Usually, these are exclusively, or among other things, a private means of payment. They are not issued by a central bank and can be subdivided into tokens without any intrinsic or reference value (such as bitcoin and similarly designed tokens) and tokens with a reference value (known colloquially as stablecoins). They usually have no other function, or only limited functions, beyond this.

Asset-referenced tokens are crypto assets of non-governmental origin whose performance is linked to legal tender (e.g. US dollar or euro) or other assets (such as gold, securities, other crypto assets or any combination of these). The idea is that a stable relationship is established between the token and the reference asset, and a wide variety of processes are used to try to achieve this. These can include, for example, a reserve being held on the blockchain (on-chain) or apart from the blockchain (off-chain) or the use of algorithmic processes. For this reason, asset-referenced tokens are supposed to be more stable than other crypto assets. In contrast to security tokens (see below), however, the underlying assets or associated rights are not necessarily embodied in the token. Stablecoins sometimes show dramatic differences in terms of their legal, technical, functional and economic design. What these private crypto assets all have in common is the fact that their price stability cannot be equated with the stability of the assets referenced, particularly not with that of state currencies.

Outlook: European regulation

The draft of a regulation of the European Union (EU) for crypto assets and related business activities (Markets in Crypto-Assets Regulation – MiCA) differentiates between two sub-types of tokens linked to a reference value: electronic money tokens (e-money tokens – EMTs), which reference a single currency, and asset-referenced tokens (ARTs), which reference other assets (including crypto assets and currencies) or combinations thereof.

Additional information on MiCA, including EMTs and ARTs, can be found in a separate overview.

Utility tokens essentially make it possible to buy goods or services. They are often designed to be used only on the issuer’s network. Utility tokens can be very complex in terms of how they work and also how they are classified under supervisory law – especially if they are designed to be hybrid (for information on hybrid tokens, see separate section).

NFTs are cryptographic tokens which, as the name implies, are not fungible (not interchangeable) with each other in terms of their technical characteristics and are therefore unique. They are usually designed to serve as evidence of the authenticity of digital and real objects and/or the personal rights (of ownership) in them.
The name NFT is the name most often used on the market if the underlying smart contracts involve the use of a technical industry standard that assigns each token a unique identifier, making it possible for the token to be unambiguously identified and individually linked to an address. In the case of fungible tokens, meanwhile, it is not an individual token that is linked to each address but the portion of a total quantity.

The criterion of uniqueness here only refers to the technical characteristics and the individual identifier (token ID), but not necessarily the content which the token represents. For example, a smart contract can store a large number of NFTs that all have individual identifiers, but which all have the same rights or content assigned to them.
A token issued by an NFT standard can thus be unique from a technical perspective but in terms of its content still be interchangeable – and thus “fungible”.

In terms of a supervisory assessment, there are no particular differences between the approach to NFTs and existing supervisory practice with respect to fungible cryptographic tokens. In particular, the interpretive letters and guidance notices published by BaFin on this topic can also be used for the supervisory classification of NFTs.

Further background information on NFTs and their regulatory classification can be found in a feature article in the BaFin Journal (03/2023).

The term “security token”, or “investment token” or “asset token”, is used to summarise those tokens whose characteristics are similar to those of traditional financial instruments such as shares, debt instruments or shares of investment funds.

Due to their comparability with traditional financial instruments, such security tokens are often also classified as regulated financial instruments (“substance over form”). Security tokens are tokens that embody rights that are the same as or comparable to conventional securities, for example. Rights comparable to securities is understood to mean membership rights or contractual claims involving assets, similar to the rights associated with shares or debt instruments. Such tokens then generally constitute securities within the meaning of Regulation (EU) 2017/1129 (EU Prospectus Regulation), the German Securities Prospectus Act (Wertpapierprospektgesetz – WpPG) and the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG) or financial instruments within the meaning of the German Banking Act (Kreditwesengesetz – KWG) and the German Investment Firm Act (Wertpapierinstitutsgesetz – WpIG).

The German Electronic Securities Act (Gesetz über elektronische Wertpapiere – eWpG) introduced the possibility to issue securities under civil law by means of an electronic register entry, i.e. without securitising them in a physical certificate.

As things currently stand, bearer bonds (section 1 of the eWpG) and investment share certificates (section 95 (1) of the German Investment Code (Kapitalanlagegesetzbuch – KAGB) can be issued electronically. This alternative is not yet permissible for shares.

Among the subsets of electronic securities are also crypto securities and crypto fund units. Crypto securities and crypto fund units normally constitute financial instruments within the meaning of banking and securities supervision law.

The obligations under supervisory law in this context are essentially comparable to those applicable to traditional securities. This generally includes, for example, prospectus requirements for an offer to the public and an authorisation requirement for conducting banking business or providing financial or investment services. Further details can be found in the section “Prospectus and authorisation requirements“ below.

The electronic register (see “electronic securities”) used to register these electronic securities can also be operated on the basis of DLT systems (“crypto securities registers”, section 16 of the eWpG). If an electronic security is created by an entry in a crypto securities register under the eWpG, it is called a crypto security (section 4 (3) of the eWpG). If it is entered in a central register, it is called a central register security (section 4 (2) of the eWpG). A security token is therefore only a crypto security if it has been entered in a crypto securities register under the eWpG. Crypto securities are usually to be categorised as securities as defined under supervisory law. With regard to the resulting supervisory obligations, please refer to the above information on security tokens.

The KWG now also contains a new authorisation requirement for the maintenance of a crypto securities register (section 1 (1a) sentence 1 no. 8 of the KWG). In addition, there are special authorisation requirements for the safeguarding of the associated private cryptographic keys for others (crypto custody business). More information on these two financial services and the related requirements can be found on the BaFin website on the pages relating to the maintenance of crypto securities registers and crypto custody business.

Just as the eWpG has made it possible to issue crypto securities, the German Regulation on Crypto Fund Units (Verordnung über Kryptofondsanteile – KryptoFAV) has paved the way for the issuance of electronic investment fund unit certificates by means of entry in a crypto securities register as “crypto fund units”.

Crypto fund units are largely subject to the provisions of the eWpG (see also “crypto securities”). For more on this topic, please refer to the information on the KryptoFAV.

Crypto fund units are units of investment funds within the meaning of section 1 (1) of the KAGB that have been launched in the form of common funds. The launch and administration of common funds are subject in particular to the authorisation, issuance and marketing requirements of the KAGB. In addition, banking business and financial/investment services provided by third parties with regard to crypto fund units must comply with the authorisation and good conduct requirements of the KWG, the WpIG and/or the WpHG.

The term crypto asset is primarily a statutory definition and less an economic or technical name (as opposed to payment tokens, for example). The concept of “crypto assets” can cover many of the aforementioned types of tokens. More detailed information on what a crypto asset is and how it can be distinguished from other instruments can be found in the following description of crypto assets under “Supervisory classification of crypto tokens”.

Under section 1 (11) sentence 4 of the German Banking Act (Kreditwesengesetz - KWG), crypto assets are defined as

• a digital representation of value that
• is not issued or guaranteed by a central bank or public authority and
• does not possess a legal status of currency or money, but
• is accepted by natural or legal persons
o as a means of exchange or payment
o by virtue of an agreement or actual practice or
o is used for investment purposes and
• which can be transferred, stored and traded electronically.

The definition of crypto assets does not apply to domestic or foreign legal tender that is recognised in Germany. In addition, section 1 (11) sentence 5 of the German Banking Act (Kreditwesengesetz - KWG) provides for an exception in the case of electronic money, network-based payment systems and payment transactions of electronic communication network or service providers. The definition also does not apply, in particular, to purely electronic vouchers for goods or services provided by the issuer or a third party in exchange for the equivalent amount that are only intended to be attributed an economic function through redemption with the issuer and are therefore non-tradable and that, due to their specific characteristics, do not reflect any investment-like expectations, in value or accounting terms, as to the performance of the voucher or the general business development of the issuer or a third party. The same applies for electronic tokens in multi-partner programmes where these cannot be traded and are not suitable as general means of exchange and payment and are not intended to be used as such.

Depending on their specific design in individual cases, crypto assets may also have to be assigned to another category of financial instruments within the meaning of section 1 (11) sentence 1 of the German Banking Act (Kreditwesengesetz - KWG) and/or section 2 (5) of the WpIG. In addition to referring to tokens with an exchange or payment function – which are already addressed as units of account within the meaning of section 1 (11) sentence 1 no. 7 of the KWG – the definition of crypto assets also includes tokens used for investment purposes, e.g. security tokens and investment tokens which may also be classifiable as debt securities, non-securities investment products or investment funds under section 1 (11) sentence 1 nos. 2, 3 and 5 of the KWG.

Crypto securities are therefore essentially crypto assets; however, the provisions of supervisory law concerning electronic securities are applied to crypto securities, as these are more specific and therefore have priority.

More detailed information on what a crypto asset is can be found in BaFin´s guidance notice on crypto custody business, point I. 1.

Transferability can be assumed if the token can be transferred to other users (without any changes in its legal and/or technical substance). This is the case for the vast majority of the token standards existing on the market (e.g. ERC-20).

Negociability in respect of tokens describes a minimum level of standardisation, and hence the properties of the tokens featuring the same rights. The tokens must be comparable with each other in the sense of a “class” and be able to be traded in accordance with their class. In addition, online crypto trading platforms may meet the definition of a financial market.

By contrast, securitisation is not necessary for the supervisory definition of securities used by BaFin. Rather, it is sufficient if the holder of the token and the rights embodied in the token can be documented, for example by means of distributed ledger or blockchain technology, or through comparable technologies.

A token embodies rights similar to securities in any event if the token conveys to its holder an equity interest comparable to that of a shareholder or an interest in debt comparable to a bondholder. To make the token comparable with a security as defined in the EU Prospectus Regulation and the German Securities Prospectus Act (Wertpapierprospektgesetz - WpPG), it must therefore convey either investment or membership rights. A token embodies membership rights if it conveys a form of a stake in the company, e.g. participation and voting rights.

Investment rights can be assumed if the token denotes that there are claims to a financial payment (e.g. interest, profit participation) against the token issuer or a third party. A strong indicator of this would be obligations to repay the invested capital that depend on the maturity date or a termination

If the crypto tokens constitute securities within the meaning of the EU Prospectus Regulation or the German Securities Prospectus Act (Wertpapierprospektgesetz - WpPG) or non-securities investment products within the meaning of the German Capital Investment Act (Vermögensanlagengesetz – VermAnlG), these laws lay down a prospectus requirement for the offer of such tokens to the public. Article 2(d) of the EU Prospectus Regulation (also in conjunction with section 2 no. 2 of the WpPG), defines an offer of securities to the public as “a communication to persons in any form and by any means, presenting sufficient information on the terms of the offer and the securities to be offered, so as to enable an investor to decide to purchase or subscribe for those securities. This definition also applies to the placing of securities through financial intermediaries.”

BaFin is the competent authority if securities are offered to the public in Germany. A connection to Germany is deemed to exist if the offering is to be addressed to investors domiciled in Germany. Such a connection is generally assumed if the offer can be accessed from Germany. Whether an offer to the public has a connection to Germany can be inferred from indicators in the individual case; an overall assessment of the matter is necessary in every case. If there is unrestricted online access to an offer to the public, for example, this means that the offer is addressed to the global public; consequently, a prospectus is required in Germany.

In certain circumstances, issuers have to comply with prospectus requirements – and potentially also authorisation requirements.

Under the prospectus requirement, a prospectus must be drawn up and published before securities can be offered to the public or admitted to trading on a regulated market. The securities prospectus must contain all material information on the issuer and the securities being offered. It is meant to enable investors to obtain an accurate picture of the offer and to make their investment decision under these conditions. The basis for the drawing up, approval and validity of the prospectus is Regulation (EU) 2017/1129 – the EU Prospectus Regulation. The contents and the structure of the prospectuses are specified in European Delegated Regulations (EU) 2019/979 and (EU) 2019/980.

Non-securities investment products also may not be offered to the public without a prospectus. The prospectus for these investment products must be drawn up in accordance with the German Capital Investment Act (Gesetz über Vermögensanlagen – VermAnlG). Its content and structure are governed by the German Investment Prospectus Regulation (Vermögensanlagen-Verkaufsprospektverordnung – VermVerkProspV).

Certain activities such as crypto token-related banking, financial and investment services may not be conducted without prior authorisation from BaFin.

In connection with the issue of the authorisation requirements, however, a distinction should be drawn between two phases of the intended activities. For example, even the issuance of crypto tokens or pre-launch advertising for such tokens may be activities requiring authorisation. On the other hand, activities carried out by the provider or by third parties downstream from the issuance of the tokens, such as the subsequent trading with tokens, may trigger authorisation requirements or cause involvement in third-party business activities requiring authorisation. A key factor in determining whether such downstream activities require authorisation is the supervisory classification of the tokens themselves.

For the issuer, the first issuance of crypto tokens may trigger authorisation requirements. If the issuance is advertised beforehand, the advertising activities may also require authorisation. The following information describing where the criteria may have been met is not exhaustive; instead, it addresses the issues that have proven to be common in BaFin’s past experience. In practice, it is generally necessary to conduct a comprehensive assessment of the individual case to be able to assess possible authorisation requirements.

Deposit business: There may be an authorisation requirement under the German Banking Act (Kreditwesengesetz - KWG) if the issuer accepts legal tender in exchange for tokens and gives buyers an unconditional promise of repayment. This would be the case, for example, if the issuer promises to buy back the tokens for at least the issue price later on. In this case, the sale of the tokens could constitute the conduct of deposit business within the meaning of section 1 (1) sentence 2 no. 1 of the KWG, which requires authorisation under section 32 (1) of the KWG. More details can be found in BaFin’s Guidance Notice on deposit business, available on the BaFin website.

Electronic money (e-money) business: Depending on the type of the tokens in question, the own issue of such tokens may constitute e-money business under section 1 (2) sentence 2 of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG). This is the case, for example, if the tokens can be bought using legal tender such as euros or US dollars, they embody a claim against the issuer and they are accepted by third parties as payment. The issuer of such tokens would then be conducting e-money business and would require authorisation from BaFin for issuing the tokens under section 11 of the ZAG (for details on e-money business, see BaFin’s Guidance Notice on the Payment Services Supervision Act (Hinweise zum Zahlungsdiensteaufsichtsgesetz (ZAG)), which is also available on the BaFin website). Tokens that are issued solely in exchange for virtual currencies such as ether or bitcoin, however, do not constitute e-money; the issuance of these tokens does not trigger in itself an authorisation requirement for e-money business.

Investment business: The issuance of tokens may also trigger authorisation requirements under the German Investment Code (Kapitalanlagegesetzbuch – KAGB). This may be the case, for example, if the issuer of the tokens promises customers a collective investment of funds or virtual currencies received from an ICO, following a defined investment strategy, and if the holders of the tokens participate in the profits and losses of this investment activity – for example, in the form of distributions later on or redemption on the part of the issuer. In this case, the issuer could be deemed the operator of an asset management company. This type of activity would only be permitted if the issuer has first registered with or obtained authorisation from BaFin (section 44 (1) sentence 1 no. 1 and section 20 (1) of the KAGB).

More information can be found in BaFin’s interpretive letter on the scope of the KAGB and the term “investment fund” (Anwendungsbereich des KAGB und zum Begriff des Investmentvermögens), available on the BaFin website.

It is possible for business activities to require authorisation not only in connection with the issuance of tokens, but also in the case of downstream activities (of the issuer or third parties).

If the tokens are crypto assets within the meaning of section 1 (11) sentence 4 of the KWG and thus financial instruments within the meaning of section 1 (11) no. 10 of the KWG, the conduct of banking business and the provision of financial and/or investment services in relation to crypto assets generally require authorisation.

Business activities involving tokens conducted downstream of the actual issuance may trigger numerous authorisation requirements if they are conducted in Germany commercially or on a scale which objectively requires commercially organised business operations. If the tokens are to be classified as financial instruments within the meaning of section 1 (11) of the KWG, activities on the secondary market may – depending on the specific nature of the activities – constitute the conduct of banking business, for example principal broking services (section 1 (1) sentence 2 no. 4 of the KWG) or underwriting business (section 1 (1) sentence 2 no. 10 of the KWG). They may also constitute the provision of financial services, such as investment broking, investment advice, operation of a multilateral or organised trading facility, placement business, contract broking, portfolio management, dealing on own account and investment management. These legal definitions are just as applicable to crypto tokens that are deemed financial instruments as they are to conventional financial instruments.

Holders of authorisation for the conduct of banking business or the provision of financial or investment services that generally relates to financial instruments do not need any separate or renewed authorisation to be able to additionally conduct these activities in connection with crypto assets. Where services are not provided solely with respect to crypto assets and units of account, but also with respect to other financial instruments, there may be an authorisation requirement under the German Investment Firm Act (Wertpapierinstitutsgesetz - WpIG).

The situation is different, however, in the case of crypto custody business (section 1 (1a) sentence 2 no. 6 of the KWG) and – for crypto securities – the maintenance of a crypto securities register (section 1 (1a) sentence 2 no. 8 of the KWG). These activities always require separate authorisation to be granted. BaFin has published advisory letters and explanations on this subject.

In cases of doubt, the supervisory laws provide for BaFin to have the power to make a binding declaratory decision, carrying a fee, as to whether a company is subject to supervision under the KWG, the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG), the KAGB or the ZAG.

In practice, this individual declaratory decision is only brought to bear in special cases, as all four relevant laws generally allow, and normally require , BaFin to intervene by issuing a cessation and/or winding up order if business operations are found to be unauthorised. In the reverse case, a negative statement regarding a potential authorisation requirement for a business project only makes sense as a non-regulatory form of information, as BaFin cannot decide that an entity is not subject to an authorisation requirement unless it has assessed the entity´s entire business. In both cases, BaFin’s contact form provides a straightforward digital channel for making initial contact with BaFin.

Based on the draft MiCA regulation, which is currently still under negotiation, there are unlikely to be any additional requirements for activities relating to tokens that are already deemed financial instruments within the meaning of the second Markets in Financial Instruments Directive (Directive 2014/65/EU, MiFiD II). In particular, this covers securities within the meaning of German financial markets supervision law.

There are often hybrid forms of these types of token, referred to as “hybrid tokens”. In particular, many providers are aiming for their utility tokens to be used as a mode of payment in the future.

In these cases, the decisive factor is the functions that are the focus of the respective token. A decision can only be made based on the specific circumstances in the individual case. For example, if a utility token is also used as a means of exchange or payment or for investment purposes, it may be categorised as a crypto asset within the meaning of the KWG/WpIG or as a security within the meaning of the KWG, WpIG and WpHG.

A typological designation is not a determining factor, although a categorisation – for example as an "payment token", "security token" or "utility token" – may give an initial indication of the token type. However, such a categorisation cannot replace a comprehensive, binding supervisory classification. BaFin therefore examines possible prospectus and authorisation requirements in each individual case, regardless of what the token is called.

In an initial coin offering (ICO), initial token offering (ITO) or security token offering (STO), a company raises funding for a business idea. Investors then receive tokens in return for the funding.

For ICOs, “white papers” are often produced. These documents can contain information on the intended purpose of the business, the persons involved and the technical details of the tokens. However, these white papers are not yet* regulated and those who issue them are free to design their form and content as they choose. White papers are used primarily for PR and communication. It has become clear that information in white papers is often not comprehensive and precise enough, that the content of white papers is changed during the course of the ICO, and that the information provided in white papers does not necessarily have to correspond to the actual design of the token. This means that investors are not sufficiently protected. White papers are not comparable with prospectuses for securities and capital investment or with legally prescribed information sheets, as they are not information documents for which the company is liable.

*European legislators are proposing to issue a regulation to regulate crypto assets and related activities, the “Markets in Crypto-Assets Regulation” (MiCA). This regulation is also intended to place white papers under a regulatory regime.

Different rules now apply to investments for the guarantee assets of insurance undertakings since the fundamental regulatory framework Solvency II was introduced. The rules set out in Solvency II apply to insurers, reinsurers and insurance groups that have their registered office in the European Union. However, there is an exemption for small insurance undertakings whose annual gross written premium income does not exceed EUR 5 million and whose total technical provisions, gross of the amounts recoverable from reinsurance contracts and special purpose vehicles, do not exceed EUR 25 million (section 211 (1) of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG) in conjunction with Directive 2009/138/EC). It is possible that these thresholds will be adjusted or increased as part of the Solvency II review.

1. In principle, insurers that are subject to the provisions of Solvency II have freedom of investment. However, they must invest all of their assets in accordance with the “prudent person” principle. This means, in particular, that insurers are required to observe the legal requirements of section 124 of the VAG and the rules set out in guidelines 27 to 35 issued by the European Insurance and Occupational Pensions Authority (EIOPA) regarding the system of governance. The decision about whether investments in crypto assets are possible is one that has to be made independently by the insurer based on its specific circumstances, taking into account supervisory requirements, and the insurer must specify this decision in their risk management policy. However, proving that the risks associated with crypto assets (such as price volatility, loss of access and liquidity risks) can be adequately identified, assessed, monitored, managed and controlled may present insurers with considerable challenges.

Due to the freedom of investment, Solvency II undertakings are in principle permitted to acquire investments that do not fulfil every qualitative characteristic (as long as the security, quality, liquidity and profitability of the portfolio as a whole are ensured). However, this does not mean that these investments are necessarily also added to the guarantee assets. With respect to the guarantee assets of Solvency II undertakings, section 125 (1) of the VAG sets out which assets are primarily to be added to the guarantee assets. Only if there are not enough of the assets specified in this list to cover the minimum amount of guarantee assets can other investments also be added to the guarantee assets. This provision serves to ensure, in a broader sense, that the quality of the assets in the guarantee assets is sufficient. Crypto assets are not listed under section 125 (1) of the VAG.

With regard to the investment principle of profitability, we refer here to BaFin’s long-standing administrative practice in accordance with BaFin Circular 11/2017.

2. For all insurance undertakings that are not subject to the rules set out in Solvency II (Solvency I insurance undertakings), section 215 (2) of the VAG and the German Investment Regulation (Anlageverordnung – AnlV) act as a point of reference for the investments that can be added to the guarantee assets. Crypto assets are not included in section 215 (2) of the VAG or in the schedule of investments in the AnlV. Under the currently applicable supervisory legislation for Solvency I insurance undertakings, crypto assets are not permissible as investments for guarantee assets.

In BaFin’s opinion, investments in crypto assets are associated with considerable risks and are often speculative, with the result that the investment principle of security is jeopardised. We see frequent evidence of the susceptibility of crypto assets to extreme price jumps and volatility. In light of this, the European Supervisory Authorities (ESAs) issued a statement on 17 March 2022 to warn consumers about the risks of crypto assets. BaFin has also issued a number of warnings in connection with crypto assets, most recently on 22 August 2022.

In Germany, it is not permitted to issue exchange-traded funds (ETF) that track only one single crypto asset such as bitcoin. The reason is that an exchange-traded open-ended retail fund that tracks the performance of one single asset – in this case, the crypto asset bitcoin – would contradict the basic principle of risk diversification, both under German national product rules and the European Union’s harmonised rules for undertakings for collective investment in transferable securities (UCITS). The principle of risk diversification aims at protecting investors and is fundamental to this type of fund.

Under current legislation, UCITS are also not permitted to invest directly in crypto assets such as bitcoin. They can only participate in the price development of crypto assets indirectly by means of “delta-one” certificates. These certificates are designed to track the price development of the underlying asset at a one to one ratio; however, in addition to the risks inherent in the asset tracked (e.g. volatility, hacker attacks, etc.), these certificates also entail their own specific risks (e.g. higher costs, additional counterparty risks or, depending on their structure, even the risk of early termination on the part of the offeror). Further information on certificates based on crypto assets can be found here.

A bitcoin ETF would thus not be eligible for authorisation in Germany or Europe – whether as an investment product issued in Germany or as a UCITS suitable for cross-border distribution issued in other member states.