electronic, using the OECD’s CARF XML schema.
- Deadline: 30 June in the year following the reporting period (first submission: 30 June 2027 for 2026 data)
- Recipient: Reports are submitted directly to the DITC/TIA in the Cayman Islands
- Exchange: The TIA then automatically exchanges the information with tax authorities in reportable partner jurisdictions
RCASPs must avoid duplicate reporting by considering nexus rules if operating in multiple jurisdictions.
Records must be retained for at least six years.
Penalties for Non-Compliance
The CARF Regulations include robust enforcement provisions. Non-compliance—such as failure to register, conduct due diligence, file accurate returns, or respond to TIA requests— constitutes an offence.
Penalties include:
- Fixed fines up to CI$50,000 (approximately US$61,000)
- Daily continuing default penalties
- Personal liability for directors, managers, or other officers of entities, unless they can prove they exercised reasonable diligence to prevent the breach
Additional offences cover providing false self-certifications or hindering the TIA’s functions.
Conclusion
The introduction of CARF in the Cayman Islands reinforces the jurisdiction’s reputation for regulatory cooperation while imposing new compliance burdens on crypto-asset service providers. Entities operating in or from the Cayman Islands should promptly assess their status, implement compliance policies, and prepare for registration and due diligence obligations starting in 2026. Early preparation will be key to avoiding significant penalties in this evolving regulatory landscape.
Please reach out to Chris Duncan or another member of the Carey Olsen Digital Assets team to discuss further.
