DAC8 Due Diligence Procedures: Step-by-Step Compliance Guide

DAC8 prescribes specific due diligence procedures that CASPs must follow to identify reportable users and collect the required information. This guide walks through each step of the due diligence process.

Step 1: Identify Reportable Users

The first step is determining which users are subject to DAC8 reporting. In practice, all users with at least one reportable transaction during the reporting period must be reported. Since DAC8 has no minimum thresholds, this means virtually every active user on the platform.

CASPs should flag all users who have conducted at least one exchange (fiat-to-crypto, crypto-to-crypto), transfer, or payment transaction during the year.

Step 2: Collect Identification Information

For each reportable user, collect the full set of identification data required by DAC8: name, address, date of birth, TIN(s), and jurisdiction(s) of tax residence. This information should ideally be collected at onboarding, before the user conducts any transactions.

Step 3: Obtain Self-Certification

Request a self-certification from the user confirming their tax residency. The self-certification must be obtained before or at the time of the first reportable transaction for new users, and through the look-back process for existing users.

Step 4: Validate the Self-Certification

Check the self-certification against all other information available to the CASP. If there are no inconsistencies, accept the self-certification. If there are conflicts, request additional documentation or apply the multiple-residency rule.

Step 5: Validate TINs

Verify that the TIN provided by the user matches the expected format for the claimed jurisdiction of tax residence. Apply check-digit algorithms where available. If the TIN format is invalid, request a corrected TIN from the user.

Step 6: Monitor for Changes

Throughout the reporting period, monitor for changes in user information that could affect their tax residency status or the accuracy of their self-certification. Triggers include address changes, changes in payment method jurisdiction, and user-initiated updates to personal information.

Step 7: Apply the Look-Back Process

For existing users who were onboarded before January 1, 2026, apply the look-back process to collect any missing information. Prioritize users by activity level, starting with the most active users.

Step 8: Document Everything

Maintain comprehensive records of all due diligence steps performed, including when self-certifications were requested and received, TIN validation results, any discrepancies identified and how they were resolved, communications with users requesting additional information, and any decisions to report a user as non-compliant (TIN not provided).

Step 9: Compile the Report

At the end of the reporting period, compile the annual report using all collected data. Classify transactions by type, calculate aggregate amounts, and generate the XML file in the required format.

Step 10: Submit and Retain

Submit the report to the competent tax authority by the applicable deadline. Retain all supporting documentation, including self-certifications, TIN records, and transaction data, for the period required by national law.

Conclusion

DAC8 due diligence is a structured, multi-step process that requires systematic execution and thorough documentation. CASPs that establish clear internal procedures and train their staff on each step will be best positioned to meet the directive's requirements and demonstrate compliance during audits.