Crypto Licence in Germany

German authorities recognise the following tokens which also determine the application of laws and licensing requirements:

• • Cryptocurrency tokens – a means of payment or store of value, that serve as decentralised virtual currencies for transactions with third parties or marketplaces; they’re regulated under banking laws and accordingly require a licence
  • Security tokens – the means to receive access to future profits, interest or certain control rights (e.g., voting, investment decisions) over the issuer; they’re regulated under banking and securities laws
  • Utility tokens – no entitlement to a payment, but similarly to vouchers, they give access to certain products or services provided on a particular DLT platform (they are tradable on secondary markets though and can therefore generate profit); they aren’t strictly regulated under the financial market legislation due to their characteristics

• Crypto Legislation in Germany

Cryptocurrency businesses operating in Germany are subject to general legislation which is applied depending on the specific characteristics of cryptocurrencies in use. However, in response to the swift growth of cryptocurrency businesses, some of the legal acts are already amended to include cryptoassets.

In Germany, the following legislation is applicable to cryptocurrency businesses:

• The German Securities Trading Act and the Markets in Financial Instruments Directive (MiFID II)
• The German Securities Prospectus Act
• The German Capital Investment Act
• The German Law on Electronic Securities
• The Anti-Money Laundering Act
• The German Banking Act
• The Insurance Supervision Act
• The Payment Services Supervision Act
• The Investment Code

The German Banking Act recognises cryptoassets as financial instruments. A cryptoasset is defined as a digital representation of value that hasn’t been issued or guaranteed by a central bank or public authority, and which isn’t recognised as legal tender but on the basis of an agreement or actual practice is still accepted by natural or legal persons as a means of exchange or payment or for investment purposes, and it can be transferred, stored and traded by electronic means. It’s worth noting that in certain cases cryptoassets may also fall under a different category of financial instrument which is why it’s important to consider each crypto business on a case-by-case basis when it comes to deciding which legislation is applicable. Our team here at Regulated United Europe (RUE) is well-prepared to help you untangle the regulatory complexities.

In addition to national legislation, German cryptocurrency businesses should also be aware of the regulatory developments at the EU level. In 2022, the Economic and Monetary Affairs Committee approved the Markets in Crypto-Assets (MiCA) for a vote by the full European Parliament and the EU member states which is one of the most significant legislative pieces setting standards for the rest of the world. MiCA’s regulations should enter into force between early 2023 and before the end of 2024 and will harmonise regulations related to the prevention of the misuse of cryptoassets, as well as encourage the development of DLT-based innovations.

MiCA is introducing, inter alia, the following changes:

• Cryptocurrency businesses will be obligated to contribute to the reduction of the high carbon footprint of cryptocurrencies by publishing information related to the environmental impact (e.g., the levels of their energy consumption) on their business websites and reporting to the national authorities
• The supervision of stablecoins will be assigned to the European Banking Authority (EBA) who’ll be responsible for enforcing such rules as building up a sufficient liquid reserve with a 1:1 ratio and partly in the form of deposits which will allow every stablecoin holder to be offered a claim by the issuer at any time and free of charge
• The European Banking Authority (EBA) will maintain a public register and conduct enhanced AML/CFT checks of crypto businesses that are categorised as non-compliant crypto asset service providers (CASPs)

In addition to the above-mentioned changes, the Pilot DLT Market Infrastructure Regulation (PDMIR) is planned to come into force in March 2023 and provide a legal framework for the trading and settlement of transactions in cryptoassets that are categorised as financial instruments under Markets in Financial Instruments Directive 2 (MiFID 2). It will provide opportunities for cryptocurrency businesses to experiment with DLT-based trading facilities and settlement systems for financial instruments. It will also give an opportunity to operate a combined trading and settlement facility.

Requirements Concerning Anti-Money Laundering and Counter-Terrorist Financing

AML/CFT regulations are enforced by BaFin’s Department for the Prevention of Money Laundering. To comply with the regulations, every crypto company must have internal procedures that would enable the detection of suspicious transactions. These procedures should protect the reputation and financial strength of the cryptocurrency company, as well as guarantee the integrity and stability of the entire financial market by ensuring transparency in business relationships and transactions through the use of a combination of precautionary measures.

The first important pillar of the prevention of money laundering is risk management. Every crypto company should have a risk management function corresponding with the type and scope of the business. It includes risk analysis processes and internal risk measures. A risk management function is effective if it takes all the company’s economic activities into account, including individual risks, and has a regular assessment of internal anti-money laundering procedures in place. The risk analysis helps to determine and assess risks concerning money laundering and terrorist financing and it must be clearly documented and regularly reviewed to determine whether updates are necessary. Considering the novelty and complexity of cryptographic technologies and the different levels of anonymisation inherent to crypto activities, it’s imperative to focus on the product risks.

Another important AML/CFT pillar is customer due diligence processes. A crypto company must identify the contracting party and, where applicable, the person acting on their behalf, the beneficial owner, the purpose and intended nature of the business relationship, and establish if the contracting party or the beneficial owner is a politically exposed person. Risk-management processes will help decide whether simplified due diligence requirements or enhanced due diligence requirements are to be fulfilled.

Engaging in continuous monitoring of the business relationship or transactions and reporting are crucial responsibilities of a crypto company. It’s important to ensure that the relevant documents and information are updated without delays, in line with the internal policies and legal requirements. These measures enable the retracing of cash flows and identifying suspicious business transactions. If such a transaction is identified, the crypto company must report it to the Central Customs Authority’s Financial Intelligence Unit immediately. Money laundering activities are prosecuted at a regional level by appropriate offices of state prosecutors. Investigations are carried out by the State Office of Criminal Investigations and local police.

General Requirements for Crypto Businesses

Although there are several types of crypto licence, many of the requirements are generally applicable to every crypto business seeking to operate in Germany. They’re mainly related to AML/CFT regulations which apply across the financial market regardless of the business model. Other applicable legislation differs depending on the characteristics of the cryptoassets, and the business model.  If intended economic activities include financial instruments pursuant to MiFID II, the crypto authorisation process might be based on Delegated Regulation (EU) 2017/194 instead of the German Banking Act. If you’re not sure how to determine what German and EU laws apply to your specific crypto project, our team here at Regulated United Europe (RUE) will gladly provide clarification in a personalised meeting which you can request to schedule now.

If a company engages in several different crypto-related economic activities, each of them requires separate authorisation from BaFin. This also applies if the company carries out its own business as a member or participant of an organised market or a multilateral trading system or with direct electronic access to a trading venue or with commodity derivatives, emission allowances, or derivatives on emission allowances. New authorisation from BaFin is also required if an authorised crypto custodian sells its own financial instruments unless this is already classified as conducting a banking business or providing a financial service.

To be considered for a crypto licence, every applicant must submit an application accompanied by the following:

• Proof of required initial capital
• A viable business plan for the first three years
• Information about the company directors, including proof of their reliability, professional suitability, and ability to dedicate sufficient time to perform their duties
• The statement of facts indicating a close connection between the institution and other natural persons or other companies
• If significant participations are held in the institution, the details of the holders, the amount of the holdings, and the information required to assess the reliability of these owners or legal representatives or personally liable partners
• If these holders have to prepare annual accounts, the annual accounts for the last three financial years along with audit reports from independent auditors
• If these owners belong to a group, information on the group structure and, if such accounts are to be prepared, the consolidated group accounts of the last three financial years along with audit reports from independent auditors
• The details of the members of the administrative or supervisory body along with the information required to assess their reliability, expertise, and ability to dedicate sufficient time to the performance of their duties

The business plan must include the following information:

• The nature of the planned transactions
• The organisational structure of the institution, specifying parent companies, financial holding companies and mixed financial holding companies within the group
• Intended internal control procedures and policies
• A comprehensive description of the implemented IT systems

It’s important to note that German is the official language at BaFin. If there’s an intention to submit a document in another language, it must be discussed and agreed upon with BaFin in advance. Otherwise, if you require a certified translator, our team will be happy to assist you.

CRYPTO REGULATION IN GERMANY

Crypto Licence for a Crypto Custody Business

As of January 2020, pursuant to the German Banking Act, crypto values (i.e., cryptoassets) are treated as financial instruments and the provision of crypto custody services in Germany requires a licence from BaFin. Crypto exchanges are as well affected by the categorisation of cryptocurrencies as financial instruments.  The licence is required not only in the case of the crypto custodian being located in Germany and serving customers residing in Germany but also when a crypto custodian is based in Germany but serves persons residing abroad. Moreover, crypto custodians located outside of Germany who offer their services to legal and natural persons residing in Germany, are also required to obtain a crypto custody licence. The list of supervised companies with permission to provide crypto custody business can be found in BaFin’s company database.

According to the German Banking Act, crypto custody is defined as the safekeeping, administration or storage of crypto values or private crypto keys used to hold, store or transmit crypto values for others. Crypto values are defined as digital representations of a value which hasn’t been issued or guaranteed by any central bank or public body and which doesn’t have the status of legal tender but is nevertheless accepted by natural or legal persons as a means of exchange or payment or for investment purposes and which can be transferred, stored and traded electronically. Cryptocurrencies and crypto securities fall within the definition of crypto values. The definition excludes e-money.

Key requirements for crypto custodians:

• The initial capital of at least 125,000 EUR
• The directors must be reliable and possess all necessary professional qualifications and competence in adhering to regulations
• Sound risk management in accordance with MaRisk requirements, including a compliance and audit function, processes of reporting to the supervisory authority, as well as infrastructure and policies compliant with IT regulations
• Appointment of an auditor who should audit annual financial statements, as well as monitor the soundness and effectiveness of risk management, remuneration and IT security
• Creation of a risk management system in accordance with the German Anti-Money Laundering Act to prevent money laundering and the financing of terrorism
• Appointment of an anti-money laundering officer
• Preparation of a risk analysis and development of internal security measures
• Employees must be checked for reliability and trained in accordance with AML/CFT requirements

The crypto custody licence isn’t based on EU legislation which means crypto custody businesses aren’t permitted to avail of the passporting opportunities within the EU. Having a licence from another member of the EEA doesn’t automatically allow them to operate in Germany. Also, a licence granted in Germany can’t replace the local registration in another EU country.

Crypto Securities Registration

Pursuant to the German Banking Act, crypto securities registration is a financial service requiring authorisation, and it is subject to requirements regarding the business organisation and the conduct of business. Essentially, crypto securities are regulated by the German Electronic Securities Act.

The German Electronic Securities Act entered into force in June 2021 and enabled the issuance of securities through entry into an electronic securities register without the requirement to issue a physical certificate. In accordance with the act, crypto securities registration is defined as a financial service. Electronic securities that are issued through entry in a crypto securities register are referred to as crypto securities. This crypto securities register can be operated on the basis of distributed ledger technology (DLT) systems and is used for the initial issuance of electronic securities. From a legal perspective, an electronic security only comes into existence when it’s entered into the register.

The transfer of electronic securities will generally continue to be governed by the provisions of the German Civil Code. The crypto securities register should facilitate the creation of secure, decentralised databases that are also designed to record securities transactions. Moreover, the lawmakers adopted an option to facilitate the introduction of crypto funds by this regulation, which are defined as unit certificates issued through a crypto securities register. Such a regulation would be issued by the Federal Ministry of Justice and Consumer Protection and the Federal Ministry of Finance.

BaFin is authorised to keep the crypto securities register with the aim to enforce the protection of investors and to ensure that market activities are transparent, and smooth, and guarantee market integrity. The process of maintaining the register will probably be automated and based on algorithms. BaFin will also publish a public list of the crypto securities on Bundesanstalt für Finanzdienstleistungsaufsicht website which is only for information purposes and doesn’t give rise to any legal effects. When the number of notifications reaches a certain level, an electronic interface to BaFin will be set up for crypto securities issuers. This will be the way for the issuers to submit the required information which includes the issuer’s name, registrar entity, date of entry of the crypto securities into the crypto securities register, and changes made to the crypto security.

It’s necessary for the crypto securities register to define a liable person which is a party that can be dealt with as a legal entity, under the German Electronic Securities Act referred to as the registrar entity. In the crypto securities register, this is the person that’s designated as the registrar entity by the issuer who’s responsible for ensuring clarity in relation to this aspect. If the registrar entity isn’t clear, the issuer itself is treated as the registrar entity and consequently becomes a person liable for the same supervisory requirements. When the authorisation is granted, the registrar entity can set up a crypto securities register, the purpose of which will be to register crypto securities. This licence can’t be passported, as it’s not harmonised with EU legislation.

Crypto Licensing Process in Germany

Crypto authorisation applications are submitted to BaFin which handles all licensing procedures. Only complete applications accompanied by all required documents are accepted by the authority. If required information or documentation isn’t yet available, the justification should be provided, with the estimated date of submission. Upon grant of authorisation, every applicant is normally obligated to pay a fee of 10,750 EUR. A fee will also apply if the application is rejected and also in case of the withdrawal of the application for authorisation. A fee may also be charged for the suspension of the authorisation procedure since it also requires administrative resources.

Once the applicant has submitted a complete application, BaFin must inform the applicant whether authorisation is granted or refused within six months. However, the duration of the authorisation process depends on the individual case and is significantly determined by the complexity of the applicant’s business model, and the quality and completeness of the submitted documents.

If during the process of the application preparation questions related to supervisory legislation arise, and the answers to these questions are considered likely to be critical for the granting of this authorisation, applicants can contact either BaFin or their Deutsche Bundesbank regional office. It’s strictly forbidden to start operating prior to receiving appropriate authorisation.

The applications must be signed by persons authorised to represent the crypto company and can be submitted digitally, in line with the requirements of section 3a of the German Administrative Procedure Act, i.e., only if signed with a qualified electronic signature. Documents and declarations can be submitted in a simple digital format if the relevant statutory provisions don’t require the submission of the original or a handwritten signature. Documents submitted digitally should always be sent through secure communication channels (e.g. PGP or S/MIME-encrypted emails).

The annual supervision fees are defined based on individually attributable public services provided by Bafin within the applicable regulatory framework and depending on the complexities of the supervised business can reach up to 500,000 EUR.