Due diligence is the foundation of CARF compliance. Before reporting user transactions, CASPs must identify their users, determine their tax residency, and collect required information. This guide covers all aspects of CARF due diligence requirements.

What is Due Diligence?

Under CARF, due diligence refers to the procedures CASPs must follow to identify Reportable Users and collect the information needed for reporting. This includes verifying user identity, determining tax residency, and collecting Taxpayer Identification Numbers (TINs).

Due diligence serves multiple purposes:

  • Identifying which users are reportable
  • Collecting accurate information for reports
  • Ensuring data quality for tax authorities
  • Preventing users from evading reporting through false declarations

Key Requirements

Self-Certification

The primary due diligence tool is the self-certification—a declaration by the user of their tax residency and TIN. Self-certifications must include:

  • Full legal name
  • Current residence address
  • Jurisdiction(s) of tax residence
  • TIN for each jurisdiction of residence
  • Date of birth (for individuals)
  • Declaration of accuracy
  • User signature or electronic equivalent

Reasonableness Test

CASPs cannot blindly accept self-certifications. They must confirm the information is reasonable based on other information collected during onboarding. Red flags include:

  • Address in different country than declared tax residence
  • Phone number from different jurisdiction
  • Payment methods linked to other countries
  • IP addresses consistently from different locations
Important Requirement

CASPs must document the reasonableness checks performed and retain evidence of any inconsistencies identified and how they were resolved.

TIN Validation

CASPs must validate TINs against the format requirements of each jurisdiction. Many jurisdictions provide validation services. Invalid TINs must be flagged and corrected before reporting.

New vs Existing Users

New Users (Post-Implementation)

For users onboarding after CARF takes effect:

  • Self-certification required before first transaction
  • TIN validation before account activation
  • Immediate compliance with all requirements

Pre-Existing Users

For users who existed before CARF implementation:

  • Remediation period typically 12-24 months
  • Must obtain self-certification during this period
  • Can use existing information as starting point
  • Must resolve any inconsistencies

Documentation Requirements

CASPs must maintain comprehensive records:

  • Original self-certifications (or copies)
  • Supporting identity documents
  • Evidence of reasonableness checks
  • TIN validation results
  • Any correspondence regarding discrepancies

Records must be retained for the period specified by each jurisdiction—typically 5-7 years after the reporting period.

Ongoing Obligations

Due diligence is not a one-time exercise:

  • Change in circumstances: Monitor for changes affecting tax residency
  • Periodic review: Some jurisdictions require regular re-certification
  • Updated information: Obtain new self-certification when circumstances change
  • Expired documents: Refresh identity documents as needed
Best Practice

Implement automated monitoring for changes in circumstances such as address updates, new phone numbers, or changes in payment methods that might indicate a change in tax residency.

Conclusion

Robust due diligence procedures are essential for CARF compliance. CASPs should implement systematic processes for collecting, validating, and maintaining user information. Investment in due diligence infrastructure pays dividends through more accurate reporting and reduced regulatory risk.

Automate CARF Compliance

Self-certification, TIN validation, transaction reporting, and XML generation for 76 jurisdictions.

Expert Consulting