White-label crypto-asset platforms — where one entity provides the underlying technology infrastructure and another entity operates the customer-facing service — create important questions about who bears DAC8 reporting responsibilities. As the use of white-label solutions grows across the crypto industry, both technology providers and their clients should understand how reporting obligations are allocated.

Understanding the White-Label Model

In a typical white-label arrangement:

  • A technology provider builds and maintains the trading platform, matching engine, custody infrastructure, or other core systems.
  • An operating entity (the white-label client) brands the platform, onboards customers, and holds the relevant regulatory licenses.
  • End users interact with the operating entity's branded service and may be unaware of the underlying technology provider.

Variations on this model include fully hosted solutions, partially integrated services, and hybrid arrangements where responsibilities are shared across multiple layers.

Who Reports Under DAC8?

The fundamental principle under DAC8 is that the Reporting Crypto-Asset Service Provider (RCASP) is the entity that provides crypto-asset services to the end user. In most white-label arrangements, this should be the operating entity — the licensed, customer-facing business — rather than the technology provider.

Key factors in determining reporting responsibility include:

Regulatory Licensing

The entity holding the relevant crypto-asset service license (such as a MiCA authorization) is typically the entity with regulatory obligations, including DAC8 reporting. In most white-label models, the operating entity holds the license and therefore should bear the primary reporting obligation.

Customer Relationship

DAC8 requires due diligence on Reportable Users — collecting identification data, TINs, and tax residence information. The entity that maintains the direct customer relationship and performs KYC/AML procedures is generally best positioned to fulfill these requirements. This is usually the operating entity.

Transaction Execution

The entity in whose name transactions are executed — and that appears to the user as the service provider — should typically be the reporting entity. Even if the technology provider operates the matching engine or executes trades on a technical level, the operating entity is the one providing the service to the user.

Contractual Considerations

White-label agreements should clearly address DAC8 reporting responsibilities. Key contractual provisions to consider include:

Allocation of Reporting Duties

The contract should explicitly state which party is responsible for:

  • Collecting and verifying user due diligence data.
  • Generating and submitting DAC8 reports to the competent authority.
  • Maintaining records for the required retention period.
  • Responding to competent authority inquiries.

Data Access and Sharing

If the technology provider controls the data infrastructure, the operating entity may need contractual guarantees of access to:

  • Complete transaction records for all users.
  • Raw data needed to generate aggregate reporting figures.
  • Historical data for the full retention period.

The contract should specify data formats, access methods, and update frequencies to ensure the operating entity can fulfill its reporting obligations.

Reporting Support Services

Some technology providers offer reporting as a value-added service, generating DAC8-compliant reports on behalf of their white-label clients. If this model is adopted, the contract should address:

  • Accuracy and liability: Who is liable if reports contain errors?
  • Timeliness: Are reporting timelines contractually guaranteed?
  • Regulatory responsibility: Even if the technology provider generates the report, the operating entity typically remains legally responsible for its accuracy and submission.

Transition and Termination

The contract should address what happens to reporting data and obligations if the white-label relationship ends. The operating entity should ensure it retains access to all data necessary to complete reporting for periods covered by the relationship and to meet ongoing record-keeping requirements.

Shared Responsibility Scenarios

In some arrangements, responsibility may not fall cleanly on a single party:

Co-Branded Services

Where the technology provider and operating entity jointly present the service to users, both parties may need to assess whether they individually qualify as RCASPs. If both entities have a direct relationship with users, there is a risk of duplicative or conflicting reporting obligations.

Sub-Licensing Chains

In complex arrangements where a technology provider licenses to a distributor, who in turn sub-licenses to a customer-facing entity, the reporting obligation should generally rest with the entity that directly serves end users. However, each link in the chain should confirm its position.

Technology Provider as Processor

Where the technology provider processes transactions or holds data on behalf of the operating entity, data protection and data processing agreements should align with DAC8 requirements. The technology provider may be a data processor under GDPR while the operating entity remains the data controller with reporting obligations.

Practical Recommendations

For Operating Entities (White-Label Clients)

  1. Confirm that your organization is the reporting entity and ensure this is reflected in the white-label contract.
  2. Secure contractual data access sufficient to meet all DAC8 reporting and record-keeping requirements.
  3. Verify that due diligence data collected through the white-label platform meets DAC8 standards.
  4. Do not assume the technology provider will handle DAC8 compliance without explicit contractual arrangements.

For Technology Providers

  1. Clarify in contracts that the operating entity bears primary reporting responsibility unless otherwise agreed.
  2. Ensure your platform can capture and export the data fields required for DAC8 reporting.
  3. Consider offering DAC8 reporting tools as a service to your white-label clients, creating both value and compliance support.
  4. Build data retention capabilities that align with DAC8 requirements.

For Both Parties

  1. Engage jointly with legal advisors to confirm the allocation of DAC8 obligations in the specific arrangement.
  2. Test reporting processes before the first reporting deadline to identify gaps.
  3. Establish escalation procedures for resolving disagreements about data, reporting accuracy, or competent authority inquiries.

Conclusion

In white-label crypto-asset arrangements, DAC8 reporting responsibility should typically rest with the customer-facing operating entity. However, the technology provider plays a critical supporting role in enabling compliance. Clear contractual provisions, robust data access arrangements, and joint planning are essential to ensure that reporting obligations are met without gaps or duplication.

This article provides general information and should not be treated as legal or tax advice. Both technology providers and operating entities should seek qualified professional guidance on their specific arrangements.

Need help with DAC8 reporting?

Our team handles XML generation, TIN validation, and submission for CASPs across all 27 EU Member States.

Get Expert Help