Blockchain and Virtual Currencies – dedicated Crypto regulation is taking shape and crypto custody services are no exception. The German regulator BaFin is establishing a regulatory framework. An overview.
Just before Christmas and right in time for the implementation of the EU’s latest instalment in its ongoing saga of AML directives, BaFin, the German financial regulator published a notice on the German Act Implementing the Amending Directive on the Fourth EU Anti-Money Laundering Directive – the law that would transpose EU into the law of the Union’s largest member state. This required changes to German Banking Act (Kreditwesengesetz – KWG) and of particular interest was the incorporation of crypto custody business as a new financial service. BaFin pointed out that as from 1 January 2020, when this legislation entered into force, companies seeking to provide such services would require authorisation from BaFin though transitional provisions would be part of it to smooth the move.
Only last week, the German regulator had published an English translation that explained to non-German speaking community that companies already conducting crypto custody business, i.e. in need of authorization should submit an informal, non-binding expressions of interest. There is also the option to provide relevant documents with legal effects, which means nothing else than triggering the authorisation process. And lastly, the German regulator referred to the quintessential article 64y KWG that defines the scope and legal consequences of crypto custody business, albeit in German though.
Work in progress
Similar to other jurisdictions, crypto regulation in Germany is very much work in progress, but BaFin seems to be fully aware of the ongoing confusion in the industry. To provide clarity, it has published on Monday a circular that specifies the new legal requirements and provides information on the interpretation of the rules specific to conducting crypto custody business in Germany. It is structured into three parts:
1) The regulatory scope of crypto custody;
2) How crypto custody differs from other regulated activities under German law; and
3) the licensing requirements of crypto custody activities.
The regulatory scope of crypto custody
Section 1 (1a) sentence 2 No. 6 of the German Banking Act (Kreditwesengesetz – KWG) defines the
Crypto custody business is defined in the German Banking Act as the safekeeping, management and security of crypto values or private cryptographic keys for the purpose of holding, storing and transferring of crypto values. Since this had not been covered under existing regulations, the implementation law created a broad definition of crypto value introducing it as a new financial instrument together with crypto custody business as a new financial service under German law.
In order to fall within the scope of crypto custody business is limited by the following three requirements:
1) It needs to concern crypto values or private cryptographic keys that are used to hold, store or transfer crypto values;
2) These crypto values need to be held by the person in question in order to be stored, managed and secured; and lastly
3) This needs to be done for others rather than just for yourself.
What sounds fairly straightforward, is, of course, anything but simple. To begin with, the definition of crypto value itself is done through a list of eight potential aspects. Naturally, it hasn’t escaped the German legislator that the crypto industry itself is subject to constant change and for that reason has sought to create a catch-all to cover as many as possible of the potential use cases of virtual currencies, especially since the latter only represent a subset of the digital value units available on the market. FinTech seemingly is a constant race to catch up with innovation and the German financial watchdog knows it. This is expressed in the possibility to cover crypto values under another category of the financial instrument concept due to their specific design in individual cases.
The reference to conduct such activies “for others” under the other hand is easily explained as it covers every form of safekeeping, administration or storage for every person or majority of people other than their own company including the issuer of the crypto token itself.
This activity naturally requires an element of commercial interest as the mere administration of your parents’ cryptocurrencies (or any other member of your closer family) is excluded.
Store, manage and secure
And lastly, it has to be done to store, manage or secure crypto values. The emphasis here is on the “or” as any of the three would get you into trouble without the necessary authorisation. The BaFin circular defines to store as taking the crypto values into care as a service for third parties. This primarily includes service providers who keep their customers’ crypto values in a collective inventory without the customers themselves being aware of the cryptographic keys used.
Managing on the other hand and in the broadest sense, would be the ongoing exercise of rights deriving from the crypto value itself.
And to secure means both the digital storage of the private cryptographic keys of third parties, as well as the storage of physical data carriers like an USB or on a sheet of paper, where the keys are stored. This is opposed to simply providing storage space like web hosting or cloud storage providers, as long as it isn’t part a service that aims at crypto custody in general or the storage of private cryptographic keys in particular. Nor does the mere production or sale of hardware or software to secure the crypto values crypto keys fall under this requirement as long as, again, it isn’t part of the service.
The decisive factor therefore is the possibility to access public addresses under which the crypto values are decentrally stored due to the custody agreement.
Crypto Custody v other regulated activities
The circular also makes references to other activities that include virtual currencies to emphasise the possibility of a regulatory overlap or distinction.
For example, if the use case is pointing to the nature of the token as a security, prospectus regulations could very well be applicable as well as alternative investment funds that could result in the application of the respective rules.
The same is true for the use as settlement instrument.
And where institutions provide crypto-value services under an existing license like financial commission, the question would still arise whether it would require a separate authorisation.
In the end, the regulator will have to decide on a case by case basis, which takes us to the third and last part of the circular:
Licensing requirements of crypto custody
If you want to conduct crypto custody activities, written permission from BaFin is required for anyone as it is true for anyone that wants to conduct banking business or provide financial services commercially in Germany. This is not the place to provide legal advice and anyone not sure whether caught by these rules, should better seek legal advice. To highlight this, is all the more important because the last part of the BaFin circular basically stresses that there are many ways, in which you could be required to seek BaFin authorisation, be in terms of geographical scope or because of the nature of your business.
And it is true because BaFin itself makes it very clear at the end of the document that eventually the circular consists only of basic information and does not claim to be exhaustive.
In the end, only a concrete assessment of the licensing requirements with regard to an individual case that consists of complete documentation as well as the specific contractual agreements of the crypto custody business will bring clarity.