In March 2020, the German Federal Financial Supervisory Authority (BaFin) published its long-awaited guidance notice on the crypto-custody business, which has already been included in the scope of the German Banking Act (Kreditwesengesetz) by qualifying as an activity subject to licensing. There was, however, no written administrative practice for crypto custodians, which changed with BaFin's guidance notice.

Crypto custody business subject to licensing

The need for authorisation arose from the fourth amended Money Laundering Directive (known as the 5th Money Laundering Directive), which required that all potential applications of virtual currencies be covered by money laundering law.

It was thought this goal would be best achieved by making this activity subject to licensing, which opened up the scope of application of the Money Laundering Act (Geldwäschegesetz). As a result, the crypto-custody business now qualifies as a financial service subject to licensing.

Differentiation required subject to licensing

In its guidance notice, BaFin makes it clear that the crypto-custody business is designed as a "catch-all" measure (Auffangtatbestand). This means that other activities covered by regulatory law, which may also be fulfilled by the concrete design of the business model, must be given priority.

Crypto assets are classified as financial instruments. Depending on their design, they can simultaneously qualify as accounting units, debt instruments, investment products or investment funds. E-money, electronic voucher cards or payment systems are not classified as crypto assets. The circumstances of each individual case are decisive for concrete classification.

Licensing procedures applies to crypto custodians

Crypto custodians must have initial capital of at least EUR 125,000 at their disposal. In addition, the license holder must meet the requirements for regulatory reliability and guarantee the prudent management of his business. The managers of the crypto custodian must be reliable and possess all necessary professional qualifications.

Crypto custodians must comply with requirements for a proper business organisation, including sound risk management in accordance with MaRisk requirements, which also includes a compliance and audit function and the creation of structures that enable compliance with IT regulations. All reports and notifications required by law must be made to the supervisory authority.

As a financial services provider, a crypto-custodian is obliged to appoint an auditor who, in addition to auditing annual financial statements, should examine the soundness and effectiveness of risk management, remuneration and IT security.

"Fly-in Crypto-Business"

Offers coming from abroad addressed to (legal or natural) persons in Germany using remote communication (i.e. via online services, without an intermediary network or physical presence) also require a license. This also applies if a crypto custodian based in Germany only addresses persons who reside abroad.

No Passporting

Banking business and financial service providers can carry out cross-border activities on the basis of a notification procedure known as the EU passport. In order to rely on the EU Passport, an existing license in a country of the European Economic Area is required, but this possibility does not exist for the crypto-custody business. The regulated activity of the crypto-custody business was not created on a European basis.

Crypto-custody provider as obliged party

As a financial service provider under the German Banking Act, crypto custodians are obliged to comply with the German Money Laundering Act. As a result, crypto custodians must appoint a money laundering officer, maintain a risk management system to prevent money laundering and the financing of terrorism, prepare a risk analysis and develop internal security measures, among other duties.

Crypto custodians must also create principles, procedures and controls that serve to prevent money laundering and the financing of terrorism. Employees must be trained and checked for reliability. Persons associated with business relationships or transactions must be identified in accordance with the Money Laundering Act. In addition, all suspicious cases must be reported to the Central Office for Financial Transaction Investigations.


By publishing this guidance notice for the crypto custody business, BaFin has given crypto custody a written administrative practice as a new financial service and integrated it into the everyday life of financial market supervisory law.