Introduction
The next phase of international crypto regulation is no longer about securities laws or national licensing. It is about tax transparency—and the OECD is leading the charge.
In 2025, over 50 jurisdictions signed the Crypto-Asset Reporting Framework Multilateral Competent Authority Agreement (CARF-MCAA), committing to automatic exchange of crypto-related tax data under a globally coordinated regime. The agreement marks a historic shift: tax authorities will now treat crypto platforms and protocols much like banks, subjecting them to annual reporting, identity verification, and cross-border compliance.
Unlike MiCA or the GENIUS Act, the CARF is not a licensing regime. It is a global tax infrastructure blueprint. For crypto founders, investors, and general counsel, this means designing products and operations that comply with extraterritorial tax reporting even if no transaction appears “onshore.”
This article breaks down the structure of CARF, the obligations it imposes, and the strategic blind spots many Web3 businesses will face if they ignore its reach.
What Is the OECD Crypto-Asset Reporting Framework (CARF)?
CARF is a legal and technical framework created by the OECD to bring crypto-asset transactions within the scope of automatic exchange of tax information. It functions in parallel to the Common Reporting Standard (CRS) for traditional financial institutions but focuses specifically on crypto-related activity.
CARF is intended to prevent taxpayers from hiding wealth and income in digital assets by requiring Reporting Crypto-Asset Service Providers (RCASPs) to identify account holders and report specific transactions to their domestic tax authority, which then shares the information with other jurisdictions.
The legal authority comes from a multilateral agreement: the CARF-MCAA, signed by jurisdictions such as the United Kingdom, France, Canada, Singapore, and Japan as of March 2025.
Who Must Report Under CARF?
CARF applies to any entity or individual that, as a business, provides a service effectuating exchange transactions involving crypto-assets for or on behalf of customers. This includes custodial and non-custodial platforms alike.
The definition of a Reporting Crypto-Asset Service Provider includes:
- Centralized exchanges
- Decentralized protocols offering brokerage or trading
- Platforms offering crypto-to-fiat or crypto-to-crypto swaps
- Payment processors transferring crypto from customers to merchants
Even platforms without custody functions are covered if they facilitate exchange transactions.
RCASPs are subject to CARF if they are tax resident in a signatory jurisdiction, have a regular place of business there (including a branch), or offer services to customers in that jurisdiction.
What Must Be Reported?
CARF introduces standardized categories of reportable data, broken down into the following areas:
1. Exchange Transactions
These include crypto-to-fiat, crypto-to-crypto, and wrapping/unwrapping transactions (e.g., wBTC for BTC), as well as liquid staking mechanisms that generate tokenized receipts. If one crypto-asset is exchanged for another, it is reportable—even if not taxable under local law.
2. Retail Payment Transactions
Transfers of crypto used to purchase goods or services exceeding USD 50,000 annually per customer must be reported separately. This covers payment processors and merchant platforms.
3. Transfers of Relevant Crypto-Assets
CARF defines “Relevant Transfers” broadly, including crypto loans, collateral transfers, and other movement of assets outside of exchange contexts. These must be reported with classification tags (e.g., “Crypto Loan,” “Collateral”).
What Due Diligence Is Required?
RCASPs must perform KYC-style due diligence to identify whether users are Reportable Persons under CARF. This includes:
- Obtaining and verifying tax residence information
- Collecting names, addresses, tax identification numbers (TINs), and dates of birth (for individuals)
- For non-resident entities, establishing place of effective management or using principal office address
Entities that lack tax residence—such as DAOs or partnerships—must be assessed based on their managing location, or default to their listed business address if no better evidence exists.
Importantly, non-compliant users may trigger refusal of service or enhanced scrutiny.
Strategic Blind Spots and Enforcement Risk
Many Web3 projects may believe that CARF is irrelevant if they are “decentralized,” don’t serve EU users, or don’t hold fiat. This is false.
CARF covers non-custodial platforms if they facilitate exchange functionality. There is no exemption for AMMs, liquidity pools, or cross-chain bridges that permit swaps.
Offshore incorporation is not a shield. If the project has a developer team, office, or tax registration in a CARF signatory country, reporting is likely required.
DAO wrappers may not avoid obligations. If the legal entity is performing operations or holds user data (even indirectly), the jurisdiction of effective management applies.
Global Adoption: Who Has Signed?
As of March 2025, more than 50 jurisdictions have signed the CARF-MCAA, including:
- United Kingdom
- France
- Germany
- Canada
- Japan
- Singapore
- Cayman Islands
- Bahamas
- Switzerland
Importantly, the United States is not a signatory to the CARF-MCAA. However, U.S.-based projects may still be indirectly exposed through partnerships with foreign platforms, international user bases, or if they offer services into CARF-participating jurisdictions.
In parallel, the United States is implementing its own tax reporting regime under Internal Revenue Code Section 6045, which will impose similar obligations on digital asset brokers beginning in 2025. While not harmonized with CARF, these rules reflect a growing convergence toward global tax transparency.
The full list of CARF-MCAA signatories is available on the OECD’s exchange of tax information page.
What to Do Now: Legal Checklist for Compliance Teams
1. Map Nexus Across Jurisdictions
Determine where your entity, development team, and infrastructure create tax nexus under CARF. This includes branches, affiliates, and operational contributors.
2. Classify Your Platform’s Functions
Assess whether your protocol or platform offers exchange functionality. If yes, it is likely a Reporting Crypto-Asset Service Provider—even if non-custodial.
3. Collect and Verify Tax Data
Implement TIN and residency collection at onboarding. For legacy users, launch a remediation campaign or risk non-compliance penalties.
4. Monitor De Minimis Thresholds
Track merchant-related payments exceeding USD 50,000 per user annually. Retail payments above this limit must be reported separately.
5. Align With FATF and MiCA
CARF does not replace AML/KYC obligations or MiCA licensing. Ensure Travel Rule, VASP registration, and licensing frameworks are interoperable with CARF.
Conclusion: Tax Infrastructure Is the Next Compliance Frontier
The OECD’s Crypto-Asset Reporting Framework is not a theoretical construct. It is an enforceable global standard with over 50 committed jurisdictions, coordinated implementation timelines, and direct impact on Web3 platforms, exchanges, and protocols.
Founders who treat tax compliance as a last-mile issue will be caught flat-footed as their users, counterparties, and local banks demand CARF alignment. General counsel and investors should treat CARF-readiness as a baseline requirement for operating internationally.
Need help preparing your crypto operation for CARF compliance?
Veritas Global advises fintech platforms, exchange operators, and cross-border investors on legal infrastructure strategies aligned with OECD, FATF, and MiCA standards.
Schedule a compliance strategy session or read more insights to protect your roadmap.
