Global Crypto & Fiat Regulatory Frameworks: Beyond DAC8
Comprehensive mapping of tax reporting, AML, and operational compliance frameworks. Data collection active in 48 jurisdictions as of January 1, 2026.
Overview
Financial privacy is not about hiding wrongdoing. It is a prerequisite for personal autonomy in an age where data is power and surveillance is infrastructure. The ability to transact without creating a permanent, searchable record accessible to tax authorities worldwide is not a fringe concern. It is foundational to freedom of movement, freedom of association, and the practical exercise of property rights across borders.
As of January 1, 2026, that window is closing. 48 jurisdictions have activated the OECD's Crypto-Asset Reporting Framework (CARF), requiring exchanges, brokers, and custodial wallet providers to collect and report transaction data to local tax authorities, which then exchange that data automatically with the user's country of residence. Europe's Transfer of Funds Regulation went live December 30, 2024, with a mandated review of self-hosted wallet restrictions due June 30, 2026. The Commission can impose new restrictions via delegated act, bypassing parliamentary process. 85 jurisdictions have passed or are implementing the FATF Travel Rule, requiring identity data transmission with every crypto transfer above a threshold (or no threshold at all, in the EU's case).
These are not proposals. They are operational. Centralized exchanges are collecting now. The first data exchanges between tax authorities occur in 2027. The second wave, covering Dubai, Singapore, Hong Kong, and Switzerland, follows in 2028. The United States joins in 2029.
Why this matters: Most individuals tracking crypto regulation are aware of MiCA and DAC8. Far fewer are tracking the full compliance stack: tax reporting (CARF, DAC8, CRS 2.0, FATCA, US Form 1099-DA), anti-money laundering frameworks (FATF Travel Rule, EU TFR), and operational requirements (DORA, MiCA). The obligations are cumulative and overlapping. A MiCA-licensed exchange operating in the EU is simultaneously subject to seven separate reporting and compliance regimes, each with its own scope, threshold, and enforcement mechanism.
This report maps the architecture: what data is being collected, who is collecting it, where it goes, when it starts, and what enforcement looks like. It identifies jurisdictions not yet in the net, explains how the frameworks interlock, and provides the reference material needed to understand exposure based on where you hold assets, where you bank, and which platforms you use.
The presumption that relocating from one EU country to another, or from the EU to the UK or Switzerland, meaningfully alters reporting obligations is incorrect. The presumption that using a Dubai-based exchange avoids CARF is correct only until 2028. The presumption that self-custody wallets remain outside the system indefinitely may not survive the EU's June 2026 review.
This is not speculative. The frameworks are live, the data collection has begun, and the timeline for global coverage is measured in months, not years.
Part One: Tax Reporting Frameworks
CARF (Crypto-Asset Reporting Framework)
The OECD's global standard for automatic exchange of crypto transaction data between tax authorities. DAC8 is the EU's localized implementation of CARF, but CARF extends far beyond Europe.
| Governing Body | OECD Global Forum on Transparency and Exchange of Information for Tax Purposes |
| Status | Active. Data collection began January 1, 2026 in 48 jurisdictions. |
| First Data Exchange | 2027 for first-wave countries. 2028 and 2029 for subsequent waves. |
| Who Reports | Crypto-Asset Service Providers (CASPs): exchanges, brokers, custodial wallet providers, crypto ATMs. |
| What's Reported | User identity, tax residency, TIN, transaction history (disposals, swaps, transfers), aggregate values. |
| Self-Custody | Not directly in scope. Transfers touching a reporting CASP become visible. |
First-wave jurisdictions (2027 exchange): All 27 EU member states, plus the UK, Brazil, Chile, Israel, Japan, New Zealand, South Africa, Channel Islands, Cayman Islands, and others. 48 jurisdictions total as of January 2026.
Second-wave jurisdictions (2028 exchange): Australia, Canada, Hong Kong, Singapore, Switzerland, Thailand, UAE.
Third-wave (2029 exchange): United States.
Not yet committed: Argentina, El Salvador, Georgia, India, Vietnam.
Operational Impact: Using a centralized exchange domiciled in any of the 48 first-wave jurisdictions means your transaction data is being collected now. Relocating from Spain to the UK, Portugal, or any other EU/first-wave country does not change CARF exposure. The 2028 wave closes the gap on most popular "alternative" jurisdictions (UAE, Singapore, Switzerland). The window where those locations avoid crypto reporting is measured in months.
CRS 2.0 (Amended Common Reporting Standard)
The OECD's existing framework for automatic exchange of financial account information between tax authorities, now updated to cover digital assets.
| Governing Body | OECD |
| Status | Amendments effective January 1, 2026 in adopting jurisdictions. |
| Scope | 100+ participating jurisdictions (CRS has been operational since 2014/2017 for traditional accounts). |
| What Changed in 2026 | E-money wallets, Central Bank Digital Currency (CBDC) holdings, crypto derivatives, and stablecoin accounts now fall within CRS scope. Entity classification rules tightened. |
| Who's Newly In Scope | Electronic Money Institutions (Revolut, Wise, N26, etc.) now classified as Reporting Financial Institutions in jurisdictions that have adopted the amendments. |
| Self-Certification | Updated self-certification forms required. Dual-residence must now be recorded for all applicable jurisdictions. |
Operational Impact: Individuals holding funds in e-money platforms (Revolut, Wise, similar) were previously in a gray zone under CRS. That gray zone is closed. These platforms are now reporting institutions in most adopting jurisdictions. If you have accounts across multiple e-money providers in different countries, each one reports to its local tax authority, which then exchanges data with your country of tax residence.
FATCA (Foreign Account Tax Compliance Act)
The US unilateral regime for reporting on foreign financial accounts held by US persons. Operates independently from CRS.
| Governing Body | US Treasury / IRS |
| Status | Active since 2014. Ongoing. |
| Scope | Every foreign financial institution (FFI) worldwide that holds accounts for US persons. |
| Mechanism | FFIs report to their local tax authority, which exchanges data with the IRS under bilateral IGA agreements. Non-compliant FFIs face 30% withholding tax on US-source income. |
| Who's Affected | Any individual with US citizenship, green card, or US tax residency, regardless of where they live or bank. |
Operational Impact: FATCA operates on a separate track from CRS/CARF. The US does not participate in CRS. However, the US has committed to joining CARF by 2029 and has built its own parallel domestic reporting regime (Form 1099-DA, below). US persons face the most layered reporting exposure globally: FATCA + FBAR + 1099-DA + potentially CARF once US participation begins.
US Form 1099-DA (Digital Asset Proceeds from Broker Transactions)
The US domestic crypto reporting mechanism, separate from CARF/DAC8.
| Governing Body | IRS |
| Status | Active. Phased rollout. |
| 2025 Transactions | Custodial brokers report gross proceeds only. Good-faith penalty relief applies. |
| 2026 Transactions | Brokers must report both gross proceeds and adjusted basis for covered digital assets (those acquired and held at the same broker on or after Jan 1, 2026). |
| 2027 | Backup withholding obligations begin. Brokers must withhold 24% on transactions where customer TIN is missing or mismatched. |
| DeFi Carve-Out | Congress used the Congressional Review Act to overturn broker-reporting obligations for non-custodial DeFi actors. DEXs, AMMs, LP protocols, and smart-contract trading systems are NOT classified as brokers. Only custodial brokers are in scope. |
| Scope | US-based custodial exchanges, hosted wallet providers, payment processors, crypto kiosks. Also applies extraterritorially to non-US brokers dealing with US persons. |
Operational Impact: The DeFi carve-out is a meaningful exception for now. But cost-basis reporting starting with 2026 transactions means the IRS will have gain/loss visibility on every covered sale through a custodial broker. Individuals with US tax obligations who have been managing crypto reporting manually should expect automated cross-referencing of 1099-DA data against filed returns starting in 2027.
Part Two: AML and Transaction Monitoring Frameworks
FATF Travel Rule (Recommendation 16)
Global AML standard requiring Virtual Asset Service Providers to collect and transmit sender/recipient information.
| Governing Body | Financial Action Task Force (FATF) |
| Status | Active. 99 jurisdictions have passed or are passing implementing legislation as of 2025. |
| June 2025 Update | FATF fundamentally revised Recommendation 16, expanding objectives to include fraud prevention and proliferation financing. Mandated Confirmation of Payee (CoP) verification systems for cross-border transfers. Fully integrated with ISO 20022 messaging standards. |
| Threshold | FATF recommends USD/EUR 1,000. However, countries set their own thresholds or may have no threshold at all. |
| Enforcement Gap | Approximately 59% of jurisdictions with Travel Rule laws have not yet issued supervisory findings, directives, or enforcement actions tied to compliance (per FATF 2025 Targeted Update). |
| Who's Affected | Virtual Asset Service Providers (VASPs): exchanges, hosted wallets, payment processors. Any entity that conducts or facilitates transfers of virtual assets on behalf of customers. |
Operational Impact: The Travel Rule creates compliance pressure on VASPs, but enforcement remains inconsistent globally. Jurisdictions have varying thresholds, technical implementations, and supervisory capacity. The June 2025 update signals FATF's intent to expand scope beyond traditional AML/CTF into fraud and proliferation financing, increasing data collection expectations.
EU Transfer of Funds Regulation (TFR)
EU's implementation of the Travel Rule with zero threshold for all cryptoasset transfers.
| Governing Body | European Parliament and Council |
| Status | Adopted May 31, 2023. Published June 9, 2023. Full enforcement began December 30, 2024. |
| Transitional Period | CASPs had 18 months (June 2023 - December 2024) to adjust. No grace period after December 30, 2024. |
| Threshold | Zero threshold. All cryptoasset transfers require sender and recipient identifying information, regardless of amount. |
| Self-Hosted Wallets | CASPs must collect information on transfers to/from unhosted wallets exceeding EUR 1,000. For amounts above EUR 1,000, the CASP must verify the self-hosted wallet address belongs to the customer. |
| Who's Affected | All EU-licensed Crypto-Asset Service Providers (CASPs) under MiCA. |
Operational Impact: The EU TFR is the strictest Travel Rule implementation globally. The zero threshold means every transfer triggers data collection. The self-hosted wallet provisions create friction for individuals moving assets to private custody, requiring identity disclosure even for non-custodial transactions above EUR 1,000.
Part Three: Operational and Licensing Frameworks
DORA (Digital Operational Resilience Act)
EU operational resilience and cybersecurity requirements for financial entities, including crypto service providers.
| Governing Body | European Supervisory Authorities (ESAs): EBA, EIOPA, ESMA |
| Status | In full application as of January 17, 2025. |
| Scope | Applies to all EU financial entities including banks, insurers, payment institutions, e-money institutions, investment firms, and crypto-asset service providers under MiCA. |
| Core Requirements | Five pillars: (1) ICT risk governance, (2) incident response and reporting, (3) third-party risk management, (4) digital resilience testing with threat-led exercises, (5) information sharing on cyber threats. |
| Penalties | Up to 2% of annual worldwide turnover for financial entities. Up to 1% of average daily worldwide turnover for critical ICT third-party providers. |
| Who's Affected | Crypto exchanges licensed under MiCA, custodians, wallet providers. Also: cloud providers, payment processors, and other ICT vendors serving these entities. |
Operational Impact: DORA creates mandatory operational resilience requirements on top of MiCA's conduct and capital rules. A licensed EU crypto exchange must implement incident reporting, third-party vendor due diligence, threat-led penetration testing, and governance structures to manage ICT risks. Non-compliance can result in fines reaching 2% of global turnover.
MiCA (Markets in Crypto-Assets Regulation)
EU comprehensive licensing and conduct regime for crypto-asset service providers.
| Governing Body | European Securities and Markets Authority (ESMA) |
| Status | Titles III & IV (stablecoins) effective June 30, 2024. Full application (CASP licensing, conduct) effective December 30, 2024. |
| First Licenses Issued | Netherlands and Malta issued first licenses on December 30, 2024. Germany followed mid-January 2025. |
| 2025 Milestones | January 2025: CASPs begin license applications. March 2025: RTS and ITS on notification requirements enter force. June 2025: European Commission interim report on MiCA application. |
| Transitional Periods | Vary by jurisdiction: July 1, 2025 (Netherlands) to July 1, 2026 (some member states). Existing providers have time to achieve compliance. |
| Who's Affected | All crypto-asset service providers operating in the EU: exchanges, custodians, wallet providers, trading platforms, issuers of asset-referenced tokens and e-money tokens. |
Operational Impact: MiCA creates a unified EU licensing regime, replacing fragmented national approaches. A MiCA license grants passporting rights across all 27 EU member states. However, compliance requires capital adequacy, governance, conduct, disclosure, and client asset protection standards comparable to traditional financial services. Combined with DORA (resilience), TFR (AML), and DAC8 (tax reporting), the EU compliance stack is the most comprehensive globally.
Part Four: Framework Interlock Summary
The frameworks above do not operate in isolation. They interlock to create a comprehensive compliance environment where tax reporting (CARF, DAC8, CRS 2.0, FATCA, 1099-DA), AML obligations (FATF Travel Rule, EU TFR), and operational requirements (DORA, MiCA) all apply simultaneously. An EU-licensed crypto exchange serving international clients faces:
| Domain | Framework(s) | Compliance Obligation |
|---|---|---|
| Tax Reporting | DAC8, CARF, CRS 2.0 | Report crypto transactions and e-money balances to tax authorities for automatic exchange. |
| AML / Transaction Monitoring | EU TFR, FATF Travel Rule | Collect and transmit sender/recipient information for all transfers. Zero threshold under TFR. |
| Licensing & Conduct | MiCA | Obtain CASP license, meet capital requirements, governance, disclosure, client asset protection. |
| Operational Resilience | DORA | Implement ICT risk governance, incident reporting, third-party risk management, resilience testing. |
For individuals, the interlock is simpler but pervasive. If you hold crypto at an EU-licensed exchange and have tax residency in a CARF jurisdiction, your transactions are reported under DAC8 and exchanged with your home tax authority under CARF. If you move crypto to self-custody, the transfer above EUR 1,000 triggers TFR identification requirements. If you are a US person, FATCA and 1099-DA reporting apply in addition to CARF.
Implementation Timeline Visualization
The chart below shows the phased rollout of CARF jurisdictions from 2026 through 2029, based on OECD implementation schedules.
48 jurisdictions began collecting data on January 1, 2026 for first exchanges in 2027. The second wave (47 jurisdictions) started data collection in 2027 for 2028 exchanges. The US has committed to joining CARF by 2029, significantly expanding global coverage.
Key Dates Reference
| Date | Framework | Event |
|---|---|---|
| Jan 1, 2026 | CARF (48 jurisdictions) | Data collection begins for first exchanges in 2027 |
| Jan 1, 2026 | US 1099-DA | 2026 transactions become "covered digital assets" for basis reporting |
| Jan 17, 2025 | DORA | Full application begins |
| June 30, 2024 | MiCA Titles III & IV | Stablecoin rules effective |
| Dec 30, 2024 | MiCA (full) | CASP licensing, conduct, disclosure requirements effective |
| Dec 30, 2024 | EU TFR | Full enforcement begins (zero threshold) |
| Jan 1, 2027 | CARF | First automatic exchanges (48 jurisdictions) |
| Jan 1, 2027 | CARF (47 jurisdictions) | Data collection begins for second wave (exchanges in 2028) |
| 2027 | US 1099-DA | Backup withholding (24%) begins for missing/mismatched TINs |
| Jan 1, 2028 | CARF | Second wave automatic exchanges (47 jurisdictions) |
| By 2029 | CARF (US) | United States committed to join CARF |
CARF Adoption Map
The map below shows which jurisdictions are participating in CARF, coded by implementation wave. Click on markers for jurisdiction details.
48 jurisdictions. Data collection began Jan 1, 2026. First exchanges Jan 1, 2027.
47 jurisdictions. Data collection began Jan 1, 2027. First exchanges Jan 1, 2028.
United States committed to join by 2029.
Jurisdictions Not Yet in CARF
As of 2026, certain jurisdictions have not committed to CARF implementation. These fall into several categories:
Major Financial Centers Still Outside CARF (as of 2026):
Singapore, Hong Kong, UAE (Dubai), Switzerland (monitoring but not yet committed to first wave).
Note on "Haven" Jurisdictions:
The absence of a jurisdiction from CARF does not mean it is a viable long-term base for avoiding reporting. Many non-CARF jurisdictions participate in CRS (fiat reporting), have robust AML regimes, or lack the legal infrastructure for compliant crypto custody. Additionally, FATF and OECD exert diplomatic pressure on non-participants, and the list of CARF jurisdictions continues to expand.
Methodology
This Special Report is based on primary regulatory sources, official implementation schedules, and direct analysis of legal texts. All framework descriptions reference official documents from governing bodies (OECD, EU, FATF, IRS, ESAs).
Sources
| Source | Type | Date | Link |
|---|---|---|---|
| OECD: Crypto-Asset Reporting Framework and Amendments to the Common Reporting Standard | Regulatory Framework | 2023 | View |
| EU Council: DAC8 Directive (Council Directive 2023/2226) | EU Directive | 2023 | View |
| FATF: Targeted Update on Implementation of FATF Standards on Virtual Assets and VASPs | Policy Update | 2025 | View |
| IRS: Form 1099-DA Digital Asset Proceeds from Broker Transactions | Tax Form | 2024 | View |
| ESMA: Markets in Crypto-Assets Regulation (MiCA) | EU Regulation | 2023 | View |
| EIOPA: Digital Operational Resilience Act (DORA) | EU Regulation | 2022 | View |
| EBA: Guidelines on Transfer of Funds Regulation | Guidelines | 2023 | View |
Date of Analysis: February 2026. Regulatory frameworks are subject to ongoing updates and amendments. Readers should verify current status with governing authorities.