This article takes a fresh look at the German regulatory landscape for crypto securities. In November 2023, the German Parliament adopted the Act on Financing of the Future (Zukunftsfinanzierungsgesetz, “ZuFinG”), which will allow German stock corporations to issue stock “on the blockchain”. At the same time the German regulator BaFin published a new guidance notice on crypto securities registrars.

1. Security tokens in capital markets law and in civil law

Securities in capital markets law are characterized by the fact that they embody a financial right (e.g. payment of principal and interest) and/or a membership right (e.g. an equity participation in a company or maybe also a governance token in a DAO). Furthermore, to come under the definition of a security, the instrument must be fungible (each instrument confers the same right) and transferable. Traditionally, that has meant that a security must be transferable in the traditional capital markets via book entry transfer between securities accounts held with a bank or a broker. For this reason, partnership interests or shares in a German limited liability company are not securities, since the transfer of the former requires an assignment agreement (and possibly approval by the other partners) and the latter even a notarized transfer. Registered securities are trade-able if they have been endorsed in blank.

As regards security tokens, the German regulator BaFin has taken the view that any token that is stored in a distributed ledger and can be transferred via the blockchain from one wallet to another wallet is transferable in that sense. On that basis, it is possible to create a “security token” that triggers the prospectus requirements of the EU Prospectus Regulation for public offerings of securities or the need for a key information document under the EU PRIIPS Regulation (Regulation (EU) No 1286/2014 of 26 November 2014 on key information documents for packaged retail and insurance-based investment products (PRIIPs). Moreover, for the professional trading or brokerage of security tokens a license for investment services under MiFID (Directive 2014/65/EU of 15 May 2014 on markets in financial instruments) is required.

However, such “security tokens” are not “securities” in the civil law sense, since they have not been created by a traditional “scripture act”. In other words a “security” must under civil law traditionally be issued in paper form (global certificate or individual certificates). In order to make securities trade-able in the capital markets in Germany, it was necessary in the past to put the (global) securities certificate into custody with a central custodian who would then book the securities for the benefit of the custody banks who would then credit the securities with their customers’ individual securities accounts. Any such security is considered movable property and any transfer of securities within the German custody and settlement system follows the rules of German property law (with a few modifications under the German Safe Custody Act).

In contrast, there is no property law regime for title to and transfers of security tokens. This has created a certain level of uncertainty on the legal character of security tokens. The tokens are merely blockchain entries that represent contractual rights against the issuer. Whether a wallet-to-wallet transfer of the tokens is also a good transfer of the underlying contractual rights was a matter of drafting the terms of issue for the security tokens and uncertainty remains on the enforceability of these transfer rules. Moreover, the treatment of blockchain-based “tokens” is uncertain in insolvency scenarios.

2. Crypto-securities under the German e-Securities Act (eWpG)

Under the German e-Securities Act (eWpG), which entered into force in 2021, it has become possible to issue debt securities and (since June 2022) fund units in German investment funds purely electronically by creating an electronic register of security holders. Interestingly, the eWpG not only allows centrally registered e-securities but also “crypto securities”, i.e., de-centrally registered securities using distributed ledger technology. The legal “trick” for making this possible is a legal fiction that e-securities, including crypto securities, are deemed movable property.

As a result, e-securities and crypto securities become transferable in the same manner as traditional paper-based securities, i.e., by book entry transfer. Also this clarifies the rights to e-securities in insolvency scenarios. Both forms of securities (centrally and de-centrally registered) can be issued in collective form (kind of an electronic global certificate) and in single form. The latter would be the preferable form to issue crypto securities on the blockchain.

An important key concept in this respect is the difference between the “holder” (Inhaber) of an electronic security and its “beneficiary” (Berechtiger). A “holder” is the person registered in the register of security holders (centrally or in the blockchain), but the owner of the security is the beneficiary, which may not be identical. For example, the register could show a custodian or central custodian as holder, who would book the security to a securities account of its customer. The customer would then be the beneficiary of the crypto security without being the registered holder.

Crypto securities are slowly gaining traction in Germany: The public register of crypto securities shows six issues of securities in 2021, 13 issues in 2022 and 44 in 2023 as of 20 November 2023.

3. Crypto shares will be coming soon

At present, the eWpG can only be used to issue debt securities and fund units in German investment funds. Under the ZuFinG adopted in November 2023 and entering into force very soon thereafter, the concepts and technical possibilities will in the future also be available for e-shares, including crypto shares in Germany.

One important restriction is that it will not be possible to issue crypto shares in the form of bearer shares. Only registered shares are permitted, i.e., in addition to being registered on the blockchain with an anonymous wallet address, the shareholder must also be registered in the register of shareholders with the company to exercise rights as a shareholder, e.g. attending general meetings or receiving dividend payments.

The reasoning behind this restriction is the risk of money laundering. For the same reason, at present, bearer shares are only permitted if the company’s shares are listed on a securities exchange or if the shares have been certificated in a global certificate and deposited with a central custodian. In this case, the custodian banks would perform “know your customer” checks on their deposit customers so that the risk of money laundering is mitigated. In the case of crypto shares, these could be held via un-hosted wallets so that there would be no deposit bank or crypto-custodian who could act as a gatekeeper under existing money laundering regulation. It may also be difficult for the company to communicate with its shareholders if the shares were bearer shares since the company cannot rely on the communication channels via the custodian banks.

The new rules also clarify that a transfer of a registered e-share by way of endorsement is excluded – since there is no paper security which could be endorsed. It would have been more logical if registered e-securities would have been deemed to have been endorsed in blank.

To simplify handling of the registration and transfer process, crypto securities registrars (this term will be explained further below) can also act as the registrars for the register of shareholders.

To issue crypto shares, the issuer’s articles of association will need to allow for this. If this is not the case, all current shareholders would need to grant consent. This will allow a switch into crypto shares only for very small companies in which all shareholder are known to the company. In contrast, switching back to conventional securities should be possible without needing consent of all individual shareholders (but may require a change of the company’s articles of association).

The new regime will likely enter into force before 1 January 2024. It remains to be seen whether this will result in new equity financing opportunities for German companies. The German crypto share regime will not be available for non-German companies.

4. A closer look at crypto securities registrars and custodians in Germany

As mentioned earlier, crypto securities can be issued using the eWpG regime, but, in addition, there can be security tokens issued outside of this regime, i.e., it is not mandatory to use the eWpG rules. Moreover, security tokens have been issued in Germany before the entry into force of the eWpG and security tokens can also be issued under laws other than German law.

The key difference is that crypto securities under the eWpG will require the appointment of a crypto securities registrar who must be duly licensed by the German regulatory authority under the German Banking Act (KWG). If no crypto registrar is appointed, the function will be assumed by the issuer (who would in this case also have to become licensed).

The key function of the crypto securities registrar modifies the fundamental concept of immutability of the blockchain: If someone has access to a person’s personal key and uses the key to “steal” crypto assets, the assets are typically irretrievable, because the owner of the wallet address to which the stolen crypto assets are transferred will typically remain anonymous. For the same reason, transfers which under normal rules of civil law are legally invalid (e.g., by a person without legal capacity) or voidable (e.g., a transaction made in error or under duress) are factually irreversible after the transfer of a crypto assets to another wallet has been validated on the blockchain. In addition, if the personal key to a wallet (and the mnemonic phrase if applicable) is lost, the wallet holder will have lost control over all crypto assets stored in that wallet.

The crypto-registrar under the eWpG must have the power to make changes to the register and to delete a crypto security based on an instruction by the holder of the crypto asset (unless the crypto registrar has knowledge that the holder is not the beneficiary) or by instruction of a person authorised under law, based on a power conferred by law, by a legal transaction, by a court decision or enforceable administrative act.

In other words, the blockchain used for registration of crypto securities must be a kind of “filtered” blockchain that allows an override of an otherwise immutable record assured by the consensus mechanism under the DLT, e.g., by marking a transaction as void or reversing it. Whether a permissionless or a permissioned blockchain is used is open for the registrar to decide. Both are legally possible. Generally, besides allowing reversal of transactions, the systems used by the crypto securities registrar must be capable of securing the integrity, availability and authenticity of the data and particularly the safety against unauthorized access by third parties, using state of the art technologies. Details are stipulated in an ordinance for crypto registers.

In its guidance note, BaFin also explains the difference between acting as crypto securities registrar and acting as securities custodian or crypto custodian (both of which are also regulated activities under the KWG).

A license as a securities custodian is required to hold securities (including crypto securities) for customers. In other words, the securities custodian would have a control over a wallet in which the securities are held, normally an omnibus wallet, but theoretically there could also be segregated per-customer-wallets. Securities custodians are not per se allowed to act as crypto securities registrars unless they have the necessary additional license.

If a custodian does not hold the crypto securities but holds only the cryptographic keys to access the wallet, this will require a license for crypto-custody (which would also include the right to act as custodian for crypto assets which are not securities, e.g. holding crypto currencies for customers).

5. International scope of application

The German crypto share regime is only available for German stock corporations. Nothing speaks against debt securities being issued on the blockchain by non-German issuers.

Crypto registrars will need to be based in Germany. German license requirements kick in when foreign crypto registrars have German offices or have some other physical presence, according to BaFin, even if only in the form of a “fully automated infrastructure”, or if German intermediaries or other service providers are used to transact business in Germany. In addition, even without such presence, a German license requirement will be triggered if a foreign registrar offers its services to the German market, i.e. to German issuers.

6. The European perspective – DLT Pilot Regime and MiCAR

The German crypto securities regime must also be viewed against the background of the EU’s DLT pilot regime (Regulation (EU) 2022/858 of 30 May 2022 on a pilot regime for market infrastructures based on distributed ledger technology), which allows on a temporary basis the establishment of crypto-exchanges and crypto settlement systems (or a combination of the two) for the trading of security tokens. Such exchanges and settlement systems would not need to hold “traditional” licenses to operate as a multilateral trading facility or any central custody license and operate in a sandbox environment.

The volume is restricted to shares of issuers with a market capitalization of less than EUR 500 million and for bonds, other forms of securitized debt or money market instruments of less than EUR 1 billion and fund units for funds with assets under management of less than EUR 500 million. Moreover, the overall market capitalization of the market infrastructure shall not exceed EUR 6 billion. The regime has a limited life with permissions being granted for a period of up to 6 years and whether it will be terminated or continued will depend on a report from ESMA to be issued in 2026.

Conclusion

As a final clarification, readers should note that security tokens, including those under the eWpG, have been carved out from the application of the Markets in Crypto Assets Regulation (MiCAR), which will enter into force on 30 December 2024. So in the future, it is very important to understand whether a particular instrument is a financial instrument, in particular a security, in which case EU capital markets law will apply (prospectus regime, market abuse regime, regime for investment firms) or any other crypto asset (“plain” crypto currencies, stablecoins, utility tokens and certain non-unique NFTs). MiCAR rules are in large parts very similar to capital markets law (e.g. there is a regime prohibiting insider trading and market manipulation), but remain conceptually different and different types of licenses are required for crypto asset services providers.