Crypto-custody is a new business subject to authorization
What are crypto assets?
Crypto assets are financial instruments: the definition of financial instruments has been expanded to include them (Section 1 (11) sentence 1, no. 10 of the German Banking Act). Crypto assets are defined as “digital representations of an asset which has not been issued or guaranteed by any central bank or public authority and does not have the legal status of currency or money, but which is accepted by natural or legal persons by virtue of an agreement or actual practice as a means of exchange or payment or for investment purposes and which can be transferred, stored and traded electronically” (freely translated from the original German).
The term crypto assets is thus intended to cover tokens with exchange and payment functions, i.e. in particular cryptocurrencies such as Bitcoin or Ether, but also tokens issued for investment purposes, so-called security tokens or investment tokens. In addition, in line with the usual practice of the German Federal Financial Supervisory Authority (BaFin), cryptocurrencies will continue to be classified as legal units and thus as financial instruments under § 1 (11) sentence 1, no. 7 of the German Banking Act. Depending on their design, security tokens can, in addition to meeting the definition of crypto assets, also fulfill the requirements of debt instruments, investments or investment funds in accordance with § 1 (11) sentence 1 nos. 2, 3 and 5 of the German Banking Act (KWG).
What is crypto-custody?
Crypto-custody business is elaborated in connection with the concept of crypto assets. The crypto-custody business is defined as “the safekeeping, administration and protection for others of crypto assets or private cryptographic keys which serve to hold, store or transfer crypto assets” (Section 1 (1a) sentence 2 no. 6 of the German Banking Act (KWG)). It is sufficient for a crypto-custodian to offer only one of the alternatives mentioned, e.g. only to hold or only to store crypto assets for others. Custody means “taking care of the crypto assets as a service for third parties”. This covers providers who store crypto assets for their customers in a collective inventory, whereby their customers themselves do not know the cryptographic keys used—i.e. private keys and possibly even public keys. “Administration, in the broadest sense, is the ongoing exercise of the rights from the crypto asset”. Security means the digital storage of private keys as a service for third parties as well as the storage of physical data carriers (such as USB sticks or paper) on which such key pairs are stored.
To be or not to be a crypto-custodian, that is the question?!
According to the BaFin interpretation, the mere offering of web hosting or cloud storage space does not fall under crypto-custody business (infosheet: Information about crypto-custody business dated March 2, 2020). In addition, merely providing hardware or software wallets which are operated by the users on their own responsibility does not constitute a crypto-custody transaction if the wallet provider does not have access to the stored data.
Service providers who already offer crypto-custody solutions will be granted a transitional period, as the implementation time frame is very ambitious. Even after the new KWG provisions come into force on January 1, 2020, they may continue to do so without a permit for the time being—provided they have notified the supervisory authority of their intention to submit a corresponding application for a permit by March 31, 2020 and submit a complete application for a permit by November 30, 2020. This is known as “grandfathering”.
Companies that have submitted a corresponding notification of intent are provisionally considered financial services institutions (Section 64y KWG). This means that they must now also meet the prudential requirements for such institutions. This includes a large number of organizational requirements; in particular, appropriate and effective risk management must be implemented (Section 25a (1) of the KWG in conjunction with the Minimum Requirements for Risk Management (MaRisk)). Money laundering law requirements must also be observed. BaFin expects that the institutions that have submitted a notification of intent have already been making corresponding efforts since January 1, 2020 to comply with the legal requirements quickly. According to BaFin, applicants who have submitted an application but have not adapted their processes to supervisory requirements within the transitional period provided for by law as a rule cannot ensure that they will carry out transactions properly. In such cases, the license applied for would have to be refused (BaFin, “Hinweise zum Erlaubnisantrag für das Kryptoverwahrgeschäft”, April 1, 2020). For these interim financial services institutions, this means that they need to start this work at the latest when they notify their intent.
Consequences and challenges
With the inclusion of crypto-custody in the German Banking Act, many small and young companies are now facing major challenges. In particular, start-ups that do not have the support of an established financial institution often lack the banking expertise to identify and implement relevant legal and regulatory requirements and thus meet the requirements for obtaining a license to provide crypto-custody services. In light of the ambitious timetable of the licensing procedure, companies are faced with many operational issues associated with establishing a proper business organization.
Functional model: How do I properly structure the organization as a financial services institution?
Many start-ups are companies that position themselves as innovative technology companies. When transforming the organization from a technology company to a financial services institution, different influencing factors must be weighed up. Regulatory requirements such as the separation of functions must be implemented, while at the same time the existing innovative strength must be maintained. In addition, conditions that allow future growth must be established. An increase in running costs can be expected as a result of the restructuring of the organization and the development of regulatory expertise. Running costs must be kept as low as possible by setting the organization up efficiently—for example by bundling functions.
Personnel: Which employees do I need to ensure a proper business organization?
A compliance officer, an anti-money laundering officer, a head of risk management, an information security officer, etc.: financial services institutions are required to have all of these employees and functions. Many start-ups do not yet have employees with adequate profiles to cover the new activities in the regulatory environment. When recruiting new personnel, it is crucial to find employees who both have banking expertise and experience in the relevant regulatory areas and whose personality matches the corporate culture of a start-up. Some activities must be reported to BaFin and must be accepted by the supervisory authority—a prior dialog with BaFin is advantageous in this regard. In addition, depending on the size and complexity of the institution, the question arises as to whether different functions can be bundled. MaRisk provides for this option primarily for smaller institutions.
Outsourcing: what impact do the requirements have on my existing contracts and how can I identify outsourcing issues?
Due to the small size of start-ups, an efficient and scalable organization can often only be created using outsourcing and third parties, as the company’s own employees focus on the core business of the company. It is important for start-ups to obtain transparency on the entirety of all existing contracts, to categorize them in a standardized procedure and to evaluate them according to their risk. This is the only way to determine whether the institution already outsources. With outsourcing, strict requirements must be taken into account in the drafting of contracts with providers. Important outsourcing solutions include, for example, cloud solutions (see BaFin bulletin) as well as customer identification and identity verification in accordance with the Money Laundering Act by a third-party provider.
Money laundering: what are the consequences as a retroactive money laundering officer?
Companies that are provisionally considered financial services institutions are retroactively obliged under money laundering law and must ensure compliance with the requirements of the Money Laundering Act since January 1, 2020. If not already carried out, a key task is to get an overview of the existing customer base and carry out the identification process for these customers. In addition, it is mandatory to report a money laundering officer to BaFin, and knowledge of the Money Laundering Act and practical experience in this area are particularly important.
To work through the operational and structural issues mentioned above in a structured manner, it is necessary to follow a clear top-down approach so as not to get lost in unnecessary detail.
Solution approach—transforming a start-up into a supervised financial services institution
During the transformation of a start-up into a supervised financial services institution, various subject areas are relevant, which include legal, procedural and organizational issues. To complete this transformation successfully, an integrated approach of legal and banking advice is necessary. One area of conflict here is the merging of the innovative and technology-driven world with the regulatory perspective, in which the assessment and documentation of risks is of great importance. A success factor for the transformation is a continuous transfer of knowledge and the creation of sensitivity with regard to regulatory requirements and issues. In order to include these elements in operational project work, close (digital) cooperation and communication between employees, lawyers and consultants is absolutely essential. Even if the topics are new to many start-ups, it is possible to fall back on tools that are already established in the company, e.g. shared drives to consolidate work results, Slack as a communication channel, daily stand-up meetings for status updates or Kanban boards to structure work packages.