Self-certification is one of the most important due diligence mechanisms under DAC8. It is the process by which users declare their tax residency status and provide their Tax Identification Numbers (TINs) directly to the Reporting Crypto-Asset Service Provider (RCASP). Getting self-certification right is essential because the accuracy of your DAC8 reports depends heavily on the quality of these declarations.

> Disclaimer: Self-certification requirements may vary by Member State based on national transposition of DAC8. The guidance below reflects the general EU framework. Always check with your national tax authority for jurisdiction-specific self-certification rules and forms.

What Is Self-Certification?

Self-certification under DAC8 is a formal declaration by an account holder (user) in which they provide information about their tax residency status. It serves as the primary mechanism for determining:

  • In which jurisdiction(s) a user is tax resident
  • What TIN(s) apply to the user in those jurisdictions
  • Whether the user should be included in reports sent to specific tax authorities

Self-certification is similar in concept to the self-certification mechanisms used under the Common Reporting Standard (CRS) and FATCA, though DAC8 applies specifically to crypto-asset transactions.

What Information Should the Self-Certification Collect?

A DAC8-compliant self-certification form should typically collect the following information from users:

For Individuals

  1. Full legal name (first name, middle name if applicable, last name)
  2. Current residential address (street, building number, city, postal/ZIP code, country)
  3. Date of birth
  4. Place of birth (city and country, may be required in some implementations)
  5. Jurisdiction(s) of tax residence (one or more countries)
  6. TIN for each jurisdiction of tax residence
  7. Reason for TIN unavailability (if the user cannot provide a TIN for a declared jurisdiction)

For Entities

  1. Legal entity name
  2. Registered address
  3. Country of incorporation or organization
  4. Jurisdiction(s) of tax residence
  5. TIN or entity registration number for each jurisdiction
  6. Entity classification (active, passive, financial institution, etc., depending on the reporting requirements)

Declaration and Certification

The form should also include:

  • A declaration statement where the user certifies that the information provided is true, correct, and complete to the best of their knowledge
  • An undertaking to notify the RCASP of any change in circumstances that affects the information provided
  • The date of certification
  • An electronic signature or equivalent confirmation mechanism (such as clicking a "confirm" button with appropriate audit trail)

Designing the Self-Certification Form

User Experience Considerations

The self-certification form should be clear and accessible. Poor design leads to incomplete or inaccurate data.

  • Use plain language: Avoid unnecessary jargon. Explain terms like "tax residency" and "TIN" in simple terms
  • Provide help text: Include tooltips or explanatory notes for each field (e.g., "Your TIN is the number assigned by your tax authority. In the UK, this is your UTR or National Insurance number")
  • Support multiple jurisdictions: Allow users to add additional jurisdictions with corresponding TINs using an intuitive "add another" interface
  • Localize the form: Provide the self-certification in languages relevant to your user base
  • Mobile-friendly: Ensure the form works well on mobile devices, as many crypto platform users access services via mobile

Technical Implementation

  • Mandatory field enforcement: Do not allow form submission if required fields are empty
  • Real-time TIN validation: Where possible, validate TIN format as the user types (see the separate guide on TIN validation)
  • Country code dropdowns: Use ISO 3166-1 alpha-2 country codes and present countries in a searchable dropdown
  • Date picker: Use a standardized date picker for date of birth to ensure consistent formatting
  • Audit trail: Record the exact timestamp, IP address (if applicable and compliant with privacy rules), and method of certification
  • Version control: Track which version of the self-certification form the user completed, so you can demonstrate compliance if the form is updated over time

Validation Rules

At Submission Time

Apply these validation checks when the user submits their self-certification:

  1. All mandatory fields populated: Name, address, date of birth, at least one tax residency jurisdiction, and at least one TIN
  2. TIN format check: Validate that the TIN matches the expected format for the declared jurisdiction
  3. Country code validity: Ensure all country codes are valid ISO 3166-1 alpha-2 codes
  4. Date of birth range: Verify the date of birth is reasonable (e.g., not in the future, not more than 150 years ago)
  5. Address completeness: Minimum required address fields are present
  6. Consistency check: Flag if the country in the residential address differs from all declared tax residency jurisdictions (this is not necessarily an error, but should be reviewed)
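The six submission-time checks above, sketched as a server-side validator for an individual's form. This is an added example, not code from the original guide. The field names, the `no_tin_reason` key, the country subset and the length-only TIN patterns are assumptions made for illustration.

```python
import re
from datetime import date

# Assumptions: a small subset of ISO 3166-1 alpha-2 codes and length-only TIN
# patterns; load the full list and real per-country rules from your own source.
ISO_CODES = {"DE", "FR", "IE", "NL", "ES", "IT", "US", "GB"}
# [0-9] rather than \d: in Python, \d also matches non-ASCII Unicode digits.
TIN_PATTERNS = {"DE": r"[0-9]{11}", "FR": r"[0-9]{13}"}
ADDRESS_FIELDS = ("street", "city", "postal_code", "country")

def validate_self_cert(cert, today):
    """Server-side checks 1-6 for an individual; returns (errors, warnings)."""
    errors, warnings = [], []
    for field in ("name", "date_of_birth", "address", "residencies"):  # check 1
        if not cert.get(field):
            errors.append(f"missing:{field}")
    residencies = cert.get("residencies") or []
    if residencies and not any(r.get("tin") for r in residencies):
        errors.append("missing:tin")
    for r in residencies:
        country, tin = r.get("country", ""), (r.get("tin") or "").strip()
        if country not in ISO_CODES:  # check 3
            errors.append(f"bad_country:{country}")
        elif tin:  # check 2; fullmatch anchors both ends of the pattern
            pattern = TIN_PATTERNS.get(country)
            if pattern and not re.fullmatch(pattern, tin):
                errors.append(f"bad_tin_format:{country}")
        elif not r.get("no_tin_reason"):  # a missing TIN needs a stated reason
            errors.append(f"missing_tin_reason:{country}")
    dob = cert.get("date_of_birth")  # check 4; assumed to be a datetime.date
    if dob and (dob > today or (dob.year + 150, dob.month, dob.day)
                < (today.year, today.month, today.day)):
        errors.append("dob_out_of_range")
    address = cert.get("address") or {}
    if address:  # check 5
        errors += [f"missing:address.{f}" for f in ADDRESS_FIELDS if not address.get(f)]
    declared = {r.get("country") for r in residencies}
    if address.get("country") and declared and address["country"] not in declared:
        warnings.append("address_country_not_in_residencies")  # check 6: review only
    return errors, warnings

# Constructed sample: malformed DE TIN, FR with no TIN and no reason, future DOB.
SAMPLE = {
    "name": "Test User", "date_of_birth": date(2030, 1, 1),
    "address": {"street": "1 Example St", "city": "Dublin",
                "postal_code": "D01 X0X0", "country": "IE"},
    "residencies": [{"country": "DE", "tin": "1234"}, {"country": "FR"}],
}
if __name__ == "__main__":
    print(validate_self_cert(SAMPLE, date(2025, 1, 1)))
```

Run the same checks on the server even when the form validates as the user types, since client-side validation can be bypassed.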

Reasonableness Checks

Beyond basic format validation, consider implementing reasonableness checks:

  • Known tax residency rules: Some jurisdictions have specific residency rules (e.g., the US taxes based on citizenship). If a user declares US nationality but does not include the US as a tax residency jurisdiction, this may warrant a follow-up
  • Multiple EU residencies: If a user declares tax residency in multiple EU Member States, consider whether this is plausible given their circumstances
  • No TIN available: If a user indicates they cannot provide a TIN, require a reason (e.g., the jurisdiction does not issue TINs, TIN application is pending)

Handling Incomplete Self-Certifications

Not all users will complete their self-certification on the first attempt. You need procedures for handling incomplete certifications.

Approaches

  1. Block account functionality: Prevent users from executing reportable transactions until self-certification is complete. This is the most effective approach but may impact user experience and revenue.
  2. Grace period: Allow users a defined period (e.g., 30 or 90 days) to complete the self-certification after account opening, with reminders sent at intervals.
  3. Escalating restrictions: Begin with full functionality, then progressively restrict features (e.g., reduce withdrawal limits) if self-certification is not completed within a certain timeframe.
  4. Flag for manual review: Flag users with incomplete self-certifications for compliance team review and outreach.

Communication Strategy

  • Initial prompt: Include the self-certification as a clear step during onboarding
  • First reminder: Send a reminder within 7 to 14 days if the self-certification is not completed
  • Second reminder: Send a more urgent reminder at 30 days
  • Final notice: At 60 to 90 days, notify the user that account restrictions may apply
  • Restriction notification: If restrictions are applied, clearly communicate what is restricted and how to resolve it

Renewal and Updates

Self-certifications are not necessarily permanent. You should plan for:

Change of Circumstances

  • Require users to update their self-certification if they change their tax residency, address, or other relevant information
  • Implement a mechanism for users to initiate an update through their account settings
  • Trigger a review if you become aware of information that contradicts the existing self-certification (e.g., the user changes their address to a different country)

Periodic Renewal

Some jurisdictions may require periodic renewal of self-certifications. Even if not explicitly mandated, it is generally good practice to:

  • Prompt users to confirm or update their self-certification annually or at a frequency appropriate to your risk assessment
  • Re-validate TINs periodically as formats may change

Record of Changes

Maintain a complete history of all self-certification submissions and updates, including:

  • The original self-certification date and content
  • Each subsequent update with the date, the changed fields, and the reason for the change
  • The version of the self-certification form used for each submission

Storage Requirements

Self-certification data must be stored securely and retained for the period required by your national legislation. Key requirements typically include:

  • Encryption at rest: Store self-certification data in encrypted form
  • Access controls: Limit access to self-certification data to authorized compliance and reporting personnel
  • GDPR compliance: Ensure that the collection, processing, and storage of self-certification data complies with the General Data Protection Regulation, including having a valid legal basis for processing and providing appropriate privacy notices
  • Retention period: Retain self-certification records for at least 5 years after the end of the period to which the report relates, or longer if required by national law
  • Retrievability: Ensure that self-certification records can be retrieved promptly if requested by the tax authority

Self-Certification Checklist

  • [ ] Self-certification form designed and reviewed by legal/compliance
  • [ ] Form collects all required fields (name, address, DOB, tax residency, TIN)
  • [ ] Declaration and certification statement included
  • [ ] TIN format validation implemented for major jurisdictions
  • [ ] Multiple tax residency jurisdictions supported
  • [ ] Help text and explanatory notes provided for key fields
  • [ ] Mobile-friendly form tested
  • [ ] Localization in relevant languages completed
  • [ ] Audit trail captures timestamp, form version, and method of certification
  • [ ] Incomplete certification handling procedures defined and implemented
  • [ ] Reminder and escalation communications drafted
  • [ ] Change of circumstances update mechanism available to users
  • [ ] Data storage meets encryption and access control standards
  • [ ] GDPR-compliant privacy notice updated to cover self-certification data
  • [ ] Retention policy documented and implemented

Summary

Self-certification is the cornerstone of DAC8 user due diligence. A well-designed self-certification process collects accurate data, validates it at the point of entry, handles incomplete submissions gracefully, and stores everything securely for the required retention period. Investing in a robust self-certification process upfront will significantly improve the quality and reliability of your DAC8 reports.

This article is for informational purposes only and does not constitute legal or tax advice. Check with your national tax authority for specific self-certification requirements in your jurisdiction.
