Introducing CARF - the OECD's Crypto-Asset Reporting Framework

Contents

• Introduction
• Contextualising CARF
• Introducing a new reporting regime, CARF, alongside CRS 2.0
• Guernsey's commitment to implementing CARF and CRS 2.0
• Key issues for Financial Service Providers
• Strategic opportunities amid compliance challenges
• Preparing for the future
• Conclusion
• Glossary

Introduction

The recent proliferation of crypto-assets and its uses have transformed the international financial landscape, offering innovative opportunities for payments, investment and Decentralised Finance (DeFi). At the heart of it, crypto-assets are an alternative way of storing value, with transfers and payments occurring through a peer-to-peer system. In other words, users can send and receive value directly without engaging an intermediary such as a bank. The evolution of a purely electronic, digital-based economy presents significant challenges, particularly for tax transparency and regulatory compliance. The Organisation for Economic Co-operation and Development (OECD) has responded by introducing the Crypto-Asset Reporting Framework (CARF), which is a global initiative designed to enhance tax compliance and curb tax evasion in the crypto-asset space. Guernsey, together with a number of other jurisdictions, has committed to implement CARF under domestic law with effect from 1 January 2026, in readiness to effect the first exchanges in 2027 in respect of 2026 data.

Back to top.

Contextualising CARF

In a working paper published by the International Monetary Fund in July 2023[1], the authors highlighted difficulties in trying to quantify the worldwide market in crypto-assets in order to calculate the potential tax gap attributable to unreported holdings and transactions. Based on a supposed market capitalisation of US$1 trillion and an assumed rate of gain of 5%, they calculated that the tax loss based on a rate of taxation of 20% could range from US$10 billion to US$26 billion, depending on market valuation. If a 0.1% tax charge on transactions were imposed, the paper suggested that US$15.8 trillion worth of crypto transactions could yield around US$15.8 billion in transaction tax. 

The same paper highlighted the "particularly low probability of detection" in crypto transactions, underscoring their potential for use in illicit activities. Based on the above, it is no wonder that the G20 nations requested the OECD to respond to growing concerns about the potential for tax evasion, money laundering and sanctions circumvention, facilitated by the anonymity and decentralised nature of crypto-assets.

Back to top.

Introducing a new reporting regime, CARF, alongside CRS 2.0

To address these concerns, the OECD launched a new reporting framework known as the Crypto-Asset Reporting Framework or CARF, which was released in its finalised form in 2023 for widespread implementation under the auspices of the Global Forum on Transparency and Exchange of Information for Tax Purposes. CARF establishes a new standardised global framework for the Automatic Exchange of Information (AEOI) in relation to crypto-asset transactions, much like the OECD's Common Reporting Standard (CRS) in relation to holdings of financial accounts, which was launched in 2014. In essence, CARF will track transactions in crypto-assets, whilst CRS will be amended to track holdings in electronic and digital money products. CARF is intended to work alongside the newly amended CRS as two separate, but complementary, reporting regimes. The intention is that obligations under each regime should together avoid the duplication of reportable information.

Why could we not rely on the existing CRS for reporting purposes? The answer lies in the unique challenges posed by crypto-assets, which can be issued, transferred and stored without the intervention of traditional financial intermediaries, such as banks and investment platforms. Operators in this sphere may have no physical headquarters or other conventional business presence in any one jurisdiction, whilst services and transactions can take place entirely online, without any central administrator having visibility over the transaction and service users as a whole. These characteristics mean that acquisitions, disposals and transactions in crypto-assets can bypass traditional touchpoints that have been used to gather and report data for tax compliance purposes as part of the mainstream economy.

Back to top.

Guernsey's commitment to implementing CARF and CRS 2.0

On 10 November 2023, Guernsey, along with the other Crown Dependencies, the UK, the US and 43 participating jurisdictions issued a joint statement indicating their collective engagement to implement CARF in readiness for exchanges to commence by 2027. Those countries that have already adopted the CRS will also be introducing amendments to their respective domestic legislation to accommodate the OECD's latest changes to the CRS to accommodate reporting of crypto-asset holdings.

The intention in Guernsey is that both CARF and CRS 2.0 will become effective from 1 January 2026.

This article explores some of the key aspects of CARF, their implications for Financial Service Providers (FSPs) and sets out steps to be considered in readiness for local implementation. As such, this note would be of interest to FSPs who are currently engaged in the crypto-asset sphere and those contemplating entering into this fast evolving and exciting market.

A separate note deals with the proposed amendments to the CRS as they will be implemented in Guernsey with effect from 1 January 2026 - CRS 2.0 Amendments to the OECD's Common Reporting Standard.

Back to top.

Key issues for Financial Service Providers

Replicating the approach of the US reporting regime of the Foreign Account Tax Compliance Act (FATCA) and the OECD's CRS, under CARF the burden of compliance and reporting falls on FSPs that meet the definition of Reporting Crypto-Asset Service Providers (CASPs). CASPs include cryptocurrency exchanges, wallet providers, brokers, and operators of crypto-asset ATMs. CASPs are required to collect detailed user information, including tax residences and transaction data, and to report that information to their tax authority of nexus for onward exchange across participating jurisdictions. We outline below key aspects of CARF, their implications for FSPs and actionable steps to consider in the run up to implementation in Guernsey with effect from 1 January 2026.

Expanded definition of reporting entities

CARF obligations fall on CASPs, which in summary are operators whose business is to facilitate exchanges of crypto-assets for other crypto-assets or for fiat currencies. CARF defines CASPs broadly as any individual or entity providing services to "effectuate" crypto-asset transactions. This includes exchanges, brokers, ATMs and many types of token issuers. An individual or entity which makes available a decentralised trading platform (such as a decentralised exchange or lending platform) could also be a CASP if the platform enables customers to effectuate exchange transactions. Whilst the definition of CASP aligns with the Financial Action Task Force's (FATF) definition of Virtual Asset Service Providers (VASPs), the definition of CASP is broader. It is anticipated that the term CASP is likely to include all VASPs in practice but also extend to a wider group of service providers that operate in the digital and electronic ecosystem.

Importantly, the framework establishes rules for determining the jurisdictional nexus of service providers, which will direct the reporting obligations and potential local registration requirements for the in-scope provider. This aspect is particularly relevant for those operating across multiple jurisdictions.

Implication: Traditional financial institutions entering the crypto-space, as well as existing firms that deal only with crypto-assets, should assess whether their operations trigger CARF obligations. For example, those that offer a platform on which to trade in crypto-assets may be classified as CASPs, requiring them to integrate new compliance processes to comply with CARF. Whereas, the simple passive investment of an investment fund investing into crypto-assets does not constitute a service of effectuating exchange transactions since such activities do not permit the fund or its investors to effectuate exchange transactions. Such holdings may instead be reportable under CRS 2.0.

Actionable step: Conduct a thorough review of your business model to determine CASP status in accordance with the rules applicable in the jurisdiction of nexus. Engage legal and compliance teams to map services against CARF obligations and FATF definitions.

Scope of crypto-assets

CARF defines crypto-assets broadly as encompassing cryptocurrencies, ERC-20 tokens, tradeable Non-Fungible Tokens (NFTs), and stablecoins. The framework also covers indirect investments via derivatives and certain DeFi applications where sufficient control exists to enforce reporting. 

CARF specifically excludes three categories:

• Closed-loop crypto-assets: those restricted for use within a fixed network for purchasing goods or services with participating merchants.
• Central Bank Digital Currencies (CBDCs): crypto-assets representing claims in fiat currency on central banks. 
• Specified electronic money products: digital representations of fiat currency issued in exchange for equivalent funds used for payment transactions.

While CBDCs and certain E-money products are excluded from CARF, they fall within scope of reporting under the amendments to the CRS, also due to be brought into force in Guernsey on 1 January 2026. So, from that date they will be reportable, but not under the new CARF framework, rather under CRS 2.0.

Implication: FSPs must classify their offerings to determine potential reporting obligations. The inclusion of NFTs and DeFi as reportable crypto-assets adds complexity, as these assets often involve unique valuation and tracking challenges.

Actionable step: Develop internal guidelines for classifying crypto-assets and monitor OECD updates on stablecoin designations. Consider deploying blockchain analytics tools to track transactions involving NFTs and DeFi protocols.

Due diligence, reportable users and reportable transactions

CASPs must identify crypto-asset users that are reportable. These are individuals or entities for whom the CASP carries out a relevant transaction. Reportable crypto-asset users are those that are tax resident in a reportable jurisdiction, being any jurisdiction which has in place a framework for AEOI under CARF. Identification is based on the implementation of specified due diligence procedures to identify customers, including individuals, entities, and controlling persons. The CASP must collect Tax Identification Numbers (TINs) and jurisdictional tax residences using self-certifications from customers, which are to be cross-checked against information on file and open source material. Failure to obtain self-certifications on which the CASP may reasonably rely for reporting purposes could result in penalties and restrictions on services that facilitate ongoing transactions for the relevant customer.

Reportable transactions include:

• Acquisitions and disposals: exchanges between crypto-assets to fiat currencies or between different crypto-to-crypto assets.
• Transfers: movements of crypto-assets between reportable users' accounts.
• Retail payment transactions: payments effected by service providers on behalf of merchants accepting crypto-assets as payment for goods or services over USD 50,000 in value. Note that lower value payments may still be reportable as transfers.
• Transfers to external wallet addresses: transfers made on behalf of a reportable user to any wallet address not known to be associated with a VASP or other financial institution.

In the European Union the Directive on Administrative Cooperation adopted in October 2023 (DAC8) aligns with CARF and extends reporting obligations to cover EU residents, even for non-EU-based CASPs. DAC8 is to be implemented under local law by EU Members States by 31 December 2025, with the first reporting year being 1 January 2026.

Implication: Compliance requires significant investment in IT systems, customer onboarding processes, and data management to handle cross-border reporting. Non-compliance risks penalties, reputational damage, restrictions on services provided and regulatory scrutiny.

Actionable step: Upgrade Know-Your-Customer (KYC) and Anti-Money Laundering (AML) systems to capture CARF-required data. Seek legal advice on upgrading terms of business for service users and service providers. Partner with IT providers to ensure seamless reporting to tax authorities using the CARF XML Schema reporting format.

Extra-territorial reach and regulatory divergence

CARF encourages global adoption, with 68 jurisdictions committing to exchange information in relation to CARF in 2027 (with regard to 2026 data) or, by the latest, 2028. These include the UK, the Isle of Man and Jersey as well as EU Member States undertaking first exchanges by 2027. Hong Kong, Singapore, the UAE and the US have committed to undertake first exchanges in 2028. However, regional variations exist. Implementation in the EU is through domestic law implementing DAC8, which applies extraterritorially to non-EU CASPs serving EU residents, while new US regulations will require brokers to file information returns (form 1099-DA) and furnish payee statements reporting gross proceeds and dispositions of certain digital assets undertaken for customers in certain sale or exchange.

This divergence creates a complex compliance landscape, reminiscent of the CRS/FATCA split in the early days of AEOI.

Implication: FSPs operating globally must navigate overlapping and sometimes conflicting regulations, increasing compliance costs and operational complexity.

Actionable step: Establish a global compliance framework that accommodates (as applicable to your business offering) CARF, DAC8, and FATCA requirements, that sits alongside CRS 2.0. Engage with industry associations to stay informed on jurisdictional developments.

Cybersecurity and operational risks

CARF and related regulations, such as the EU's Markets in Crypto-Assets (MiCA) framework, emphasize robust IT security to prevent hacks, market manipulation, and insider trading. MiCA, which became effective in 2023 for customers and operators based in EU Member States, mandates organisational and prudential requirements for CASPs to ensure market integrity and consumer protection. Whilst Guernsey is not part of the EU, Guernsey may seek to adopt some MiCA-like regulations or adapt its existing laws to reflect MiCA standards for FSPs operating in this field.

Implication: Cybersecurity failures could lead to regulatory penalties and loss of customer trust, particularly as crypto-assets are high-value targets for cyberattacks.

Actionable step: Invest in advanced cybersecurity measures, including blockchain-specific threat detection and incident response protocols. Conduct regular audits to ensure compliance with CARF security standards, being aware of MiCA standards as the crypto-asset services sector in Guernsey evolves over time.

Back to top.

Strategic opportunities amid compliance challenges

While CARF introduces significant compliance burdens, it also presents opportunities for FSPs to differentiate themselves. By proactively adopting robust governance and compliance frameworks, firms can build trust with regulators, tax authorities and customers, positioning themselves as leaders in the evolving electronic transactions and digital asset ecosystem. Moreover, CARF's focus on transparency aligns with broader trends in digital finance, such as tokenisation and adoption of blockchain services. FSPs can leverage these technologies to streamline operations, reduce costs, and offer innovative services like tokenised securities or cross-border payment solutions.

Back to top.

Preparing for the future

The legal framework is currently being progressed to implement CARF into Guernsey's domestic law. At the same time, additional functionality is being added to Guernsey's Information Gateway Online Reporter (IGOR) in readiness for filing CARF reports commencing in 2027 in respect 2026 data. To prepare effectively for CARF, FSPs should consider taking the following steps to ensure that controls, processes and procedures are in place to enable compliance with the due diligence and reporting requirements that may apply to business operations with effect from 1 January 2026:

• Assess exposure: Evaluate whether your organisation qualifies as a CASP and identify in scope crypto-assets in your portfolio, crypto-asset users amongst your clients and transactions which may potentially trigger reporting under CARF.
• Enhance systems: Upgrade KYC, AML, and reporting infrastructure to meet CARF requirements, alongside CRS 2.0. Consider engaging IT and specialist firms for scalable data capture and reporting solutions.
• Train staff: Educate compliance, onboarding, and IT teams on CARF obligations and regional variations like DAC8 and FATCA, to the extent relevant to the business offering.
• Engage stakeholders: Participate in industry consultations and OECD forums to learn about evolving asset and transactional classifications, as well as reporting and regulatory developments.
• Monitor updates: Stay informed on implementation, data collection and reporting timelines and reportable jurisdictions.

Back to top.

Conclusion

CARF marks a pivotal shift in the regulation of crypto-assets, aimed at addressing issues of tax transparency in the rapidly evolving electronic and digital economy. For service providers in Guernsey who are already accustomed to navigating FATCA and CRS over the past decade, CARF presents both challenges and opportunities. By proactively addressing due diligence, reporting, and cybersecurity requirements, FSPs can not only achieve compliance but also seize a competitive edge, building on their existing infrastructure, operating procedures and experience. As the 2026 implementation deadline approaches in Guernsey, now is the time to act, so as to face with confidence this exciting and innovative sector of our evolving economy.

Back to top.

Glossary of selected terms 

Blockchain

A decentralised digital ledger that securely stores records across a network of computers in a way that is transparent, immutable, and resistant to tampering. Each "block" contains data, and blocks are linked in a chronological "chain" across a network.

Decentralised Finance (Defi)

An emerging peer-to-peer financial system that uses blockchain and cryptocurrencies to allow people, businesses, or other entities to transact directly with each other, without the need to use third parties like banks and finance houses.

DeFi protocols

Sets of rules and smart contracts built on blockchain networks, that allow people to undertake financial transactions (such as lending, borrowing and trading) directly with each other without the need for a bank or other intermediary.

ERC-20 tokens

The technical standard for fungible tokens created for use in smart contracts using the Ethereum blockchain. A fungible token is one that is exchangeable with another token. Tokens that comply with the ERC-20 standard can be created to represent any real-world or virtual asset.

Fiat currency

A national currency that is not pegged to the price of a commodity such as gold or silver and is declared to be legal tender in a jurisdiction. The value of fiat money is largely based on the public's faith in the currency's issuer, which is normally that country's government or central bank of the relevant jurisdiction.

Non-Fungible tokens (NFTs)

Assets encrypted on a blockchain with unique codes that differentiate one from another, giving the purchaser specific rights. NFTs are "non-fungible" because they cannot be substituted or exchanged equivalently, but in some instances, can be traded and exchanged for money, cryptocurrencies, or other NFTs, depending on the value the market and owners have placed on them.

Stablecoins

Cryptocurrencies whose value is pegged to that of another currency, commodity, or financial instrument. Stablecoins aim to provide an alternative to the high volatility of the most popular cryptocurrencies.

VASPs

In Guernsey, these are firms which provide or carry out exchange, transfer, safe-keeping, administration, custody, issue, offer, sale, distribution, trading and other activities in connection with virtual assets from the Bailiwick. VASPs are required to hold a licence issued by the Guernsey Financial Services Commission under the Lending, Credit and Finance (Bailiwick of Guernsey) Law, 2022 (LCF), which was brought into full effect on 1 July 2023. The LCF introduced the regulation of VASPs to bring the Bailiwick in line with international standards issued by FATF. The LCF Law does not seek to regulate the technology underlying virtual assets or VASPs, but rather the natural or legal person or legal arrangement that may use the technology or software applications to conduct virtual asset services as a business.

Wallets

Used to securely store the private key that allows access to the crypto-asset, whether coins or tokens, held on the underlying blockchain. The key enables the holder to undertake transactions on the blockchain using their crypto-assets.

Back to top.