BaFin has published "Guidelines on applications for authorisation for crypto custody business".
Regulation of tokens and coins
Since the implementation of the fifth Anti-Money Laundering Directive (Directive (EU) 2018/843) on 1 January 2020, many tokens and coins fall under the definition of crypto assets (Kryptowerte). At the same time, the safekeeping, administration and securing of crypto assets as a crypto depository service is now a financial service subject to authorisation. Anyone wishing to provide crypto depository services requires prior permission from the Federal Financial Supervisory Authority (BaFin). Therefore, service providers - irrespective of the transitional provisions (Section 64y KWG) - must now apply for a licence. Information on the licensing procedure and on the requirements for granting a licence has now (30 March 2020) been published by BaFin.
For the authorisation procedure as a crypto depository, the same applies in principle as for other financial services institutions. Of particular relevance to the type of procedure is whether the service provider limits itself to crypto depository services or wishes to provide further financial services regulated by MiFID II (Directive 2014/65/EU). In the first case, the German requirements for the authorisation procedure apply; in the second case, the corresponding EU regulations.
Companies that currently make use of the transitional provisions (Section 64y KWG) and already provide crypto depository services must submit their complete licence application by 30 November 2020; other companies may only start their operations once they have been granted a licence.
Application for authorisation
In the application for authorisation, the applicant must demonstrate that it fulfils the conditions for the granting of the licence. These include, in particular:
- Proof of sufficient initial capital of at least EUR 125,000;
- Proof of the reliability of holders of a significant equity interest: the BaFin examines the reliability within the scope of a holder control procedure;
- Proof of the reliability and professional competence of the managers (see below);
- Submission of a business plan:
- Plans for the balance sheets (according to RechKredV) and the profit and loss account (P&L) for the first three full business years;
- Overview of the organizational structure of the company;
- Overview of the internal control procedures;
- Presentation of the proper business organisation, in particular IT strategy and IT security.
When preparing the application for authorisation, sufficient time should be allowed for obtaining certificates of good conduct (Führungszeugnis) and extracts from the Central Trade Register (Gewerbezentralregister).
The application for authorisation is subject to a fee. BaFin states a fee of EUR 10,750 in its notes.
In contrast to traditional financial services, IT services are at the centre of the crypto depository service. IT security is therefore of particular importance. As a financial services institution, the crypto depository must apply the "Minimum Requirements for Risk Management" (MaRisk) and the "Supervisory Requirements for IT in Financial Institutions" (BAIT). It must be evident in the information on the IT systems and processes that these requirements have been considered. Explanations of the steps taken to ensure the security of the cryptographic keys are of particular interest to BaFin. For this reason, the applicant should attach to the licence application its security strategy, the plans for handling security incidents, an assessment of the risk position and an overview of the technical and organisational procedures for handling cryptographic keys.
In addition, BaFin is also interested in whether the tokens are kept in hot or cold wallets and whether they are kept individually for each customer or in a pool.
The crypto depository must have at least one managing director. However, the specific business model may require additional managing directors, mainly if the dual control principle is necessary to maintain proper business operations - due to the size of the company or the scope of its activities. An organization chart with the responsibilities must therefore be attached to the application for authorisation.
The managing directors must devote enough time to their duties within the company. They must also be reliable. BaFin checks this based on the certificates of good conduct (Führungszeugnis) and the extracts from the Central Trade Register (Gewerbezentralregister).
Theoretical and practical knowledge as well as management experience must be demonstrated in the proof of professional qualification. The IT competence of managing directors is much more important for crypto depositories than for other financial service providers. An appropriate academic education has a beneficial effect. Practical experience is also deemed to include the professional periods in which a managing director held a management position at a crypto depository before the introduction of the authorisation requirement became effective.
BaFin decides on a case-by-case basis based on the size and business operations of the individual company.
Further requirements relate to the prevention of money laundering. The crypto depository service as a regulated service has its origin in the Fifth Money Laundering Directive, which is why BaFin pays special attention to this aspect. BaFin intends to publish separate information on the anti-money laundering obligations of crypto depositories.