Who reports on who and what?
The definition of Reporting Crypto-Asset Service Provider covers crypto-asset service providers as defined in the Regulation on Markets in Crypto-Assets (MiCA) as well as crypto-asset operators that do not fall under the scope of MiCA, but that provide services that are included in the scope of MiCA. The purpose of MiCA is to introduce harmonized conditions in the EU that deal with, among other things, the issuance of, acting as (transaction) the intermediary in and the dealing of crypto-assets. We note that a proposal for MiCA was adopted on 24 September 2020, but that the legislative procedure is still ongoing, with an amended text only agreed on 5 October 2022 by the European Council.
A Reporting Crypto-Asset Service Provider in the scope of DAC8 is any legal person or undertaking whose occupation or business is the provision of one or more crypto-asset services in scope (e.g., exchanging fiat currency to crypto-assets) to third parties on a professional basis, and who is authorized in a member state to provide these crypto-asset services in accordance with MiCA.
One of the main differences between the EU's proposal and the OECD's CARF is that operators of crypto-asset services active in the EU must be regulated by MiCA to be in scope of DAC8. Like DAC7, DAC8 also contains a switch-off mechanism for Reporting Crypto-Asset Service Providers that have already declared reportable transactions in their non-EU jurisdiction, under the condition that the respective third-party jurisdiction is recognized and has implemented and enforces CARF (or equivalent) legislation.
The Reporting Crypto-Asset Service Provider must report on reportable individuals or entities that are their customer for the purposes of carrying out reportable transactions. These customers can be seen as the counterparty to the merchant and must be treated as crypto-asset users. These reportable individuals as defined by DAC8 as crypto-asset users, resident in a member state, that are not excluded ("Reportable Users"). Excluded persons are the following:
- Stock-listed entities and entities of that group (related entities)
- Governmental entities
- International organizations
- Central banks
- Financial institutions other than investment entities, broadly meaning entities that invest on behalf of their customers: e.g., trade in money market instruments, engage in individual or collective portfolio management or otherwise invest or administer financial assets for their customers
The general understanding of what constitutes as crypto-assets is very broad and includes those crypto-assets that have been issued in a decentralized manner, as well as stablecoins, and certain non-fungible tokens (NFTs). Crypto-assets that are used for payment or investment purposes would be reportable under DAC8. Therefore, Reporting Crypto-Asset Service Providers should consider on a case-by-case basis whether crypto-assets can be used for payment and investment purposes, taking into account the exemptions provided in MiCA, particularly in relation to a limited network and certain utility tokens.
In general, also in light of the OECD's guidance on CARF, it seems that if a crypto-asset is tradeable on an exchange, including NFTs, it can be considered to be used for payment or investment purposes. To summarize, this means that under DAC8, Central Bank Digital Currencies (CBDCs), E-money and Crypto-Assets that the Reporting Crypto-Asset Service Provider has adequately determined that it cannot be used for payment or investment purposes, are non-reportable crypto-assets. By default, all other Crypto-Assets are Reportable Crypto-Assets. In this sense, we note that the OECD already acknowledged that additional guidance will be needed to assist the Reporting Crypto-Asset Service Provider in making such a determination. More clarity on this needs to be provided by the OECD for the CARF, and by proxy DAC8, for the legislation to be adhered to properly by Reporting Crypto-Asset Service Providers.
Once the Reporting Crypto-Asset Service Providers and Reportable Crypto-Assets are identified, we will set out the three steps Reporting Crypto-Asset Service Providers will have to take to comply with the DAC8 proposal.
Step 1: Due diligence procedures
As a first step, the rules provide for an obligation on the Reporting Crypto-Asset Service Provider to collect and verify the information in line with due diligence procedures laid down by the DAC8 proposal. The due diligence procedures require that natural persons (also called individuals) and legal entity crypto-asset users are identified as Reportable Users. Reporting Crypto-Assets Service Providers must fulfil a different set of due diligence procedures for natural persons than for legal entities. For example, for legal entities, the controlling persons may also have to be identified in certain cases. In any case, the member state of a tax residency has to be identified along with the legal address and (legal) name.
Step 2: Reporting to the competent authority by the reporting Crypto-Asset Service Provider
As a second step, the Reporting Crypto-Asset Service Providers must submit the required information on the Reportable Users to the relevant competent authority. The Reporting Crypto-Asset Service Provider must inform each individual concerned, that information relating to this individual will be collected and reported to the competent authorities as required under the proposed directive (i.e., DAC8), in line with the GDPR (General Data Protection Regulation). We recommend that the relevant parties to inform their customers as soon as DAC8 becomes effective. This can be done by, e.g., indicating a change in the Terms of Service related to the exchange of personal information. The Reporting Crypto-Asset Service Provider must also provide all information that the data controllers are required to provide under the GDPR.
Step 3: Automatic exchange of information between competent authorities
The third step concerns the exchange of information from the reported information by the respective member state's competent authority that is receiving the information from the Reporting Crypto-Asset Service Provider, to the competent authority of another relevant member state where the Reportable User is tax resident. Reportable transactions are exchange transactions and transfers of Reportable Crypto-Assets. Both domestic and cross-border transactions are in the scope of the proposal and are aggregated by type of Reportable Crypto-Assets. The EU does not deviate from CARF in this respect.
The following information of Reportable Users will be exchanged:
- Legal name
- Legal address
- Member state of residency
- TIN (if applicable)
- Place of birth (in case of an individual)
This same information concerning the Reporting Crypto-Asset Service Provider will also be exchanged, as well as the individual identification number and global legal entity identifier, a code that provides unique identification information on legal entities that participate in financial transactions globally.
For each Reportable Crypto-Asset, information will be exchanged if any reportable transaction during the relevant reporting period occurs. This reported information consists of the following:
- The full name of the type of asset.
- Gross amount paid and received.
- The fair market value.
- The number of units of the transactions.
Reports are to be filed on an aggregated basis. The scope of the information listed is also in line with the OECD's CARF.
We note that it is a concern that the OECD may underestimate the burden on competent authorities receiving all the data required by the CARF. Some jurisdictions, also within the EU, may still be trying to catch up with conventional AML/KYC or CRS reporting. Therefore, it remains to be seen how EU authorities will utilize the information collected and exchanged under DAC8. This may also raise legitimate concerns about the security and sensitivity of information reported and exchanged under DAC8. A system with a very high level of cyber security will be required by the competent authorities of all EU member states to safeguard the data they collect, exchange and store.
To keep in mind
The European Commission has made it clear in the directive that there will be penalties applicable to infringements of national provisions adopted pursuant to DAC8. The directive lays down a few ground rules that the member states should commit to, when laying down their own rules. For example, in case of non-compliance with national provisions adopted to comply with DAC8, the minimum pecuniary penalty shall be not less than EUR 50,000 (scaled on the annual turnover of the relevant taxpayer, for example this minimum penalty increases to EUR 150,000 when revenue exceeds EUR 6 million).
Member states must adopt and publish their laws, regulations and administrative provisions necessary to comply with this DAC8 by 31 December 2025 at the latest. This means that DAC8 will be effective from 1 January 2026.
CARF Implementation Package
Finally, in addition to CARF, the blueprint for DAC8, it is worth mentioning that the OECD is still working on an implementation package to ensure the consistent domestic and international application of the CARF and by proxy, DAC8. This "Implementation Package" will form and integral part of the CARF and consists of the following:
- A framework of bilateral/multilateral competent authorities to facilitate the information exchange between participating jurisdictions.
- IT-solutions to support the exchange of information.
- Further guidance to ensure the effective implementation of the CARF by Reporting Crypto-Asset Service Providers and participating jurisdictions.
We note that with similar legislative packages such as FATCA and CRS, a period of six years passed before implementation was effective. Reporting Crypto-Asset Service Providers should, in our view, be given the same amount of time to effectively implement DAC8, especially given the unclarity about certain pieces of the proposed legislation, such as the scope of Reportable Crypto-Assets.
Interested parties are invited by the European Commission to provide feedback on the proposed text until 7 February 2023. Please feel free to reach out to us if you have any questions or concerns on DAC8 about what these changes may mean for your business as either a Reporting Crypto-Asset Service Provider or as a Reportable User or if you wish to provide input on the legislation.