Structure

The Privacy Edge, Part 1: Global Crypto Reporting and Self-Custody

19 February 2025 Steffen Feike

CARF extends the CRS reporting architecture to crypto-assets, requiring service providers to report transaction data to tax authorities. The question for custody decisions is what this means in practice — and what self-custody does and does not protect against.

The Privacy Edge, Part 1: Global Crypto Reporting and Self-Custody

The OECD’s Common Reporting Standard has been the backbone of automatic tax information exchange between jurisdictions since 2014. The Crypto-Asset Reporting Framework — CARF — extends the same architecture to crypto-assets, requiring Crypto-Asset Service Providers to report transaction data to tax authorities in the same way that financial institutions report account balances and income under CRS. Participating jurisdictions are expected to begin integrating CARF into domestic law by 2025, with reporting obligations likely commencing in 2026 or 2027.

For anyone holding crypto-assets through custodial platforms, this represents a material change in the reporting environment. For those considering self-custody as an alternative, it raises a more precise question: what does self-custody actually protect against, and what does it not?

What CARF and CRS Require

Both frameworks are built on third-party reporting. The obligation sits with the intermediary — the financial institution under CRS, the Crypto-Asset Service Provider under CARF — not with the individual. Exchanges, brokers, and regulated wallet providers will be required to collect, store, and transmit transaction data to domestic tax authorities, who exchange it automatically with their counterparts in participating jurisdictions.

The scope of CARF is broad: it covers cryptocurrencies, stablecoins, and certain NFTs. The objective is to close the information gap that has allowed crypto-asset transactions to remain outside the automatic exchange regime that has applied to conventional financial assets for a decade.

Institutional Custody Under CARF

The trade-offs of institutional custody are not new, but CARF sharpens them. The advantages — no private key management, KYC and AML handled by the institution, recovery options if access is lost — remain. The privacy implications become more concrete:

Transactions conducted through custodial platforms will be subject to automatic reporting. Tax authorities in participating jurisdictions will receive detailed transaction data without needing to make individual requests. Data held by centralised custodians is also a target for breaches in ways that self-held private keys are not. And regulated custodians are subject to regulatory pressure — including asset freezing and seizure orders — that cannot be applied directly to a self-custodied holding.

None of this makes institutional custody inadvisable as a general matter. For most holders, the compliance infrastructure and operational convenience of institutional custody outweigh the privacy considerations. The relevant question is whether, for specific holdings or specific threat models, the trade-offs point in a different direction.

What Self-Custody Does and Does Not Protect

Self-custody eliminates the third-party reporting mechanism that CARF relies on. A transaction that never passes through a CASP generates no reporting obligation under the framework. Private key holders who transact directly on-chain, without using a regulated platform, do not appear in the data that CASPs are required to report.

This is a real distinction, and it is the primary privacy advantage of self-custody under CARF.

It is not, however, a complete shield. Several significant vulnerabilities remain regardless of custody method.

On-chain analytics. Blockchain transactions are permanently public. Governments and private analytics firms have developed sophisticated tools for tracing transaction histories and linking on-chain activity to identified individuals — particularly where transactions intersect with exchanges, known addresses, or other identifiable on-ramps and off-ramps. Pseudonymity is not anonymity.

On-ramp and off-ramp exposure. Converting between fiat and crypto almost always involves interaction with a regulated entity subject to KYC requirements. That point of intersection creates a link between an identified individual and a wallet address that analytics tools can then trace forward and backward through the transaction history.

Jurisdictional risk. Some jurisdictions have moved toward requiring disclosure of self-custodied holdings or imposing reporting obligations directly on individuals, independent of whether a CASP is involved. The regulatory environment is not static, and what self-custody protects against today may be subject to different legal treatment as frameworks develop.

Privacy-enhancing mechanisms — coin mixing, CoinJoin transactions, privacy coins — extend the privacy properties of self-custody by breaking the transaction chain that analytics tools rely on. The legal status of these tools varies significantly by jurisdiction, and in several cases enforcement actions have been brought against their operators and, in some instances, users.

The Fifth Circuit’s 2024 ruling on Tornado Cash — finding that OFAC exceeded its authority in sanctioning immutable smart contracts — provides some legal clarity on the limits of sanctions as a tool for policing privacy protocols. It does not resolve the broader question of how AML law applies to individuals using privacy-enhancing tools in jurisdictions that have criminalised their use.

Before relying on any privacy-enhancing mechanism, the regulatory environment of the relevant jurisdiction should be assessed carefully. The gap between what is technically possible and what is legally permissible is material and jurisdiction-specific.

The Direction of Travel

CARF represents the extension of a trajectory that has been consistent for a decade: expanding the automatic information exchange regime to cover asset classes that were previously outside it. The question for individuals making custody decisions is not whether this trajectory will continue — it will — but how to structure holdings in a way that is both legally compliant and appropriately private.

Self-custody is not a mechanism for avoiding legitimate tax obligations. It is a mechanism for reducing dependence on intermediaries that are themselves subject to reporting requirements, data breach risk, and regulatory pressure. Those are distinct considerations, and conflating them produces decisions that are neither legally sound nor practically effective.

The tension between financial privacy and regulatory oversight will define the regulatory environment for crypto-assets over the next several years. Part 2 of this series examines what that tension looks like in specific jurisdictions and what it means for individuals with multi-jurisdictional holdings.


This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional before making decisions about custody arrangements, tax reporting obligations, or privacy-enhancing tools.