Would a BaFin issued Crypto Custody License be EU-Passpotable?

(For German version click here)


In less than six month the new financial service of crypto custodian services will be introduced to the German banking regulatory law unless the German legislator does not change his mind. The decision to subject crypto custodians to BaFin authorization is currently being criticized and discussed massively. Especially the proposed introduction of section 32 subsection 1g into the German Banking Act (KWG) that would, if passed, only allow authorizations for companies that do not offer any other regulated banking or financial services is the subject of the criticism. The German blockchain community is asking itself if such a massive interference in the occupational freedom of the crypto custodians can be legally justified. The German federal government promised in 2018 within its coalition treaty to promote a sensible and reasonable legal framework for international and European crypto and token trading. It seems obvious that this idea has been abandoned in the meantime. Instead it seems as if the federal government plans a national solo effort in the regulation of cryptocurrencies.

Under What Circumstances is it Possible to Use a BaFin License in Other European Countries?

With the so-called European Passport, banks and financial service providers can use a license to operate their business that they obtained in a member state of the European Economic Area (EEA) also in other member states as long as they report the intended use to the authority that originally issued the license. As long as the regulatory supervision of the offered service in the issuing member state is comparable to the standards of the target member state the supervision is solely conducted by the originally issuing authority. Most of the laws regarding banking and financial services originate from European regulations and directives. A comparable standard of regulation is therefore in most cases ensured within the European Union. If e.g. a BaFin regulated German private bank wanted to offer loans to commercial customers in France it would be sufficient for them to inform BaFin about this intention and BaFin would inform the French ACPR.

What are the Limits of EU-Passporting?

The EU-Passporting of a license is not possible if the regulatory standards of the member states in question are not at a comparable standard. Consequently, EU-Passporting is not applicable if a member state decided to regulate an activity that it is not obligated to regulate according to the EU directives. The regulation of such an activity is unnecessary in the other member states because the activity in question is not subject to authorization there. Therefore, the standards of regulation are not comparable between those member states and so the EU-Passporting is impossible for a license regarding this activity. Regularly, the companies in these cases will not have any interest in passporting their license because they will be able to offer their services in the target member state even without any license. This becomes problematic if two or more member states regulate an activity differently from each other. In these cases, companies that operate in more than one member state or even in the entirety of the EWR would have to apply for a license in each of these member states separately in order to ensure a proper regulated business operation.

Is the Regulation of Crypto Custody Services Based on the 5. European AML Directive?

The German legislator used the transposition of the provisions of the 5. European AML Directive as an opportunity to regulate crypto custody services as financial services that are subject to authorization by BaFin. Nevertheless, the EU-Passporting will not be applicable to crypto custody services because the directive does not call for it to be a financial service that is subject to approval by the competent authority of the member states. The directive merely obligates the member states to order custodians of virtual currencies to comply with the due diligence obligations of the AML regulations. This primarily means that they have to identify new customers (KYC) and that they have to verify the identity when and if the customer receives or authorizes a bigger transaction or any if any other suspicious facts should arise. In this respect the introduction of crypto custody services as a financial service that is subject to authorization is a national solo effort that is not based on the AML Directive. Therefore, the German federal government massively hinders the European freedom of services of crypto service providers with this proposed legislation.


Attorney Lutz Auffenberg, LL.M. (London)


I.  https://fin-law.de

E. info@fin-law.de