Determining whether your organization has CARF reporting obligations is the critical first step in compliance planning. The framework casts a wide net, potentially capturing entities that don't consider themselves traditional financial services providers.

Reporting Entity Definition

Under CARF, a Reporting Crypto-Asset Service Provider (RCASP) is any individual or entity that, as a business, provides services effectuating Exchange Transactions for or on behalf of customers. The key elements are:

  • Business activity: Services must be provided as a business, not as occasional personal transactions
  • Effectuating exchanges: The entity must actually execute or facilitate the exchange
  • Customer relationship: Services must be provided for or on behalf of customers

Key Point: The definition focuses on the function performed, not the legal structure or how the entity describes itself. A company calling itself a "technology platform" may still be an RCASP if it facilitates crypto exchanges.

Types of CASPs

The following business models typically fall within CARF's scope:

Centralized Exchanges

Traditional crypto exchanges that hold customer assets and execute trades are clearly within scope. This includes major platforms offering spot trading, derivatives, and other crypto services.

Brokers and Dealers

Entities that buy and sell crypto-assets on their own account as a regular business, providing quotes to customers, are covered regardless of whether they hold customer assets.

Crypto ATM Operators

Bitcoin ATMs and similar kiosks that enable fiat-to-crypto exchanges are RCASPs. Even if operated by a third party, the operator has reporting obligations.

Payment Processors

Services that enable merchants to accept crypto payments and convert them to fiat may be RCASPs if they effectuate the exchange transaction.

Certain Wallet Providers

Wallet providers that also facilitate exchanges—such as through integrated swap features or fiat on/off ramps—may have reporting obligations for those exchange functions.

OTC Desks

Over-the-counter trading desks facilitating large crypto transactions for institutional or high-net-worth clients are within scope.

Nexus Rules: When Do Obligations Apply?

A CASP has reporting obligations in a jurisdiction if it has sufficient nexus, which can be established through:

  • Tax residency: The entity is tax resident in the jurisdiction
  • Incorporation: The entity is incorporated or organized under the jurisdiction's laws
  • Management: The entity is managed from the jurisdiction
  • Regular place of business: The entity maintains offices or regular business presence

Importantly, merely having customers in a jurisdiction does not automatically create nexus—though some jurisdictions (particularly in the EU under DAC8) have extended requirements to non-resident CASPs serving their residents.

Exemptions

Certain entities are excluded from RCASP status:

  • Pure software providers: Companies that only provide technology without facilitating transactions
  • Hardware wallet manufacturers: Unless they also provide exchange services
  • Blockchain validators: Entities only involved in transaction validation
  • Pure custodians: Services that only store assets without exchange functionality

However, these exemptions are narrowly construed. Any integrated exchange functionality can bring an otherwise exempt entity into scope.

Multiple Jurisdictions

CASPs operating across borders face complex jurisdictional questions:

Multiple Reporting Obligations

A CASP with nexus in multiple CARF-implementing jurisdictions may have reporting obligations in each. However, the framework includes mechanisms to avoid duplicate reporting of the same information.

Primary Reporting Jurisdiction

Where a CASP has obligations in multiple jurisdictions, it may designate a primary reporting jurisdiction. Other jurisdictions can then receive information through automatic exchange rather than direct reporting.

Non-Implementing Jurisdictions

CASPs in jurisdictions that haven't implemented CARF may still face obligations if they have nexus in implementing jurisdictions. Additionally, many implementing jurisdictions require CASPs to report on all users, not just those resident in exchange partner countries.

Determining Your Obligations

Organizations should undertake a structured analysis:

  1. Map business activities: Identify all services that involve crypto exchange transactions
  2. Analyze entity structure: Determine which legal entities provide relevant services
  3. Assess jurisdictional nexus: For each entity, identify jurisdictions where nexus exists
  4. Review local rules: Examine how each jurisdiction has implemented CARF
  5. Consider DAC8 implications: If serving EU customers, assess extended reporting requirements

Conclusion

CARF's broad definition of reporting entities means many organizations may have unexpected obligations. Early assessment is essential to ensure adequate time for compliance preparation. When in doubt, seek professional guidance—the consequences of incorrectly concluding you're exempt can be severe.
