§
How CRS Treats Crypto-Asset Exchanges and Custodians in 2025
The global regulatory landscape for digital assets has shifted dramatically in the past twelve months. According to the OECD’s 2025 progress report on Crypto-Asset Reporting Framework (CARF) implementation, over 60 jurisdictions have now committed to integrating crypto-asset reporting into their existing Common Reporting Standard (CRS) infrastructure. Hong Kong’s Inland Revenue Department confirmed in its March 2026 consultation paper that the first CARF reporting cycle will commence on January 1, 2027, covering the 2026 calendar year. For crypto exchanges and custodians operating across multiple jurisdictions, understanding how CRS now treats these entities is no longer optional—it is a fundamental compliance imperative.
The core question facing the industry is straightforward: how does a framework originally designed for traditional financial accounts apply to decentralized, pseudonymous assets? The answer lies in the deliberate expansion of CRS definitions, the introduction of CARF as a complementary standard, and the growing expectation that virtual asset service providers will report with the same rigor as conventional banks. This article examines the precise obligations facing crypto-asset exchanges and custodians in 2025, with particular attention to Hong Kong’s implementation timeline and the practical challenges of due diligence in a rapidly evolving asset class.
The OECD’s Expansion of CRS to Cover Crypto-Assets
The Common Reporting Standard (CRS) was never designed with digital assets in mind. When the OECD first published the standard in 2014, Bitcoin was still a niche experiment and the term “crypto-asset exchange” barely registered in policy circles. By 2023, however, the global market capitalization of crypto-assets had exceeded $1.2 trillion, forcing a fundamental rethink. The OECD responded with the Crypto-Asset Reporting Framework (CARF) , approved in August 2022 and updated with implementation guidance in January 2025.
CARF does not replace CRS. Instead, it operates as an integrated extension, applying the same automatic exchange of information principles to a new category of assets and intermediaries. The key structural change is the redefinition of Reporting Financial Institution to explicitly include crypto-asset exchanges, custodians, brokers, and certain wallet providers. Under the 2025 consolidated guidance, any entity that effectuates exchange transactions between crypto-assets and fiat currencies, between different forms of crypto-assets, or facilitates reportable retail payment transactions exceeding USD 50,000 in aggregate value now falls within scope.
For crypto custodians, the threshold is even lower. Any entity holding Custodial Crypto-Assets on behalf of users—defined as the private keys or equivalent means of control over the assets—must apply CRS-style due diligence procedures to identify account holders and reportable persons. The 2025 guidance clarifies that this includes centralized custodians, multi-signature wallet providers where the provider retains one key, and staking-as-a-service platforms where the provider exercises control over the underlying assets. Decentralized protocols without a central controlling entity remain outside the scope, though the OECD is actively studying this boundary.
CARF Hong Kong: Implementation Timeline and Regulatory Framework
Hong Kong has positioned itself as a first-mover in CARF adoption. The Inland Revenue (Amendment) (Crypto-Asset Reporting Framework) Ordinance 2025, gazetted in September 2025, formally integrates CARF into the existing CRS regime under the Inland Revenue Ordinance. This legislative move reflects Hong Kong’s broader strategy to align with international tax transparency standards while maintaining its status as a competitive digital asset hub.
The implementation timeline is aggressive. Reporting Crypto-Asset Service Providers must complete their first round of due diligence by June 30, 2026, covering the period from January 1, 2026. The first reporting deadline to the Inland Revenue Department is May 31, 2027, with the first automatic exchanges with partner jurisdictions scheduled for September 2027. Hong Kong has confirmed that it will exchange information under CARF with all jurisdictions that have signed the Multilateral Competent Authority Agreement on Automatic Exchange of Information on Crypto-Assets (MCAA-CA) , which as of April 2026 includes 48 signatories.
The Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC) have issued joint guidance on how CARF obligations intersect with existing licensing requirements. Licensed virtual asset trading platforms under the SFC’s regime are automatically classified as Reporting Crypto-Asset Service Providers. Unlicensed but regulated custodians and money service operators that touch crypto-assets must self-assess their CARF status and, if in scope, register with the Inland Revenue Department by March 31, 2026. Failure to register carries penalties of up to HKD 50,000 plus HKD 500 per day of non-compliance.
Crypto Exchange CRS: Classification and Reporting Obligations
For crypto exchanges, the most consequential question in 2025 is whether they are classified as a Reporting Financial Institution under CRS, a Reporting Crypto-Asset Service Provider under CARF, or both. The answer depends on the specific services offered and the jurisdictional interpretations of the expanded definitions.
A crypto exchange that offers fiat-to-crypto trading and maintains a custodial wallet for users is almost certainly a dual-reporting entity. Under CRS, the exchange is a Depository Institution because it accepts fiat deposits in the ordinary course of business. Under CARF, it is a Reporting Crypto-Asset Service Provider because it effectuates exchange transactions and holds custodial crypto-assets. The consequence is that the exchange must apply two overlapping but distinct due diligence frameworks to the same user base.
The due diligence requirements for crypto exchanges under CARF are modeled closely on CRS but adapted for the crypto context. Exchanges must collect self-certifications from users at onboarding, identifying their tax residency and Tax Identification Number (TIN). For individual users, the exchange must review documentation including government-issued identification, proof of address, and self-certification forms. For entity users, the exchange must identify the controlling persons and their tax residencies, applying the same 25% ownership threshold used in traditional CRS.
The reporting itself covers three categories of transactions. First, exchange transactions between crypto-assets and fiat currencies must be reported on an aggregate basis per user per calendar year. Second, transfers of crypto-assets between accounts at different service providers must be reported if the aggregate value exceeds USD 50,000. Third, retail payment transactions using crypto-assets for goods or services must be reported if the aggregate value exceeds USD 50,000 and the service provider processes payments on behalf of merchants.
Crypto Custodian CRS Obligations: Due Diligence and Account Identification
Crypto custodians face a distinct set of challenges under the expanded CRS and CARF framework. Unlike exchanges, which can anchor their due diligence to the fiat on-ramp and off-ramp, pure custodians may never touch fiat currency. The 2025 OECD guidance addresses this gap by requiring custodians to treat the custodial relationship itself as the triggering event for reporting obligations, regardless of whether fiat currency is involved.
A crypto custodian is defined as any entity that holds Custodial Crypto-Assets—meaning it has the ability to control, transfer, or otherwise dispose of the crypto-assets on behalf of the user. This definition captures centralized custodians like institutional-grade custody platforms, qualified custodians under US state law, and prime brokerage platforms that pool client assets. It also captures staking providers that hold the private keys to staked assets, even if the assets are technically locked in a smart contract.
The due diligence process for custodians mirrors the CRS approach for Custodial Accounts. The custodian must identify the Account Holder—the person or entity with the right to access the custodial assets—and determine whether that person is a Reportable Person in a partner jurisdiction. For pre-existing accounts as of January 1, 2026, custodians may apply the residence address test for accounts with an aggregate value below USD 250,000, relying on the address on file to determine tax residency. For accounts exceeding this threshold, or where the address test is inconclusive, the custodian must obtain a self-certification or conduct an electronic record search for indicia of foreign tax residency.
One area of particular complexity is non-custodial wallet integration. If a custodian provides a service where users retain their private keys but the custodian facilitates transactions through a multi-signature arrangement where it holds one key, the OECD guidance suggests this may still constitute a custodial relationship. The determining factor is whether the custodian can unilaterally prevent the user from transacting. If so, the custodian likely has sufficient control to trigger reporting obligations.
Digital Asset Reporting CRS: Reportable Transactions and Data Points
The scope of digital asset reporting under the combined CRS-CARF framework extends well beyond simple account balances. Reporting entities must capture and report granular transaction-level data that presents significant operational challenges for platforms not originally designed with tax reporting in mind.
Under CARF, the reportable data points for each Reportable User include: the user’s full name, address, jurisdiction of tax residence, Tax Identification Number (TIN) , and date of birth; the full name and identifying number of the Reporting Crypto-Asset Service Provider; and for each reportable transaction type, the aggregate fair market value and aggregate number of units transferred or exchanged during the calendar year. For exchange transactions, the reporting entity must also specify the type of transaction (crypto-to-fiat, crypto-to-crypto, or crypto-to-retail payment) and the fair market value denominated in the fiat currency of the reporting jurisdiction.
The valuation methodology is a critical operational concern. The 2025 OECD guidance requires reporting entities to use a consistent valuation method throughout the reporting period, with a preference for the market price at the time of the transaction sourced from a reputable exchange or data aggregator. For crypto-assets without a readily available market price—such as certain governance tokens or illiquid NFTs—the reporting entity may use the acquisition cost or book value, provided this is disclosed to the tax authority.
For crypto custodians that do not effectuate exchange transactions, the reporting obligation is narrower but still significant. They must report the aggregate fair market value of custodial assets held at the end of the calendar year, along with the aggregate value of transfers into and out of the custodial account during the year. This data allows tax authorities to cross-reference with exchange reports and identify potential discrepancies in user reporting.
Virtual Asset CRS: Cross-Border Coordination and Compliance Challenges
The international nature of virtual asset transactions creates unique compliance challenges that distinguish CARF from traditional CRS. A user in Hong Kong trading on an exchange incorporated in the British Virgin Islands, with servers in Singapore and banking relationships in Switzerland, triggers reporting obligations across multiple jurisdictions. The 2025 OECD coordination guidance attempts to address this through a hierarchy of reporting rules, but significant gaps remain.
The primary rule is that the jurisdiction of residence of the Reporting Crypto-Asset Service Provider takes precedence. If a crypto exchange is tax-resident in Hong Kong, it reports to the Hong Kong Inland Revenue Department, which then exchanges the information with the user’s jurisdiction of tax residence under the applicable Competent Authority Agreement. However, if the exchange has a permanent establishment in another jurisdiction that is involved in the relevant transactions, that jurisdiction may also assert reporting rights. The 2025 guidance provides a tiebreaker rule: the jurisdiction where the user relationship is primarily managed prevails.
For decentralized platforms and DeFi protocols, the compliance picture is even murkier. The OECD has explicitly stated that truly decentralized protocols without a central controlling entity are not Reporting Crypto-Asset Service Providers. However, the 2025 guidance introduces the concept of a Deemed Reporting Crypto-Asset Service Provider—an entity that exercises sufficient influence or control over a protocol to be treated as the operator. Factors include the ability to upgrade smart contracts, control over governance tokens, and the receipt of fees from protocol activity. This is an evolving area, and the OECD has committed to further guidance by December 2026.
The practical compliance burden on crypto exchanges and custodians is substantial. Platforms must implement real-time transaction monitoring to identify reportable events, integrate tax residency verification into the onboarding flow, and maintain audit-ready records for at least six years after the reporting period. For multi-jurisdictional platforms, the cost of building and maintaining this infrastructure is estimated by industry consultants at USD 2 million to USD 5 million for mid-sized exchanges, with ongoing annual compliance costs of USD 500,000 to USD 1 million.
Preparing for the 2026 Reporting Cycle: Practical Steps for Exchanges and Custodians
With the first CARF reporting cycle covering the 2026 calendar year, crypto-asset exchanges and custodians have limited time to achieve compliance readiness. The Hong Kong Inland Revenue Department’s March 2026 circular outlines a phased approach that other jurisdictions are likely to follow, and platforms that delay preparation risk significant penalties and reputational damage.
The first priority is entity classification. Every platform touching crypto-assets must determine whether it is a Reporting Financial Institution under CRS, a Reporting Crypto-Asset Service Provider under CARF, or both. This requires a detailed analysis of the services offered, the degree of control over user assets, and the jurisdictional rules of each country where the platform operates. Platforms should document this analysis thoroughly, as tax authorities will expect to see a reasoned basis for any determination that the entity is not in scope.
The second priority is due diligence integration. Platforms must update their Know Your Customer (KYC) processes to capture the additional data points required for CRS and CARF reporting, including Tax Identification Numbers for all jurisdictions of tax residence. For existing users, platforms must conduct pre-existing account reviews to identify indicia of foreign tax residency and, where necessary, obtain self-certifications. The residence address test provides a streamlined option for lower-value accounts, but platforms must ensure their address data is current and verified.
The third priority is transaction monitoring and reporting infrastructure. Platforms must be able to identify and aggregate reportable transactions in real time, apply consistent valuation methodologies, and generate reports in the format specified by the local tax authority. For Hong Kong platforms, this means the IRD’s CARF XML Schema, which was finalized in January 2026 and is aligned with the OECD’s standard schema. Platforms should engage external auditors to validate their reporting systems before the first filing deadline of May 31, 2027.
Finally, platforms must invest in staff training and governance. CARF compliance is not a one-time project but an ongoing obligation that requires dedicated personnel, regular updates to policies and procedures, and board-level oversight. The HKMA and SFC have signaled that they will review CARF compliance as part of their routine supervisory examinations, and platforms that cannot demonstrate a robust governance framework risk enforcement action.
FAQ
What is the threshold for reporting crypto-asset transactions under CARF in 2025?
Under the 2025 OECD CARF guidance, there is no de minimis threshold for exchange transactions (crypto-to-fiat and crypto-to-crypto)—all such transactions are reportable regardless of value. For retail payment transactions using crypto-assets for goods or services, the reporting threshold is USD 50,000 in aggregate value per user per calendar year. For transfers of crypto-assets between accounts at different service providers, the same USD 50,000 aggregate threshold applies. These thresholds are expected to be reviewed by the OECD in 2027 after the first full reporting cycle.
When does Hong Kong’s CARF reporting obligation officially begin?
Hong Kong’s CARF reporting obligation begins with the 2026 calendar year. Reporting Crypto-Asset Service Providers must complete due diligence on new accounts from January 1, 2026, and on pre-existing accounts by June 30, 2026. The first reports must be filed with the Inland Revenue Department by May 31, 2027, covering the full 2026 year. Hong Kong’s first automatic exchanges of CARF data with partner jurisdictions are scheduled for September 2027, covering 48 signatories to the MCAA-CA as of April 2026.
Are decentralized exchanges (DEXs) subject to CRS and CARF reporting?
As of 2025, truly decentralized exchanges without a central controlling entity are not classified as Reporting Crypto-Asset Service Providers under CARF. However, the OECD’s 2025 guidance introduces the concept of a Deemed Reporting Crypto-Asset Service Provider for entities that exercise sufficient influence or control over a protocol. Factors include the ability to upgrade smart contracts, control over governance tokens, and receipt of protocol fees. The OECD has committed to issuing further guidance on DeFi classification by December 2026, and this remains a rapidly evolving area of regulatory interpretation.
What penalties apply for non-compliance with CARF in Hong Kong?
Under Hong Kong’s Inland Revenue (Amendment) (Crypto-Asset Reporting Framework) Ordinance 2025, failure to register as a Reporting Crypto-Asset Service Provider by the March 31, 2026 deadline carries a penalty of HKD 50,000 plus HKD 500 per day of continuing non-compliance. Failure to file a CARF return by May 31, 2027 attracts a penalty of HKD 10,000 plus HKD 200 per day. Knowingly or recklessly providing false or misleading information in a CARF return is subject