The Authorization Process for Crypto Custodians – The New BaFin Guidelines

(For German version click here)


Companies that offer their customers the storage of crypto assets and/or private keys that are used for the transfer of crypto assets had to notify BaFin of their intention to apply for authorization as a crypto custodian until the 31st of March 2020. Companies that used this option are now obliged to submit a complete application to BaFin until the 30th of November 2020. In the Meantime, the companies that made use of the aforementioned option are allowed to legally continue to offer crypto custodian services thanks to a legal fiction. But this so-called “Grandfathering” option should not obscure the fact that the affected companies are considered financial institutes in the sense of the KWG already since the introduction of the crypto custody service in the German Banking Act (KWG) on the 1st of January 2020. They therefore already have to fulfill certain supervisory obligations. BaFin offered more guidance last week with the publication of the "Guidelines on application for authorization for crypto custody business" to companies that now have to prepare the application process.

Do All Crypto Custodians have to Fulfill the Same Requirements for a Successful BaFin Authorization Application?

In general, the principle “equal law for all” applies to all market participants. Two companies having exactly the same business model and offering exactly the same services would therefore have to fulfill exactly the same requirements in their authorization application. Differences could arise if the business models of two crypto custodians would differ in detail. In this context the most important distinguishing criteria is the portfolio of crypto tokens for which the crypto custodian intends to offer custodian services. Applications from businesses that intend to offer crypto custody services exclusively for crypto tokens that qualify solely as crypto assets and not additionally as another financial instrument - e.g. as bonds, stocks or shares of investment funds in the sense of the AIFM-Directive - must meet the requirements of sec. 32 para. 1 KWG and the corresponding ordinance. Crypto custodians that intend to offer their services for crypto assets that also qualify as securities in the sense of the MiFID II regulation of the European Union have to apply on basis of the Delegated Regulation (2017/1943/EU) and the corresponding implementing regulation (2017/1945/EU). Additional difference in the application process of two crypto custodians can arise from the specific design and conduction of processes within the individual business.

What Are the Specific Characteristics of an Authorization Process for Crypto Custodians?

In the recently published guidance, BaFin points out that crypto custody business is first and foremost a tech service. The authority therefore emphasizes that it will focus within the authorization process of a crypto custodian on the technical handling of customer private keys for crypto assets. Therefore, applicants will have to provide in-depth and detailed information about the technical processes regarding the safeguarding of customer crypto assets and how the storage of these will be done. This includes information about the storage of cryptographic keys in so-called hot wallets and cold wallets and if the customer keys are kept in collective or individual wallets. All business processes have to comply with the “Supervisory Requirements for IT in Financial Institutions” (BAIT) and with the “Minimum Requirements for Risk Management” (MaRisk), both published by BaFin. With regards to the professional competence of the managing directors BaFin will focus also on the technical abilities and credentials of the proposed candidates, making these positions available for candidates with tech job and managing experience. BaFin will also consider that the crypto custody business is a completely new regulated activity and that at this point there ishardly anyone who could proof his or her professional competence through relevant experience in this field of work. Regarding the obligations of crypto custodians in the field of anti-money laundering prevention, a specific guidance with relevant information for crypto custodians will shortly be published.


Attorney Lutz Auffenberg, LL.M. (London)




Our Blog Articles in a Monthly Newsletter?

The FIN LAW Newsletter provides you with all blog articles of the month via monthly e-mail. Our newsletter is published regularly at the beginning of every month. Feel free to sign in to the FIN LAW Newsletter by clicking the button below. Of course can can sign off at any time if you do not wish to receive our newsletter anymore.