The Reporting Cryptoasset Service Providers (Due Diligence and Reporting Requirements) Regulations 2025
These regulations implement the OECD Crypto-Asset Reporting Framework in the UK, mandating due diligence, record-keeping, and reporting obligations for UK cryptoasset service providers.
They detail procedures for self-certification, reporting to HMRC via an electronic system, and notification to users.
Penalties are outlined for various breaches, including failure to comply with due diligence, record-keeping, reporting, and notification requirements, along with provision for appeals.
An anti-avoidance clause is included.
Arguments For
Increased tax revenue: The regulations aim to improve tax collection by increasing transparency and reporting of cryptoasset transactions.
Global alignment: These regulations align UK tax law with the OECD Crypto-Asset Reporting Framework, promoting international cooperation in tackling tax evasion related to cryptoassets.
Improved regulatory oversight: The framework enhances the UK's ability to supervise cryptoasset service providers and mitigate financial risks associated with this sector.
Level playing field: The regulations create a level playing field for businesses, ensuring fair competition and compliance with tax obligations.
Arguments Against
Compliance costs: UK reporting cryptoasset service providers may face significant costs associated with implementing new due diligence procedures and reporting requirements.
Operational challenges: The regulations may create operational challenges for smaller cryptoasset businesses, potentially hindering innovation and growth in the sector.
Potential for errors and penalties: The complexity of the regulations increases the risk of unintentional errors leading to costly penalties.
Data privacy concerns: The reporting requirements may raise concerns related to the privacy of user data, requiring careful consideration of data protection laws.
Part 1Introductory and general provisions
Citation and commencement1.
These Regulations may be cited as the Reporting Cryptoasset Service Providers (Due Diligence and Reporting Requirements) Regulations 2025 and come into force on 1st January 2026.
Interpretation2.
(1)
In these Regulations—
“HMRC” means His Majesty’s Revenue and Customs;
“the rules” means the rules and commentary set out in the OECD Crypto-Asset Reporting Framework, published in 2022, as modified, supplemented or replaced from time to time3;
“self-certification provider” means an individual cryptoasset user, an entity cryptoasset user or a controlling person of an entity cryptoasset user who has received a request from a UK reporting cryptoasset service provider to provide a self-certification;
“tribunal” means the First-tier Tribunal or Upper Tribunal as determined under Tribunal Procedure Rules4;
“UK reporting cryptoasset service provider” has the meaning given by regulation 3.
(2)
Any expression defined in the rules but not in these Regulations has the same meaning in these Regulations as in the rules.
(3)
The Schedule contains a table listing places where expressions that are used in these Regulations are defined or otherwise explained in the rules.
(4)
In their application for the purposes of these Regulations, the rules are to be read as if—
(a) a reference to a “calendar year or other appropriate reporting period” were a reference only to a calendar year,
(b) a reference to “[jurisdiction]” were a reference to the United Kingdom,
(c) the list referred to in (b) of Section IV(D)(9)(b) (definition of reportable jurisdiction) is the list contained in a notice published by the Commissioners for HMRC further to this regulation, and
(d) the list referred to in Section IV(F)(1) (definition of partner jurisdiction) is the list contained in a notice published by the Commissioners for HMRC further to this regulation.
UK reporting cryptoasset service provider3.
(1)
For the purpose of these Regulations, a UK reporting cryptoasset service provider is a reporting cryptoasset service provider which is—
(a) either—
(i) subject to the reporting and due diligence requirements in Sections II and III of the rules in the United Kingdom by virtue of Section I(A) of the rules, or
(ii) subject to the reporting and due diligence requirements in Sections II and III of the rules in the United Kingdom with respect to relevant transactions effectuated through a branch in the United Kingdom by virtue of Section I(B) of the rules, and
(b) is not exempt from the reporting and due diligence requirements to which it is subject in the United Kingdom by virtue of Section I(C) to (H) of the rules.
(2) A notification under Section I(H) of the rules—
(a) must be given to HMRC on or before—
(i) 31st May 2027, where it relates to the calendar year 2026, or
(ii) 31st January following the calendar year to which it relates, where that year is 2027 or a subsequent year,
(b) has effect for the calendar year to which it relates and all subsequent calendar years until it is withdrawn, and
(c) must be given and withdrawn in the form and manner specified in specific or general directions given by the Commissioners for HMRC under this regulation.
Part 1 introduces the regulations, defining key terms and establishing the scope.
Regulation 1 sets the title and effective date (January 1, 2026).
Regulation 2 defines terms like HMRC, the OECD Crypto-Asset Reporting Framework ('the rules'), and different types of cryptoasset users and providers, clarifying how these terms are applied within the regulations.
Regulation 3 specifies the criteria for a 'UK reporting cryptoasset service provider,' these are entities subject to the reporting and due diligence requirements of the rules within the UK, with some possible exemptions.
It also sets out the process and deadlines for notifications under Section I(H) of the rules.
Part 2Due diligence, record-keeping and reporting obligations
Due diligence and record-keeping4.
(1) A UK reporting cryptoasset service provider must apply, and establish and maintain arrangements designed to apply, the due diligence procedures set out in Section III of the rules.
(2) A UK reporting cryptoasset service provider must keep a record of—
(a) the steps taken to comply with this regulation, and
(b) the information collected in the course of applying the due diligence procedures set out in Section III of the rules.
(3) A UK reporting cryptoasset service provider must keep the records required by paragraph (2) for a period of five years beginning with the day after the end of the calendar year to which they relate.
(4) For the purposes of paragraph (3), records in respect of a particular cryptoasset user or controlling person of an entity cryptoasset user relate to the calendar year in which the information was—
(a) collected,
(b) generated, or
(c) relied on under Section III of the rules.
Provision of a valid self-certification5.
(1) A self-certification provider must provide the self-certification requested—
(a) in the case of an individual cryptoasset user, in accordance with the requirements of Section III(A) of the rules, and
(b) in the case of an entity cryptoasset user or a controlling person of an entity cryptoasset user, in accordance with Section III(B) of the rules.
(2) The self-certification provided must satisfy the requirements as to validity in Section III(C) of the rules.
Reporting of Information6.
(1) A UK reporting cryptoasset service provider must, for each calendar year, make a report to HMRC setting out the information in paragraph (2) on or before 31st May following the end of the calendar year.
(2) The information is—
(a) for a UK reporting cryptoasset service provider within regulation 3(1)(a)(i), the information set out in Section II(A) to (F) of the rules, and
(b) for a UK reporting cryptoasset service provider within regulation 3(1)(a)(ii), the information set out in Section II(A) to (F) of the rules, with respect to relevant transactions effectuated through a branch in the United Kingdom.
Electronic report system7.
(1) A report under regulation 6(1) must be made electronically using an electronic report system.
(2) The form and manner in which a report is to be made using an electronic report system is specified in specific or general directions given by the Commissioners for HMRC.
(3) A report which is made otherwise than in accordance with paragraphs (1) and (2) is treated as not having been made.
(4) An electronic report system must incorporate an electronic validation process.
(5) Unless the contrary is proved—
(a) the use of an electronic report system is presumed to have resulted in the making of a report only if this has successfully been recorded as such by the relevant electronic validation process,
(b) the time of making the report is presumed to be time recorded as such by the relevant electronic validation process, and
(c) the person delivering the report is presumed to be the person identified as such by any relevant feature of the electronic report system.
Notification to reportable users and reportable persons8.
(1) Where a UK reporting cryptoasset service provider must make a report under regulation 6(1) that will include information relating to a reportable user or a reportable person, it must notify that reportable user or reportable person that the information—
(a) will be reported to HMRC, and
(b) may be transferred to the competent authority of another jurisdiction in accordance with the OECD Crypto-Asset Reporting Framework.
(2) The notification must be made on or before 31st January following the first calendar year for which the UK reporting cryptoasset service provider must report information required by regulation 6 relating to that reportable user or reportable person.
Provision of information to HMRC9.
(1) In order to determine whether or not the obligations arising under these Regulations have been complied with, an officer of Revenue and Customs may require a reporting cryptoasset service provider on whom the officer reasonably suspects these Regulations impose obligations, to provide such information and documents as the officer reasonably requires as specified by written notice.
(2) The information required by notice under paragraph (1) must be provided—
(a) within such period, being no less than 14 days, and
(b) by such means and in such form, as is reasonably required by the officer of Revenue and Customs.
Registration with HMRC: UK reporting cryptoasset service providers10.
(1) A UK reporting cryptoasset service provider, and a reporting cryptoasset service provider which has lodged a notification under Section I(H) of the rules in accordance with regulation 3(2), must register with HMRC on or before the later of—
(a) 31st May 2027, and
(b) 31st January following the first calendar year in which it falls within the definition of UK reporting cryptoasset service provider in regulation 3(1) or in relation to which it is required to give a notification in accordance with regulation 3(2)(a).
(2) Registration must be effected by the giving of notice to HMRC.
(3) A notice under paragraph (2) must contain the information, and be given in the form and manner, specified in specific or general directions given by the Commissioners for HMRC under this regulation.
Part 2 details the obligations on UK cryptoasset service providers.
Regulation 4 mandates due diligence procedures (as defined in the rules), along with record-keeping for five years.
Regulation 5 addresses self-certification requirements from users.
Regulation 6 outlines the mandatory annual reporting to HMRC, with deadlines.
Regulation 7 specifies the use of an electronic reporting system and related legal presumptions.
Regulation 8 requires notification of reportable users and persons to inform them about HMRC reporting and potential cross-border data sharing.
Regulation 9 allows HMRC to request information.Regulation 10 requires registration with HMRC.
Part 3Penalties for breach of obligations
Penalties for failure to apply due diligence procedures11.
(1) Subject to paragraph (2), if a UK reporting cryptoasset service provider fails to comply with regulation 4(1), the UK reporting cryptoasset service provider is liable to a penalty not exceeding £100 for each reportable user or reportable person in respect of which the UK reporting cryptoasset service provider fails to apply the due diligence procedures in regulation 4(1).
(2) Where the failure in question is a failure to obtain a valid self-certification required by the rules, the UK reporting cryptoasset service provider is liable to a penalty not exceeding £300 for each reportable user or reportable person in respect of which the UK reporting cryptoasset service provider fails to apply the due diligence procedures in regulation 4(1).
Penalties for failure to comply with record-keeping requirements12.
If a UK reporting cryptoasset service provider fails to comply with regulation 4(2), the UK reporting cryptoasset service provider is liable to a penalty not exceeding £5,000 for each calendar year in respect of which one or more failures have occurred.
Penalties for failure to provide a valid self-certification13.
If a self-certification provider fails to provide a self-certification under regulation 5 (provision of a valid self-certification), the self-certification provider is liable to a penalty not exceeding £300—
(a) where the failure is deliberate, or
(b) where the failure is due to a failure to take reasonable care.
Penalties for late reports14.
If a UK reporting cryptoasset service provider fails to make a report required under regulation 6(1) on or before the date specified in that paragraph, the UK reporting cryptoasset service provider is liable—
(a) to a penalty not exceeding £5,000, and
(b) if the failure continues after notice of assessment of a penalty under paragraph (a) is issued, to a penalty or penalties not exceeding £600 for each subsequent day on which any of the failures continue.
Penalties for inaccurate or incomplete reports15.
If a UK reporting cryptoasset service provider makes a report under regulation 6(1) which contains inaccurate information, or which is incomplete, the UK reporting cryptoasset service provider is liable to a penalty not exceeding £100 for each cryptoasset user that is a reportable user or has controlling persons that are reportable persons in respect of which the information in the report is inaccurate or incomplete, where—
(a) the inaccuracy or incompleteness is deliberate,
(b) the inaccuracy or incompleteness is due to a failure to take reasonable care, or
(c) the UK reporting cryptoasset service provider discovers the inaccuracy or incompleteness some time later and fails to take reasonable steps to inform HMRC.
Penalties for failure to provide notification to reportable users and reportable persons16.
If a UK reporting cryptoasset service provider fails to comply with regulation 8 (notification to reportable users and reportable persons), the UK reporting cryptoasset service provider is liable—
(a) to a penalty not exceeding £100 for each reportable person in respect of which one or more failures have occurred, and
(b) if any of the failures continue after notice of an assessment of a penalty under paragraph (a) is issued, to a penalty or penalties not exceeding £100 for each subsequent day on which any of the failures continue.
Penalties for failure to provide information to HMRC17.
If a reporting cryptoasset service provider fails to comply with regulation 9 (provision of information to HMRC), the reporting cryptoasset service provider is liable—
(a) to a penalty not exceeding £5,000 and
(b) if the failure continues after notice of an assessment of a penalty under paragraph (a) is issued, to a penalty or penalties not exceeding £600 for each subsequent day on which the failure occurs.
Penalties for failure to register with HMRC18.
If a reporting cryptoasset service provider fails to comply with regulation 10 (registration with HMRC: UK reporting cryptoasset service providers), the reporting cryptoasset service provider is liable—
(a) to a penalty not exceeding £1,000, and
(b) if the failure continues after notice of assessment of a penalty under paragraph (a) is issued, to a penalty or penalties not exceeding £300 for each subsequent day on which the failure occurs.
Liable persons19.
(1) Where under this Part—
(a) a reporting cryptoasset service provider or self-certification provider is made liable to a penalty, and
(b) the reporting cryptoasset service provider or self-certification provider is a partnership or trust, the liability to the penalty falls upon a liable person of the reporting cryptoasset service provider or self-certification provider.
(2) In paragraph (1), “liable person” means, in relation to—
(a) a partnership, a partner of the partnership,
(b) a trust which is not a collective investment scheme, a trustee of the trust, or
(c) a trust which is a collective investment scheme, a trustee, manager or operator of the scheme.
(3) In this regulation, “collective investment scheme” means any arrangements that are a “collective investment scheme” within the meaning of the Financial Services and Markets Act 20005.
Reasonable excuse20.
(1) Liability to a penalty under this Part does not arise if the person satisfies an officer of Revenue and Customs or, on an appeal notified to the tribunal, the tribunal that there is a reasonable excuse for a failure to do anything required to be done under the applicable regulation.
(2) For the purposes of this regulation neither of the following is a reasonable excuse—
(a) that there is an insufficiency of funds to do something;
(b) that a person relies upon another person to do something.
(3) If a person had a reasonable excuse for a failure but the excuse has ceased, the person is to be treated as having continued to have the excuse if the failure is remedied without unreasonable delay after the excuse ceased.
Duplication of liability to penalties21.
(1) A UK reporting cryptoasset service provider cannot be liable to penalties under any two or more of regulations 11 (failure to apply due diligence procedures), 12 (failure to comply with record-keeping requirements), and 15 (inaccurate or incomplete reports) in respect of the same act or omission.
(2) Where, apart from paragraph (1), a UK reporting cryptoasset service provider would be so liable, the UK reporting cryptoasset service provider is liable to a penalty in respect of that act or omission under whichever of regulations 11, 12, or 15 is, in the opinion of an officer of Revenue and Customs, correct or appropriate in the circumstances.
Assessment of penalties by HMRC22.
(1) An officer of Revenue and Customs may make an assessment imposing a penalty under any of regulations 11 to 18 and setting it at such amount as, in the opinion of the officer, is appropriate.
(2) Notice of an assessment of a penalty under this regulation must—
(a) be given to the person liable to the penalty,
(b) state the date on which it is issued and the time within which an appeal against the assessment may be made, and
(c) in the case of an assessment of a penalty under regulation 11, 12, 14, 15, or 16, state the calendar year in respect of which the penalty is assessed.
(3) Subject to paragraph (4), after a notice of assessment of a penalty under this regulation has been given, the assessment must not be altered except on appeal.
(4) If it is discovered by an officer of Revenue and Customs that the amount of a penalty under regulation 14(b), 16(b), 17(b) or 18(b) which has been assessed under this regulation is or has become insufficient, the officer may make an assessment in a further amount so that the penalty is set at the amount which, in the opinion of that officer, is appropriate.
Time limit and treatment of penalties23.
(1) An assessment of a penalty under regulation 12, 14, 16, 17, or 18 must be made within the period of 12 months beginning with the date on which the person became liable to the penalty.
(2) An assessment of a penalty under regulation 11, 13, or 15 must be made—
(a) within the period of 12 months beginning with the date on which the inaccuracy, incompleteness or failure first came to the attention of an officer of Revenue and Customs, and
(b) within the period of 6 years beginning with the date on which the reporting cryptoasset service provider or self-certification provider became liable to the penalty.
(3) A penalty assessed under regulation 22 is due and payable at the end of the period of 30 days beginning with the day on which notice of assessment is issued.
(4) A penalty assessed under regulation 22 is to be treated for all purposes as if it were tax charged in an assessment and due and payable.
Right to appeal against penalty assessments24.
An appeal may be brought against a penalty assessment under regulation 22—
(a) on the grounds that liability to a penalty under any of regulations 11 to 18 does not arise, or
(b) as to the amount of a penalty assessed under any of regulations 11 to 18.
Procedure on appeal25.
(1) Notice of an appeal under regulation 24 must—
(a) state the grounds of appeal, and
(b) be given—
(i) in writing;
(ii) before the end of the period of 30 days beginning with the date on which notice of the assessment under regulation 22(2) was issued;
(iii) to HMRC.
(2) Subject to paragraph (3), the provisions of Part 5 of the Taxes Management Act 19706 relating to appeals have effect in relation to an appeal against an assessment under regulation 22 as they have effect in relation to an appeal against an assessment to income tax.
(3) On an appeal under regulation 24 that is notified to the tribunal, the tribunal may—
(a) if it appears that no liability to a penalty has arisen, set the assessment aside,
(b) if the amount assessed appears to be appropriate, confirm the assessment,
(c) if the amount assessed appears to be excessive, reduce it to such other amount (including nil) as the tribunal considers appropriate, or
(d) if the amount assessed appears to be insufficient, increase it to such amount not exceeding the permitted maximum as the tribunal considers appropriate.
Part 3 sets out penalties for non-compliance.
Regulations 11-18 specify different penalties for various types of non-compliance, ranging from £100 to £5000 per incident, with daily penalties for ongoing non-compliance.
Regulation 19 clarifies penalty liability for partnerships and trusts.
Regulation 20 allows for a reasonable excuse defense.
Regulation 21 prevents double-penalties for the same offense.
Regulations 22-25 handle penalty assessment procedures and appeals, including time limits for assessment and appeals.
Part 4Supplementary
Anti-avoidance26.
If—
(a) a person enters into any arrangements, and
(b) the main purpose, or one of the main purposes, of entering into the arrangements is to avoid any obligation under these Regulations, these Regulations are to have effect as if the arrangements had not been entered into.
Part 4 includes supplementary provisions; Regulation 26 is an anti-avoidance clause, stating that any arrangement designed to avoid the regulations will be treated as if it did not exist.