We do not exit when complexity enters. We stand by our clients through every regulatory shift, audit, and challenge. Unwavering support is the foundation of our firm.
We use cookies to ensure our website functions properly and to understand how you interact with our site. Privacy Policy
From 1 January 2026, UK reporting cryptoasset service providers must run due diligence on every user under the Cryptoasset Reporting Framework. The first report is due by 31 May 2027. For a family office holding crypto through trusts, FICs, or holding companies, the look-through to controlling persons is the exposure.
The market read of the Cryptoasset Reporting Framework is that exchanges now report transactions to tax authorities. That is true and it is the least consequential part of the regime for a family office. The Common Reporting Standard has reported bank accounts since 2016, and the sophisticated holder learned long ago that an account in a CRS jurisdiction is visible. Crypto sat outside that net because a self-custodied wallet or an account at a non-reporting platform was not a financial account under CRS. CARF closes that gap, and it closes it the same way CRS did: not by reporting the asset, but by reporting the person identified as its beneficial holder.
For a family office, that is the entire point. The question is not whether the exchange reports a Bitcoin balance. It is who the exchange names when it reports. Where the crypto is held personally, the answer is the individual. Where it is held through a trust, a family investment company, or a holding company, CARF applies the Common Reporting Standard look-through: the entity is examined, and if it is a passive entity, the controlling persons behind it (the settlor, the beneficiaries, the trustees, the owners, the senior managing officials) are identified and reported as reportable persons. The structure that was built to hold the asset becomes the thing that names the family.
The UK brought this into force on 1 January 2026 through the Reporting Cryptoasset Service Providers (Due Diligence and Reporting Requirements) Regulations 2025 (SI 2025/744). UK reporting cryptoasset service providers began collecting and verifying user data from that date, and the first report, covering calendar year 2026, is due to HMRC by 31 May 2027. From 2027 the UK exchanges that data with partner jurisdictions. The UAE has signed the same framework, with go-live scheduled for 2027 and first exchanges in 2028. The corridor cohort that moved crypto wealth alongside the rest of the balance sheet is now inside a network that did not exist when the structures were built.
This article walks the statutory frame in SI 2025/744 and the OECD model rules, who is a reporting cryptoasset service provider, what is reported and on whom, the controlling-persons look-through that is the family-office exposure, the due-diligence and self-certification mechanics, the penalties, the five recurring family-office traps, and the sequencing with the UAE CARF and CRS 2.0 rollout and the wider corridor transparency architecture.
The framework sits at two layers: the OECD international standard and the UK implementing instrument.
The OECD standard. On 8 June 2023 the OECD published "International Standards for Automatic Exchange of Information in Tax Matters: Crypto-Asset Reporting Framework and 2023 update to the Common Reporting Standard". The CARF and the 2023 CRS amendments were designed as a complementary package: CARF brings crypto-assets into automatic exchange, and the CRS amendments (often called CRS 2.0) extend the existing financial-account standard to electronic money and central bank digital currencies and tighten the controlling-persons and account-type requirements. The policy logic, stated in the UK implementation note, is that CRS allowed tax authorities to exchange information on financial accounts, and CARF prevents taxpayers from defeating CRS by moving money into crypto.
The UK instrument. The UK implemented CARF through the Reporting Cryptoasset Service Providers (Due Diligence and Reporting Requirements) Regulations 2025 (SI 2025/744), laid before the House of Commons on 25 June 2025 and made under the powers in section 136 Finance Act 2002 and section 349(2) Finance (No. 2) Act 2023. The regulations do not amend or replace existing legislation; CARF is a new freestanding measure. The operative date is 1 January 2026.
The timeline is precise and the dates matter.
The operational consequence for the family office is that the data is already being collected. A family office that opened or maintained an account with a UK RCASP during 2026 has had its user and transaction data captured from 1 January 2026, whether or not it engaged with the regime. The first report in 2027 is not the start of the exposure; it is the moment the collected data leaves the provider for HMRC. The planning window for getting the structure and the self-certifications right closed, in substance, at the start of 2026.
HMRC's operational guidance sits in the International Exchange of Information Manual (IEIM8000000 onwards) and the Cryptoassets Manual (CRYPTO49000 onwards), supported by the published guidance on collecting and reporting cryptoasset user and transaction data. The manual is the operational anchor for the due-diligence, reportable-information, and penalty detail walked below.
The reporting obligation attaches to the reporting cryptoasset service provider, not to the holder. Understanding who is an RCASP determines which of a family office's crypto positions are reported and by whom.
An RCASP is, in broad terms, an entity or individual that provides a service effectuating exchange transactions in cryptoassets for or on behalf of customers, including as a counterparty, an intermediary, or by making available a trading platform. The UK implementation note estimates approximately 50 RCASPs currently in scope. The category captures:
The nexus rules determine which jurisdiction's RCASP reports. A UK RCASP reports to HMRC. Where a provider has a presence in more than one jurisdiction, the CARF nexus rules allocate the reporting obligation, and the HMRC guidance addresses dual-nexus cases where a UK RCASP retains the UK reporting obligation in relation to UK cryptoasset users. The practical point for a family office is that the reporting follows the provider's nexus, not the family's residence: a family office in the UAE that uses a UK-established or UK-nexus platform is reported through that platform's UK obligation, and a UK family office using a non-UK CARF-jurisdiction platform is reported through that jurisdiction and exchanged to the UK.
What is not an RCASP matters as much. A genuinely self-custodied wallet, with no service provider effectuating transactions, is not itself an RCASP and is not within the direct reporting net. This is not a planning route. The moment the self-custodied holder transacts through an exchange, a broker, or a custodial service, that provider is an RCASP and the transaction enters the reporting framework. CARF is built so that the points at which crypto touches the regulated financial system (the on-ramps and off-ramps) are reporting points. Sustained self-custody isolation is incompatible with the liquidity and banking realities of a family office that needs to move value in and out of fiat.
The reportable information is specified in the HMRC guidance (IEIM8000515) and tracks the CRS data model, adapted for crypto.
For individual reportable users, the RCASP reports name, address, jurisdiction(s) of tax residence, taxpayer identification number(s) for each jurisdiction of residence, and date of birth. A user resident in more than one jurisdiction is reported to each.
For entity reportable users, the RCASP reports name, address, and jurisdiction(s) of tax residence with TIN(s).
For controlling persons of passive entities, in addition to the entity-level information, the RCASP reports the controlling person's identifying information and the role by which the individual is a controlling person (for example, owner, settlor, trustee, beneficiary, or senior managing official). This is the look-through that the next section develops.
The transaction data. The RCASP reports, for each reportable user, the aggregate value and number of transactions across reportable transaction types for the calendar year. Reportable transactions include exchange transactions between cryptoassets and fiat, exchange transactions between different cryptoassets, transfers of cryptoassets, and reportable retail payment transactions (payments for goods or services) where the transaction exceeds USD 50,000. Values are reported by reference to the framework's valuation rules in the HMRC guidance (IEIM8000590 onwards), which set out how to value transfers and retail payment transactions.
The data set is granular. It is not a year-end balance; it is the user's identity, tax-residence profile, and transactional activity across the year, reported to HMRC and, for non-UK users, exchanged to their jurisdiction of residence. For a family office, that means the activity in a structure's crypto account is visible to the tax authority of every jurisdiction in which a reportable controlling person is resident, not only to the authority of the entity's jurisdiction.
The single most consequential feature of CARF for a family office is that it imports the Common Reporting Standard treatment of passive entities and their controlling persons. This is the mechanism by which a structure does not shield the family from reporting; it determines who is named in the report.
The analysis runs in three steps.
Step 1: classify the entity. Where a crypto account is held by an entity (a trust, a family investment company, a holding company, a foundation), the RCASP must determine whether the entity is an active or a passive non-financial entity. An entity whose income is predominantly passive (investment income, including the holding of cryptoassets for investment) is a passive entity. Most family-office holding vehicles, FICs, and investment-holding trusts are passive entities for this purpose.
Step 2: identify the controlling persons. For a passive entity, the RCASP must identify the controlling persons, applying the anti-money-laundering and CRS definitions. For a company, the controlling persons are the beneficial owners exercising control through ownership or other means, and, where no such person is identified, the senior managing official. For a trust, the controlling persons are the settlor, the trustees, the protector (if any), the beneficiaries or class of beneficiaries, and any other natural person exercising ultimate effective control. For a foundation, an equivalent set applies.
Step 3: report the reportable controlling persons. Each controlling person who is resident in a reportable jurisdiction (or, for UK domestic reporting, in the UK) is a reportable person. The RCASP reports the entity and, separately, each reportable controlling person with the role by which they control. A trust holding crypto with a UK-resident settlor, UAE-resident beneficiaries, and a Channel Islands trustee produces a report that names the settlor to the UK, the beneficiaries to the UAE (once the UAE is exchanging), and the structure itself.
The consequence is that the family-office structure is transparent to the look-through, exactly as it is under CRS for bank accounts. A family that holds crypto through a passive holding company does not reduce the reporting; it adds an entity layer that is itself reported and then looks through to the same individuals. The structures that legitimately serve succession, governance, and asset-protection objectives continue to serve those objectives, but they do not provide reporting opacity for the crypto they hold. Any expectation that interposing an entity removes the crypto from the individual's reporting profile is misconceived: the look-through is the design.
For corridor families the cross-jurisdictional dimension compounds this. A controlling person who is a long-term UK resident is reported to the UK under domestic reporting. A controlling person who has become UAE-resident is reported to the UAE once the UAE is exchanging from 2028. A controlling person resident in a third CARF jurisdiction is reported there. A single structure with controlling persons across the corridor generates reports into multiple tax authorities, each seeing the role and the activity attributable to its resident.
CARF places the verification burden on the RCASP and a corresponding disclosure obligation on the user.
The RCASP's due diligence. From 1 January 2026 the RCASP must apply due-diligence procedures to establish each user's identity and tax-residence profile. For individuals this means collecting the reportable identifying information and a self-certification of tax residence. For entities it means classifying the entity (active or passive) and, for passive entities, identifying and obtaining self-certifications for the controlling persons. The due-diligence procedures track the CRS model, with reliance on self-certifications confirmed against the information the RCASP holds (including AML/KYC records), and with reasonableness checks where the self-certification is inconsistent with other data.
The user's self-certification. The user is required to provide the relevant information when requested by the RCASP. For an entity account, this includes the entity's classification and the controlling-persons information. A self-certification that is false exposes the user to a penalty: the UK implementation note is explicit that an individual who provides a false self-certification to a provider may face a penalty, treated as fraudulent or negligent behaviour. The self-certification is the point at which the family office's representation of its own structure becomes a documented, penalty-backed statement to a reporting entity.
The accuracy problem for legacy structures. The due-diligence and self-certification mechanics surface a specific problem for structures built before CARF. A holding company or trust whose controlling-persons analysis was never formally documented, or whose self-certifications to banks were completed inconsistently across providers, now faces a fresh self-certification to every RCASP it transacts through, on a penalty-backed basis, with the controlling-persons analysis exposed to HMRC's receipt of the report. Inconsistency between what a structure told its bank under CRS and what it tells its crypto provider under CARF is visible to the same tax authority. The architectural requirement is a single, accurate, and consistent controlling-persons analysis used across every CRS and CARF self-certification the structure makes.
The CARF penalties operate on two sides: the provider and the user.
The provider penalty. An RCASP that fails to comply with the due-diligence and reporting obligations faces a penalty of up to £300 per reportable user or reportable person (HMRC guidance IEIM8000620). The penalty is per user, so a provider with a large reportable population faces an aggregated exposure that drives the compliance investment the UK implementation note anticipates (new IT infrastructure, onboarding procedures, and annual submission processes). Registration with HMRC is mandatory for RCASPs.
The user penalty. A user who provides a false or misleading self-certification faces a penalty. This is the user-side exposure that matters for the family office: the self-certification of the entity classification and the controlling-persons information is a representation on which the provider relies and which HMRC receives in the report. A self-certification that misstates the controlling persons, the tax residences, or the entity classification is the kind of fraudulent or negligent behaviour the regime penalises.
The penalty quantum is not the principal risk for a family office. The £300-per-user provider penalty is a provider-side compliance cost, and the user-side penalty for a false self-certification is itself secondary to the substantive consequence: the report reaches HMRC and the relevant foreign tax authorities regardless, and any inconsistency between the CARF report, the CRS reports, the self-assessment returns, and the structure's documented controlling-persons analysis becomes a discrepancy that the receiving tax authority can act on. The risk CARF creates for the family office is visibility and reconciliation, not the penalty line.
Five patterns recur in family-office crypto files as the 1 January 2026 commencement beds in and the 31 May 2027 first report approaches.
Trap 1: assuming a structure removes the crypto from reporting. The most common error is to treat a holding company, FIC, or trust as a shield. CARF applies the CRS controlling-persons look-through: a passive entity is reported, and the controlling persons behind it are identified and reported as reportable persons. Interposing an entity adds a reported layer; it does not remove the individuals. The architectural answer is to hold crypto through structures for their genuine succession, governance, and protection purposes, and to accept that the reporting profile of the controlling persons is unchanged by the wrapper.
Trap 2: inconsistent self-certifications across providers. A family office that has completed CRS self-certifications to banks, and now completes CARF self-certifications to crypto providers, frequently does so through different advisers and different templates, producing inconsistent controlling-persons and tax-residence representations. HMRC receives both the CRS and the CARF reports. Inconsistency between them is a visible discrepancy. The architectural answer is a single master controlling-persons analysis, maintained centrally, that drives every self-certification the structure makes under both regimes.
Trap 3: treating self-custody as a planning route. The fact that a self-custodied wallet is not itself an RCASP leads some families to assume that holding crypto in self-custody removes it from CARF. It does not remove the exposure; it defers the reporting point to the moment the holder transacts through an RCASP, which is the on-ramp and off-ramp every family office needs to convert value to and from fiat. A position that can never be moved into the banking system without entering CARF is not a planning structure. Self-custody changes the timing of the reporting touchpoint, not the existence of it.
Trap 4: ignoring the corridor multiplicity of reporting. A structure with controlling persons resident in more than one jurisdiction generates reports into each. A corridor family with a UK-resident settlor, UAE-resident beneficiaries, and a third-jurisdiction trustee does not produce a single report to a single authority; it produces reports that reach the UK (domestic reporting), the UAE (from 2028), and any other CARF jurisdiction of residence. Planning that models CARF as a single-authority exposure understates it. The architectural answer is to map every controlling person to their jurisdiction of residence and to the reporting that residence triggers.
Trap 5: leaving the tax position behind the reporting unreconciled. CARF reports activity; it does not assess tax. The substantive risk is that the reported activity is inconsistent with the controlling persons' self-assessment returns. A UK-resident controlling person whose CARF-reported crypto disposals do not reconcile to the capital gains reported on the UK self-assessment return is the precise discrepancy CARF is designed to surface. The architectural answer is to ensure that the tax reporting of crypto gains and income, for every controlling person, reconciles to the activity that the RCASP will report, before the first report reaches HMRC in 2027.
The common feature of the five traps is the assumption that CARF is a provider-side compliance event rather than a transparency event that names the family. Treated as a provider-side event, the family office does nothing and waits for the report. Treated as a transparency event, the family office reconciles its structure, its self-certifications, and its tax filings to the report before the report is made.
CARF does not operate in isolation. It is one layer of an automatic-exchange architecture that now spans financial accounts, crypto, and (under CRS 2.0) electronic money and central bank digital currencies, across the corridor and beyond.
UAE CARF implementation. The UAE Ministry of Finance signed the Multilateral Competent Authority Agreement on the Automatic Exchange of Information under the Crypto-Asset Reporting Framework. UAE CARF implementation is scheduled to go live in 2027, with the first exchanges of information expected in 2028. A UAE-resident family office is therefore inside the CARF network on two fronts: as a holder reported by UK or other CARF-jurisdiction providers it transacts through, and, from 2027/2028, through UAE RCASPs reporting to the UAE Federal Tax Authority for onward exchange. The UAE position is not outside the framework; it is on a slightly later timetable than the UK.
CRS 2.0. The UAE has committed to implement the updated Common Reporting Standard (CRS 2.0) effective 1 January 2027, with the first exchange of information under CRS 2.0 to begin in 2028. CRS 2.0 extends the financial-account standard to electronic money products and central bank digital currencies and tightens the controlling-persons and account-classification requirements. The combined effect is that the gap CARF was designed to close (crypto outside CRS) is closed from both directions: CARF captures crypto-assets, and CRS 2.0 captures the electronic-money and CBDC instruments at the edge of the definition. A family office cannot move value between the crypto net and the financial-account net to escape reporting, because both nets now report.
The corridor transparency stack. For a corridor family the automatic-exchange architecture now has several layers operating together. CRS reports financial accounts. CARF reports crypto. CRS 2.0 extends both. The UAE exchange-of-information framework under Cabinet Decision No. 209 of 2025 (in force 30 January 2026) operates on the UAE side for exchange of information on request, sitting alongside the automatic-exchange regimes. The result is that the controlling persons of a corridor structure are visible to their respective tax authorities across financial accounts, crypto, and electronic money, with the only material variable being the timing of each jurisdiction's first exchange.
The governance-architecture point. CARF for the family office is, in substance, the same governance problem that the UK Senior Accounting Officer regime is for the corporate group and that the long-term resident IHT framework is for the estate: a documented, consistent, reconciled position that survives the receiving authority's scrutiny. The family office that maintains a single controlling-persons analysis, consistent self-certifications across CRS and CARF, and crypto tax filings that reconcile to the reportable activity has built the governance substrate that the transparency architecture demands. The family office that treats each provider's self-certification as a one-off form, completed differently each time, has built the discrepancies that the architecture is designed to find.
The UK Cryptoasset Reporting Framework takes effect on 1 January 2026, the date from which UK reporting cryptoasset service providers must collect and verify user and transaction data. It is implemented by the Reporting Cryptoasset Service Providers (Due Diligence and Reporting Requirements) Regulations 2025 (SI 2025/744), laid before Parliament on 25 June 2025 under section 136 Finance Act 2002 and section 349(2) Finance (No. 2) Act 2023. The first report covers calendar year 2026 and is due to HMRC between 1 January 2027 and 31 May 2027. The UK exchanges reportable data on non-UK users with partner jurisdictions from 2027.
No. CARF applies the Common Reporting Standard look-through to passive entities. Where crypto is held through a passive entity (a trust, a family investment company, or a holding company), the reporting cryptoasset service provider must identify and report the controlling persons (settlor, beneficiaries, trustees, owners, senior managing officials) as reportable persons, in addition to reporting the entity. The structure is reported, and the look-through names the individuals behind it. Interposing an entity adds a reported layer rather than removing the individuals from the report.
For individual reportable users, the RCASP reports name, address, jurisdiction(s) of tax residence, taxpayer identification number(s), and date of birth. For entity reportable users, it reports name, address, and jurisdiction(s) of tax residence with TIN(s). For controlling persons of passive entities, it reports the controlling person's identifying information and the role by which they control. The transaction data reported is the aggregate value and number of reportable transactions for the calendar year, covering exchanges between crypto and fiat, exchanges between cryptoassets, transfers, and reportable retail payment transactions exceeding USD 50,000.
Yes, on two fronts. A UAE-resident family office that transacts through a UK or other CARF-jurisdiction provider is reported by that provider and, where a controlling person is UAE-resident, exchanged to the UAE once the UAE begins exchanging. Separately, the UAE has signed the CARF Multilateral Competent Authority Agreement, with implementation scheduled to go live in 2027 and first exchanges in 2028, so UAE RCASPs will report to the UAE Federal Tax Authority for onward exchange. The UAE is inside the CARF network on a slightly later timetable than the UK, not outside it.
CARF is the crypto-asset reporting framework; CRS 2.0 is the updated Common Reporting Standard for financial accounts. The OECD published both together on 8 June 2023 as a complementary package. CARF brings crypto-assets into automatic exchange. CRS 2.0 extends the financial-account standard to electronic money products and central bank digital currencies and tightens the controlling-persons and account-classification requirements. Together they close the gap that allowed crypto to sit outside CRS: CARF captures crypto-assets, and CRS 2.0 captures the electronic-money and CBDC instruments at the edge. The UAE has committed to CRS 2.0 effective 1 January 2027 with first exchange in 2028.
A reporting cryptoasset service provider that fails to comply with the due-diligence and reporting obligations faces a penalty of up to £300 per reportable user or reportable person, alongside mandatory registration with HMRC. A user who provides a false self-certification to a provider faces a penalty, treated as fraudulent or negligent behaviour. The principal risk for a family office is not the penalty quantum but the substantive consequence: the report reaches HMRC and the relevant foreign tax authorities, and any inconsistency between the CARF report, the CRS reports, and the controlling persons' tax returns becomes a discrepancy the receiving authority can act on.
A genuinely self-custodied wallet, with no service provider effectuating transactions, is not itself a reporting cryptoasset service provider and is not within the direct reporting net. This is not a planning route. The reporting point is deferred to the moment the holder transacts through an exchange, broker, or custodial service, which is the on-ramp and off-ramp every family office needs to move value to and from fiat. Self-custody changes the timing of the reporting touchpoint; it does not remove the exposure, and a position that can never enter the banking system without triggering CARF is not a usable structure.
Reconcile three things to the activity the provider will report. First, maintain a single, accurate controlling-persons analysis for every structure that holds crypto, used consistently across all CRS and CARF self-certifications. Second, ensure the self-certifications given to crypto providers are consistent with those given to banks, because HMRC receives both. Third, ensure the crypto tax filings (capital gains and income) of every controlling person reconcile to the reportable activity before the first report reaches HMRC. The data is collected from 1 January 2026 and reported by 31 May 2027; the reconciliation should be completed before the report is made, not after the enquiry.
CARF does not report a crypto balance. It reports the people the framework identifies as standing behind it, and for a family office holding crypto through a structure, the look-through names the family regardless of the wrapper. The structure that was built to hold the asset is now the thing that reports it.
Since 1 September 2025, a large organisation is criminally liable under section 199 ECCTA 2023 where an associated person commits a fraud intended to benefit it. The only defence is reasonable fraud prevention procedures. For a UK-UAE-Ireland corridor group, the UK nexus reaches conduct abroad.
Read AnalysisThe UK Senior Accounting Officer regime under Schedule 46 Finance Act 2009 applies to UK-incorporated companies whose turnover exceeds £200 million or whose balance sheet exceeds £2 billion, aggregated across the UK 51% group. The duty is not a certificate. It is the architecture of tax accounting controls.
Read Analysis