Crypto-Asset Reporting Framework (CARF): What Firms Need to Know in 2026
From January 2026, crypto-asset service providers in the UK will face a new set of data collection and reporting obligations under the Crypto-Asset Reporting Framework (CARF). Developed by the OECD and implemented locally by HMRC, the framework marks a significant step towards international tax transparency in the digital asset space.
Firms in scope should start getting ready before the rules go live.
What is CARF?
CARF sets a standard way for firms to collect, verify and report customer and transaction data to enable tax authorities to share information automatically.
In the UK, CARF comes into force on January 1st and applies to reporting crypto-asset service providers (RCASPs). These are firms that are tax resident, incorporated or managed in the UK, or that operate here through a branch, and that enable users to transact crypto-assets.
In practice, RCASPs must verify customer details, confirm tax residency and report relevant transactions to HMRC each year.
When Does it Start?
- 1 January 2026 – Firms must start collecting reportable information
- 31 May 2027 – First submission deadline to HMRC for the 2026 calendar year
What is Being Reported?
CARF requires firms to capture a wider range of data than many currently collect. This includes:
- Core customer details such as name, address, date of birth, tax residency and taxpayer ID
- ‘Relevant transactions’, which include crypto-to-crypto, crypto-to-fiat and fiat-to-crypto exchanges
- Transfers between users or to external wallets
- Crypto payments for goods or services above the retail payment threshold
Firms must collect information on all users, but only report those who are tax resident in the UK or in another CARF-participating jurisdiction. There are 67 jurisdictions in total, including EU countries and Switzerland.
Key Challenges for Firms
CARF should be seen as a further development in the UK’s efforts to bring greater transparency and accountability to crypto markets. Consequently, firms need to enhance their frameworks across onboarding, KYC, systems and oversight.
- Customer due diligence uplift
Firms will need to revisit their onboarding flows to ensure they collect the required data fields and verify tax residency, particularly for legacy customers who may not have been onboarded with these data points in mind.
HMRC’s guidance sets out specific due diligence steps RCASPs must follow. These include identifying whether a customer is an individual or entity, and collecting key information such as name, address, jurisdiction(s) of tax residence, and Tax Identification Number (TIN) where available. Firms are also expected to verify the reliability of this information using supporting documentation, and to repeat the process at set intervals or when there is a change in circumstances.
- System and data limitations
Many firms will need to upgrade or reconfigure their systems to properly categorise and record transaction types. This may include changes to how platforms capture wallet transfers, internal movements or payment activity.
- Policy alignment
CARF-related procedures will need to be embedded within wider financial crime policies, from onboarding and risk assessments to transaction monitoring and data governance.
- Cross-jurisdiction complexity
As other jurisdictions roll out their own CARF legislation, international firms may face slightly different versions of the same requirement. Ensuring consistency across global operations will be essential.
What This Means for Compliance Teams
CARF is tax-focused in its origin, but it leans heavily on AML, CTF and CPF processes due to the information required at onboarding and throughout firms’ business relationships with their customers. Customer identification, transaction checks, record keeping and governance all sit squarely in compliance.
This means financial crime teams will drive much of the work. Treating CARF as a pure tax issue risks missing key gaps in the wider control framework.
It also raises the stakes on getting CDD and monitoring right. If a firm is unable to demonstrate effective onboarding, accurate risk classification or appropriate controls for high-risk customers, that will quickly become apparent once transaction data is shared with authorities.
What Firms Should Be Doing Now
- Map your obligations and assess which services and clients are affected
- Review data collection processes to confirm whether tax residency and transaction data are being captured
- Update policies and procedures to reflect CARF expectations
- Engage with technology teams to address any system gaps early
- Train internal stakeholders across compliance, ops and product teams
- Monitor for regulatory updates from HMRC and overseas CARF adopters
- Note the additional domestic requirements, including the need to register with HMRC’s CARF service and notify users by 31 January 2027, and the penalties for inaccurate or late reporting.
CARF marks the move from reactive oversight to proactive, data-driven reporting. For UK RCASPs, it is an opportunity to strengthen controls and show maturity in a market under greater scrutiny. Firms that prepare early and work cross-functionally will be in the best position.
How Thistle Initiatives Can Help
- Enhance policies and procedures to ensure alignment with CARF requirements
- Provide tailored training for compliance teams on due diligence and reporting obligations
- Support digital transformation projects to ensure systems can capture, categorise and report required data accurately
- Conduct independent reviews of your control framework to assess current capabilities, identify gaps, and recommend proportionate improvements aligned with regulatory expectations
Meet the Expert
Katya Davis, Manager
Katya brings a wealth of experience and energy to our Financial Crime team. Previously financial crime lead and analyst in banking and fintech, Katya developed expertise in handling diverse financial crime and compliance responsibilities. As a solo practitioner, she managed fraud detection, investigations, procedural updates, and compliance measures. This experience has equipped her with a comprehensive understanding of the intricacies of compliance in traditional and digital financial landscapes.