Back to Resources

HMRC Enquiries into Crypto Businesses: How to Prepare and Respond

Raymond Shuai August 2025 7 min read Sources: HMRC Cryptoassets Manual · HMRC Compliance Check Guidance · Tribunal Cases 2023–2025 · Finance Act 2024

FCA & Regulatory

HMRC's Focus on Crypto Is Systematic, Not Random

Share
Executive summary: HMRC has systematically increased its compliance activity directed at crypto businesses through 2024 and 2025, using third-party data from exchanges, industry risk profiling, and CARF data sharing (commencing 2026) to identify mismatches between reported income and actual activity. Understanding the types of enquiry, what triggers them, and how to prepare proactively is now a material part of the CFO's regulatory risk management function.

The days when crypto income reliably escaped HMRC's visibility are over. The infrastructure for systematic data collection is now in place or in final stages of deployment. HMRC has been issuing third-party information notices to UK-accessible exchanges since at least 2022. The Cryptoasset Reporting Framework (CARF), developed by the OECD and adopted in the UK through the Finance Act 2024, will begin mandating automatic exchange of transaction data between participating jurisdictions from 2026. The effect is that HMRC's information about crypto businesses and their principals will improve significantly over the next 18 months.

Against that backdrop, the risk of an HMRC enquiry for a crypto business is not declining: it is increasing. The question for CFOs and finance directors at crypto businesses is no longer whether an enquiry is possible, but whether the business is adequately prepared to respond if one arrives.

This article covers the three main types of HMRC enquiry, what triggers them in the crypto context, how to prepare proactively, and how to manage an active compliance check effectively.

Why HMRC Is Focused on Crypto Businesses

HMRC's focus on crypto businesses stems from three converging factors: the scale of potential tax at stake, the structural complexity of many crypto business models, and the recent improvement in HMRC's data access.

The scale of potential tax is material. Even in a compressed market, businesses involved in exchange operations, custody, lending, or yield products may generate substantial income that has historically been difficult for HMRC to verify independently. Transfer pricing between offshore and UK entities adds a further layer of complexity, and offshore holding structures that were structured in 2018 to 2021 are now coming under scrutiny as HMRC's sectoral knowledge has improved.

CARF is the most significant development in HMRC's information capabilities. From 2026, regulated crypto service providers in participating jurisdictions will be required to report transaction data for customers who are tax resident in other participating jurisdictions. The UK has committed to implementing CARF, and HMRC will receive data covering transaction types including exchanges, transfers, and specified payments. This data will be compared against tax returns, and discrepancies will trigger compliance checks.

CARF Data Sharing
2026Automatic exchange of crypto transaction data begins across OECD participating jurisdictions
Third-Party Notices
ActiveHMRC issuing information notices to exchanges and custodians to obtain customer data
Industry Risk Profiling
HMRCCrypto identified as a high-risk sector for compliance work in HMRC's published strategy
Finance Act 2024
UK CARFLegislative basis for UK CARF implementation confirmed in FA 2024

Types of HMRC Enquiry

It is important to distinguish between the types of HMRC enquiry, as the appropriate response strategy varies significantly depending on the type.

Aspect Enquiry

The most common type of compliance check for crypto businesses is the aspect enquiry, which focuses on one specific area of a tax return rather than the whole return. A typical aspect enquiry into a crypto business might focus on the treatment of a specific token issuance event, the tax treatment of staking rewards, the deductibility of technology development costs, or the basis for a related party transaction pricing.

Aspect enquiries are opened under Schedule 1A TMA 1970 and must be opened within 12 months of the filing date for an in-time return (or longer for late returns or cases involving fraud or negligence). The aspect enquiry notice specifies the precise area under review, and the taxpayer's obligation to provide information is limited to that area.

Full Statutory Enquiry

A full enquiry under Schedule 1A TMA 1970 (or Section 9A for self-assessment returns) covers the entire return, not just a specific aspect. Full enquiries are less common than aspect enquiries but are more resource-intensive to manage. They are typically triggered by significant discrepancies between reported figures and HMRC's information, or by risk flags that suggest systemic issues with the return rather than a single point of uncertainty.

Code of Practice 9 (COP9) Investigation

COP9 is HMRC's investigation procedure for cases where HMRC suspects serious tax fraud. It is rare but serious. Under COP9, the taxpayer is given the opportunity to make a full and complete disclosure under a contractual disclosure facility (CDF) in exchange for a commitment from HMRC not to pursue criminal prosecution. Refusal to engage with the CDF does not prevent HMRC from pursuing criminal prosecution. COP9 investigations require specialist tax investigation advisers and are not appropriate to manage with a general tax adviser.

Important: If your business receives a COP9 notification, do not respond without specialist tax investigation counsel. The obligations and risks at COP9 stage are materially different from a routine compliance check, and the decisions made in the first response can have significant consequences for the outcome.

What Typically Triggers an Enquiry into a Crypto Business

HMRC does not publicise its risk profiling criteria, but based on published guidance, tribunal decisions, and the pattern of compliance checks we have seen in practice, the following factors appear to increase the probability of an enquiry into a crypto business:

  • Inconsistencies between tax returns and known income: Where HMRC's third-party data from exchanges or payment processors shows significant transaction activity that is not reflected in the tax return, this creates an obvious discrepancy that requires explanation.
  • Industry risk profiling: Businesses in sectors that HMRC has identified as high-risk (which explicitly includes crypto) are subject to higher rates of compliance activity regardless of whether there is a specific discrepancy.
  • Related party transactions with offshore entities: Where a UK crypto business has related party transactions with offshore group entities (whether Cayman, BVI, or other jurisdictions commonly used in crypto structures), HMRC will scrutinise whether the transfer pricing is at arm's length and whether the offshore structure has any genuine economic substance.
  • Token issuance events: ICOs, IEOs, and private token sales are areas of significant uncertainty in HMRC's Cryptoassets Manual, and the tax treatment of the proceeds has been litigated. Where a business has received substantial token sale proceeds and has not clearly documented the basis for their tax treatment, this is a common trigger.
  • Large, unexplained movements on the balance sheet: Where statutory accounts show large movements in cryptoasset holdings, liabilities, or equity that are not clearly explained in the notes or the tax computation, this creates an obvious basis for an aspect enquiry.

How to Prepare Proactively

The most effective response to an HMRC enquiry is one that begins before the enquiry is opened. Businesses that maintain contemporaneous records and documented tax positions are substantially better placed to respond promptly and comprehensively, which limits both the cost of the enquiry and HMRC's ability to escalate it.

Record-keeping requirements for crypto businesses

  • Transaction logs for all cryptoasset activity: date, type, counterparty or wallet address, quantity, sterling value at transaction date
  • Wallet addresses and the mapping between wallet addresses and entities or individuals in the group
  • Exchange statements for all exchanges used, going back to the earliest open tax year (typically six years; 20 years if HMRC suspects fraud)
  • Records of all transfers between wallets, including intra-group transfers, with documentation of why each transfer was not a disposal for tax purposes (if that is the position taken)
  • Contemporaneous valuations for any cryptoasset transactions where there is no active market price at the transaction date

Tax policy documentation

A documented tax policy is one of the most effective tools for managing HMRC enquiry risk. The policy should cover: the basis for classifying token issuance proceeds (deferred revenue, financial liability, or equity); the treatment of staking and yield income; the basis for intercompany transfer pricing; the basis for any R&D claims; and the treatment of cryptoasset disposals for corporation tax purposes. The policy should be board-approved and reviewed annually.

Transfer pricing documentation for offshore structures

Where a UK crypto business has related party transactions with non-UK entities above the threshold for transfer pricing documentation (broadly, where the UK entity is not a small company), contemporaneous transfer pricing documentation is a legal requirement. This documentation must demonstrate that each related party transaction is priced on arm's length terms. In practice, this means an analysis of the functions, assets, and risks of each entity and a benchmarking analysis supporting the pricing. Many crypto businesses that structured offshore entities in 2019 to 2021 have not prepared adequate transfer pricing documentation for subsequent years.

"The businesses that manage HMRC enquiries most effectively are not those with the cleanest tax positions. They are those with the best contemporaneous documentation: transaction records, tax policy papers, and transfer pricing files that make HMRC's information requests straightforward to answer."

Timeline of a Typical HMRC Compliance Check

Month 0
Enquiry Notice Received
HMRC opens the enquiry by written notice specifying the tax year and scope (aspect or full). Deadline to respond is usually 30 to 60 days. Do not ignore: failure to respond is a separate offence.
Month 1–2
Initial Information Request
HMRC issues an information notice (Schedule 36 TMA 1970) requesting specific documents and information. The scope of the request is limited to what is reasonably required. You have the right to appeal an information notice that is unduly wide or irrelevant to the stated scope.
Month 2–4
Response and Follow-Up Requests
You provide the requested information. HMRC reviews and typically issues follow-up requests on specific points. Meetings may be requested. All correspondence should go through your tax adviser, not directly from the company.
Month 4–12
Technical Discussion and Negotiation
HMRC sets out its technical position on any disputed items. Your adviser responds with counter-arguments. Many enquiries are resolved at this stage through agreement on the technical position and an amendment to the return.
Month 12+
Closure or Escalation
The enquiry closes with either a no-change letter, an agreed amendment to the return, or (in more serious cases) a jeopardy assessment or referral to HMRC's fraud investigation service. If the technical dispute cannot be resolved, the case can proceed to the First-tier Tax Tribunal.

How to Respond to a Compliance Check

The principles for managing an active HMRC compliance check are well-established and consistent across business types. For crypto businesses, there are a small number of specific considerations that elevate these principles in importance.

  1. Respond within the deadline. Late responses to information notices can trigger penalties and, more importantly, signal to HMRC that the business is not cooperating. Agree extensions in writing where more time is needed, but never simply miss a deadline.
  2. Provide only what is requested. The obligation under Schedule 36 TMA 1970 is to provide documents and information that HMRC is entitled to request. It is not an obligation to volunteer information that has not been requested. Over-disclosure can inadvertently open new areas of enquiry. Your adviser should review everything before it is provided.
  3. Engage specialist tax advisers. A crypto business under HMRC enquiry should be represented by advisers with specific experience of crypto tax issues. The HMRC Cryptoassets Manual, the technical treatment of various token types, and the intersection with transfer pricing all require specialist knowledge that a general tax adviser may not have.
  4. Manage the timing of information disclosure strategically. Within the legal obligation to respond to information notices, there is legitimate scope to manage the sequence and timing of disclosure. Your adviser can help ensure that information is presented in the most coherent and favourable sequence, and that context is provided where individual documents might otherwise be misinterpreted.
  5. Keep the enquiry narrow. The scope of an aspect enquiry is defined by the notice. If HMRC attempts to broaden the scope informally (through information requests that go beyond the stated scope), you have the right to challenge this. Keeping the enquiry within its defined scope limits both the cost and the risk of the process.
Practical note on CARF preparation: If your business has not yet conducted a systematic review of your cryptoasset transaction records against your historical tax returns, now is the time. CARF data sharing in 2026 will give HMRC transaction-level data that it can match against filed returns. Any discrepancies identified by HMRC will attract a higher penalty than a voluntary disclosure made before the discrepancy is identified.
Enquiry Type
Scope and Trigger
Typical Duration
Aspect Enquiry
One specific area of the return; most common; triggered by risk profiling or data discrepancy
6–18 months
Full Enquiry
Entire return; less common; triggered by systemic discrepancies or high-risk profile
12–36 months
COP9 Investigation
Suspected serious fraud; rare; requires specialist fraud investigation advisers
2–5+ years

Key Takeaways

  • HMRC's compliance activity directed at crypto businesses has increased materially through 2024 and 2025, driven by third-party data collection, industry risk profiling, and the forthcoming CARF data sharing regime.
  • The three types of enquiry are the aspect enquiry (most common), the full statutory enquiry, and the COP9 fraud investigation (rare but serious). Each requires a different response strategy.
  • Common triggers include discrepancies between exchange data and tax returns, related party transactions with offshore entities, token issuance events with unclear tax treatment, and unexplained balance sheet movements.
  • Proactive preparation means maintaining contemporaneous transaction records, documenting tax policy positions, and preparing transfer pricing files for offshore structures before an enquiry is opened.
  • In an active enquiry, respond within deadlines, provide only what is requested, engage specialist advisers, and manage the scope carefully.
  • CARF data sharing from 2026 means any discrepancies between transaction data and filed returns will become visible to HMRC. Voluntary disclosure before identification attracts lower penalties than a discrepancy found by HMRC.
  • COP9 notifications require specialist fraud investigation counsel immediately. Do not respond without it.

Work Together

Is your crypto business
HMRC-ready?

From transaction record reviews to transfer pricing documentation and tax policy papers, preparation now significantly reduces the cost and risk of any future enquiry.

Book a Free Discovery Call →