Directive (EU) 2018/843, commonly referred to as the fifth anti-money laundering directive (5AMLD), for the first time subjected so-called ‘custodian wallet providers’ (CWPs) to EU regulatory obligations in relation to anti-money laundering and anti-terrorist financing. The German legislation transposing the 5AMLD took effect on 1 January 2020. It provided for the new licensable activity of ‘cryptocustody business’.
On 2 March 2020, Germany's federal financial supervisory authority (Bundesanstalt für Finanzdienstleistungsaufsicht,‘BaFin’) issued initial guidance (currently only available in German) on how it interprets the activity of ‘cryptocustody business’.
Licensing requirements for custodian wallet providers
The German implementing law significantly ‘goldplates’ the 5AMLD. While the directive only stipulates that CWPs are subjected to a registration obligation, German law requires entities engaging in ‘cryptocustody business’ – defined as the business of ‘safekeeping, administration and safeguarding crypto-assets or private cryptographic keys that serve to hold, store or transfer crypto-assets’ – to have the appropriate license as a financial services institution to operate. So instead of just registering, CWPs active in Germany must apply to be licensed as a ‘cryptocustody business’. Once licensed, they are subject to the ongoing prudential supervision of BaFin.
The 5AMLD defines CWPs as entities that provide services to safeguard private cryptographic keys on behalf of their customers, to hold, store and transfer ‘virtual currencies’. The directive characterises virtual currencies as a means of exchange, i.e. a means of payment. This comprises payment tokens but, in most cases, excludes tokens that are similar to shares or debt instruments (such as bonds) (so called ‘investment tokens’ or ‘securities tokens').
German law introduces ‘crypto-assets’ as an additional type of financial instrument within the meaning of the German Banking Act (Kreditwesengesetz, ‘KWG’) and goes beyond the definition in 5AMLD. It defines ‘crypto-assets as ‘a digital representation of an asset which has not been issued or guaranteed by any central bank or public authority and which does not have the legal status of a currency or money, but which is accepted by natural or legal persons as a means of exchange or payment on the basis of an agreement or actual practice, or which serves investment purposes, and which can be transferred, stored and traded electronically’. In its initial guidance, BaFin re-emphasises the German legislator’s general stance that the definition of ‘crypto-assets’ is intentionally broad to capture all forms of tokens relevant for the financial market.
The broad definition of crypto-assets has the following implications specifically for the German market:
- It creates legal certainty for virtual currencies or payment tokens, which BaFin has qualified as financial instruments (units of account) since 2011;
- it covers security tokens even to the extent that they do not already qualify as transferable securities under MiFID II; and
- it potentially covers utility tokens to the extent that they serve investment purposes.
Accordingly, entities providing custody of securities tokens (even if such tokens do not already qualify as MiFID financial instruments) are also subject to the new licensing regime where such tokens ‘serve investment purposes’.
In addition, the definition will likely also cover at least some so-called ‘utility tokens’ (i.e. tokens that entitle the holder to a service or a good), in particular where a utility token can be traded and may thus be the object of (often: speculative) investments. The explanatory memorandum already makes clear that electronic gift vouchers for goods and services of an issuer or a third party that are granted in exchange for specific compensation and whose economic function is limited to redemption with the issuer, which, for this reason, are not tradable and which, due to their design, do not represent an ‘investor-like expectation’ regarding the development of the value of the voucher or the general development of the issuer or a third party are not covered by the definition of crypto-assets. BaFin explains further that also electronic vouchers in ‘multi-partner (loyalty) programmes’ are exempted from the definition to the extent they cannot be traded and are not suitable as general means of payment and exchange or are used as such.
However, BaFin does not offer additional guidance with regard to the question when utility tokens may potentially qualify as crypto-assets. Against the explanations offered in the explanatory memorandum and BaFin’s guidance, one may assume that utility tokens that are tradable and that represent an ‘investor-like expectation’ will likely qualify as ‘crypto-asset’. Given the ongoing discussion in practice whether custody of utility tokens is covered by the new rules, a clarification would be highly welcome.
The 5AMLD describes CWPs as entities that provide services to safeguard private cryptographic keys.
In contrast, the German legislator decided to regulate the ‘safekeeping (‘Verwahrung’), administration (‘Verwaltung’) and safeguarding (‘Sicherung’)’ of crypto-assets and private cryptographic keys.
Any of the three activities will trigger a license requirement. The legislative memorandum (and, following it closely, BaFin’s guidance) describes the three activities as follows:
- In line with BaFin’s administrative practice on (securities) custody business, ‘safekeeping’ is defined as the taking into custody of crypto-assets as a service for third parties. This is intended to capture pooled custody (‘Sammelverwahrung’) where clients do not have knowledge of the keys.
- ‘Administration’ is, in the broadest sense, the continuous exercise of rights arising from the crypto-asset.
- ‘Safeguarding’ (the term also used in 5ALMD) is the digital storage of private cryptographic keys, as well as the storage of physical data carriers (such as USB sticks) on which private cryptographic keys are stored.
During the legislative procedure, the Bundesrat (Federal Council) had raised the question of whether an MTF operator that disposes of private cryptographic keys or crypto-assets for a transaction – even if only for a ‘legal second’ – also provides cryptocustody business. This was not further clarified during the legislative procedure. BaFin’s guidance explains that the possibility of accessing private cryptographic keys is generally sufficient for a firm to be held to provide cryptocustody business, as the private cryptographic keys grant full authority to transfer the relevant crypto-assets. It remains unclear, however, whether this also applies in cases envisaged by the Bundesrat, i.e. the safeguarding of crypto-assets or private cryptographic keys only for a very short amount of time.
Germany’s legislative goldplating of the 5AMLD means that CWPs may become subject to the German licensing regime even though they are not subject to similar requirements in other EU/EEA Member States.
Providing licensable cryptocustody services ‘in Germany’
Like all regulated banking activities and financial services, a German license is only required if the cryptocustody business provides services ‘in Germany’. Under BaFin guidance, a financial service (or banking activity) is provided in Germany if the service provider has its registered office or ordinary residence either:
- in Germany; or
- outside of Germany and targets the German market in order to offer banking products or financial services repeatedly and on a commercial basis to companies and/or persons having their registered office or ordinary residence in Germany.
A company will generally target the German market where it markets the specific service on a website, whose domain name, content or German contact details indicate that the website is targeted at German clients. In contrast, no licensing requirement is triggered if the German client approaches the foreign provider on its own, exclusive initiative (so-called ‘reverse solicitation’).
Both EU/EEA and non-EU/EEA providers of cryptocustody services should therefore review whether a German financial services license is required. As cryptocustody services are not investment services under MiFID II, it is generally not possible for EU/EEA CWPs to apply the EU/EEA passport for their German activities. This position is also taken by BaFin in its guidance. However, it appears possible to argue that EU/EEA providers of the MiFID II ancillary service of ‘safekeeping and administration of financial instruments for the account of clients’ may well be able rely on the MiFID and CRD passports, at least to the extent that the ‘crypto-assets’ in question also qualify as MiFID II financial instruments.
If a license is required, providers will generally have to establish a licensed German subsidiary. Foreign CWPs may also consider applying for a waiver from the licensing and other governance requirements or establish a third-country branch that applies for the cryptocustody license. The waiver and the license for such a branch will, however, require that the foreign CWP is sufficiently supervised in its home state. Currently, it is uncertain how CWPs can fulfil this requirement.
Relationship between cryptocustody and other licensable activities of the custody type
According to BaFin and the explanatory memorandum, the new financial instrument of ‘crypto-asset’ shall act as a ‘catch-all clause’. BaFin stresses, however, that ‘crypto-assets’ may also qualify as other types of financial instruments, such as ‘units of account’ in case of virtual currency or debt instruments in case of certain security tokens. In other words, the various categories of financial instruments are not mutually exclusive. Entities that provide custody services with regard to virtual currencies will thus be captured by the license requirement for cryptocustody business.
Depending on whether the crypto-asset held in custody also qualifies as a particular type of security, a cryptocustodian may require additional or different licenses:
- BaFin states (in line with the explanatory memorandum) that cryptocustodians providing custody services with regard to crypto-assets that also qualify as securities pursuant to the German Custody Act (Depotgesetz, ‘DepotG’) a (securities) custody business license (i.e. a banking license) will be required. This may potentially be in addition to a license as a cryptocustodian (i.e. a financial services license) if the entity also takes into custody other crypto-assets not qualifying as securities within the meaning of the DepotG. However, as explained by BaFin, crypto-assets currently do not qualify as securities pursuant to the DepotG (which require a physical (paper) certificate). This may change should the legislator decide to amend the legislative framework to permit ‘electronic bonds’ or ‘electronic shares’ issued on distributed ledger technology.
- Further clarification would also be required in respect of ‘limited custody business’ which is defined as the ‘safekeeping and administration of securities exclusively for alternative investment funds (AIFs)’. The BaFin guidance (again broadly in line with the explanatory memorandum) states that such license will be required if crypto-assets that are taken into custody qualify as debt instruments within the meaning of the KWG and as securities within the meaning of the legislative framework on prospectus requirements. However, ‘limited custody business’ has traditionally been interpreted by BaFin as a sub-category of (securities) custody business, meaning that it is limited to custody of securities covered by the DepotG. It is unclear why BaFin takes a different view where the assets taken into custody qualify as crypto-assets.
- Again, in line with statements made during the legislative process, BaFin clarifies that an entity that is licensed as a central securities depository (CSD) pursuant to the Central Securities Depository Regulation (‘CSDR’) will not require an additional license for cryptocustody business for the safekeeping of crypto-assets that qualify as securities pursuant to MiFID II and CSDR. On the other hand, an entity providing cryptocustody services will only require a license as a CSD if (i) the crypto-assets in question qualify as MiFID financial instruments, (ii) the entity operates a securities settlement system in accordance with Section A of the Annex to the CSDR (i.e. within the meaning of the Settlement Finality Directive (‘SFD’)) and (iii) the entity provides at least one other core service listed in Section A of the Annex. In addition, should crypto-assets qualify as transferable securities pursuant to MiFID II and CSDR and if they are admitted to trading or traded on trading venues pursuant to MiFID II (regulated market, MTFs or OTFs), they need to be initially recorded in book-entry form in a CSD at issuance. The initial recording of securities in a book-entry system (‘notary service’) and the provision and maintenance of securities accounts at the top tier level (‘central maintenance service’) as core services of CSDs are only licensable where the entity also operates a securities settlement system within the meaning of the SFD.
Whether a license as a CSD is required will be a question of the individual design of the safekeeping or storage, of the technical functionality on which the security token is based and the contractual relationship between the parties.
The transitional regime: A two-stage process
While the German law transposing the 5AMLD entered into force on 1 January 2020, a transitional period applies for those business that provided cryptocustody services in Germany prior to that date, either for their own account or as a ‘tied agent’. The transitional regime is not available for entities taking up cryptocustody business on 1 January 2020 or later. These businesses need to apply for a license and cannot commence business activities prior to the license being granted.
To be able to benefit from the transitional regime, cryptocustody businesses generally qualifying for the regime must, by 31 March 2020, formally notify BaFin of their intention to apply for a license. BaFin has provided a German-language notification template on its website. This formal notification will be required even where firms have participated in BaFin’s previous voluntary, informal and non-binding call for expressions.
A full license application must be submitted by 30 November 2020. The transitional regime then applies until BaFin’s decision on the license application.
On 17 January 2020, BaFin has further clarified its interpretation of the transitional regime. In particular, BaFin clarified that the transitional regime can also be used by providers of cryptocustody business that have provided their services on a cross-border basis into Germany prior to 1 January 2020. Such service providers will be able to continue providing cross-border cryptocustody business if they comply with the relevant notification and application deadlines set out above. In order to obtain a license, however, they will have to establish a subsidiary in Germany. Accordingly, the cross-border provision of cryptocustody services will only be able to continue for a limited amount of time (i.e. until BaFin has granted the German entity the relevant license). BaFin has not clarified whether a firm providing cross-border cryptocustody services into Germany will, in order to benefit from the transitional regime, need to have established a German entity by 31 March 2020 already (the German entity filing the notification of intent to apply for a license) or whether it is sufficient to do so until 30 November 2020 (with the German entity filing the application, but not the notification of intent). Affected service providers should therefore contact BaFin well ahead of the 31 March 2020 deadline to clarify the application of the transitional period.
While BaFin has provided valuable guidance on the transitional regime and its interpretation of the licensable service of cryptocustody business, important questions still remain unanswered. These relate, for instance, to the scope of the licensable activity itself (such as whether cryptocustody business is also provided if the private cryptographic keys are only safeguarded for a short amount in time), but also on the definition of ‘crypto-assets’ (such as whether utility tokens are also covered by the regulation). And while the BaFin guidance clarifies the activities that trigger a license requirement for cryptocustody business, it does not set out the supervisory expectations on ongoing regulatory obligations, e.g. on internal governance, fit & proper and IT-related questions such as cyber-security requirements for cryptocustodians. Further guidance on these questions would be highly welcome.
Notwithstanding the fact that cross-border provision of cryptocustody will remain possible under the transitional regime for a certain period of time, it is clear that the general lack of a cross-border passport for cryptocustody business will put firms operating from another EU/EEA Member State at a disadvantage to their German counterparts. This is all the more problematic as the license requirement is goldplating 5AMLD requirements. It is to be hoped that the European Commission will, as part of its work on a European framework for markets in crypto-assets, end such legal fragmentation and establish a harmonized regulatory framework and a level playing field across the EU/EEA, not just for CWPs, but for all service providers in the crypto ecosystem.