Crypto Custodians and AML – What Applies to Crypto Custodians?

Last week BaFin published its long-awaited article concerning the AML obligations of financial service providers that intend to offer crypto custody services. The subject of crypto custody services therefore remains highly topical even during the corona crisis, and BaFin continues its efforts to inform market participants as well as possible about the supervisory obligations of crypto custodians. Including its latest publication, the authority has already published four leaflets addressing crypto custodians, offering information on the interpretation of the grandfathering regulation of sec. 64y of the German Banking Act (KWG), the authorization process for crypto custody service providers and its general interpretation of the definition of the new financial service of crypto custody business. Evidently, the authority intends to comprehensively inform market participants about their obligations both before and during ongoing supervision.

Which Explanations Does BaFin Offer to Crypto Custodians?

Nevertheless, the current publication concerning AML obligations of crypto custodians is rather general in its approach. In the first part of the article, BaFin references its other publications regarding crypto custody services as well as its publications that are directed at AML-obliged market participants in general. After that, BaFin points out that, since the introduction of the crypto custody service into the KWG, service providers offering crypto custody services are considered AML-obliged financial institutions within the meaning of the German Money Laundering Act and therefore must comply with the applicable AML regulations. Companies offering only crypto custody services have been subject to these obligations since the amendment on 1 January 2020, while companies that already qualified as credit institutions or financial service institutions at that time were subject to them even before. Finally, BaFin offers a short summary of the following main obligations that derive from the German Money Laundering Act: the implementation of an adequate risk management system, the performance of customer due diligence procedures (KYC) and the implementation of a reporting system.

Does the BaFin Article Contain Specific Notes for Crypto Custodians?

BaFin's explanations concerning the performance of customer due diligence (KYC) and the implementation of a reporting system are rather general in this leaflet and only give a general overview of the obligations of AML-obliged financial institutions. Only in its explanations concerning an adequate risk management system for crypto custody service providers does the authority highlight that this will also include the creation of a sophisticated risk analysis with regard to the specific business model of a crypto custodian. According to the authority's cautiously implied assessment, the risk analysis should probably focus on the specific product risks. According to BaFin, because of the complexity and novelty of the underlying technologies as well as the different designs of the potential anonymity features associated with individual crypto assets, crypto custodians will potentially have to apply higher standards of analysis on this point than other financial institutions. As a matter of fact, the actual traceability of transactions ranges from very good to impossible, depending on the specific crypto asset.

Many Questions Remain Unanswered

In summary, the new BaFin article on AML obligations of crypto custodians provides only little guidance for preparing a sufficient AML manual for crypto custodians. It would have been preferable if the authority had provided more specific information on the issue of KYC and had stated which customer information must, at a minimum, be collected and verified by the obliged crypto custodians, especially since the FATF (Financial Action Task Force) has already released corresponding recommendations on this question. Since the FATF recommendations are very far-reaching in some respects - they recommend collecting personal data not only from the parties to a crypto transaction but also from any service provider that may be involved - a clear position from the German supervisory authority on the FATF recommendations would have been helpful.

 

Attorney Lutz Auffenberg, LL.M. (London)

 

I.  https://fin-law.de

E. info@fin-law.de
