This translation is furnished for information purposes only. The original German text is binding in all respects.

I. The statutory definition of crypto custody business

Under section 1 (1a) sentence 2 no. 6 of the KWG crypto custody business is defined as the custody, management and protection of cryptoassets or private cryptographic keys used to keep, store or transfer cryptoassets for others.

Crypto custody business was introduced as a financial service through the German Act Implementing the Amending Directive on the Fourth EU Anti-Money Laundering Directive¹ (hereinafter: the “Amending Directive”) of 12 December 2019 (Federal Law Gazette I p. 2602; Gesetz zur Umsetzung der Änderungsrichtlinie zur Vierten EU-Geldwäscherichtlinie – GwRLÄndG). The GwRLÄndG and the Amending Directive stipulate, inter alia, a widening of the group of obliged entities under money laundering legislation, particularly in the field of so-called “virtual currencies”. Service providers which offer the exchange of virtual currencies into legal tender and vice versa and into other cryptoassets are generally already financial services institutions and therefore obliged entities under money laundering legislation, since cryptoassets may be financial instruments within the meaning of section 1 (11) sentence 1 of the KWG, depending on their specific characteristics. The exchange of cryptoassets which are classifiable as financial instruments within the meaning of the KWG falls under the scope of the list of banking and financial services transactions in section 1 (1) sentence 2, (1a) sentence 2 of the KWG².

Commercial trading of cryptoassets which are not units of account within the meaning of section 1 (11) sentence 1 no. 7 of the KWG and which are not included in the other categories defined in section 1 (11) sentence 1 of the KWG was previously not covered. Accordingly, in order to identify all of the forms of use of cryptotokens which are relevant for the financial market, the Act has established a broad cryptoasset definition and has introduced this as a new financial instrument and crypto custody business as a new financial service³.

The statutory definition of crypto custody business is

• the custody, management and protection
• of cryptoassets or private cryptographic keys which are used to keep, store or transfer cryptoassets
• for others.

1. Cryptoassets or private cryptographic keys

Cryptoassets are also financial instruments within the meaning of section 1 (11) sentence 1 no. 10 of the KWG. They are defined in section 1 (11) sentence 4 of the KWG as

• a digital representation of value which
• has neither been issued nor guaranteed by a central bank or public body;
• it does not have the legal status of currency or money but,

• on the basis of an agreement or actual practice,

  • is accepted by natural or legal persons
  • as a means of exchange or payment or
  • serves investment purposes;
• it can be transferred, stored and traded by electronic means.

Pursuant to section 1 (11) sentence 5 of the KWG, the following are not cryptoassets within the meaning of the KWG:

• electronic money within the meaning of section 1 (2) sentence 3 of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG) or

• a monetary asset that

  • fulfils the requirements of section 2 (1) no. 10 of the ZAG (payment systems used in limited networks or with a very limited product range and instruments used for social or tax purposes) or
  • is used only for payment transactions under section 2 (1) no. 11 of the ZAG (payment transactions in case of electronic communication networks/services).

Section 1 (11) sentence 1 no. 10 of the KWG is designed as a catch-all provision, since cryptoassets may already be included in one of the other categories of financial instruments provided in section 1 (11) sentence 1 of the KWG due to their various specific characteristics. At the same time, the existing categories are not sufficient in order to cover all of the potential purposes of use of virtual currencies, as envisaged by recital 10 of the Amending Directive.

The term “cryptoassets” (“Kryptowerte”) which is used throughout the KWG is based upon the statutory definition in Art. 3 no. 18, as amended by the Amending Directive. According to this definition, virtual currencies are “a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically”.

However, due to the limitation to means of exchange the term “virtual currencies” only covers a subset of the digital units of value which can be found on the market. These are generally referred to as tokens or coins and are summarised internationally as “crypto assets” or “virtual assets” (“Crypto-assets Work underway, regulatory approaches and potential gaps” of 31 May 2019⁴ p. 10: “Crypto-asset: a type of private asset that depends primarily on cryptography and distributed ledger or similar technology as part of their perceived or inherent value.” The Financial Action Task Force (FATF) provides the following definition of a “virtual asset”: “A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes”⁵.

Since the individual categories of financial instruments overlap to a greater or lesser extent, due to their specific characteristics in individual cases cryptoassets may also belong to another category of financial instrument within the meaning of section 1 (11) sentence 1 of the KWG. As well as tokens with an exchange or payment function – which are already covered as units of account within the meaning of section 1 (11) sentence 1 no. 7 of the KWG – the definition of cryptoassets also includes tokens used for investment, e.g. security tokens and investment tokens which may also be classifiable as debt securities, investment products or investment funds under section 1 (11) sentence 1 no. 2, 3 and 5 of the KWG. However, according to the current legal situation security tokens are not securities within the meaning of the German Safe Custody Act (Depotgesetz – DepotG); providing custody and management does not therefore fall under the scope of section 1 (1) sentence 2 no. 5 of the KWG. However, as securities within the meaning of the EU Prospectus Regulation⁶ and Directive 2014/65/EU (MiFID II)⁷ they fall under the scope of the provisions of securities prospectus legislation, inter alia, if they are transferable, tradeable and endowed with rights similar to securities⁸.

The definition of cryptoassets does not include domestic and foreign legal tender. Pursuant to section 1 (11) sentence 5 of the KWG, electronic money, network-based payment systems and payment transactions of electronic communication network or service providers are also exempted⁹. This complies with recital 10 of the Amending Directive.

Nor does the definition include, in particular, purely electronic vouchers relating to goods or services of the issuer or a third party in exchange for the equivalent amount, which are only intended to acquire an economic function in relation to the issuer upon redemption and are not therefore tradeable and which, due to their specific characteristics, do not reflect any quasi-investor expectation, in value or accounting terms, as to the performance of the voucher or the general business development of the issuer or a third party¹⁰. The same applies for electronic tokens in multi-partner programmes where these cannot be traded and are not suitable as general means of exchange and payment or are not intended to be used as such.

From a technical point of view, cryptoassets are generally based on distributed ledger technology (DLT) or blockchain technology. Both use a form of asymmetric encryption in order prevent unauthorised access to the system. This encryption method is based on the use of key pairs consisting of a public and a private cryptographic key in the form of alphanumeric character strings. The public key serves as the user’s account address within the system, since this is normally publicly viewable and identifies within the scope of a specific system the recipient and sender account addresses involved in a transaction. The cryptoassets supported by the system in question can be allocated to this public key. The private key which matches the public key is generally only known to the authorised holder and is necessary in order to transfer the cryptoassets allocated to the account address. Cryptoassets can only be transferred from one user to another by means of this private key. Due to this extensive control over cryptoassets, the definition of crypto custody business will already be fulfilled where access to the private keys is possible.

2. For others

“For others” covers any form of providing custody, management or storage for one or more persons other than the undertaking providing such services, except if this is provided by way of direct representation, including the conclusion of the agreement on the provision of crypto custody business. In any of the definitional scenarios, the other person may also be the issuer of the cryptoassets.

In particular, if the holder itself provides custody, management or storage for its own cryptoassets or does so through its employees or, within the scope of a division of labour, through other partners by way of a genuine partnership-based network then it will not do so “for others” and is thus not covered by the definition. In principle, management of cryptoassets, free-of-charge, for members of an immediate family network is likewise not covered by the definition.

3. Custody, management and protection

The definition covers the custody, management and protection of cryptoassets or private cryptographic keys which are used to keep, store or transfer cryptoassets for others. The authorisation requirement under section 32 (1) sentence 1 of the KWG will apply if the provider implements one of these alternatives. According to the wording of this provision, it is not necessary for cryptoassets or other private cryptographic keys which are used to keep, store or transfer cryptoassets also to be held in custody, managed or protected.

Custody within the meaning of this provision means taking care of cryptoassets as a service for third parties. This thus includes, in particular, service providers which hold cryptoassets of their customers collectively, without their customers being familiar with the cryptographic keys used.

Management broadly means ongoing fulfilment of the rights resulting from the cryptoassets.

Protection means both the digital storage of third parties’ private cryptographic keys which is provided as a service and safekeeping of physical data media (e.g. a USB stick or a piece of paper) on which such keys are stored. The mere provision of storage space, e.g. by web hosting or cloud storage providers, will not fulfil the definition unless these providers expressly offer their services for the storage of private cryptographic keys.

Nor does the definition include the mere manufacture or sale of hardware or software for the protection of cryptoassets or private cryptographic keys which are operated by users on their own responsibility, insofar as the providers are not intended to have access to the cryptoassets or private cryptographic keys which the user thus holds in custody.

Accordingly, the key point is always the possibility of access to the public addresses where the cryptoassets are locally stored which is granted by means of the private cryptographic key.

II. Differentiation from other regulated activities

Insofar as cryptoassets, as debt securities within the meaning of section 1 (11) sentence 1 no. 3 of the KWG, are also securities within the meaning of provisions of securities prospectus legislation and are exclusively managed or held in custody for alternative investment funds within the meaning of section 1 (3) of the German Investment Code (Kapitalanlagegesetzbuch – KAGB), this activity falls under the scope of the more specific provision of restricted custody business within the meaning of section 1 (1a) sentence 2 no. 12 of the KWG. Where cryptoassets are covered by the definition of securities provided in the DepotG, custody will entail safe custody business with the meaning of section 1 (1) sentence 2 no. 5 of the KWG; this has priority over section 1 (1a) sentence 2 no. 6 of the KWG¹¹.

Where cryptoassets are covered by the definition of financial instruments provided in Art. 2 (1) no. 8 of Regulation 2014/909/EU (Central Securities Depository Regulation, CSDR)¹² and where a securities settlement system, as defined in Part A of the Annex to the Central Securities Depository Regulation, and at least one further core service listed in Part A of the Annex are provided, then the cryptoassets will be held in custody by a central securities depository within the meaning of section 1 (1) sentence 2 no. 6 of the KWG; this has priority over section 1 (1a) sentence 2 no. 6 of the KWG¹³. If an undertaking is thus already authorised as a central securities depository under Art. 16 (1) of the CSDR, it will not require any separate authorisation to conduct crypto custody business in order to hold in custody security tokens which, on account of their specific characteristics, are securities within the meaning of the CSDR and MiFID II, since the authorisation requirement stipulated in the CSDR is the more specific provision in this respect and thus has priority. In principle, security tokens which are transferable securities within the meaning of Art. 2 (1) no. 35 of the CSDR and Art. 4 (1) no. 44 of MiFID II must be initially entered in the systems of a central securities depository as “transferable securities” pursuant to Art. 3 of the CSDR as of their issue, if they are admitted to trading on a trading venue pursuant to MiFID II (regulated market, multilateral or organised trading facility) or are traded there. Initial recording in book-entry form of securities (“notary service“) and the provision and management of securities accounts at the highest level (“central maintenance service”) as core services of the central securities depository will only require authorisation if the undertaking is also the operator of a securities settlement system within the meaning of Directive 98/26/EC (Settlement Finality Directive, SFD)¹⁴ in accordance with the definition of a central securities depository provided in Art. 2 (1) no. 1 of the CSDR. It is not possible to specify in general terms whether solutions provided by the undertakings which hold security tokens or the related private cryptographic keys on behalf of customers and which also transfer these to third parties on behalf of customers will require authorisation as a central securities depository. This will depend on the specific form of custody or storage, the mode of operation of the underlying technology for the security tokens and the contractual relationships between the parties involved.

Where credit or financial services institution provide services relating to cryptoassets within the scope of an existing authorisation, e.g. principal broking services, placement or underwriting business (section 1 (1) sentence 2 no. 4, 10, (1a) sentence 2 no. 1c of the KWG), they will not require any separate authorisation to conduct crypto custody business for their necessary dealings with their customers’ cryptoassets for the purpose of the intended form of settlement of these transactions¹⁵.

III. Authorisation requirement for crypto custody business

According to section 32 (1) sentence 1 of the KWG, the conduct of banking business or the provision of financial services in Germany on a commercial basis or to an extent which requires the establishment of a commercial enterprise will require written authorisation from BaFin¹⁶ The fulfilment of one of these alternatives will suffice in order to establish the authorisation requirement for the business in question. The legal form of the undertaking (natural person, partnership, legal entity) is irrelevant.

Even if the volume of this business objectively does not require the establishment of a commercial enterprise, banking and financial services will be provided on a commercial basis if this business has been established for a certain period of time and if the operator is pursuing this business in order to generate a profit. The latter includes the intention to avoid losses.

The criterion of the requirement of the establishment of a commercial enterprise applies as an alternative. It is irrelevant whether a commercial enterprise is actually managed. The sole key point is whether, for the financial services enterprise, the establishment of such an enterprise is objectively necessary according to the prevailing view in the banking sector (i.e. from the point of view of an orderly businessman). This must be determined on a case-by-case basis. If multiple types of banking/financial services business are provided at the same time, this may apply even in case of a relatively limited volume.

This business will only be subject to the authorisation requirement under section 32 (1) of the KWG if it is (also) conducted in Germany. This business will be conducted in Germany if the undertaking's registered office is situated in Germany, even if it deliberately only conducts this business from Germany with persons not residing in Germany. This business will also be conducted in Germany if the undertaking establishes a legally dependent branch office or maintains another physical presence here from where it conducts this business, even if it deliberately does so with persons not residing in Germany.

Finally, a connection to Germany will apply if, from outside Germany, the offering is also, and in particular, aimed at legal entities or natural persons whose registered office or habitual residence is situated within the Federal Republic of Germany, while using means of distance communication and exclusively by way of cross-border provision of services, without maintaining a network of intermediaries or a physical presence. Further information may be found in the guidance notice “Guidelines on the authorisation requirement under section 32 (1) of the KWG in conjunction with section 1 (1) and (1a) of the KWG for cross-border banking business and/or cross-border financial services”¹⁷.

The possibility of pursuing cross-border activity by means of a notification process (“European passport”) which is available to institutions in the European Economic Area for other types of banking business and financial services does not apply in case of crypto custody business (section 1 (1a) sentence 2 no. 6 of the KWG). Its statutory definition is the result of Germany’s transposition of the Amending Directive, which has not been uniformly prescribed within the EU.

IV. Transitional provision in section 64y of the KWG

The comments in the relevant advisory letter apply in regard to the transitional provisions¹⁸.

V. Information and addresses

This guidance notice provides basic information on the definition of crypto custody business. It is not intended to provide an exhaustive presentation of all of the questions relating to this statutory definition. In particular, it is not a substitute for a case-by-case application for authorisation submitted to BaFin or to the competent regional office of Deutsche Bundesbank.

Full documentation of the contractual agreements serving as the basis for conduct of crypto custody business is required for a conclusive assessment of possible authorisation requirements.

The officers of BaFin and Deutsche Bundesbank are obliged to maintain confidentiality regarding any information provided (section 9 of the KWG).

In case of doubt, the question of whether an undertaking is subject to the authorisation requirement under section 32 (1) of the KWG will be decided by

If you have any further questions concerning this guidance notice, you may also first of all contact your local regional office of Deutsche Bundesbank. It will then forward your questions to BaFin, where applicable including its own opinion.

For Berlin and Brandenburg:

For North Rhine-Westphalia:

For Hessen:

For the Free and Hanseatic City of Hamburg, Mecklenburg-Western Pomerania and Schleswig-Holstein:

For the Free Hanseatic City of Bremen, Lower Saxony and Saxony-Anhalt

For the Free States of Saxony and Thuringia:

For Rhineland-Palatinate and Saarland:

For Baden-Württemberg:

For the Free State of Bavaria:

Deutsche Bundesbank’s network of regional offices means that a contact is available to assist you in your local region.

Footnotes: