HMRC Cryptoasset Reporting Framework (CARF): A Complete Compliance Guide for UK Firms
HMRC's Cryptoasset Reporting Framework (CARF) requires UK cryptoasset service providers to report user and transaction data starting in 2027. This guide covers who must report, what data to collect, how to submit XML files, deadlines, penalties, and common pitfalls.
Introduction
If you operate a cryptoasset service provider in the UK, you are likely subject to HMRC's new Cryptoasset Reporting Framework (CARF). This framework, aligned with OECD standards, mandates that UK firms collect and report detailed transaction and user data to HMRC starting from the 2026 calendar year. The first report is due between 1 January 2027 and 31 May 2027. Non-compliance can result in penalties of up to £300 per user. This guide walks you through every step—from understanding who must report to submitting your XML file—so your firm stays compliant.
1. Overview of CARF
The Cryptoasset Reporting Framework (CARF) is an international tax transparency framework developed by the OECD. HMRC has adopted CARF to combat tax evasion through cryptoassets. Under CARF, UK cryptoasset service providers must report information on users who are tax resident in the UK or in other CARF-adopting jurisdictions. The first reporting period is the 2026 calendar year, with the report due between 1 January 2027 and 31 May 2027. Thereafter, reports are due annually by 31 May.
Who Must Report?
UK cryptoasset service providers that facilitate exchange transactions between cryptoassets and fiat currency, or between one or more forms of cryptoassets, including:
- Cryptoasset exchanges
- Brokers and dealers
- ATM operators
- Certain wallet providers (if they effectuate transactions)
If your firm is registered with the FCA for cryptoasset activities, you are likely within scope. Check HMRC's guidance for the full definition.
2. Reporting Obligations
What Must Be Reported?
For each reportable user (i.e., those tax resident in the UK or another CARF jurisdiction), you must provide:
- User information: full name, address, jurisdiction(s) of tax residence, Tax Identification Number (TIN), date of birth, and (for entities) place of incorporation.
- Transaction summaries: aggregated by type of cryptoasset (e.g., Bitcoin, Ether), including total gross proceeds, total number of units, and total number of transactions for each calendar year.
You do not need to report users who are exclusively tax resident in non-CARF countries (e.g., many non-OECD nations). However, you must have procedures to determine tax residency.
Deadlines
- First report: 1 January 2027 – 31 May 2027 (covering 2026 data)
- Subsequent reports: Annually by 31 May (covering the previous calendar year)
Penalties
Failure to report, late submission, or submission of inaccurate data can result in penalties of up to £300 per reportable user. For a firm with thousands of users, penalties can quickly escalate. HMRC may also impose additional penalties for deliberate non-compliance.
3. Data Collection Requirements
To comply, you must collect and store the following data for each reportable user:
- Identity data: Legal name, residential address, date of birth, TIN, and tax residence jurisdiction(s). For entities: legal name, registered address, place of incorporation, and TIN.
- Transaction data: For each type of cryptoasset (identified by its ticker symbol or CAIP-10 identifier if available), you need the aggregate gross proceeds (in fiat currency equivalent), aggregate number of units, and number of transactions for the calendar year. This includes purchases, sales, exchanges, and any other reportable transactions as defined by CARF.
You must have systems in place to capture this data from your existing transaction records and user onboarding processes. For users who are not tax resident in a CARF jurisdiction, you should still collect sufficient data to confirm their status and document your determination.
4. Submission Process
Reports must be submitted as XML files (up to 250MB in size) via an online service that HMRC is developing. As of early 2025, the service is not yet live. HMRC will provide details ahead of the first filing window. Steps to prepare:
- Generate XML: Use the OECD CARF XML Schema to structure your data. You can build your own exporter or use a third-party compliance tool.
- Validate: Ensure the XML file conforms to the schema and is under 250MB. If your file exceeds this limit, you must split it into multiple files.
- Submit: Upload via HMRC's online service. You will receive an acknowledgement receipt.
- Retain records: Keep all data and submission records for at least 6 years.
If you need to correct a previously submitted report, you must file a revised XML file as soon as possible.
5. Compliance Checklist
- ☐ Confirm whether your firm is a reportable cryptoasset service provider.
- ☐ Identify all reportable users (UK and CARF tax residents).
- ☐ Collect required identity and transaction data for each reportable user.
- ☐ Implement AML/KYC procedures to verify tax residency and TINs.
- ☐ Build or procure XML generation capability using OECD CARF schema.
- ☐ Test XML generation and validation before the filing window.
- ☐ Submit the first report between 1 Jan and 31 May 2027.
- ☐ Retain all records for 6 years.
- ☐ Establish ongoing monitoring for new reportable users and annual data.
6. Common Pitfalls
Missing Tax Residency Data
Many crypto firms do not collect tax residency or TINs during onboarding. Without this data, you cannot determine whether a user is reportable. Update your KYC processes immediately to capture this information.
Incorrect Aggregation
CARF requires transaction data aggregated per cryptoasset type per user. Some firms mistakenly report per transaction or per wallet. Ensure your system aggregates correctly.
Large XML Files
If you have many reportable users, your XML file may exceed 250MB. Plan to split files by user group or transaction type. HMRC will specify how to handle multiple files.
Ignoring Non-CARF Users
Even if a user is not reportable, you must document why (e.g., tax residence in a non-CARF country). HMRC may request this documentation during an audit.
Late Submission
Missing the 31 May deadline triggers automatic penalties. Start preparing early—do not wait until April 2027.
Frequently Asked Questions
What if a user refuses to provide their TIN?
You must still report the user but indicate that the TIN is unavailable. You should document your efforts to obtain it.
Do I need to report historical data before 2026?
No. The first reporting period is the 2026 calendar year. However, you should start collecting data from 1 January 2026.
Can I use a third-party service to submit?
Yes. Many compliance platforms offer CARF XML generation and submission support. Ensure the service is HMRC-compliant.
What about DeFi and unhosted wallets?
CARF applies to reportable service providers. If you operate a DeFi platform that qualifies as a service provider, you are in scope. Unhosted wallets are not directly reportable, but transactions involving them may be if you are the service provider.
Next Steps
CARF compliance is not optional. With the first report deadline just two years away, UK cryptoasset service providers must act now to update KYC processes, implement data collection systems, and prepare XML submission capabilities. For help with AML compliance and fraud detection in crypto transactions, consider using RisksRadarAI, which automates SAR generation and cross-domain risk detection. Start your compliance journey today to avoid penalties and ensure smooth reporting.
This content is for informational purposes only and does not constitute legal advice.