On July 30, 2025 the OECD released an updated set of FAQs for its Crypto-Asset Reporting Framework (CARF), providing critical clarifications on previously ambiguous areas. From DeFi and NFTs to M&A scenarios and cross-regime alignment, these updates significantly enhance regulatory certainty for crypto platforms operating in a rapidly evolving global compliance landscape.
Below, we break down the key developments, their implications for service providers, and what issues remain unresolved.
1. DeFi Is Not Exempt: COSI Test Clarified
As clarified in FAQ Section IV(1), contrary to the assumption that non-custodial status exempts an entity from CARF obligations, the OECD – in line with previous efforts by the Financial Action Task Force (FATF) – has introduced a “Control or Sufficient Influence” (COSI) test with respect to whether a decentralized platform will fall in or out of scope for reporting. Specifically, the FAQs clarify that if a platform operator exerts control or sufficient influence over a protocol—regardless of custody—they may still be classified as a Reporting Crypto-Asset Service Provider (RCASP). Examples of COSI, developed under existing AML-regimes include, among others, holding administrative or upgrade keys, participating in DAO governance, managing frontend interfaces, programming smart contracts, operating automated market makers (AMMs), or promoting or maintaining a protocol.
The FAQs also clarify that, until further guidance is issued, participating jurisdictions may defer enforcement of this COSI test in the context of DeFi. Overall, the regulatory direction is now much clearer: decentralized architecture alone does not place a platform beyond CARF’s scope.
Key takeaway: DeFi platforms may be subject to reporting obligations depending on their operational role, and short-term enforcement will vary across jurisdictions.
2. NFTs: Clearer Carve-Out Criteria Introduced
The OECD has published a four-part test, as detailed in FAQ Section IV(5) to determine when non-fungible tokens (NFTs) fall outside CARF reporting obligations.
An NFT is excluded if it:
- Does not represent financial or fungible assets
- Is not marketed or regulated as an investment product
- Is not classified as a virtual asset under FATF anti-money laundering definitions
- Has, based on reasonable knowledge at the time of reporting:
- A low value (e.g., below USD 200)
- No meaningful trading volume
It is important to note that local domestic implementations of CARF will need to be analyzed for variances in thresholds.
Key takeaway: Platforms now have clearer criteria to distinguish between utility NFTs and investment-grade digital assets, with the $200 benchmark suggesting emerging consensus.
3. Entity Due Diligence in M&A Scenarios
In FAQ Section III(2), the OECD has confirmed that RCASPs involved in a merger or acquisition may rely on the acquired entity’s existing due diligence and associated data —both for individual and entity Crypto-Asset Users and their Controlling Persons—unless there is reason to believe the data is inaccurate or circumstances have changed. Given the M&A activity happening in the space right now, driven primarily by consolidation in the markets following stricter licensing regimes, this brings much-needed relief to entities undergoing mergers, acquisitions, or large-scale platform transitions going forward.
Key takeaway: This clarification simplifies compliance in business consolidations, reducing duplication in onboarding and enabling faster transitions.
4. CRS and CARF Classification Alignment
Entities already classified as Financial Institutions under the Common Reporting Standard (CRS)—with the exception of certain investment entities—can now also be treated as Excluded Persons under CARF (FAQ Section IV(4)). This harmonization helps avoid redundant classifications and streamlines compliance processes. While the clarifications are helpful, many questions and topics remain open and unaddressed. A particularly relevant topic is the application of CRS and CARF to tokenized financial instruments, as well as how to handle ‘true’ stablecoins (or “Specified Electronic Money Products” as they are called under the OECD rules).
Key takeaway: Harmonization across CRS and CARF is developing, reducing operational friction and enabling cleaner entity mapping during onboarding and reporting. However, there are still a lot of open questions to be answered
5. Extraterritoriality in Practice: CARF and DAC8 May Reach Beyond Borders
While CARF itself does not mandate any specific extraterritoriality, the EU’s DAC8 framework explicitly incorporates extraterritorial application and also many other countries, including – for example – Switzerland and Brazil, have chosen to follow a similar approach in their domestic CARF implementation. This means, CASPs may fall within scope not based on where they are incorporated, but based on where their users reside or where their infrastructure operates. Under DAC8, a CASP serving EU residents—even via reverse solicitation—must register in an EU member state, begin collecting customer data by January 1, 2026, and commence reporting in 2027. Under CARF, jurisdictions such as Switzerland and Brazil apply an economic nexus model, capturing entities that serve local users or operate from those territories.
This means that CASPs based in non-participating jurisdictions with second wave adopting jurisdictions —such as Singapore, the BVI, the UAE, or the US—may still be required to comply as early as 2026 if they serve users in CARFor DAC8-active jurisdictions. Duplicative reporting is avoided if the RCASP’s home jurisdiction has joined a CARF-aligned multilateral exchange agreement.
Key takeaway: Jurisdictional reach is defined by user geography, not entity domicile. Businesses must assess exposure to CARF and DAC8 based on their client base and operational footprint.
What Still Needs Clarification
While these updates bring important clarity, several issues remain under development. Jurisdictions will continue to release their own interpretations of the COSI test for DeFi, and domestic thresholds for NFT exclusions are still pending. Additionally, the industry awaits final guidance from FATF on responsibility attribution within DeFi protocols.
Looking Ahead: A Global Standard in Motion
The latest OECD FAQ updates, and local implementation of CARF rules, mark a critical step toward global digital asset tax transparency. Compliance is no longer an abstract policy concept—it is now a technical and operational mandate. With the first CARF deadlines quickly approaching, the timeline for readiness is rapidly narrowing. In our recently published CARF Compliance Guide, we discuss best practices in ensuring readiness for all compliance milestones.
How Taxbit Can Help
Taxbit provides end-to-end solutions to support CASPs in meeting global tax compliance standards, from transaction-level tracking to automated due diligence and jurisdiction-specific reporting. For platforms navigating these changes, investing in scalable infrastructure and expert guidance will be critical to meeting new regulatory demands.If your business is unsure how CARF or DAC8 applies, or how to operationalize the requirements, Taxbit is here to help. Contact us to begin preparing for the next era of global crypto compliance.
