After the German Federal Financial Supervisory Authority ("BaFin") had commented on the requirements of the new financial service "made in Germany" - the crypto custody business - (we reported on this in detail in the first part of our series of articles on crypto custody business), it has now followed up. The guidance notice "Notes on the application for a licence for crypto-custody business" ("Guidance Notice") published on 1 April 2020 is a brief Need-to-Know for all those wishing to apply for a licence to provide the crypto custody business, which was recently designated a financial service. Is BaFin overshooting the mark by setting too strict requirements? Answer: Yes and No.
Summary of essentials
Due to the introduction of the crypto custody business as a financial service within the meaning of the German Banking Act (Kreditwesengesetz, “KWG”), the respective service providers (“Crypto Custodians”) are now obliged to apply for a licence from BaFin in accordance with section 32 para 1 KWG (more details in the first part of our series of articles on crypto custody business). Crypto Custodians who fail to comply not only face a prison sentence of up to five years (section 54 KWG), but may also become subject to far-reaching administrative measures by BaFin, as well as consequences under competition and civil law (such as obligations to pay damages).
A transitional provision (more details on the transitional provision pursuant to section 64y KWG here (German only)) enables companies that were already active as Crypto Custodians before 1 January 2020 to continue their business without permission until 30 November 2020.
In order to structure the licensing procedure as quickly and smoothly as possible, applicants should examine the licensing requirements, which have now been formalised in the Guidance Notice as a “small ABC” for Crypto Custodians, at an early stage:
The “Need-to-Know” for Crypto Custodians
General information on licensing procedure
The licensing procedure largely follows the pattern of the already established licensing procedures for other regulated financial services. Thus, the relevant regulations – in particular the notification regulation – are to be applied. Here, BaFin refers to the guidance notice of the German Federal Bank (Deutsche Bundesbank).
Applicants must prove that they have sufficient initial capital of at least EUR 125,000.
This appears to be quite high, at least in comparison to the initial capital requirements of only EUR 50,000, which, for example, apply to financial portfolio managers or other financial service providers who do not have possession or ownership of client funds. This is particularly the case given the fact that BaFin interprets the definition of crypto custody business very broadly, meaning that – in BaFin’s view – the mere ongoing exercising of rights embodied in crypto values (in other words, administration) is covered by the regulation without crypto values or their corresponding private keys being transferred and kept in custody.
It is at least questionable whether an initial capital requirement of at least EUR 125,000 is justified for such business models, which are covered by the broad interpretation of the facts and whose risk assessment – also from the customer’s point of view – is likely to be rather low in some cases (such as the business model of a staking infrastructure provider).
Required number of managing directors
BaFin does not deviate from its usual administrative practice with regard to the required number of directors.
For applicants that will only be providing crypto custody services – and no other financial services – one managing director (in the regulatory, not corporate sense) is generally sufficient.
This is not the case if the applicant wishes to provide further types of financial services at the same time (for example, if other types of financial instruments, such as units of account, are to be held in custody or traded in addition to the custody of crypto values) or if, due to the size of the company and the scope of its business activities, a proper business organisation with only one managing director cannot be guaranteed. In these cases, at least two directors must be appointed.
Temporary permission regime
With regard to Crypto Custodians who benefit from the temporary permission regime pursuant to section 64y KWG, BaFin points out that they must comply with the legal requirements without delay. Without delay means: implementation by the end of the transitional period at the latest. Among the legal requirements to be implemented (which already have priority) is the prevention of money laundering (further information regarding obligations of Crypto Custodians under the German Anti-Money Laundering Act (Geldwäschegesetz, “GwG”) will soon be available in the third part of this insight series).
If a company is not able to implement the regulatory requirements within this period, a licence should ordinarily be denied. An exception to this principle may only be made if the reasons for the delay were explained in a comprehensible manner and a timetable for rapid implementation was submitted. Companies are also encouraged to independently analyse which (technical) risks they identify during the ongoing implementation and how they will address them.
One of the most important prerequisites is the professional suitability of the applicant’s designated managing directors.
First, applicants should consider the general requirements (see this guidance notice (last updated in mid 2019) on directors pursuant to the KWG, the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz) and the German Capital Investment Code (Kapitalanlagegesetzbuch) (German only)).
In examining the professional suitability of a managing director, the theoretical and practical knowledge of the relevant businesses and management experience is, as always, decisive. However, BaFin is making concessions here due to the new and technical background:
For example, BaFin considers that the technical expertise of a managing director must play a special role in case of crypto custody business and that technical expertise, such as relevant studies and extensive practical experience with IT security issues, should therefore be comprehensively recognised as professional competence “in the relevant business”.
Moreover, BaFin will consider certain activities at a senior level for companies subject to the temporary permission regime of section 64y KWG, as practical knowledge of the crypto custody business.
However, it is expected that managing directors who do not have the required knowledge will use the time during the transitional period to obtain that knowledge. This also requires the company to have sufficient personnel and organisational resources to temporarily compensate for the (still) low level of knowledge of the managing director.
The fee for the issuance of a licence to provide crypto custody business is EUR 10,750 and is due upon issuance of the licence.
Fees will also be payable if the application is refused or the licence withdrawn.
A business plan must be filed along with the application – as with other applications – containing in particular the following information:
BaFin has emphasised the requirement of an adequate IT security. In addition to the consideration and implementation of the minimum requirements for risk management (“MaRisk”) and the banking supervisory requirements for IT (“BAIT”), information is expected in particular on the design of the IT systems and the IT processes implemented.
The focus should be on the explanation of the implemented IT processes for securing cryptographic keys. Also expected are a presentation of the security strategy, the handling of security incidents and a risk assessment of the company as well as a presentation of the existing technical and organizational procedures in handling cryptographic keys.
The technical storage of the crypto values in practice should also be explained – for example, which form of storage (such as “hot wallet” or “cold wallet” – storage on separate storage media such as USB sticks or hard drive disks not connected to the Internet) the crypto custodian will use and whether / how crypto values are stored for individual customers in separate or bundled wallets.
The security measures specifically required by BaFin are, therefore, aimed primarily at those business models which have as their object the safekeeping and protection of cryptographic keys (and not necessarily the administration). A detailed overview of the information and documents to be submitted to prove adequate IT security can be found here.
Since 1 January 2020, Crypto Custodians – irrespective of whether they fall within the scope of the temporary permission regime of section 64y KWG or not – are subject to the GwG (further information to be provided here shortly).
The licence applicant must therefore notify BaFin of the appointment of an anti-money laundering officer and their deputy in addition to the presentation of effective risk management.
More detailed information on the anti-money laundering obligations of Crypto Custodians is not yet available.
Finally, the licence applicant must prove the reliability of its managing directors and individuals with significant holdings (persons who either hold 10% of the capital/voting rights or can exercise significant influence over the applicant).
Generally, the standards for determining the reliability as well as for the professional suitability of managing directors apply accordingly with regard to Crypto Custodians. Anyone that cannot be guaranteed to carry out their business activities properly will be considered unreliable. The following factors are taken into account: the existence of a criminal record (especially with regard to property offences such as fraud or embezzlement), possible tax offences, but also the existence of “deficiencies” for which the managing director is not responsible.
Managing directors must also avoid conflicts of interest and spend sufficient time on the task.
With the Guidance Notice, BaFin provides Crypto Custodians (to be) with a helpful orientation. The licensing requirements, which are strict overall, may nevertheless be regarded as appropriate with regard to business models involving the securing and safekeeping of cryptographic keys. However, individual requirements – such as the minimum initial capital – appear to be disproportionately high, particularly under the broad definition of the crypto custody business. It remains to be seen whether BaFin will counteract this imbalance by fine-tuning its administrative practice.