Under Directive (EU) 2018/843, commonly referred to as the fifth anti-money laundering directive (5AMLD), so-called 'custodian wallet providers' (CWPs) became subject to EU regulatory obligations in relation to anti-money laundering and anti-terrorist financing for the first time.
Germany has transposed the 5AMLD via an implementing law that took effect on 1 January 2020.
Legislative goldplating in Germany
The German implementing law significantly 'goldplates' the 5AMLD.
Licensing requirements
The directive only requires that CWPs register. But the German law requires 'crypto custodian businesses' – defined as businesses involved in the ‘holding, managing and safeguarding of crypto assets or private cryptographic keys that serve to hold, store and transfer crypto assets’ – to have the appropriate financial services licence to operate.
So instead of just registering, CWPs must apply to be licensed as a 'crypto custodian business'. Once licensed, they are subject to the prudential supervision of Germany's federal financial supervisory authority (Bundesanstalt für Finanzdienstleistungsaufsicht or BaFin).
Crypto assets
The 5AMLD defines CWPs as entities that provide services to safeguard private cryptographic keys on behalf of their customers, to hold, store and transfer virtual currencies.
Among other things, the directive characterises virtual currencies as a means of exchange, ie a means of payment. This comprises payment tokens but, in most cases, not tokens that represent shares or bonds (so called 'investment tokens' or 'securities tokens').
However, the German implementing law introduces 'crypto assets' as a type of financial instrument that, by definition, also covers digital units that 'serve investment purposes'. This means that CWPs for securities tokens are subject to the new licensing regime too.
The classification of crypto assets as financial instruments will also extend the scope of licensable financial services to companies that provide such services in relation to crypto assets, such as crypto exchanges.
This becomes relevant for financial services in respect of two groups of crypto assets:
- it creates legal certainty for virtual currencies, which BaFin views as financial instruments (although this view was contested by a court decision); and
- it covers security tokens to the extent that they did not already qualify as tradeable securities under MiFID II.
We have seen how the 5AMLD describes CWPs as entities that provide services to safeguard private cryptographic keys. In contrast, the German legislator decided to regulate the 'holding, managing and safeguarding of crypto assets or private cryptographic keys' (emphasis added).
This wording aims to prevent regulatory arbitrage and capture situations where the crypto assets themselves are safeguarded by a CWP. This apparently tries to cover arrangements where the crypto assets of several clients are 'pooled' by generating only one public key for several clients’ crypto assets.
Germany's legislative goldplating of the 5AMLD means that CWPs may become subject to the German licensing regime even though they are not subject to similar requirements in other EU member states.
Providing licensable crypto-custody services 'in Germany'
Like all regulated banking activities and financial services, a German licence is only required if the crypto-custody business provides services in Germany.
Under BaFin guidance, a financial service (or banking activity) is provided in Germany if the service provider has its registered office or ordinary residence either:
- in Germany; or
- outside of Germany and targets the German market in order to offer banking products or financial services repeatedly and on a commercial basis to companies and/or persons having their registered office or ordinary residence in Germany.
Targeting the German market may, for instance, be established by soliciting the specific service on a website, whose domain name, content or German contact details indicates that the website is targeted at German clients. A licensing requirement may, however, be avoided if the German client approaches the foreign provider on its own, exclusive initiative (so-called 'reverse solicitation').
Both EEA and non-EEA providers of crypto-custody services should therefore review whether a German financial services licence is required. Since crypto-custody services are not investment services under MiFID II, it is also not possible for EEA CWPs to make use of the EU passport for their German activities.
If a licence is required, providers will generally have to establish a licensed German subsidiary.
Foreign CWPs may also apply for an exemption from the licensing and other governance requirements or establish a branch that applies for the crypto-custody licence. The exemption and the licence for a branch will, however, require that the foreign CWP is sufficiently supervised in its home state. Currently, it is uncertain how CWPs can fulfil this requirement.
A two-stage licence application process
While the German law that implements the 5AMLD entered into force on 1 January 2020, the licence application process is being phased in.
Licensable crypto-custodian businesses must, by 31 March 2020, formally notify BaFin that they intend to apply for a licence. (BaFin has provided a German-language notification template on its website.) A full licence application must be submitted by 30 November 2020.
The introduction period applies to entities that provided crypto-custody services before 1 January 2020 either on their own account or on the account and under the liability of a credit institution or investment firm and were registered with BaFin as a so-called 'contractually tied agent'.
To help make the transition to the new regime smoother, in December 2019, BaFin issued a voluntary, informal and non-binding call for expressions. It allows crypto-custody companies to submit information about their business and ask questions.
However, according to BaFin, participating in this process neither replaces the need to formally notify BaFin of the intention to apply for a licence nor affects the outcome of a licence application.
Outlook
With BaFin yet to provide specific guidance on how it will administer the licensing process and supervise CWPs once licensed, CWPs face a significant challenge to align their business with the new licensing regime.
They should therefore consider participating in the call for expressions to get answers to some of their more general questions before beginning the actual licence application process.
BaFin intends to update its website regularly, particularly to provide further guidance on how to complete the licence application (currently only available in German).
