In the legislative proposal to implement the fifth European Anti-Money Laundering Directive, Germany’s federal government proposes many amendments compared to the initially published first draft proposal by the Ministry of Finance – not all for the better.
On 31 July 2019 Germany’s federal government published its legislative proposal to implement the fifth European Anti-Money Laundering Directive (Directive (EU) 2018/843 – AMLD5). The first draft proposal by the Federal Ministry of Finance (BMF) was published in May 2019. We discussed some major points at an earlier time. The crypto sector that already needed to brace for impact after the first draft proposal, faces even harder blows now proposed by the official draft legislation. Regarding the performance of anti-money laundering due diligence by third parties the draft bill by the federal governments corrects unpractical requirements for cross-border matters proposed by the ministry.
Sonderweg in Germany’s crypto sector will be a very rocky road
The BMF, in its first draft bill to implement AMLD5, proposed what is called in Germany a special path (Sonderweg) exceeding by far the required minimum of the European legislator. With an implementation of AMLD5’s crypto registration requirements not just in the German Anti-Money Laundering Act (Geldwäschegesetz – GwG), but in the German Banking Act (Kreditwesengesetz - KWG), the ministry planned to introduce crypto depository services (Kryptoverwahrgeschäft) as a license-requiring financial service. Providers of electronic wallets would become obliged entities under the GwG and require a license issued by the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin).
The Ministry’s proposal also introduced the term crypto assets as a financial instrument. This would even turn those businesses into obliged entities that simply exchange token.
So far, so ambitious was the first draft proposal by the Federal Ministry of Finance.
The draft bill by the federal government, which will now go through the parliamentary legislative process, goes even further. In the spirit of a separate banking system, crypto depository services must be separated from any other financials service. A license for crypto depository services will only be issued to entities that do not offer any other service that requires a license according to the German Banking Act (Kreditwesengesetz – KWG). A later application for any other such license must be preceded by the explicit surrender or other forfeiture of the crypto-license. This means, banks cannot offer accounts or depots for crypto tokens (including crypto currencies) to their customers, without transferring this business to a completely separate entity, undergoing again the entire process to obtain a BaFin-license. The federal government claims that IT-risks associated with the crypto business pose a significant threat to other financial business. Whether these risks can only be mitigated through such a separation, and whether classic banking business is not exposed to IT-risks that need to be (and are) addressed by the banks anyways, is debatable at the least.
The transition period proposed by the bill is pretty short. After the yet to perform entire legislative process, all businesses that will become a financial services provider by the new year must indicate no later than 1 February 2020 by a letter to BaFin that they intend to continue working in the crypto business and will undertake the necessary steps to obtain the required license. These businesses must then comply with the new regulation (including a possible separation of businesses) and apply for a license by 30 June 2020. The same procedure applies to all businesses operating with the new financial instrument of crypto assets and thus need a BaFin-license.
On a positive note, the government clarifies in the reasoning to the draft bill that the mere provision of hardware or software to store or secure crypto assets or the respective cryptographic private key which are self dependently managed by the users, is not covered by the definition of crypto depository services as long as the provider does not have operational access to the stored data.
Regarding the classification of utility token as crypto assets, the government’s bill, just as the ministry’s proposal, misses a clarification. The exchange character of a utility token which is practically a digital voucher, however, can hardly be denied. A strict interpretation would thus classify utility token as crypto assets. Germany’s federal government aims for Germany to become the number one country for blockchain, DLT and crypto-business. This proposal is hardly a step in the right direction, but on the contrary a contradiction.
Anti-money laundering due diligence by third parties
Businesses may rely on (by law) trusted third parties to meet their anti-money laundering customer due diligence requirements. According the BMF’s proposal these businesses were required to make sure, their trusted third parties outside of Germany comply with German Anti-Money Laundering Act. This proposal is now mitigated to cover trusted third parties within Germany only. This means, for the identification of e.g. a Dutch customer, a German bank may continue to rely on the identification procedure of a Dutch bank (banks are usually generally trusted third parties by law) that gathered all information required by the AMLD. In the spirit of the European single market, the return to this principle facilities cooperation between banks especially because no further specific contracts and procedures to comply with German law outside of Germany by non-German obliged entities are necessary.
One more amendment compared to the first draft is the standardization of BaFin’s regulatory practice on transferring information into law. The government’s draft bill correcting the BMF’s approach proposes to accept data for identification purposes in the case this data was gathered for a different identification purpose at an earlier time. The BMF wanted the time period for this data to be valid not to exceed 24 months. Financial institutions are obliged to regularly update their customer data as part of their customer due diligence work. The federal government now intends to allow for these updates to qualify as the starting point for the 24-month period to reuse this data for a different identification process as well. This update enhances the usability of data in regulatory practice as well as encourages the cooperation between institutions. Customers do not have to undergo the same procedure over and over for different products.