Custody providers, entities that safeguard crypto-assets on behalf of clients, occupy a distinct position under the DAC8 directive. Unlike exchanges that facilitate trading, custody-only providers do not necessarily process buy or sell transactions directly. Nonetheless, they should expect to fall within DAC8's reporting scope and face specific obligations related to the assets they hold and the transfers they process.

Custody Providers as Reporting Entities

Under DAC8, a Reporting Crypto-Asset Service Provider (RCASP) generally includes any entity that provides services to exchange, transfer, or safeguard crypto-assets. Custody providers typically fall under the "safeguarding" category. This means that even if a custody provider does not facilitate trading, its role in holding and managing crypto-assets on behalf of users may trigger reporting obligations.

Providers should carefully review how DAC8 defines "Crypto-Asset Service Provider" in conjunction with MiCA licensing categories, as custody and administration of crypto-assets on behalf of clients is a specifically recognized service type.

What Custody-Only Providers May Need to Report

The reporting obligations for custody providers may differ somewhat from those of exchanges, but they are not necessarily lighter. Key areas of reporting typically include:

Transfer Reporting

When a user instructs a custody provider to transfer crypto-assets to an external wallet or another platform, this transaction may be reportable. DAC8 generally requires reporting of transfers, including:

  • The aggregate fair market value of crypto-assets transferred out of the platform during the reporting period.
  • The number of units transferred for each type of crypto-asset.
  • Whether the transfer was directed to another RCASP or to a non-custodial wallet.

Acquisition and Disposal Through Third Parties

In some custody arrangements, the custodian may facilitate transactions through partner exchanges or brokers. When the custody provider is involved in the transaction chain — even if it does not operate the order book — it should assess whether it has reporting obligations for those transactions.

Holdings and Valuations

While DAC8 primarily focuses on transaction-based reporting rather than balance reporting, custody providers should maintain accurate records of holdings. This data may be needed to support aggregate calculations and to respond to competent authority inquiries.

Due Diligence for Custody Clients

Custody providers must perform due diligence on their Reportable Users, similar to other RCASPs. This includes collecting and verifying:

  • Legal name and date of birth (for individuals)
  • Entity name, registration details, and controlling persons (for legal entities)
  • Tax Identification Numbers (TINs)
  • Country of tax residence

Institutional custody providers that serve corporate clients, funds, or high-net-worth individuals should pay particular attention to the entity due diligence requirements. Identifying controlling persons and determining the tax residence of legal arrangements can be more involved than individual customer verification.

Challenges Specific to Custody Providers

Segregated vs. Omnibus Accounts

Some custody providers use omnibus account structures where multiple clients' assets are pooled together. For DAC8 reporting, the provider should be able to attribute holdings and transfers to individual Reportable Users, which may require robust sub-accounting systems even when assets are held in pooled structures.

Limited Transaction Visibility

Custody-only providers may have limited insight into the purpose or nature of transfers. A transfer out of custody could represent a sale, a gift, a payment, or simply a movement to another wallet owned by the same user. Custody providers may need to work with clients to classify transactions appropriately, or report transfers as a general category where the specific nature is unknown.

Institutional and Qualified Investor Clients

Custody providers serving institutional clients should note that DAC8 generally does not exempt institutional investors from reporting. While the due diligence procedures may differ for entities versus individuals, the reporting obligation should still apply.

Interaction with Other Regulatory Frameworks

Custody providers operating under MiCA licenses should be aware that DAC8 reporting sits alongside — but is separate from — MiCA's prudential and conduct requirements. Additionally, custody providers that are also regulated as financial institutions under other directives (such as MiFID II or AIFMD) should assess whether DAC8 creates overlapping or supplementary reporting obligations.

Practical Recommendations

Custody providers preparing for DAC8 should consider:

  1. Mapping all transfer types that may be reportable, including internal movements between client accounts.
  2. Upgrading sub-accounting systems to ensure per-client attribution of assets and transactions.
  3. Reviewing client onboarding processes to ensure all DAC8-required data points are collected.
  4. Establishing processes for entity due diligence, particularly for complex corporate structures.
  5. Coordinating with partner exchanges or brokers to clarify reporting responsibilities for transactions facilitated through third parties.

Conclusion

Custody providers should not assume that a narrower service offering translates to minimal DAC8 obligations. Transfer reporting, client due diligence, and accurate record-keeping are all likely requirements. Early engagement with the specifics of DAC8 — and with qualified legal and tax advisors — should help custody providers prepare effectively.

This article provides general information and should not be treated as legal or tax advice. Custody providers should seek professional guidance tailored to their specific operations and jurisdictions.
