Following publication of the draft law, the German Bundesrat issued a statement on 20 September 2019 requesting clarification of certain aspects of the proposed law. The authorisation requirement is to apply from as early as 1 January 2020, and with the law yet to be passed and questions outstanding, the timing appears tight.
What are crypto assets?
The government has adopted the following definition of ‘crypto assets’ in the draft law: “digital representations of value which have not been issued or guaranteed by any central bank or public authority and which do not have the legal status of a currency or money, but which are accepted by natural or legal persons as a means of exchange or payment or serve investment purposes on the basis of an agreement or actual practice and which can be transmitted, stored and traded electronically.”
Excluded from the definition are domestic and foreign legal tender, electronic money, assets used in interconnected payment systems and payment transactions of providers of electronic communications networks or services, as well as non-tradable electronic vouchers for the purchase of goods or services.
What is crypto custody business?
In the draft law, crypto custody business (das Kryptoverwahrgeschäft) is defined as “the custody, management and securing of crypto assets or private cryptographic keys used to hold, store or transfer crypto assets for others”. According to the explanatory notes to the draft law, it is not necessary for the service provider to offer all three services (i.e. “custody, management and securing”) in order to be subject to the licensing requirement.
- ‘Custody’ entails taking custody of crypto assets as a service for others. In particular, this includes collective custody solutions, where the customer would have no knowledge of the cryptographic key.
- ‘Management’ includes the ongoing administration of rights in connection with the crypto assets.
- ‘Securing’ of crypto assets and cryptographic keys includes both the digital storage of the private cryptographic keys and the storage of the physical data carriers, such as paper or USB sticks, on which such keys are kept.
What is not crypto custody business?
According to the explanatory notes, the mere provision of software or hardware to secure crypto assets or cryptographic keys that are operated by users at their own discretion is not covered by the definition of crypto custody business, unless the provider intends to have access to the stored data. This means, for example, that the mere provision of a web hosting service or cloud storage space, or even hardware or software, would not per se fall under the definition of crypto custody business.
What are the requirements for obtaining authorisation pursuant to Section 32 KWG?
Anyone wishing to offer custodial services in respect of crypto assets on a commercial scale requires authorisation pursuant to Section 32 KWG and will be subject to ongoing supervision by BaFin. Among others, the following requirements must be satisfied in order for permission to be granted:
- The entity providing the service (for the purposes of this article, the Custodial Service Provider) must show that it does not perform any other activity regulated pursuant to the KWG.
- The Custodial Service Provider must have its main registered office or a branch office in Germany.
- The Custodial Service Provider must have at its disposal initial capital of at least €125,000 and other resources necessary for its business operations.
- The Custodial Service Provider must show that it has a viable business plan setting out its business, structural organisation and planned internal control mechanisms.
- There must be at least two managing directors who have the necessary professional competencies to manage the crypto custody business and who are deemed reliable.
- The significant shareholders must be deemed reliable.
- Members of the Custodial Service Provider’s administrative and supervisory boards must be deemed reliable and to have the requisite expertise.
It should also be borne in mind that, as a financial service provider, the Custodial Service Provider will need to comply with the requirements of the German Money Laundering Act (Geldwäschegesetz).
What is the relationship between crypto custody business and other financial services, in particular safe custody (depositary) services under Section 1 para. 1 No. 5 KWG?
The explanatory notes to the draft law clarify that if crypto assets fall under the definition of securities within the meaning of the Safe Custody Act (Depotgesetz, DepotG), the provisions of the DepotG and the KWG relevant to safe custody (rather than the custody of crypto assets) will apply.
As the law presently stands (see 'What is contained in the statement of the German Bundesrat of 20 September 2019?' below relating to possible changes), ‘securities’ within the meaning of DepotG presupposes some form of certification of the securities, meaning that, for example, the DepotG would not apply to the storage and custody of security tokens, which otherwise exhibit the characteristics of securities.
The draft law and explanatory notes make clear that crypto custody business is a residual category of financial service, meaning that if the activity in question fulfils the requirements of another form of regulated activity, the provisions of law applicable to such regulated activity will take precedence.
Given that the draft law prevents a company from offering custodial services in respect of crypto assets at the same time as other forms of financial services, in practice a company wanting, for example, to conduct proprietary trading in crypto assets while offering custodial services in respect of crypto assets would have to set up a subsidiary for the latter activity and apply for separate authorisation.
Is there a transitional period?
The draft law affords a transitional period to providers of custodial services in respect of crypto assets who at the time the law is to come into effect – 1 January 2020 – are already providing such services.
In order to benefit from the transitional period, the service provider must notify BaFin in writing by 1 February 2020 of its intention to apply for a permit and submit a complete application by 30 June 2020. The service provider is then deemed authorised until BaFin has made a final decision on the application for authorisation.
Companies which commence crypto custody business activities from 1 January 2020 will not benefit from the transitional period. Instead, they would have to wait for express authorisation from BaFin before commencing such business activities.
What is contained in the statement of the German Bundesrat of 20 September 2019?
In addition to its request that the federal government clarify certain aspects of the draft law, the German Bundesrat has requested a further legislative procedure to review whether it would be possible to dispense with the planned separate authorisation for crypto custody business.
One of the reasons behind the request is likely to be a conclusion drawn from the German Government’s Blockchain Strategy (see “Blockchain-Strategie der Bundesregierung” published in September 2019), which states, among others, that German law should be opened up to cater for electronic securities, starting with bonds (Schuldverschreibungen). This in turn could expand the scope of applicability of the DepotG, removing the need to introduce crypto custody business as a separate financial service within the meaning of the KWG.
Client Alert 2019-258