What to do next for crypto custody service providers?
On 29 November 2019, new German legislation on crypto custody business (Kryptoverwahrgeschäft) was approved by the German Federal Council (Bundesrat) after having been approved before by the German Parliament (Bundestag). The legislation forms part of a legislative package implementing amendments to the 4th European Anti-Money Laundering (AML) Directive into German law and is expected to enter into force on 1 January 2020.
Do I need a license for crypto custody business?
The new legislation sets out a new licensing requirement for service providers engaging in crypto custody business in Germany under the German Banking Act (Gesetz über das Kreditwesen). Crypto custody business includes the following types of services:
- the safekeeping (Verwahrung) of crypto assets;
- the administration (Verwaltung) of crypto assets; and
- the safeguarding (Sicherung) of crypto assets or of private keys which service
- for holding, storing or transferring crypto assets,
in each case for third parties.
Crypto assets (Kryptowerte) are defined as digital representations of an asset which are neither issued nor guaranteed by any central bank or public entity, and which do not have the statutory status of a currency or money, but which, based on agreements or actual practice, are accepted by natural or legal persons as means of exchange or payment or serve investment purposes and which can be transferred, stored or traded electronically. Electronic money within the meaning of the German Payment Services Supervisory Act (Zahlungsdiensteaufsichtsgesetz) does not qualify as a crypto asset.
The concept of crypto assets thus includes a wide array of crypto tokens and is not restricted to virtual currencies, such as payment tokens, within the meaning of the amended AML Directive. Safekeeping of crypto assets includes, in particular, the storage of crypto assets in a collective inventory where the customers have no knowledge of the cryptographic keys used.
Administration of crypto assets includes, in a broad sense, the exercise of rights resulting from a crypto asset, such as collection activities or notification services.
Safeguarding of crypto assets includes the service of digital storage of private cryptographic keys but also the storage of physical data storage devices (e.g., USB sticks) on which such keys are saved. It is important to note, that providing regulated services such as crypto custody business in Germany without a required license is a criminal offense.
Is a license for crypto custody business sufficient for my business?
A license for crypto custody business only allows business in crypto assets. If a service provider at the same time provides custody services in assets which qualify as securities (Wertpapiere) within the meaning of classic custody business, a license for crypto custody business is not sufficient. Therefore, service providers must carefully assess the legal qualification of assets to which their services relate.
A license for crypto custody business is furthermore limited to the aforementioned three types of services. The rendering of additional services, such as investment advice with respect to crypto assets, requires additional licenses under the existing regime of the German Banking Act.
Is there any grandfathering?
There is a grandfathering in the sense that service providers which as of 1 January 2020 become subject to the licensing requirement are deemed to be licensed if they inform the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – “BaFin”) by 31 March 2020 of their intention to apply for a license for crypto custody business and file a complete licensing application with BaFin by 30 November 2020.
The grandfathering is thus only available for service providers which as of 1 January 2020 already engage in activities qualifying as crypto custody business in Germany which would require a license under the new legislation. Service providers commencing such activities in Germany only after 1 January 2020 do not benefit from the grandfathering. Furthermore, while German licensing requirements may also be relevant for service providers domiciled outside of Germany (see below), generally only entities domiciled in Germany can obtain a license under the German Banking Act laws. This suggests that only entities engaging in crypto custody business on the ground in Germany may benefit from the grandfathering.
The grandfathering implies that service providers benefiting therefrom are deemed to be licensed until a decision has been reached with respect to their licensing application. Apart from the licensing requirement which is deemed to be fulfilled under the grandfathering regime, service providers operating thereunder are, however, not exempt from the ongoing requirements for the operation of a regulated financial institution under the German Banking Act.
Are financial institutions already licensed for other business grandfathered?
No. There is no special grandfathering for financial institutions licensed for other regulated services (e.g. traditional custody business) under which such financial institutions would be deemed to have also been granted a license for crypto custody business. However, like other players, financial institutions can benefit from the grandfathering described above if they can satisfy the relevant aforementioned requirements.
What about service providers domiciled outside of Germany? Is a passport available?
According to a well-established administrative practice by BaFin, licensing requirements under German banking regulatory laws do not only apply to service providers domiciled in Germany but also to service providers domiciled outside of Germany which actively target the German market to offer regulated services to (potential) customers domiciled in Germany. Service providers domiciled abroad must thus carefully assess whether they are actively targeting the German market and thus are captured by the new legislation.
It should be noted, however, that one of the requirements for obtaining the requisite license under the German Banking Act is a domicile in Germany. Given that the new regulated activity of crypto custody business is based on autonomous legislation by the German legislators and not on harmonized European law, service providers domiciled in other EU/EEA member states will for the time being not be able to rely on a passport to provide crypto custody services in Germany.
What are the minimum requirements to obtain a license?
The licensing requirements derive from the general provisions of the German Banking Act for obtaining a license for financial services. They include a minimum capital requirement of at least EUR 125,000. Furthermore, a service provider engaging in crypto custody business must have at least one managing director who is “fit-and-proper”, i.e. reliable, sufficiently qualified and experienced in crypto custody business. Generally, the service provider is obliged to ensure a proper business organization, not only in terms of personnel, but also with respect to technological resources and procedures. Given the novelty of the regulated activity of crypto custody business, it remains, however, to be seen, which specific requirements BaFin applies to the management and the organization of a service provider engaging in such business.