The crypto custody business (also called ”crypto custody“) is a financial service in accordance with the German KWG relating to crypto assets and crypto securities. It includes the custody, management, and protection of crypto assets and private cryptographic keys for others. BaFin distinguishes between these two alternative facts.
According to §1 para. 1a sentence 2 no. 6 KWG, the crypto custody business is defined as: ”the custody, management and protection of crypto assets or private cryptographic keys used to hold, store or dispose of crypto assets for others, as well as the protection of private cryptographic keys used to hold, store or dispose of crypto securities for others in accordance with Section 4 paragraph 3 of the Electronic Securities Act”.
Anyone wishing to carry out the crypto custody business in Germany on a commercial basis requires written permission from the German supervisory authority BaFin before starting business in accordance with Section 32 (1) sentence 1 KWG. A corresponding request for permission must be submitted for this purpose.
The crypto custody business distinguishes between two different forms. The first form describes the crypto custody business in relation to crypto assets. According to this form, the crypto custody business operates who
a) stores, manages or protects,
b) crypto assets or private cryptographic keys that are used to hold, store or dispose of crypto assets,
3) for others.
The crypto custody business therefore differentiates between services ”custody“, ”management“ and ”protection”. Even when carrying out the activity of only one of the three services, a license is required, provided that the activity is not carried out for oneself but for “others” . BaFin defines the services as follows:
Custody
“Custody means taking care of cryptoassets as a service for third parties. This thus includes, in particular, service providers which hold cryptoassets of their customers collectively, without their customers being familiar with the cryptographic keys used.”
Management
“Management broadly means ongoing fulfilment of the rights resulting from the crypto assets.”
Protection
“Protection means both the digital storage of third parties’ private cryptographic keys which is provided as a service and safekeeping of physical data media (e.g. a USB stick or a piece of paper) on which such keys are stored.”
The second form of the crypto custody business describes it in relation to crypto securities. According to this form, the crypto custody business operates who
a) protects,
b) private cryptographic keys that are used to hold, store or dispose of crypto securities for others in accordance with Section 4 (3) eWpG.
The crypto custody business can also be found at European level in the “Markets in Crypto Assets Regulation” (MiCAR). The rights and licensing requirements under MiCAR and German KWG are very similar, but there are some deviations. For example, MiCAR places the requirement on crypto custodians to keep all of their own assets separate from customers’ assets. According to KWG, there is no such explicit requirement. In addition, the facts differ due to their underlying definition of crypto assets. When it comes to crypto assets, MiCAR distinguishes between E-money tokens, asset-referenced tokens, utility tokens and other types of tokens, but excludes tokens that are to be regarded as securities in accordance with MiFID II. This includes, for example, securitytokens sui generis, which, however, also fall under the definition of crypto assets in accordance with the KWG.
Anyone who wants to operate the crypto custody business service in Germany must meet the requirements for operating a licensed business in accordance with KWG. This means that the crypto custodian in particular need to comply with the requirements of the German MaRisk (”Minimum requirements of risk management“) and German BAIT (”Banking supervisory requirements for IT“). Due to the nature of the business, the supervisory authority particularily focusses on IT and IT security, money laundering prevention and general professional competence.
In October 2023, the Federal Ministry of Finance published a draft resolution for the German FinmadiG. This is used to implement various EU-wide regulations, including MiCAR, at national level. Among other things, FinmadiG provides for the adjustment of existing facts — including the crypto custody business. For example, the term “cryptographic instrument” is to be introduced in the future and a distinction should be made between the crypto custody business in accordance with MiCAR and the “qualified crypto custody business” in accordance with the KWG. The latter should be defined as follows:
“Custody, management and protection of cryptographic instruments or the securing of private cryptographic keys for others that are used to store or dispose of cryptographic instruments, crypto securities within the meaning of § 4 paragraph 3 eWpG or crypto fund shares within the meaning of § 1 sentence 2 KryptoFAV”.
We provide you with comprehensive consulting on all topics relating to the crypto custody business!
In particular, our support includes the following services: