Crypto custody business – unnecessary “gold plating” or greater legal security?

Since the beginning of the year, crypto custody business (Kryptoverwahrgeschäft) has "officially" joined the club of regulated financial services. For the first time, Germany’s Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – “BaFin”) has now commented on what it considers to be the decisive questions for crypto-custodians (Kryptoverwahrer) and those who want to become one. In its new guidance notice, BaFin has published information on crypto-regulation and given some indications of its administrative practice to be expected in this respect. However, it seems worth discussing whether this will result in increased legal security for all parties involved. Even after reading BaFin’s guidance notice, a question remains open: BaFin licence, yes / no / maybe?

The German legislator had until 10 January 2020 to implement the requirements resulting from the 5th Money Laundering Directive (“5th MLD”), according to which providers of electronic wallets for storing virtual currencies such as Bitcoins, had to become subject to German anti-money laundering law (we reported here and here).

In the spirit of the “blockchain strategy” presented in mid-September 2019 (we reported here – German only), the German legislator took the implementation as an opportunity to push ahead with the “crypto-regulation” of Germany as an important market. The result is a German special path which – so far unique in Europe – entails regulatory specifications not only for the FinTech sector.

Regulation “made in Germany”

By including the so-called crypto custody business as a new financial service within the meaning of the German Banking Act (Kreditwesengesetz – “KWG“), the respective service providers (so-called “Crypto Custodians“) have been subject to anti-money laundering law since January 1, 2020, unless they  already classified as such already. In accordance with the provisions of the Anti-Money Laundering Act (Geldwäschegesetz – “GwG“), all companies which provide financial services within the meaning of the KWG (with a few exceptions) are subject to anti-money laundering provisions – and thus, since 1 January 2020, also Crypto-Custodians.

This applies regardless of whether the respective Crypto-Custodian already holds a licence – now required due to the classification of crypto custody business as a financial service. In view of the large number of Crypto-Custodians already operating, the legislator has granted them a “grace period” to apply for such licence. The introduction of a transitional provision will enable these Crypto-Custodians to continue their business until 30 November 2020 without having submitted a corresponding application for a licence to BaFin.

If a Crypto-Custodian has not submitted a complete licence application by the end of the grace period, BaFin will prohibit this Crypto-Custodian from continuing its business. If the Crypto-Custodian nevertheless continues its business (without applying for a licence in time), this can be punished with a prison sentence of up to five years.

With this regulation, the German legislator went a few (regulatory) steps further than required at the European level (for details on the German “gold plating” click here – German only).

Crypto custody business

Crypto custody business within the meaning of section 1 para. 1a sentence 2 no. 6 KWG is the custody, administration and security of cryptographic values or private cryptographic keys for others, which serve to hold, store and transfer cryptographic values, shall represent so-called crypto custody business.

For Crypto-Custodians, whereby the legal form of the Crypto-Custodian (natural person, partnership, legal entity) is not important in the opinion of BaFin, this new regulation is associated with considerable organisational and behavioural obligations. For this reason, the BaFin, as the competent supervisory authority, has now addressed the Crypto Custody Business for the first time with its guidance notice” “Information on the facts of the crypto-custody business” of 2 March 2020 (“Guidance Notice“).

1. Cryptographic values

The (collective) term crypto value (Kryptowert – section 1 para. 11 sentence 4 KWG) refers to

  • digital representations of a value which
  • has not been issued or guaranteed by any central bank or public authority and
  • does not have the legal status of a currency or fiat-money, but
  • is accepted by natural or legal persons:
    • as a means of exchange or payment,
    • by virtue of an agreement or actual practice, or
    • to serve investment purposes; and
  • can be transferred, stored and traded electronically.

Explicitly not considered as crypto values according to section 1 para. 11 sentence 5 KWG is:

  • money within the meaning of section 1 para. 2 sentence 3 of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – “ZAG”) or
  • a monetary value that
    • fulfils the requirements of section 2 para. 1 no. 10 ZAG (payment systems in limited networks or with a limited product range and instruments for social or fiscal purposes); or
    • is only used for payment transactions pursuant to section 2 para. 1 no. 11 ZAG (payment transactions in electronic communications networks/services).

The German legislator has defined crypto values as a new type of financial instrument, as opposed to traditional financial instruments such as shares, debt instruments and derivatives.

In this context, BaFin lays particular emphasis on the fact that the new financial instrument should be a “catch-all provision”. Accordingly, the provision should only apply if the requirements for any traditional financial instruments are not met (subsidiarity of the crypto-custody business).

However, BaFin does not provide a more detailed explanation of the individual elements of a crypto value in its Guidance Notice. Instead, BaFin lists a number of negative examples, including: purely electronic vouchers which are not tradable and which, due to their structure, do not reflect investor-like expectations regarding the performance of the voucher or the general corporate performance of the issuer or a third party in terms of value or accounting.

BaFin outlines the following decisive exclusion criteria:

  • lack of tradability; or
  • lack of suitability or determination as a general means of exchange and payment or no creation of an expectation of any kind of performance (investor-like expectations).

Some of the so-called “Utility Tokens” (tokens comparable to digital vouchers, which normally only refer to certain goods or services – for example, use of a cloud storage service) are, therefore, as a rule, not likely to meet the definition of crypto values.

By implication, however, the term crypto value within the meaning of section 1 para. 11 sentence 5 KWG may include in particular those digital units that

  • are tradable,
  • are suitable as a general means of exchange and/or payment or are intended for this purpose (“Currency Tokens“) or
  • embody an investor-like expectation (“Security Tokens” and, partly, Utility Tokens).

Mixed forms of currency, security and/or utility tokens (so-called “hybrid tokens”), on the other hand, should – subject to other predominant financial instruments – represent crypto values (detailed explanations of the various terms are here).

However, both Currency Tokens and Security Tokens, depending on their specific structure, already fell under certain categories of financial instruments pursuant to Section 1 (11) sentence 1 KWG before the implementation of the 5th MLDin German (regulatory) law.

For example, the BaFin – still- assumes that Bitcoins constitute units of account (Rechnungseinheit) within the meaning of section 1 para. 11 p. 1 no. 7 KWG (more on this controversial view here).

Security Tokens may qualify as securities (such as shares or debt securities), investments or investment funds within the meaning of section 1 para. 11 sentence 1 no. 2, 3 and 5 KWG. Provided that they are transferable, tradable and have rights similar to securities, Security Tokens are probably primarily securities (more details here).

In this respect, introducing crypto custody business with regard to Currency and Security Tokens meeting the definition of another financial instrument or the definition of e-money not ultimately leads to any change in the legal classification. A large number of tokens therefore likely still constitute traditional financial instruments. The crypto custody business can only be considered as a “catch-all provision” if all other traditional financial instruments can be ruled out.

2. Cryptographic keys

However, including so-called private cryptographic keys (“Private Keys“) in the scope of the crypto custody business is likely to be of greater practical relevance. Its counterpart is the so-called public cryptographic key (“Public Key“). Both are usually presented in longer series of numbers and letters, but differ fundamentally in their function.

The Public Key is comparable to an IBAN, as it must be publicly known. The Private Key in turn is similar to a giro card with a so-called personal identification number (PIN). Where the Public Key allows the assignment of crypto values, the Private Key enables their transmission. Just like the PIN, the Private Key is therefore only known to the person making the transfer, because otherwise unauthorized persons may also have access to the associated crypto values.

Therefore, if Private Keys are kept for token holders, this constitutes crypto custody business. The reason why Private Keys are also recorded is that they are of decisive importance for the transmission of crypto values – and are therefore often the object of hacker attacks, which is to be counteracted by regulating the “key custodians”, among other things.

3. “for others”

According to BaFin, crypto custody business is carried out “for others” if the custody, administration or storage is provided as a service for a person or a majority of persons (“Third Parties“) rather than for the respective service provider itself, unless the activity is performed by open representation (offene Stellvertretung). The activity as a Crypto-Custodian must therefore be carried out “externally”, i.e. offered as a service to customers. It remains unclear, however, what BaFin means by the exception for “open representation” (offene Stellvertretung).

In principle, a Third Party may also be an issuer of crypto values, for example if it entrusts the safeguarding of the Currency Tokens it has created to a service provider with appropriate IT security before the Currency Tokens are issued to users.

However, the free-of-charge administration of crypto values for the “closest family” is generally not covered. In this case, just like the custody, administration or safeguarding of crypto values by the owner himself or his employees, the activity is not carried out “for others”.

4. Custody, administration and safeguarding

According to BaFin, custody means entering into possession of the crypto values as a service for Third Parties. This covers in particular the providers of software and hardware wallets, which are intended to protect crypto values / Private Keys from unauthorised access. Developers / producers of hardware and software are not covered, however, as the reference to the custody of crypto values / Private Keys is too abstract or not existent.

Administration refers to the ongoing exercise of the rights from a crypto value; in case of Security Tokens, for example, the receipt of a profit share. This can also include so-called Staking Infrastructure Providers (SIP), who “borrow” tokens from their owners in order to verify new blocks, and as a “reward” receive tokens that they share with the owners. The exercise of voting rights associated with the crypto value is likely to also  constitute administration.

Safeguarding means both the digital storage of the Private Keys of Third Parties and the storage of physical data carriers (for example, a USB stick or a piece of paper) on which such keys are stored. According to BaFin, however, this does not include the mere provision of (cloud) storage space, as long as these providers do not offer their services expressly for the storage of the Private Keys.

Although the wording suggests otherwise, there is already licensing obligation in case only one of the three variants is provided.


The Guidance Notice confirms what was to expected in view of the renewed “gold plating” by the German legislator: the attempt to regulate “blockchain business models” in as comprehensive a manner as possible, regardless of their actual form. The result is a blanket regulation with a broad scope of provisions, but with probably a narrow scope.

Thus, the EU-wide unique regulation – due to its subsidiarity emphasized by BaFin – is likely to be largely ineffective, at least with regard to the custody of crypto values in the form of Currency or Security Tokens. The effects of the regulation of the crypto custody business, on the other hand, will probably affect in particular those companies which hold in custody cryptographic keys or which exercise rights associated with a crypto value. So far, they seem to be one of the few affected by the new “crypto-regulation”.

It remains to be seen what further indications will be given – this will become apparent when the first licences have been granted and the further shaping of the new “crypto-regulation” takes place in practice.