Crypto depository service in Germany: BaFin provides information on money laundering obligations

BaFin has published "Guidelines on anti-money laundering for crypto custody business".

Regulation of crypto depository service

Since the implementation of the fifth Anti-Money Laundering Directive (Directive (EU) 2018/843) on 1 January 2020, , the safekeeping, administration and protection of tokens and coins that fall under the definition of crypto assets (Kryptowerte) is subject to the obligation to obtain a licence as crypto depository service. Crypto depositories are therefore financial institutions and are subject to the provisions of money laundering law. The Federal Financial Supervisory Authority (BaFin) has now provided information on selected topics of particular importance for crypto depositaries.

Obligation of crypto depositaries

As financial services institutions, crypto depositories are also obligated under the German Anti-Money Laundering Act (Geldwäschegesetz – GwG/AMLA). As a matter of principle, crypto depository services may only be provided once license has been granted. Once the licence has been granted, the company is then an obligated party under the AMLA.

However, the German Banking Act (Kreditwesengesetz – KWG) provides for a transitional period (so-called grandfathering) for companies that have already provided the crypto depository services before 1 January 2020. Under Section 64y KWG, these companies had to notify BaFin in writing of their intention to apply for a licence by 31 March 2020. In order to be allowed to continue operating, these companies must now submit an application for a license by 30 November 2020. However, the German Banking Act contains a fictional permit for the transitional period, which makes these companies already obligated under the AMLA since 1 January 2020. The obligations under money laundering law must therefore have been fulfilled since the beginning of the year. Failure to do so may lead to unreliability and thus to the refusal of a permit.

Selected topics

In its guidance letter, BaFin now presents three selected topics in the fight against money laundering: risk management, customer due diligence and suspicious activity reports.

Risk management

It is essential for each obliged entity to have an effective risk management system that is based on the risk-based approach. This also includes a risk analysis in which the crypto depository determines and evaluates the money laundering risks for his business. The risk groups are divided into customer risk, product, service, transaction or distribution channel risk and geographical risk. The German Anti-Money Laundering Act provides risk factors for this:

For example, there are factors that indicate a potentially lower risk. These include, for example, if the customer is listed on the stock exchange or has its (residential) seat in an EU member state. However, there are also factors that indicate a potentially higher risk. These include if the business relationship involves exceptional circumstances or if the customer lives in a high-risk country. In its guidance letter, BaFin emphasises in particular that crypto assets can be products that favour anonymity and are therefore subject to a higher risk.

The risk analysis must be documented and regularly updated.

Crypto depositories must also appoint an anti-money laundering officer who carries out his activities in Germany. Normally, no person should be appointed who belongs to the management level. An exception is made if the crypto depository has fewer than 15 employees (calculated on the basis of full-time positions). The appointment (and, if necessary, subsequent dismissal) of the anti-money laundering officer must be reported to BaFin.

The crypto depository may outsource the internal security measures. He must report this to the BaFin.

The regulations and documentation on risk management must be submitted in the application for permission to BaFin.

Customer due diligence obligations

BaFin also provides information on customer due diligence obligations. Like all obligated entities, the crypto depositories must carry out the general duties of care. This includes in particular that he must identify his contractual partners.

Video identification is particularly useful in online business. BaFin has published a separate circular on this subject.

Suspicious activity reports

The crypto depository must report suspicious transactions to the Financial Intelligence Unit (FIU). To do this, he must register on the reporting portal goAML Web.


For the providers of the new financial service crypto depository, many traditional regulations in financial supervision are new. This makes it all the more important to obtain competent legal advice.

Latest insights

More Insights