From 1 January 2026, providers of cryptoasset services in the UK will legally need to collect detailed information about their users and their transactions, under new rules aligned with the OECD’s Cryptoasset Reporting Framework (CARF).
What Information Must Be Collected
The rules specify that crypto firms must gather data for both individual and entity users. For individuals, this includes name, date of birth, home address, country of residence, and for UK residents, their National Insurance number or Unique Taxpayer Reference. For non-UK individuals, a tax identification number (TIN) and issuing country are required.
If the user is a company, trust, charity or other entity, the provider must collect its legal name, main address, registration number (if UK), or TIN and country of issue (if non-UK). In many cases, data about “controlling persons” must also be collected.
For every transaction, the platform must record the value, the cryptoasset type, the transaction type (e.g. transfer, disposal), and the number of units involved.
Timing, Verification & Penalties
The obligation to collect begins on 1 January 2026, though firms are encouraged to prepare earlier. The guidance requires that the collected data be verified via due diligence. Inaccurate, incomplete or unverified reports may incur penalties, up to £300 per user.
Subsequent to collection, some of the data must be reported annually to HMRC. The first report, covering calendar year 2026, is due by 31 May 2027.
International Exchange & Purpose
The CARF rules require that information on UK user transactions may also be exchanged with other jurisdictions participating in the framework. The aim is to strengthen tax transparency, reduce evasion, and align the UK with global standards for crypto tax reporting.
