Anyone wishing to provide certain banking and financial services in Germany requires authorisation from BaFin. The type of authorisation required depends on the planned business model and the legal and actual design of the planned products and services. The question of whether a business model requires authorisation, which type of authorisation is required and what scope the authorisation must have is determined on a case-by-case basis. Non-binding information and guidelines on market entry can be found on the BaFin website.

Providers of purely technical services do not require authorisation from BaFin to conduct their activities as long as these activities are not classified as banking business or financial services. However, if they provide services for companies supervised by BaFin, their services may constitute material outsourcing by the supervised entity. For example, services are deemed to constitute material outsourced activities and processes if the services provided are critical for the supervised entity. This is also the case if the services concern the compliance obligations, for example in relation to money laundering prevention, the internal audit function or risk management, incumbent upon the entity outsourcing its activities or processes. If a technical service constitutes material outsourcing, the supervised entity must fulfil certain minimum requirements set out by BaFin when designing the contract with the outsourcing company. Alongside numerous other requirements, it must in particular be ensured that the supervised institution, alongside BaFin and any auditors, receive unlimited information rights with regard to the services provided, and that the institution has the power to issue instructions in order to comply with supervisory obligations at all times. Appropriate termination periods must also be agreed. Supervisory obligations incumbent on the institution that outsources its activities and processes can therefore have implications for technical service providers through such contractual agreements.

With the entry into force of the Act to Strengthen Financial Market Integrity (Gesetz zur Stärkung der Finanzmarktintegrität – FISG), BaFin received further powers and, as of 2020, has direct access to banks’ outsourcing providers. The FISG spells out which information and inspection rights BaFin has: previously, BaFin’s only means of intervention was via the banks, but now it has direct powers to intervene in order to avoid or remedy irregularities at companies to which functions are outsourced. BaFin may now also impose administrative fines on such companies. If institutions outsource activities to companies domiciled in third countries outside the European Economic Area, both parties must contractually appoint a person authorised to accept service to whom inspection orders may be served by BaFin at short notice, for example. Furthermore, the FISG has reintroduced the notification requirement for material outsourcings, thereby ensuring that BaFin has a comprehensive overview of the outsourced activities and processes and accompanying (concentration) risks.

A collection of all FAQs on FinTech can be found on our overview page.

Answer: In accordance with section 64 (3) of the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG) and Articles 54 and 55 of Delegated Regulation (EU) 2017/565, the suitability of the portfolio management is determined based on whether or not the investment strategy recommended to the client, and the investment risks that arise from that strategy, match the client's investment objectives. In addition, the recommended strategy must take into account the client's ability to bear losses based on their investment objectives. Furthermore, of particular importance is whether or not the clients, based on their knowledge and experience, can understand the investment risks inherent in the recommended portfolio management approach.

Along with theoretical knowledge, asset managers are required to possess sufficient practical knowledge in the field of portfolio management as well as managerial skills. They must be able to demonstrate their practical knowledge and managerial skills by means of relevant work experience. The required knowledge and experience must, in particular, enable the asset manager to make investment decisions for customers (within the scope of the existing discretionary powers) in such a way that these decisions match the customers' investment objectives and only involve the sort of investment risks that the customers can afford to take.

Answer: Asset managers who are not authorised to acquire ownership or possession of client funds must have an initial capital of 75,000 euros available. Furthermore, they must comply with the capital requirements as stipulated in the European Capital Requirements Regulation (CRR). These include a Common Equity Tier 1 capital ratio of 4.5 percent, a Tier 1 capital ratio of 6 percent and a total capital ratio of 8 percent. In the calculation of the capital ratios, the fixed overheads of the respective asset manager play an important role.

As soon as an investment recommendation is made, a statement on suitability must be prepared and made available to the investor. In the case of robo-advice, this means that the person to whom the automated investment advice can be attributed must be identified.

As with the first question above, it is necessary to identify the person to whom the automated investment advice must be attributed. This person must then be reported to the Employee and Complaints Register.

The authorisation requirement for investment advice is not determined by which customer information is obtained but whether a recommendation is made. At the same time, an additional deciding factor is whether or not the service provider gives the impression of having considered the investor's personal circumstances when making their recommendation. Here, too, BaFin is only able to provide a conclusive assessment on a case-by-case basis. If the criteria for investment advice are fulfilled, it is obligatory under supervisory requirements to obtain the necessary information from the respective investor.

In general, this make no difference. As regards the authorisation requirement for the platform operator, it is generally not a decisive factor how signal providers manage their securities accounts. Instead, it depends on whether and how the platform executes or passes on the orders from the customers/followers and whether or not it can exercise discretion in this regard.

Under certain circumstances, the platform's activities may include the communication of investment recommendations, which must be notified pursuant to section 86 of the WpHG. In accordance with BaFin's administrative practice, an investment recommendation is deemed communicated if the analysis is made accessible by a person (in this case, for example, the platform) other than the person who is responsible for preparing said recommendation (in this case the signal provider/trader). This only applies, however, if the activity of the signal provider/trader can be deemed to be the provision of investment recommendations in accordance with the explanations given above. However, BaFin cannot issue a binding assessment until the individual circumstances of a given case have been evaluated. In cases of doubt, the operator of the platform should seek an assessment from BaFin in relation to their specific case.

BaFin is generally only able to provide a conclusive supervisory assessment, in particular of the requirement for an authorisation under section 32 (1) sentence 1 of the KWG or section 15 (1) of the WpIG, where information is provided regarding the contractual agreements which are intended to form the basis of the respective business.

The assessment of the business model essentially depends on the structure of such a financial instrument and on the platform's involvement in the purchase of the financial instrument by the customer.
If the financial instrument includes a capital guarantee, for instance, which guarantees repayment of the full amount, the issuer of the financial instrument may fulfil the criteria for deposit business, which is subject to an authorisation requirement. Further information on this can be found in the Guidance Notice on deposit business (Merkblatt zum Tatbestand des Einlagengeschäfts).

With regard to the platform's involvement in the purchase of the financial instrument by the customer, the following generally applies: the activity is not subject to an authorisation requirement if the platform operator is not involved in the purchase of the signal-projecting financial instruments and, above all, does not pass on any declarations of intent relating to their purchase. Anyone who merely refers to a particular transaction on the purchase or sale of financial instruments without deliberately and conclusively appealing to the investor in order to precipitate investor willingness is not deemed to be involved in investment broking. Further information on this subject can be found in the Guidance Notice on Investment Broking (Merkblatt zum Tatbestand der Anlagevermittlung). Here, too, BaFin cannot issue a binding assessment until the individual circumstances of a given case have been evaluated. In cases of doubt, the operator of the platform should seek an assessment from BaFin in relation to their specific case.

BaFin is generally only able to provide a conclusive supervisory assessment, in particular of the requirement for an authorisation under section 32 (1) sentence 1 of the KWG or section 15 (1) of the WpIG, where information is provided regarding the contractual agreements which are intended to form the basis of the respective business.

Anyone seeking to provide certain banking services in Germany requires authorisation from BaFin, regardless of the technology used to provide these services. Depending on the type and scope of the business model, a distinction is made between a “full banking licence” and a “partial banking licence”. A full banking licence allows an institution to conduct all significant types of banking business. As a rule, banks with a full banking licence operate as “universal banks”. By contrast, institutions with a partial licence may only conduct individual types or one specific type of banking business. Banks that provide only individual types or one specific type of banking business are also called “specialised banks”.
While banks typically offer their services directly to their customers, some white labelling services are offered through third-party intermediaries. These third parties can be a neobank or a challenger bank that offers the bank’s services under their own brand. In this case, these third parties do not require their own authorisation from BaFin because they are not providing banking services themselves.

Whether you require authorisation depends on how payments are processed and on the contracts that form the basis of your business activities. In general, the following applies: if the service provider takes possession of customer funds, either by accepting them in the form of cash or into accounts, this is likely to require authorisation for payment services or e-money business. If the service provider issues a monetary asset in return for payment of a monetary amount, this can constitute e-money business. The legal basis in both cases is the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG).

If the company simply provides the technology without itself being involved in processing payments, and this is instead carried out by a partner payment service provider, the company may be able to benefit from the exception for technical service providers. The important factor here is that the partner payment service provider must conclude contracts with users regarding the provision of payment services. The users must be able to exercise their contractual rights vis-à-vis the payment service provider. Contracts that the other company concludes with the users of the payment services must be restricted to technical services.

Even if the company offering innovative payment methods co-operates with a payment service provider that itself has the required authorisation from BaFin, this may be of relevance from a supervisory perspective. This is the case if the company concerned is providing payment services as an agent on behalf of a payment institution, is acting as an e-money agent and distributing e-money on behalf of an e-money institution, or is an external service provider for a payment service provider.

You can find information and other resources on this under “Authorisation procedure under PSD2 and ongoing supervision”.

An overview of the supervisory regime for authorised payment service providers and e-money institutions can be found under “Payment services and PSD2”.

The term insurance intermediary is defined in section 59 of the Insurance Contract Act (Versicherungsvertragsgesetz – VVG). Insurance intermediaries within the meaning of the VVG are insurance agents and insurance brokers. The most important distinguishing criteria are as follows:
An insurance agent is anyone contracted by an insurance undertaking or another insurance agent to mediate insurance contracts on a commercial basis;

An insurance broker is anyone who mediates or concludes insurance contracts for a client on a commercial basis without having been contracted to do so by an insurance undertaking or insurance agent. Insurance brokers operate exclusively in the interests of their clients.

The following are not insurance intermediaries:
Insurance consultants; these require separate authorisation from the chamber of industry and commerce. An insurance consultant is anyone that advises third parties on a commercial basis in respect of concluding, changing or reviewing insurance contracts or making claims under insurance contracts, or anyone that represents the policyholder out of court vis-à-vis the insurer without receiving an economic benefit from an insurer or being dependent on the insurer in any other way;

The German Industrial Code (Gewerbeordnung – GewO) regulates whether insurance intermediaries need authorisation for their activities (section 34d of the GewO). The responsible body is the local chamber of industry and commerce. The GewO essentially distinguishes between activities that require authorisation and those that do not.

There is a wide variety of possible business models for insurtech companies along the value chains of insurance products. To describe the various business models of insurtech companies, many different terms are used (e.g. on-demand insurance, peer-to-peer insurance, open insurance etc.). Insurtech companies can also provide support to insurers during the technical transformation of particular points in the value chain (e.g. product design, claims processing) or bring about new trends on the market. The use of innovative technologies is often in the foreground here , including big data and artificial intelligence as well as distributed ledger technology, e.g. in the context of smart contracts.

If insurtech companies wish to bear the risks inherent in an insurance contract themselves, they require authorisation from BaFin to carry on insurance business under section 8 (1) of the Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG). Applicants may also find it helpful to refer, early on in the process, to the information provided in the expert article "Starting out is always expensive", published on the BaFin website on 12 February 2021. Insurtech companies that wish to apply for such authorisation are subject to the same legal requirements as other insurance companies. In BaFin’s day-to-day supervision, it does not differentiate between traditional insurers and insurtech companies. However, its experience supervising insurtech companies has shown that uncertain forecasts for the future represent a particular risk factor, which in part requires supervisors to define particular areas of focus.

Insurtech companies fall within the remit of insurance supervision if they carry on insurance business. When such companies have their registered offices in Germany, they require authorisation from the German supervisory authority, which is usually BaFin. The legal basis for this is in sections 8 to 11 and sections 23 to 33 of the VAG. Under section 8 (2) of the VAG, authorisation to carry on insurance business may only be granted to stock corporations, mutual societies and corporations and institutions governed by public law. The requirements for authorisation depend on the class of insurance. Furthermore, certain classes of insurance cannot be grouped together under one company (section 8 (4) sentence 2 of the VAG). Section 9 of the VAG sets out the documents to be provided when applying for authorisation to carry on insurance business. One key document is the business plan (section 9 (1), (2) and (3) of the VAG). For newly established companies in particular, the calculations contained in the business plan should be carried out conservatively. Other essential requirements that, under section 9 (4) of the VAG, are to be observed right from the application stage, relate to the company’s business organisation (section 23 et seq. of the VAG), the requirements for persons who effectively run the company or assume responsibility for other key tasks (section 24 of the VAG), and the company’s financial resources, which must be sufficient to safeguard the interests of the policyholders (section 9 (2) no. 4 in conjunction with section 9 (3) of the VAG and sections 89 to 95 of the VAG).

In the application process, the rules stipulated in section 15 of the VAG regarding non-insurance business must also be observed.

The requirements associated with the day-to-day supervision of the pursuit of insurance business are set down in the VAG, as well as in regulations, circulars and interpretative decisions issued by BaFin, which should also be taken into consideration. In addition to the VAG, it also important to mention in particular Commission Delegated Regulation (EU) 2015/35 and the subject-specific technical standards produced by EIOPA, as well as the supervisory guidelines and recommendations produced by EIOPA.

Under section 34d of the German Industrial Code (Gewerbeordnung – GewO), insurance intermediaries requiring authorisation should apply for authorisation from the local chamber of industry and commerce.
Companies wishing to apply for authorisation to carry on insurance business should check the relevant requirements in advance. Our experts are available at short notice to discuss specific details regarding preparation for the authorisation procedure and BaFin’s expectations. Legal services such as advice or contract-writing as offered by lawyers to protect companies’ interests do not fall within BaFin’s remit or sphere of responsibility.

Under section 1 (33) of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG), a payment initiation service is a service in which a payment order is initiated on the instructions of the payment service user with respect to a payment account held at another payment service provider. For example, payment initiation services enable service providers in this area to give beneficiaries the assurance that a payment has been initiated so that they can make goods or services available promptly.

Under section 1 (34) of the ZAG, an account information service is an online service that provides consolidated information on one or more payment accounts – within the meaning of section 1 (17) of the ZAG – held by the payment service user with one or more payment service providers. As a result, the payment service user receives in real time a consolidated overview of their financial situation at a given time.

In accordance with section 10 (1) sentence 1 of the ZAG, authorisation from BaFin is required in order to provide payment initiation services. Those who intend to provide account information services exclusively must fulfil the registration requirements under section 34 (1) sentence 1 of the ZAG. Such an authorisation/registration under the ZAG can be granted/approved by BaFin only if the applicable requirements under the ZAG and the ZAG Reports Regulation (ZAG-Anzeigenverordnung – ZAGAnzV) are met. In the authorisation procedures under the European Second Payment Services Directive (PSD2), BaFin also applies the EBA’s Guidelines on authorisation and registration under PSD2 (EBA/GL/2017/09).

In contrast to other “conventional” payment services, a feature of payment initiation services and account information services is that the service provider does not at any stage of the payment chain enter into possession of client funds. Special rules therefore apply to these payment services, e.g. in relation to the documents and proof that must be submitted in the authorisation/registration procedure. For instance, companies that provide payment initiation services or account information services must, in accordance with section 16/section 36 of the ZAG, take out and maintain professional indemnity insurance or an equivalent guarantee during the period in which the authorisation/registration is valid.

BaFin offers a wide range of information on its website about payment services and the authorisation and supervision of these services under “Payment services and PSD2“. Moreover, BaFin has published some frequently requested information, which can be accessed here directly, too. BaFin’s contact form can also be used if you have any further questions. In addition, the Deutsche Bundesbank has provided information on its website about PSD2 and related payment services, as payment and e-money institutions are subject to the Bundesbank’s ongoing supervision, in addition to being supervised by BaFin.

Supervised companies can either make regtech applications themselves or outsource the creation of regtech applications to another company. In such cases, however, as with any other outsourcing arrangement, ultimate responsibility remains with the outsourcing company’s management. The outsourcing company must also comply with the applicable supervisory requirements for outsourcing.

As a result of their technical and procedural design, regtech applications may entail a wide range of risks that must be analysed and assessed on a case-by-case basis.

High-quality data is essential due to the significant extent to which certain regtech applications are data-driven. Shortcomings in the data basis can also lead to inadequate or erroneous conclusions. It is also important to ensure that the data used for analysis is the data that is relevant for the specific purpose – and not (just) the data that is easily available.

The acquisition of regtech can lead to additional risks due to concentration effects. Acquiring regtech applications from just a few or even one provider(s) entails concentration risks. There may even be systemic risks if key business processes are affected.

In the case of regtech (and other) outsourcing arrangements, companies must ensure that qualified staff who are familiar with the relevant applications are available in-house at all times in order to fulfil the requirements regarding proper business organisation. In addition, companies should take regtech applications into account in their risk management systems based on how significant they are.

There are also risks pertaining to data protection law, e.g. when pooling and analysing the data gathered from market participants while monitoring transactions.

Under section 1 (11) sentence 4 of the German Banking Act (Kreditwesengesetz - KWG), crypto assets are defined as

• a digital representation of value that
• is not issued or guaranteed by a central bank or public authority and
• does not possess a legal status of currency or money, but
• is accepted by natural or legal persons
o as a means of exchange or payment
o by virtue of an agreement or actual practice or
o is used for investment purposes and
• which can be transferred, stored and traded electronically.

The definition of crypto assets does not apply to domestic or foreign legal tender that is recognised in Germany. In addition, section 1 (11) sentence 5 of the German Banking Act (Kreditwesengesetz - KWG) provides for an exception in the case of electronic money, network-based payment systems and payment transactions of electronic communication network or service providers. The definition also does not apply, in particular, to purely electronic vouchers for goods or services provided by the issuer or a third party in exchange for the equivalent amount that are only intended to be attributed an economic function through redemption with the issuer and are therefore non-tradable and that, due to their specific characteristics, do not reflect any investment-like expectations, in value or accounting terms, as to the performance of the voucher or the general business development of the issuer or a third party. The same applies for electronic tokens in multi-partner programmes where these cannot be traded and are not suitable as general means of exchange and payment and are not intended to be used as such.

Depending on their specific design in individual cases, crypto assets may also have to be assigned to another category of financial instruments within the meaning of section 1 (11) sentence 1 of the German Banking Act (Kreditwesengesetz - KWG) and/or section 2 (5) of the WpIG. In addition to referring to tokens with an exchange or payment function – which are already addressed as units of account within the meaning of section 1 (11) sentence 1 no. 7 of the KWG – the definition of crypto assets also includes tokens used for investment purposes, e.g. security tokens and investment tokens which may also be classifiable as debt securities, non-securities investment products or investment funds under section 1 (11) sentence 1 nos. 2, 3 and 5 of the KWG.

Crypto securities are therefore essentially crypto assets; however, the provisions of supervisory law concerning electronic securities are applied to crypto securities, as these are more specific and therefore have priority.

More detailed information on what a crypto asset is can be found in BaFin´s guidance notice on crypto custody business, point I. 1.

In certain circumstances, issuers have to comply with prospectus requirements – and potentially also authorisation requirements.

Under the prospectus requirement, a prospectus must be drawn up and published before securities can be offered to the public or admitted to trading on a regulated market. The securities prospectus must contain all material information on the issuer and the securities being offered. It is meant to enable investors to obtain an accurate picture of the offer and to make their investment decision under these conditions. The basis for the drawing up, approval and validity of the prospectus is Regulation (EU) 2017/1129 – the EU Prospectus Regulation. The contents and the structure of the prospectuses are specified in European Delegated Regulations (EU) 2019/979 and (EU) 2019/980.

Non-securities investment products also may not be offered to the public without a prospectus. The prospectus for these investment products must be drawn up in accordance with the German Capital Investment Act (Gesetz über Vermögensanlagen – VermAnlG). Its content and structure are governed by the German Investment Prospectus Regulation (Vermögensanlagen-Verkaufsprospektverordnung – VermVerkProspV).

Certain activities such as crypto token-related banking, financial and investment services may not be conducted without prior authorisation from BaFin.

In connection with the issue of the authorisation requirements, however, a distinction should be drawn between two phases of the intended activities. For example, even the issuance of crypto tokens or pre-launch advertising for such tokens may be activities requiring authorisation. On the other hand, activities carried out by the provider or by third parties downstream from the issuance of the tokens, such as the subsequent trading with tokens, may trigger authorisation requirements or cause involvement in third-party business activities requiring authorisation. A key factor in determining whether such downstream activities require authorisation is the supervisory classification of the tokens themselves.

For the issuer, the first issuance of crypto tokens may trigger authorisation requirements. If the issuance is advertised beforehand, the advertising activities may also require authorisation. The following information describing where the criteria may have been met is not exhaustive; instead, it addresses the issues that have proven to be common in BaFin’s past experience. In practice, it is generally necessary to conduct a comprehensive assessment of the individual case to be able to assess possible authorisation requirements.

Deposit business: There may be an authorisation requirement under the German Banking Act (Kreditwesengesetz - KWG) if the issuer accepts legal tender in exchange for tokens and gives buyers an unconditional promise of repayment. This would be the case, for example, if the issuer promises to buy back the tokens for at least the issue price later on. In this case, the sale of the tokens could constitute the conduct of deposit business within the meaning of section 1 (1) sentence 2 no. 1 of the KWG, which requires authorisation under section 32 (1) of the KWG. More details can be found in BaFin’s Guidance Notice on deposit business, available on the BaFin website.

Electronic money (e-money) business: Depending on the type of the tokens in question, the own issue of such tokens may constitute e-money business under section 1 (2) sentence 2 of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG). This is the case, for example, if the tokens can be bought using legal tender such as euros or US dollars, they embody a claim against the issuer and they are accepted by third parties as payment. The issuer of such tokens would then be conducting e-money business and would require authorisation from BaFin for issuing the tokens under section 11 of the ZAG (for details on e-money business, see BaFin’s Guidance Notice on the Payment Services Supervision Act (Hinweise zum Zahlungsdiensteaufsichtsgesetz (ZAG)), which is also available on the BaFin website). Tokens that are issued solely in exchange for virtual currencies such as ether or bitcoin, however, do not constitute e-money; the issuance of these tokens does not trigger in itself an authorisation requirement for e-money business.

Investment business: The issuance of tokens may also trigger authorisation requirements under the German Investment Code (Kapitalanlagegesetzbuch – KAGB). This may be the case, for example, if the issuer of the tokens promises customers a collective investment of funds or virtual currencies received from an ICO, following a defined investment strategy, and if the holders of the tokens participate in the profits and losses of this investment activity – for example, in the form of distributions later on or redemption on the part of the issuer. In this case, the issuer could be deemed the operator of an asset management company. This type of activity would only be permitted if the issuer has first registered with or obtained authorisation from BaFin (section 44 (1) sentence 1 no. 1 and section 20 (1) of the KAGB).

More information can be found in BaFin’s interpretive letter on the scope of the KAGB and the term “investment fund” (Anwendungsbereich des KAGB und zum Begriff des Investmentvermögens), available on the BaFin website.

It is possible for business activities to require authorisation not only in connection with the issuance of tokens, but also in the case of downstream activities (of the issuer or third parties).

If the tokens are crypto assets within the meaning of section 1 (11) sentence 4 of the KWG and thus financial instruments within the meaning of section 1 (11) no. 10 of the KWG, the conduct of banking business and the provision of financial and/or investment services in relation to crypto assets generally require authorisation.

Business activities involving tokens conducted downstream of the actual issuance may trigger numerous authorisation requirements if they are conducted in Germany commercially or on a scale which objectively requires commercially organised business operations. If the tokens are to be classified as financial instruments within the meaning of section 1 (11) of the KWG, activities on the secondary market may – depending on the specific nature of the activities – constitute the conduct of banking business, for example principal broking services (section 1 (1) sentence 2 no. 4 of the KWG) or underwriting business (section 1 (1) sentence 2 no. 10 of the KWG). They may also constitute the provision of financial services, such as investment broking, investment advice, operation of a multilateral or organised trading facility, placement business, contract broking, portfolio management, dealing on own account and investment management. These legal definitions are just as applicable to crypto tokens that are deemed financial instruments as they are to conventional financial instruments.

Holders of authorisation for the conduct of banking business or the provision of financial or investment services that generally relates to financial instruments do not need any separate or renewed authorisation to be able to additionally conduct these activities in connection with crypto assets. Where services are not provided solely with respect to crypto assets and units of account, but also with respect to other financial instruments, there may be an authorisation requirement under the German Investment Firm Act (Wertpapierinstitutsgesetz - WpIG).

The situation is different, however, in the case of crypto custody business (section 1 (1a) sentence 2 no. 6 of the KWG) and – for crypto securities – the maintenance of a crypto securities register (section 1 (1a) sentence 2 no. 8 of the KWG). These activities always require separate authorisation to be granted. BaFin has published advisory letters and explanations on this subject.

In cases of doubt, the supervisory laws provide for BaFin to have the power to make a binding declaratory decision, carrying a fee, as to whether a company is subject to supervision under the KWG, the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG), the KAGB or the ZAG.

In practice, this individual declaratory decision is only brought to bear in special cases, as all four relevant laws generally allow, and normally require , BaFin to intervene by issuing a cessation and/or winding up order if business operations are found to be unauthorised. In the reverse case, a negative statement regarding a potential authorisation requirement for a business project only makes sense as a non-regulatory form of information, as BaFin cannot decide that an entity is not subject to an authorisation requirement unless it has assessed the entity´s entire business. In both cases, BaFin’s contact form provides a straightforward digital channel for making initial contact with BaFin.

Based on the draft MiCA regulation, which is currently still under negotiation, there are unlikely to be any additional requirements for activities relating to tokens that are already deemed financial instruments within the meaning of the second Markets in Financial Instruments Directive (Directive 2014/65/EU, MiFiD II). In particular, this covers securities within the meaning of German financial markets supervision law.

There are often hybrid forms of these types of token, referred to as “hybrid tokens”. In particular, many providers are aiming for their utility tokens to be used as a mode of payment in the future.

In these cases, the decisive factor is the functions that are the focus of the respective token. A decision can only be made based on the specific circumstances in the individual case. For example, if a utility token is also used as a means of exchange or payment or for investment purposes, it may be categorised as a crypto asset within the meaning of the KWG/WpIG or as a security within the meaning of the KWG, WpIG and WpHG.

A typological designation is not a determining factor, although a categorisation – for example as an "payment token", "security token" or "utility token" – may give an initial indication of the token type. However, such a categorisation cannot replace a comprehensive, binding supervisory classification. BaFin therefore examines possible prospectus and authorisation requirements in each individual case, regardless of what the token is called.

In an initial coin offering (ICO), initial token offering (ITO) or security token offering (STO), a company raises funding for a business idea. Investors then receive tokens in return for the funding.

For ICOs, “white papers” are often produced. These documents can contain information on the intended purpose of the business, the persons involved and the technical details of the tokens. However, these white papers are not yet* regulated and those who issue them are free to design their form and content as they choose. White papers are used primarily for PR and communication. It has become clear that information in white papers is often not comprehensive and precise enough, that the content of white papers is changed during the course of the ICO, and that the information provided in white papers does not necessarily have to correspond to the actual design of the token. This means that investors are not sufficiently protected. White papers are not comparable with prospectuses for securities and capital investment or with legally prescribed information sheets, as they are not information documents for which the company is liable.

*European legislators are proposing to issue a regulation to regulate crypto assets and related activities, the “Markets in Crypto-Assets Regulation” (MiCA). This regulation is also intended to place white papers under a regulatory regime.

Different rules now apply to investments for the guarantee assets of insurance undertakings since the fundamental regulatory framework Solvency II was introduced. The rules set out in Solvency II apply to insurers, reinsurers and insurance groups that have their registered office in the European Union. However, there is an exemption for small insurance undertakings whose annual gross written premium income does not exceed EUR 5 million and whose total technical provisions, gross of the amounts recoverable from reinsurance contracts and special purpose vehicles, do not exceed EUR 25 million (section 211 (1) of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG) in conjunction with Directive 2009/138/EC). It is possible that these thresholds will be adjusted or increased as part of the Solvency II review.

1. In principle, insurers that are subject to the provisions of Solvency II have freedom of investment. However, they must invest all of their assets in accordance with the “prudent person” principle. This means, in particular, that insurers are required to observe the legal requirements of section 124 of the VAG and the rules set out in guidelines 27 to 35 issued by the European Insurance and Occupational Pensions Authority (EIOPA) regarding the system of governance. The decision about whether investments in crypto assets are possible is one that has to be made independently by the insurer based on its specific circumstances, taking into account supervisory requirements, and the insurer must specify this decision in their risk management policy. However, proving that the risks associated with crypto assets (such as price volatility, loss of access and liquidity risks) can be adequately identified, assessed, monitored, managed and controlled may present insurers with considerable challenges.

Due to the freedom of investment, Solvency II undertakings are in principle permitted to acquire investments that do not fulfil every qualitative characteristic (as long as the security, quality, liquidity and profitability of the portfolio as a whole are ensured). However, this does not mean that these investments are necessarily also added to the guarantee assets. With respect to the guarantee assets of Solvency II undertakings, section 125 (1) of the VAG sets out which assets are primarily to be added to the guarantee assets. Only if there are not enough of the assets specified in this list to cover the minimum amount of guarantee assets can other investments also be added to the guarantee assets. This provision serves to ensure, in a broader sense, that the quality of the assets in the guarantee assets is sufficient. Crypto assets are not listed under section 125 (1) of the VAG.

With regard to the investment principle of profitability, we refer here to BaFin’s long-standing administrative practice in accordance with BaFin Circular 11/2017.

2. For all insurance undertakings that are not subject to the rules set out in Solvency II (Solvency I insurance undertakings), section 215 (2) of the VAG and the German Investment Regulation (Anlageverordnung – AnlV) act as a point of reference for the investments that can be added to the guarantee assets. Crypto assets are not included in section 215 (2) of the VAG or in the schedule of investments in the AnlV. Under the currently applicable supervisory legislation for Solvency I insurance undertakings, crypto assets are not permissible as investments for guarantee assets.

In BaFin’s opinion, investments in crypto assets are associated with considerable risks and are often speculative, with the result that the investment principle of security is jeopardised. We see frequent evidence of the susceptibility of crypto assets to extreme price jumps and volatility. In light of this, the European Supervisory Authorities (ESAs) issued a statement on 17 March 2022 to warn consumers about the risks of crypto assets. BaFin has also issued a number of warnings in connection with crypto assets, most recently on 22 August 2022.

In Germany, it is not permitted to issue exchange-traded funds (ETF) that track only one single crypto asset such as bitcoin. The reason is that an exchange-traded open-ended retail fund that tracks the performance of one single asset – in this case, the crypto asset bitcoin – would contradict the basic principle of risk diversification, both under German national product rules and the European Union’s harmonised rules for undertakings for collective investment in transferable securities (UCITS). The principle of risk diversification aims at protecting investors and is fundamental to this type of fund.

Under current legislation, UCITS are also not permitted to invest directly in crypto assets such as bitcoin. They can only participate in the price development of crypto assets indirectly by means of “delta-one” certificates. These certificates are designed to track the price development of the underlying asset at a one to one ratio; however, in addition to the risks inherent in the asset tracked (e.g. volatility, hacker attacks, etc.), these certificates also entail their own specific risks (e.g. higher costs, additional counterparty risks or, depending on their structure, even the risk of early termination on the part of the offeror).

A bitcoin ETF would thus not be eligible for authorisation in Germany or Europe – whether as an investment product issued in Germany or as a UCITS suitable for cross-border distribution issued in other member states.

MiCAR defines crypto-assets as a digital representation of value or rights which may be transferred and stored electronically using distributed ledger technology or similar technology (point 2 of Article 3(1) of MiCAR).

MiCAR does not apply to crypto-assets which are classified under Article 2(4) of MiCAR as follows:

1. financial instruments as defined in point 15 of Article 4(1) of Directive 2014/65/EU (MiFID 2);
2. electronic money (e-money) as defined in point 2 of Article 2 of Directive 2009/110/EC (EMD 2), except where they qualify as electronic money tokens under MiCAR;
3. deposits as defined in point 3 of Article 2(1) of Directive 2014/49/EU (Deposit Guarantee Directive) of the European Parliament and of the Council;
4. structured deposits as defined in point 43 of Article 4(1) of Directive 2014/65/EU (MiFID 2);
5. securitisation as defined in point 1 of Article 2 of Regulation (EU) 2017/2402 (Securitisation Regulation) of the European Parliament and of the Council

MiCAR defines and provides requirements for the issuance and trading of the following crypto-assets:

• asset-referenced tokens (ARTs),
• money tokens (EMTs) and
• crypto-assets that are neither ARTs nor EMTs and also do not fall under the exemptions provided for in MiCAR (see question “Which crypto-assets do not fall under the scope of MiCAR?”).

An asset-referenced token (ART) is a type of crypto asset that is not an e-money token and that purports to maintain a stable value by referencing another value or right or a combination thereof, including one or more official currencies (point 6 of Article 3(1) of MiCAR).

An e-money token (EMT) is a type of crypto asset that purports to maintain a stable value by referencing the value of one official currency (point 7 of Article 3(1) of MiCAR).

For issuers of those ARTs that are not financial instruments as defined by currently applicable supervisory legislation, MiCAR stipulates authorisation requirements and ongoing issuer obligations. The offering of ARTs to the public and their admission to trading on a trading platform for crypto-assets generally requires authorisation by the supervisory authority (Article 16 in conjunction with Article 20 of MiCAR). Furthermore, the regulation stipulates that only legal entities that have a registered office in the European Union (EU) can be granted authorisation. MiCAR requires issuers to publish a white paper, which must be submitted to the supervisory authority as part of the application for authorisation. If authorisation is granted, the white paper is deemed to be approved (Article 21(1) of MiCAR).

Under Article 16, the issuance of ARTs is exempted from the authorisation requirement if:

• over a period of 12 months, calculated at the end of each calendar day, the average outstanding amount of ARTs does not exceed EUR 5,000,000, or the equivalent amount in another currency;
• the offer to the public of the ARTs is solely addressed to qualified investors and the ARTs can only be held by such qualified investors.

Furthermore, MiCAR provides for simplified requirements in the case of credit institutions within the meaning of point 28 of Article 3(1) of MiCAR. Notwithstanding the exemptions from the authorisation requirement, issuers of ARTs must draw up a crypto asset white paper in accordance with Article 16(2) of MiCAR and submit this white paper to the competent authority of their home Member State for approval and comply with the other requirements of the Title III. The content and form of the white paper are governed by Article 19 of MiCAR.

MiCAR provides for a number of obligations and requirements for issuers of ARTs (Article 16 et seq. of MiCAR). In addition to various obligations regarding communication with clients, publication, marketing communications, complaint handling, disclosure, governance and business organisation, MiCAR stipulates that issuers of ARTs must hold a sufficient level of own funds, create a recovery plan and a redemption plan and hold a reserve in the amount of their commitments arising from the issuance of tokens. In addition, the Regulation stipulates how the reserve assets are to be held in custody and invested.

Where ARTs are classified as significant by the European Banking Authority (EBA) based on some of the criteria defined in Article 43 of MiCAR (size, volume, interconnectedness, etc.), issuers must fulfil additional obligations set out in Article 45 of MiCAR. In this case, the EBA becomes the supervisory authority responsible.

Authorisation to issue EMTs is not granted to just anyone or any company. No EMTs are to be offered to the public in the EU or admitted to trading on a trading platform for crypto-assets unless the issuer of such EMTs

1. is authorised as a CRR credit institution or e-money institution and
2. has submittted a crypto-asset white paper to the competent authority and published this crypto-asset white paper in accordance with Article 51 of MiCAR.

It is thus not possible to apply for separate authorisation to issue EMTs; existing authorisation for credit institutions or e-money institutions constitutes the prerequisite for additionally issuing EMTs.

Since e-money tokens, as their name implies, are closely related to e-money, EMTs are explicitly to be regarded as e-money. In addition, EMT issuers are expected to comply to a large extent with the provisions of Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC (EMD2), with only a few specific adjustments. Key aspects include the token holder’s right to the reimbursement of the EMTs at par value at any moment and compliance with the security requirements under EMD2.

Anyone wishing to conduct crypto custody business in Germany commercially or on a scale which requires commercially organised business operations needs prior written authorisation from BaFin in accordance with section 32 (1) sentence 1 of the KWG.

For the majority of financial services under section 1 (1a) of the KWG, companies that hold authorisation to provide a specific financial service may also provide that service in relation to crypto assets. This does not apply to crypto custody business, however, as those who already hold authorisation to provide financial services require an additional authorisation to conduct crypto custody business.

Detailed information on the definition of crypto custody business and the authorisation requirement can be found in BaFin’s Guidance Notice on the statutory definition of crypto custody business.

The authorisation procedure for companies seeking to conduct crypto custody business within the meaning of section 1 (1a) sentence 2 no. 6 of the KWG is based on section 32 (1) of the KWG. The general outline of the authorisation procedure for crypto custody business and the main requirements for granting authorisation can be found in BaFin’s guidelines on the authorisation procedure (only available in German). Crypto custody business is also subject to the Deutsche Bundesbank’s Notice on the granting of authorisation to provide financial services of 6 July 2018.

BaFin has established a central contact point for crypto custody business. Companies considering applying for authorisation can contact either BaFin or the competent Regional Office of the Deutsche Bundesbank before starting the application process. BaFin’s central point of contact can be reached here:

Please note the following information on secure e-mail communication with BaFin.

As a general rule, every application for authorisation is different since the issues that need to be examined depend on the business activities that require authorisation and the type, scope and complexity of the business model, business organisation and owner structure. The duration of the authorisation procedure therefore depends on various factors. Some of these factors include the amount of time the applicant takes to respond to any queries that BaFin has and, in particular, the quality and completeness of the documents and information provided. As a result, it can take several months or even longer for a decision to be reached after an application for authorisation has been submitted.

BaFin charges fees for individually attributable official acts (see section 1 of the Fees Regulation in respect of Financial Services Supervision (Finanzdienstleistungsaufsichtsgebührenverordnung – FinDAGebV)). These acts include granting authorisation to provide financial services under the KWG. In most cases, no. 5.1.12.1.2.2 of the schedule of fees (Annex to section 2 (1) of the FinDAGebV) applies to the authorisation to conduct crypto custody business. An individual fee for processing the application is then calculated based on the amount of time required for processing, which is measured in working hours. The general hourly rates for federal administrative staff (see section 3 of the FinDAGebV) set out in Annex 1 Part A of the General Fees Regulation (Allgemeine Gebührenverordnung) are applicable for the hours worked by federal administrative staff.

Yes, institutions may simultaneously hold authorisation to conduct crypto custody business within the meaning of section 1 (1a) sentence 2 no. 6 of the German Banking Act (Kreditwesengesetz – KWG) and to provide crypto securities registration services within the meaning of section 1 (1a) sentence 2 no. 8 of the KWG.

The explanatory memorandum on the implementation of the Amending Directive on the Fourth EU Anti-Money Laundering Directive sets out that all digital representations of value are covered under section 1 (11) sentence 4 of the KWG in the interest of ensuring the prevention of money laundering comprehensively. In addition to tokens with an exchange or payment function – which are already covered as units of account within the meaning of section 1 (11) sentence 1 no. 7 of the KWG – the definition of crypto assets also includes tokens used for investment, e.g. security tokens and investment tokens which may also be categorised as debt securities, investment products or investment funds under section 1 (11) sentence 1 nos. 2, 3 and 5 of the KWG. In addition, the explanatory memorandum sets out that a crypto asset can also serve investment purposes if the asset is designed to reflect, in a way that can be valued or calculated, expectations similar to what investors would expect from the asset’s performance or the general business performance of the issuer or a third party. However, crypto assets may, due to their specific characteristics in individual cases, belong to another category of financial instruments within the meaning of section 1 (11) sentence 1 of the KWG. For example, if crypto assets fall under the definition of

BaFin’s guidance on anti-money laundering requirements offers an overview of the anti-money laundering requirements that must be met by institutions conducting crypto custody business as newly obliged entities under the German Money Laundering Act (Geldwäschegesetz – GwG). Moreover, obliged entities that transfer crypto assets are required to fulfil specific due diligence requirements under the German Crypto Asset Transfer Regulation (Kryptowertetransferverordnung – KryptoWTransferV). This includes the requirement that the crypto asset service provider submit the name, address and wallet address of the payer and that the payee’s crypto asset service provider verifies this data, in line with the requirements under the EU’s Funds Transfers Regulation. In certain circumstances, an exemption from these requirements may be granted after a notification has been submitted to BaFin.

Under the German Act on the Introduction of Electronic Securities (Gesetz zur Einführung von elektronischen Wertpapieren) crypto custody business was incorporated into the KWG as a new financial service. Since the act came into force on 10 June 2021, companies wishing to provide this service have required authorisation from BaFin. Information about authorisation for operating a crypto securities register can be found in a Guidance Notice issued by BaFin.

In accordance with the prospectus requirement, a prospectus must be drawn up and published before securities can be offered to the public or admitted to trading on a regulated market. The securities prospectus must contain all material information on the issuer and the securities being offered. It is meant to enable investors to obtain an accurate picture of the offer so that they can make their investment decision accordingly. Information about the prospectus requirement can be found on the BaFin website and in an advisory letter on prospectus and authorisation requirements in connection with the issuance of crypto tokens.

The development of a blockchain strategy to support the digital transformation of the economy was announced in the coalition agreement signed between the CDU/CSU and the SPD to form the government for the 19th legislative period of the German parliament (Bundestag) in 2018. A key measure contained in the Blockchain strategy subsequently issued by the federal government is the inclusion of electronic securities in German legislation. In 2019, the Federal Ministry of Finance (Bundesministerium für Finanzen – BMF) and the Federal Ministry of Justice and Consumer Protection (Bundesministerium für Justiz und Verbraucherschutz – BMJV) agreed on a Key-issues paper on the regulatory treatment of electronic securities and crypto tokens. On 3 June 2021, the Act on the Introduction of Electronic Securities was published in the Federal Law Gazette.

The data on which BDAI/ML methods are based should be viewed as a starting point and a success factor. Unstructured data can now be exploited by and for BDAI/ML methods. In addition, BDAI/ML methods allow for calculations that factor in a large number of determinants, which in turn may lead to overfitting. When large volumes of data are used, the quality of this data must be continuously ensured. This not only applies to model development and validation but also applies to model application. (See BaFin/Bundesbank, Consultation 11/2021 – Consultation paper: Machine learning in risk models – Characteristics and supervisory priorities)

As the complexity and the number of dimensions of a model’s hypothesis space increase, it becomes more difficult to describe the functional relationship between input and output either verbally or with mathematical formulas. The calculations are then more difficult to understand for those modelling, using, validating and supervising the model in question. It can also be more complicated to check the validity of the model’s output. User acceptance may suffer, too. Although such a “black box” characteristic may be justified, e.g. if this results in higher predictive performance, it can lead to potentially greater model risk. Explainable AI (XAI) methods have been developed to address this risk appropriately. But even if XAI methods seem highly promising from a supervisory perspective as a means to mitigate the impact of this “black box” characteristic, these XAI methods are also models with assumptions and weaknesses, and, in many cases, they are still being tested. (See BaFin/Bundesbank, Consultation 11/2021 – Consultation paper: Machine learning in risk models – Characteristics and supervisory priorities)

In the banking sector, institutions are required to report changes to Pillar 1 models to supervisory authorities, and, in some cases, they may implement these changes only after they have been approved. There is no clear-cut distinction between regular model maintenance and model changes, especially since the meaning of the term “model change” also depends on the relevant supervisory context. The flexibility and, in some cases, high-frequency adaptivity of BDAI/ML processes make it more difficult to draw a clear line between adjustments and changes; such a clear distinction, however, is indispensable for supervisory purposes.
As a general rule, the need for high-frequency adaptivity should be thoroughly justified. From a supervisory perspective, it is crucial to adapt the training cycle to the specific use case and to provide the necessary justification in order to achieve a balance between ensuring that the data is up-to-date and ensuring that models can be explained and validated.
(See BaFin/Bundesbank, Consultation 11/2021 – Consultation paper: Machine learning in risk models – Characteristics and supervisory priorities)

Creating and sustaining a stable quantum state, which is necessary in order to shield against external influences, is one of the technical challenges that exist alongside reliable programmability. For example, due to the specific characteristics of qubits, which are basic computing units that can exist as a simultaneous combination of one and zero (also referred to as “quantum uncertainty”), it can be challenging to programme quantum computers in such a way to ensure that the results are not purely random.

Besides the positive changes associated with quantum computers, there are still risks involved, particularly for IT security. The security of digital infrastructures is currently based in part on asymmetric cryptography (public key cryptography), which, in theory, can be broken by quantum computers. This risk is also referred to as post-quantum cryptography, and it is seen as a challenge to be taken seriously by the IT industry. The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) is keeping an eye on these risks and is already working on a number of defence strategy concepts.

Due to the particular technical challenges involved, only a few quantum computers are currently being used in practice to perform very specific tasks. Quantum computing research and development is being actively pursued worldwide as a key technology for the future.The widespread use of quantum computers still depends on future technical and economic developments and, according to current heuristic estimates, could become more likely in a ten-year horizon (see also: Paper by German Federal Office for Information Security, BSI: "The status of quantum computer development", Bonn, November 2023).