New U.K. rules could mean more data from crypto users, just as a recent leak shows how risky that can be.
Just as a major crypto platform admitted contractors leaked user info, the United Kingdom unveiled strict new rules requiring firms to collect and report detailed personal data on every crypto transaction.
Starting Jan. 1, 2026, crypto firms operating in the U.K. will be expected to keep tabs on just about everything — every customer, every transaction, every movement of crypto. It’s part of the U.K.’s effort to bring transparency — and accountability — to a space long accused of being a bit too shadowy for its own good.
HM Revenue and Customs dropped the news in a May 14 statement, saying crypto firms will need to collect the full name, home address, date of birth, and tax identification numbers of all individual users. Entities like companies, partnerships, and charities are also in the spotlight, with requirements for legal business names, addresses, and company registration numbers.
That includes every transaction, even those just moving crypto between wallets. The rules follow international standards but go further by applying them within the U.K., not just across borders. Firms will be expected to submit reports annually, and those that fall short could face fines of up to £300 (around $398) per user.
Protecting consumers
Authorities say the move is about protecting consumers and creating a more robust regulatory environment. But it’s also clearly aimed at closing tax loopholes and keeping pace with broader global standards, including the European MiCA regulation. As HMRC put it, firms should start preparing now — not in 2026 — to avoid a last-minute scramble.
Mark Aruliah, head of EMEA policy at blockchain analytics firm Elliptic, said in a commentary for crypto.news that the move is an “expected next step” for an industry maturing toward parity with traditional finance.
“Reporting of personal transaction data has historically been a challenge for the industry and for consumers. This clarity on legal obligations to reporting will help and also the growth of new reporting services.”
Mark Aruliah
While Aruliah acknowledged the potential burden on smaller startups, he said the push toward transparency was not only necessary but overdue.
“Any regulation is generally regarded as an additional cost burden to the industry but that has to be balanced against the benefits that it provides. Therefore, it may be that smaller firms are impacted disproportionately based purely on costs (i.e. due to their size and profits), but nevertheless, these obligations are an expected next step and simply look to match the general reporting obligations in the tradfi space.”
Mark Aruliah
But for many critics, the bigger question is not about collecting data. It’s about keeping it safe.
Great responsibility
That concern came into sharp focus as cryptocurrency exchange Coinbase recently confirmed a breach involving customer data. According to the U.S.-based crypto exchange, contractors working for Coinbase overseas were bribed by attackers who gained access to sensitive customer information.
That included names, emails, phone numbers, addresses, and in some cases, partial Social Security numbers. Some users have even reported that ID documents like passports and driver’s licenses were exposed.
Coinbase said the breach affected less than 1% of its user base, though with nearly 9 million monthly active users, even that sliver represents a significant population. Worse still, it’s exactly the kind of personal data the U.K. now wants firms to collect and verify — and the breach raises urgent questions about whether crypto companies are equipped to handle such responsibility.
While Coinbase claims its internal systems caught the breach quickly, blockchain investigator ZachXBT has said signs of trouble were visible much earlier. Back in February, he flagged a string of scams tied to Coinbase’s infrastructure, including one victim who lost $850,000 after being duped by a fake Coinbase support agent.
If the U.K.’s CARF-aligned rules were already in force, the firm could be staring down millions in fines, not to mention reputational damage that’s harder to quantify. Still, the juxtaposition is hard to ignore: the U.K. is telling crypto firms to hoard personal data, just as one of the world’s largest exchanges admits it failed to keep such data safe.
