(For German version click here)
The German legislator intends the introduction of electronic securities. It is intended that securities no longer necessarily have to be issued in paper form in order to be tradable in a bone fide, unencumbered way through the introduction of an Electronic Securities Act (eWpG) and several amendments and changes to the German Banking Act, the Securities Deposit Act and other applicable regulations regarding securities. New legislative regulations for this subject are long overdue and could help facilitate the trade of tokenized securities (security tokens) and could possibly also help making security tokens eligible before a listing on stock exchanges. By the proposed new rules, the legislator intends to treat tokenized securities as a special form of electronic securities. While electronic securities will be mandatorily registered in an electronic security registry, which will necessarily have to be managed by an authorized central securities depository (CSD) such as e.g. Clearstream AG, crypto securities on the other hand will need to be registered with a crypto security registry. But who will manage such a crypto security registry, how will it be designed and what are the regulatory requirements for the management of it?
Management of Crypto Security Registries Only with BaFin Authorization
The management of a crypto security registry shall only be conducted by entities that obtained a prior, corresponding authorization by BaFin. For this reason and according to the current version of the proposed bill, the legislator intends the introduction of a new financial service in the German Banking Act (KWG). In future, the “management of a crypto security registry” shall be an activity that is subject to authorization. Interestingly enough, the proposed wording of the draft does not call for a service element to be fulfilled to trigger the necessity for authorization. Therefore, issuers of crypto securities intending to register their issued crypto securities themselves will have to be authorized to manage crypto security registries. According to the wording of the proposed legislation the manager of a crypto security register will be the entity appointed by the issuer. The issuance of crypto securities will therefore be impossible without the assistance of specialized service providers. Applicants for authorization will have to show a regulatory starting capital of at least 730,000 euros in order to be authorized to conduct the managing of a crypto security register. Additionally, they will also have to fulfil all the standard criteria for a BaFin application for authorization to conduct a financial service, meaning they will have to submit a sustainable business plan and provide proof of sufficient internal control mechanisms. One of the most important aspects will most likely be the internal IT security processes of the applicant.
How are Crypto Security Registries Supposed to be Equipped Technically?
According to the current draft of the legislation regarding the introduction of the new financial service, crypto security registries have to mandatorily be kept on a recording system that is decentralized and forgery-proof, that records the data in the correct chronological order and that is secured against unauthorized deletion and subsequent changes. According to the explanatory memorandum of the draft legislation, the wording of the aforementioned technical requirements is intended to be as tech-neutral as possible. Even though the most obvious choice to fulfil the requirements would probably be a distributed-ledger-structure, other technical solutions will still be a possible option. Unfortunately, the draft legislation is not clear on what the requirements for the decentralization part are. It is only pointed out that next to “public permissionless” also “private permissionless” DLT structures may be used. The wording setting out that the recording system must be “forgery-proof” is also somewhat unfortunate, because a 100% data security in an IT system cannot be guaranteed, not even by the use of public permissionless blockchain structures.
Crypto Security Registry Management is not Crypto Custody Services
It is important to emphasize that according to the draft legislation, an authorization for managing crypto security registries does not also allow for the provision of crypto custody services. It is intended for the two activities to each be subject to an individualauthorization. The draft legislation therefore explicitly intends to add the custody of private keys for crypto securities to the wording of the crypto custodian business.
Attorney Lutz Auffenberg, LL.M. (London)
Our Blog Articles in a Monthly Newsletter?
The FIN LAW Newsletter provides you with all blog articles of the month via monthly e-mail. Our newsletter is published regularly at the beginning of every month. Feel free to sign in to the FIN LAW Newsletter by clicking the button below. Of course can can sign off at any time if you do not wish to receive our newsletter anymore.