On 1 January 2020, the crypto depository service was introduced as a new financial service under the German Banking Act (Kreditwesengesetz – KWG). The legislation, demanded by European prescriptions, changes Germany’s approach to tokenization including licensing requirements and passporting.
The German legislator had to implement the requirements of the amending directive to the Fourth EU Money Laundering Directive (the so-called Fifth EU Money Laundering Directive - AMLD5). The new law, however, takes a special path and goes far beyond the directive’s prescriptions. The AMLD5 only requires the registration of providers of electronic wallets as obliged entities according to section 2 paragraph 1 to the German Anti-Money Laundering Act (Geldwäschegesetz - GwG). The classification of the crypto depository services (Kryptoverwahrgeschäft) as a financial service leads indeed to the fact that providers of crypto depository services are covered as obliged entities according to section 2 paragraph 1 no. 2 of the German Anti-Money Laundering Act. In addition, it triggers an obligation to obtain a licence under section 32 paragraph 1 sentence 1 of the German Banking Act. Companies that provide crypto depository services are now subject to supervision of the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht - BaFin) and must apply for a license.
The new law sets a transitional period for companies already providing crypto depository services until the end of November 2020. To benefit from this transitional period, BaFin must receive a notification by the end of March 2020 at the latest.
The new term 'crypto depository service' is introduced into the law and legally defined in section 1 paragraph 1 sentence 2 no. 6 of the German Banking Act as follows:
"the safekeeping, administration and securing of crypto assets or private cryptographic keys which are used to hold, store or transfer crypto assets, for others (crypto depository service)".
The explanatory memorandum further explains the concept of crypto depository service:
- Safekeeping of crypto assets is the core of the new financial service. This includes taking crypto assets of customers into custody, i.e. as a service for third parties. The regulation is intended to cover those service providers who store crypto assets of their customers in a collective stock without the customers knowing the related cryptographic keys.
- Administration of crypto assets, in the sense laid out in the explanatory memorandum, means the ongoing exercise of the rights implied in the crypto assets.
- Securing of crypto assets as a service is the storage of cryptographic keys. This includes service providers that offer online digital storage of private cryptographic keys as much as their storage on physical data carriers. In addition to hard drives or USB sticks, physical data carriers can include paper as soon as a key it holds or otherwise keeps a cryptographic key.
For many IT service providers (such as web hosting or cloud providers) the isolated analysis of the exact wording may result in confusion or even preventive overkill. The explanatory memorandum clarifies the scope of the definitions. The simple supply of hardware or software capable of storing crypto assets is in fact not always covered. If the customers themselves store the crypto assets or private cryptographic keys (i.e. the service providers do not have access to the stored data), the service should not be classified as a crypto depository service. The question is more complex for crypto exchanges which receive the private key for trading utility token. This probably constitutes a crypto depository service.
The amendment further introduces a new definition for crypto assets in section 1 paragraph 11 of the German Banking Act as a new financial instrument:
"digital representations of a value that is not issued or guaranteed by any central bank or a public authority, and which does not have the legal status of currency or money but is accepted by natural or legal persons due to an agreement or practice in exchange, payment or for investment purposes, and which can be transferred, stored and traded electronically".
E-Money, in the sense of section 1 paragraph 2 sentence 3 of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG), is explicitly excluded from this definition. Monetary assets which are not regulated as e-money following the exceptions of section 2 paragraph 1 no. 10 ZAG (limited networks or limited product range) and section 2 paragraph 1 no. 11 ZAG (payment transactions in electronic communications networks/services) although they meet the principle requirements for e-money, are further excluded as crypto assets.
The definition of crypto assets includes tokens which function as means of exchange or payment. So far, BaFin defines these types of crypto assets as units of account within the scope of section 1 paragraph 11 sentence 1 no. 7 of the German Banking Act. The definition of crypto assets includes tokens which function as means of exchange or payment. So far, BaFin defines these types of crypto assets as units of account within the scope of section 1 paragraph 11 sentence 1 no. 7 of the German Banking Act. The classification of crypto assets as financial instruments is designed as a complementary “catch-all provision”. All crypto assets classified as a unit of account continue to be treated as such. Tokens designed as capital investments (so-called security tokens) are also covered by the term “crypto assets”. A classification as another type of financial instrument (e.g. shares, debt instruments, investments or investment assets) is, however, possible.
The authorisation of crypto depository services (section 1 paragraph 1a sentence 2 no. 6 of the German Banking Act) is subsidiary to both the safe custody business (section 1 paragraph 1 sentence 2 no. 5 of the German Banking Act) and the limited custody business (section 1 paragraph 1a sentence 2 no. 12 of the German Banking Act). Any activity that falls within the scope of these financial services, excludes the application of the crypto depository services-rules.
The prioritisation, though not inherent to the law’s wording, is described in the explanatory memorandum. In the event crypto assets are managed or held in safe custody as securities, and this is done exclusively for alternative investment funds within the meaning of section 1 paragraph 3 of the German Capital Investment Code (Kapitalanlagegesetzbuch – KAGB), this activity constitutes a restricted custody transaction within the meaning of Section 1 paragraph 1a sentence 2 no. 12 of the German Banking Act. For crypto assets that fall under the definition of securities in the meaning of the German Safe Custody Act (Depotgesetz - DepotG), the service provider must have a licence to provide the depository services within the scope of section 1 paragraph 1 sentence 2 no. 5 of the German Banking Act. A clean classification of token into one of the categories of financial instruments remains most important. A permission to perform crypto depository services thus may not suffice for the custody of security token.
A licence to provide a financial service can be passported to apply to the European Single Market. To trigger this mechanism, the license requirement must be based on EU law. This is not the case for the permission to provide crypto depository services as Germany went beyond the directive’s requirements. A service provider who intends to offer crypto depository service outside of Germany must analyse and comply with the relevant laws of the member state. The same is true for European service providers registered in a member state and expanding their business to Germany.
As with any licence application under the German Banking Act, the licence application for the crypto depository services must be submitted in writing to BaFin by the future licence holder and must meet the requirements of BaFin and the German Central Bank (Bundesbank).
Service providers must meet the following criteria to be eligible for a crypto depository services licence:
- Sufficient initial capital: min. EUR 125,000.
The new law does not contain any regulation regarding the amount of the required initial capital. This amount thus follows the general rules in accordance with section 33 paragraph 1 sentence 1 no. 1 b) of the German Banking Act. Crypto depository service providers are financial service institutions which do not trade financial instruments on their own account, but do not fall into any other category of section 33 paragraph 1 sentence 1 no. 1 a) to h) of the German Banking Act. In practice, the initial capital must be available at any later date and only constitutes a minimum amount. Should the providers offer further financial services, the required initial capital may be higher.
- Professionally qualified and reliable managers (cf. section 1 paragraph 2 sentence 1 of the German Banking Act) who are not only employed on a voluntary basis (cf. sections 32 paragraph 1, 33 paragraph 1 sentence 1 nos. 2, 4 and 5 of the German Banking Act). The managers must prove their suitability to BaFin and devote sufficient time to the institution.
- The head office of the financial service institution must be located in Germany (section 33 paragraph 1 sentence 1 no. 6 KWG).
- The owner or legal or statutory representative or personally liable partner of a company that holds a significant interest in the financial services institution (section 1 paragraph 9 of the German Banking Act) must fulfil standards of solid and prudent management of the financial service institution.
- The institution must be willing or able to establish the necessary organisational precautions for the proper conduct of the business with regard to the licence applied for (section 33 paragraph sentence 1 no. 7 of the German Banking Act). This in particular includes the MaRisk and BAIT. BaFin will take a particular look at the security of crypto assets and cryptographic keys.
A limited regulation within the scope of the German Banking Act applies for service providers that offer crypto depository services exclusively (and no other financial services.) In particular the following regulations do not apply: the regulations on supplementary capital adequacy requirements (section 10 of the German Banking Act), regulations on capital buffers (Sections 10c to 10i of the German Banking Act), regulations on liquidity (Section 11 of the German Banking Act), regulations on large loans, loans in millions and loans to executive bodies (sections 13, 14, 15 of the German Banking Act) and Capital Requirements Regulations (CRR) (articles 39, 41, 50 to 403 and 411 to 455 of Regulation (EU) no. 575/2013).
Originally, the German Federal Government planned to separate crypto depository services from other financial services (section 32 paragraph 1 (g) of the draft German Banking Act). A licence for crypto depository services should only be granted for applying companies that do not carry out any other activities requiring a licence under the German Banking Act; The application for a subsequent licence under the German Banking Act would only be considered once the company has formally waived a licence for crypto depository services or the licence has expired or been revoked by other means. Following discussions in the Finance Committee of the German Bundestag, this separation principle has been abandoned and did thus not take effect on 1 January 2020. Future deliberations may result in the introduction of a separation requirement at a later date, but at this point this is only speculation.
In practice, companies that have already provided crypto depository services before 1 January 2020 need to inform BaFin of their intention to obtain a licence in writing by 31 March 2020 at the latest. Following this notification, an application can be submitted until 30 November 2020.