European Union: DAC 8 - Implementation of Crypto-Asset Reporting Framework published

Crypto operators may soon be responsible for collecting, validating and reporting information related to crypto-assets and their users

In brief

On 8 December 2022, the European Commission proposed a text amending Directive 2011/16/EU on administrative cooperation in the field of taxation (DAC8). DAC8 provides, among other things, the following: changes to the existing DAC framework, rules on advance cross-border rulings for high-net-worth individuals, and a crypto-asset reporting framework for competent EU authorities. The focus of this alert is on the Crypto-Asset Reporting Framework (CARF), intended to enter into force on 1 January 2026. Within the current DAC framework, crypto-assets are excluded from information exchange. If a taxpayer holds or transacts in crypto-assets, the party that has these customers is currently not obliged to declare related information on crypto-assets to EU tax authorities. Since assets held in these electronic instruments carry a potential risk for under-taxation, DAC8 enables EU member states to receive and exchange information about crypto-asset users, by implementing due diligence procedures and reporting rules for operators active in crypto-asset transactions and their users. The rules are based on the OECD's CARF.

Who reports on who and what?

The definition of Reporting Crypto-Asset Service Provider covers crypto-asset service providers as defined in the Regulation on Markets in Crypto-Assets (MiCA) as well as crypto-asset operators that do not fall under the scope of MiCA, but that provide services that are included in the scope of MiCA. The purpose of MiCA is to introduce harmonized conditions in the EU that deal with, among other things, the issuance of, acting as (transaction) the intermediary in and the dealing of crypto-assets. We note that a proposal for MiCA was adopted on 24 September 2020, but that the legislative procedure is still ongoing, with an amended text only agreed on 5 October 2022 by the European Council.

A Reporting Crypto-Asset Service Provider in the scope of DAC8 is any legal person or undertaking whose occupation or business is the provision of one or more crypto-asset services in scope (e.g., exchanging fiat currency to crypto-assets) to third parties on a professional basis, and who is authorized in a member state to provide these crypto-asset services in accordance with MiCA.

One of the main differences between the EU's proposal and the OECD's CARF is that operators of crypto-asset services active in the EU must be regulated by MiCA to be in scope of DAC8. Like DAC7, DAC8 also contains a switch-off mechanism for Reporting Crypto-Asset Service Providers that have already declared reportable transactions in their non-EU jurisdiction, under the condition that the respective third-party jurisdiction is recognized and has implemented and enforces CARF (or equivalent) legislation.

The Reporting Crypto-Asset Service Provider must report on reportable individuals or entities that are their customer for the purposes of carrying out reportable transactions. These customers can be seen as the counterparty to the merchant and must be treated as crypto-asset users. These reportable individuals as defined by DAC8 as crypto-asset users, resident in a member state, that are not excluded ("Reportable Users"). Excluded persons are the following:

  1. Stock-listed entities and entities of that group (related entities)
  2. Governmental entities
  3. International organizations
  4. Central banks
  5. Financial institutions other than investment entities, broadly meaning entities that invest on behalf of their customers: e.g., trade in money market instruments, engage in individual or collective portfolio management or otherwise invest or administer financial assets for their customers

The general understanding of what constitutes as crypto-assets is very broad and includes those crypto-assets that have been issued in a decentralized manner, as well as stablecoins, and certain non-fungible tokens (NFTs). Crypto-assets that are used for payment or investment purposes would be reportable under DAC8. Therefore, Reporting Crypto-Asset Service Providers should consider on a case-by-case basis whether crypto-assets can be used for payment and investment purposes, taking into account the exemptions provided in MiCA, particularly in relation to a limited network and certain utility tokens.

In general, also in light of the OECD's guidance on CARF, it seems that if a crypto-asset is tradeable on an exchange, including NFTs, it can be considered to be used for payment or investment purposes. To summarize, this means that under DAC8, Central Bank Digital Currencies (CBDCs), E-money and Crypto-Assets that the Reporting Crypto-Asset Service Provider has adequately determined that it cannot be used for payment or investment purposes, are non-reportable crypto-assets. By default, all other Crypto-Assets are Reportable Crypto-Assets. In this sense, we note that the OECD already acknowledged that additional guidance will be needed to assist the Reporting Crypto-Asset Service Provider in making such a determination. More clarity on this needs to be provided by the OECD for the CARF, and by proxy DAC8, for the legislation to be adhered to properly by Reporting Crypto-Asset Service Providers.

Once the Reporting Crypto-Asset Service Providers and Reportable Crypto-Assets are identified, we will set out the three steps Reporting Crypto-Asset Service Providers will have to take to comply with the DAC8 proposal.

Step 1: Due diligence procedures

As a first step, the rules provide for an obligation on the Reporting Crypto-Asset Service Provider to collect and verify the information in line with due diligence procedures laid down by the DAC8 proposal. The due diligence procedures require that natural persons (also called individuals) and legal entity crypto-asset users are identified as Reportable Users. Reporting Crypto-Assets Service Providers must fulfil a different set of due diligence procedures for natural persons than for legal entities. For example, for legal entities, the controlling persons may also have to be identified in certain cases. In any case, the member state of a tax residency has to be identified along with the legal address and (legal) name. 

Step 2: Reporting to the competent authority by the reporting Crypto-Asset Service Provider

As a second step, the Reporting Crypto-Asset Service Providers must submit the required information on the Reportable Users to the relevant competent authority. The Reporting Crypto-Asset Service Provider must inform each individual concerned, that information relating to this individual will be collected and reported to the competent authorities as required under the proposed directive (i.e., DAC8), in line with the GDPR (General Data Protection Regulation). We recommend that the relevant parties to inform their customers as soon as DAC8 becomes effective. This can be done by, e.g., indicating a change in the Terms of Service related to the exchange of personal information. The Reporting Crypto-Asset Service Provider must also provide all information that the data controllers are required to provide under the GDPR.

Step 3: Automatic exchange of information between competent authorities

The third step concerns the exchange of information from the reported information by the respective member state's competent authority that is receiving the information from the Reporting Crypto-Asset Service Provider, to the competent authority of another relevant member state where the Reportable User is tax resident. Reportable transactions are exchange transactions and transfers of Reportable Crypto-Assets. Both domestic and cross-border transactions are in the scope of the proposal and are aggregated by type of Reportable Crypto-Assets. The EU does not deviate from CARF in this respect.
The following information of Reportable Users will be exchanged:

  • Legal name
  • Legal address
  • Member state of residency
  • TIN (if applicable)
  • Place of birth (in case of an individual)

This same information concerning the Reporting Crypto-Asset Service Provider will also be exchanged, as well as the individual identification number and global legal entity identifier, a code that provides unique identification information on legal entities that participate in financial transactions globally.

For each Reportable Crypto-Asset, information will be exchanged if any reportable transaction during the relevant reporting period occurs. This reported information consists of the following:

  • The full name of the type of asset.
  • Gross amount paid and received.
  • The fair market value.
  • The number of units of the transactions.

Reports are to be filed on an aggregated basis. The scope of the information listed is also in line with the OECD's CARF. 
We note that it is a concern that the OECD may underestimate the burden on competent authorities receiving all the data required by the CARF. Some jurisdictions, also within the EU, may still be trying to catch up with conventional AML/KYC or CRS reporting. Therefore, it remains to be seen how EU authorities will utilize the information collected and exchanged under DAC8. This may also raise legitimate concerns about the security and sensitivity of information reported and exchanged under DAC8. A system with a very high level of cyber security will be required by the competent authorities of all EU member states to safeguard the data they collect, exchange and store.

To keep in mind

The European Commission has made it clear in the directive that there will be penalties applicable to infringements of national provisions adopted pursuant to DAC8. The directive lays down a few ground rules that the member states should commit to, when laying down their own rules. For example, in case of non-compliance with national provisions adopted to comply with DAC8, the minimum pecuniary penalty shall be not less than EUR 50,000 (scaled on the annual turnover of the relevant taxpayer, for example this minimum penalty increases to EUR 150,000 when revenue exceeds EUR 6 million).

Member states must adopt and publish their laws, regulations and administrative provisions necessary to comply with this DAC8 by 31 December 2025 at the latest. This means that DAC8 will be effective from 1 January 2026.

CARF Implementation Package

Finally, in addition to CARF, the blueprint for DAC8, it is worth mentioning that the OECD is still working on an implementation package to ensure the consistent domestic and international application of the CARF and by proxy, DAC8. This "Implementation Package" will form and integral part of the CARF and consists of the following:

  1. A framework of bilateral/multilateral competent authorities to facilitate the information exchange between participating jurisdictions.
  2. IT-solutions to support the exchange of information.
  3. Further guidance to ensure the effective implementation of the CARF by Reporting Crypto-Asset Service Providers and participating jurisdictions. 

We note that with similar legislative packages such as FATCA and CRS, a period of six years passed before implementation was effective. Reporting Crypto-Asset Service Providers should, in our view, be given the same amount of time to effectively implement DAC8, especially given the unclarity about certain pieces of the proposed legislation, such as the scope of Reportable Crypto-Assets.

What now?

Interested parties are invited by the European Commission to provide feedback on the proposed text until 7 February 2023. Please feel free to reach out to us if you have any questions or concerns on DAC8 about what these changes may mean for your business as either a Reporting Crypto-Asset Service Provider or as a Reportable User or if you wish to provide input on the legislation.

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.