The OECD Crypto Asset Reporting Framework, DAC 8 & Malta

The OECD Crypto Asset Reporting Framework, commonly abbreviated to CARF, introduced the concept of standardised due diligence requirements that Reporting Crypto Asset Service providers (RCASPs) should adhere to. These due diligence requirements introduce a consistent set of identification, verification and monitoring processes that RCASPs must apply to their users for the purpose of determining which users and which transactions are reportable and to which tax jurisdiction. The intention seems clear to replicate the common reporting standard (CRS) due diligence, but to adapt and apply it to Crypto Asset activity.

What is a Reporting Crypto Asset Service Provider (RCASP)?

A Reporting Crypto Asset Service Provider, abbreviated to RCASP, is defined as any individual or entity that, as a form of business, provides services that allow or facilitate reportable crypto asset transactions on behalf of customers. This can include acting as a counterparty, intermediary, broker, or by operating a digital asset trading platform.

An RCASP can include, but is not limited to, custodial wallet providers, brokers, crypto asset exchanges, operators of trading platforms and service providers that allow exchanges between crypto assets and fiat currency, exchanges between different crypto assets, or transfers of crypto assets.

Under the OECD Crypto Asset Reporting Framework and its EU implementation through DAC 8, an RCASP is required to perform standardised due diligence, collect user and transaction data, and report to the relevant tax authorities, irrespective of whether the provider is regulated under MICA, or is established in or outside of the EU, providing it services to EU tax resident users.

Is Crypto Asset Reporting Framework (CARF) Due Diligence just AML Due Diligence?

No, the OECD clearly outline that Anti Money Laundering (AML) and Know Your Customer (KYC) due diligence is different to due diligence requirements for CARF. AML & KYC have a primary focus on identity and financial crime risk, where CARF focuses on tax residence and reportability. CARF is a tax regime and not to be confused with an AML regime. In general, AML checks are usually not sufficient by themselves as they do not seek to establish tax residence.

What Is Standardised Due Diligence under the Crypto Asset Reporting Framework (CARF)?

Under CARF, standardised due diligence means that the same rules apply across all participating jurisdictions, with the same data being collected on users and transactions, and the same tests are applied to determine reportability. This allows for a consistent and easily understandable methodology to be applied across multiple jurisdictions. The information collected that is deemed reportable is then exchanged automatically across jurisdictions to increase visibility and tax transparency.

RCASPs have standardised guidelines to identify:

• Who the crypto asset user is
• Where that crypto asset user is a tax resident
• Whether that crypto asset user has carried out reportable transactions
• Who controls them (in the case the user is an entity)

Core Elements of Crypto Asset Reporting Framework Standardised Due Diligence

Identification of the Crypto Asset User

Reporting Crypto Asset Service Providers must identify each Crypto Asset User, and this applies in either case, whether the crypto user is an individual or a legal entity. The identification process is required before transacting/reporting, and must be able to determine tax residence. Individuals would be requested to provide personal identifying information such as name, address and tax identification number. For entities, the entity must first be identified and then subsequently the controlling persons must be identified.

Self Certification of Tax Residence

An important concept of the Crypto Asset Reporting Framework within standardised due diligence is the requirement to obtain a self-certification from the crypto asset user confirming their tax residence.

The self-certification provided by the crypto user must be provided by themselves, it must cover tax residency, and it should be assessed for reasonableness by the RCASP by cross-checking against other information held in connection with the crypto user.

The OECD highlights that reporting cannot rely on AML Data or assumptions made if it contradicts the self-certification.

Identification of Controlling Persons (in the case of entities)

If the crypto asset user is an entity rather than an individual, the Crypto Asset Reporting Framework requires RCASPS to determine whether the legal entity has controlling persons and an assessment is made to determine if those individuals are reportable persons. This is to remove or mitigate the risk that a legal entity is used to obscure the tax residence of natural persons.

Determination of Reportability for Crypto Asset Reporting Framework

The RCASP must determine if the user is a tax resident in a participating jurisdiction and if the transactions carried out are reportable transactions as per the Crypto Asset Reporting Framework. Only users who meet these conditions are reportable under the Crypto Asset Reporting Framework.

Review and Ongoing Monitoring Requirement for Change of Circumstances of Crypto Users

The Crypto Asset Reporting Framework requires RCASPs to continually monitor and review the information collected so as to be able to assess and react to a change in circumstances, such as a change in tax residence. If an RCASP becomes aware of any information that may affect tax residence or reportability of the crypto asset user, it must reassess the user’s status using the standardised rules.

Why is the Due Diligence Process in Crypto Asset Reporting known as Standardised Due Diligence?

The OECD uses the term standardised within the Crypto Asset Reporting Framework because:

• The same due diligence rules apply globally
• Jurisdictions cannot materially alter the core requirements
• Data collected feeds directly into the automatic exchange of information

This standardisation is what allows the Crypto Asset Reporting Framework (and DAC 8 in the EU) to function as a cross‑border transparency system, rather than a fragmented system with different national rules complicating understanding, consistency and treatment.

How is the Crypto Asset Reporting Framework Implemented within the EU and Malta?

DAC 8, or the EU Directive on Administrative Co-Operation (tax transparency for crypto-assets), directly adopts the Crypto Asset Reporting Framework due diligence rules within its legislative framework, which means that these standardised procedures will apply as a matter of Malta legislation once DAC 8 for Crypto Assets is fully transposed into Maltese law. Malta has committed to implementing DAC 8 Crypto Asset Reporting legislation in full as an EU member state, and reporting periods are to commence from January 1st 2026, with the first filings to be made within 2027.

Schedule a complimentary consultation with our expert team for more information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.