- Basic information on the license application
- Notes on procedures based on the transitional provision under Section 64y KWG
- Notes on the subject matter of the license application
(a) IT requirements
(b) Reliable and professionally qualified managers
(c) Number of managers required
(d) Prevention of money laundering and terrorist financing
(e) License issuing fee
*** Please note: This is not an official translation from the Federal Agency for Financial Market Supervision. Please refer to the German language version for binding information.***
The notes explain the main features of the licensing procedure for the crypto custody business and summarize the essential requirements for the granting of licenses.
The Act on the Implementation of the Amending Directive to the Fourth EU Money Laundering Directive (Federal Law Gazette I dated 19 December 2019, p. 2602, hereinafter referred to as the “Amending Law”) incorporated crypto custody business as a new financial service into the KWG. Since the Act came into force on January 1, 2020, companies intending to provide this service require a license from BaFin.
The present information provides companies who want to apply for a license for the crypto custody business within the meaning of Section 1 (1a) sentence 2 no. 6 KWG with initial indications as to which aspects are of particular importance in the licensing procedures from the perspective of BaFin. Information on the facts of the crypto custody business can be found in the corresponding information sheet.
The stated expectations expressly apply to the crypto custody business; not to the existing administrative practice with regard to banking transactions or other financial services. The information does not claim to be complete. The legal principles apply and the relevant applicable circulars, information sheets and overviews of BaFin and German Central Bank must be taken into account.
If companies have any questions regarding the crypto custody business, they can contact the IT Supervision Group of BaFin (email@example.com) or the German Central Bank’s Regional Head Office responsible for their region directly. Digital transmissions should always take place via secure communication channels. The IF department at BaFin is responsible for questions as to whether an activity requiring authorization is being performed.
1. Basic information on the license application
The licensing procedure for companies wishing to provide crypto custody services within the meaning of Section 1 (1a) sentence 2 no. 6 KWG is based on Section 32 (1) KWG and is thus comparable to licensing procedures already established for banking transactions or other financial services regulated before the Amending Law came into force. Therefore, the relevant ordinances, in particular the Ordinance on Notifications, which in § 14 AnzV contains more detailed provisions on the notifications and documents to be submitted, must also be applied. Applicants may, therefore, refer to the German Central Bank’s information sheet on the granting of a license to provide financial services dated 6 July 2018.
If the specific business model is not limited to the safekeeping, administration and securing of crypto assets within the meaning of Section 1 (11) No. 10 KWG, but rather to financial instruments pursuant to Annex I Section C of Directive 2014/65/EU (“MiFID II”), a license requirement for other banking transactions or financial services within the meaning of the KWG could also result. In cases where financial instruments within the meaning of MiFID II also become the object of business activity, the licensing procedure could be based not on Section 32 (1) sentence 1 KWG but on Delegated Regulation (EU) 2017/194. Further information on the authorization as an investment firm within the meaning of MiFID II required in such cases can be found on the website of BaFin.
The granting of a license requires the submission of complete application documents. Applicants should therefore not submit incomplete license applications. This also applies with regard to the transitional provision set out in Section 64y of the German Banking Act (KWG) and the deadline granted until 30 November 2020 (see also Section 2). If certain information and evidence is not yet available, a brief justification should be given and the date of the intended subsequent submission should be specified. If regulatory issues already arise during the preparation of the complete application for a license, the answers to which could foreseeably be critical for the granting of a license, companies may contact BaFin or the relevant German Central Bank head office directly. It should be noted that companies that are not subject to the transitional provision may only commence operations once BaFin has issued a legally effective license.
It should be noted that the application must be signed by persons authorized to represent the company. Alternatively, there is the possibility of digital submission exclusively in accordance with the requirements of § 3a VwVfG, i.e. as a rule by means of qualified electronically signed documents. Information on the legally effective transmission of electronic documents is available on the website of BaFin.
In addition, documents and declarations may be submitted in simple digital form, unless the legal basis provides for the submission of the original or a handwritten signature. This is the case, for example, with the submission of CVs (§ 5a (1) sentence 2 of the AnzV) and declarations of reliability (§ 5b (2) sentence 2 of the AnzV). Digital submissions should always be made via secure communication channels, for example via e-mails encrypted with PGP or S/MIME. More detailed information on the available procedures can be found on the BaFin website.
2. Notes on procedures based on the transitional provision under Section 64y KWG
With the transitional provision in Section 64y of the German Banking Act (KWG), the legislator has given companies that were already operating prior to the entry into force of the Amending Law sufficient time to adapt their internal systems and processes to the regulatory requirements of the KWG. However, the transitional provision provides for a fictitious permit as of January 1, 2020, which means that the companies are already institutions within the meaning of the KWG. The BaFin, therefore, expects that companies will already make corresponding efforts from January 1, 2020 to comply with the legal requirements as quickly as possible. Applicants who have not adapted their processes to supervisory requirements during the transitional period provided for by the legislator despite having submitted an application, regularly offer no guarantee for the proper execution of transactions. In such cases, the requested permission would have to be denied. BaFin, therefore, reserves the right to make inquiries, for example in order to obtain an impression of the preparatory actions carried out and planned, even before the time of granting the license. If companies have not yet implemented certain requirements at the time of applying for a license, these companies should be able to explain the reasons for this and submit a timetable for rapid implementation. The companies should independently analyze which (technical) risks they see during the ongoing implementation and how they will counteract them.
BaFin explicitly points out that the transitional provision does not apply to services requiring authorization which were already subject to authorization before the amendment to the law came into force. Reference is made to the published guidance on the interpretation of Section 64y KWG.
3. Notes on the subject matter of the license application
In the application for a license for the provision of the crypto custody business within the meaning of Section 1 (1a) sentence 2 no. 6 KWG, it must be demonstrated, among other things, that sufficient initial capital of at least EUR 125,000 is available and that the company has both reliable owners and reliable and professionally suitable managers. In addition, the application must be accompanied by a business plan which, in addition to plans for the balance sheets and income statement for the first three full financial years, must, in particular, include the organizational structure and a description of the planned internal control procedures. The accounting is based on the RechKredV. The companies must show that they have a proper business organization. In view of the technical focus of their business activities, information on the IT strategy and IT security, in particular, must be provided here (see below under item 3 lit. a). The specific information and evidence to be submitted is based on § 32 KWG and the more specific requirements of the Ordinance on Notification. In the authorization procedure, Section 14 of the Ordinance on Notification must be observed in particular.
The requirements of the Ordinance on the Control of Ownership apply to the evidence to be submitted by the natural and legal persons who have a significant share in the company, including applications for permission for the crypto custody business. The information sheet on ownership control dated 27.11.2015 can, therefore, serve as a guide. An overview of the annexes to be submitted is provided in the “List of Annexes” under item 6.4 of the “Acquisition Increase” form in the Annex to the Owner Control Ordinance, whereby different submission and verification requirements apply (cf. Art. 14 para. 5 AnzV).
In addition, the supervisory expectations for the performance of the crypto custody business for selected aspects will be specified in more detail below:
a) IT requirements
Adequate IT security is an essential component of a proper business organization within the meaning of Section 25a of the German Banking Act (KWG) and must be explained in the context of the presentation of the Institute’s planned internal control procedures (Section 14 (7) No. 3 of the Ordinance on the Introduction of Financial Reporting Standards). Both the minimum requirements for risk management (MaRisk) and the banking supervisory requirements for IT (BAIT) must be applied to the specific business activity – always taking into account the principle of proportionality – and must be taken into account when implementing risk management.
In particular, BaFin expects information on the design of the IT systems and the IT processes implemented. This information must be submitted both by those companies that benefit from the transitional provision of Section 64y KWG and by those that, irrespective of this transitional provision, submit an application for authorization for the crypto custody business within the meaning of Section 1 (1a) sentence 2 no. 6 KWG. When presented in the license application, the explanation of the implemented measures should focus on the security of the cryptographic keys. Documents to be submitted include, in particular, a description of the security strategy, the handling of security incidents and a risk assessment of the company as well as a description of the existing technical and organizational procedures for handling the cryptographic keys.
On the basis of the business model described, the company should explain how the technical safekeeping of the cryptographic values is carried out in practice, i.e. what form of storage (e.g. “hot wallet”, “cold wallet”) is used and whether and how cryptographic values for individual customers are kept in separate or bundled wallets.
Based on the description of the business activity, a comprehensive description of the implemented IT systems should be provided. The information and documents to be submitted should include the following points in particular:
- The company should submit a detailed description of its business strategy in relation to the planned activity.
- The IT strategy that must meet the requirements of AT 4.2 of MaRisk should be presented in detail. This includes in particular that the management defines a sustainable IT strategy in which the objectives, as well as the measures to achieve these objectives, are presented.
- A comprehensive description of the architecture of the IT systems should be included. This should contain both network and backup elements as well as specific hardware for the safekeeping of crypto values.
- The application should also be accompanied by a description of the security strategy. The technical and organizational security measures implemented should be explained, as well as the encryption methods used.
- Information should be provided on (significant) outsourcing and cloud solutions used. All cooperation partners who are involved in the implementation of the crypto custody business should be named and their respective roles explained. MaRisk AT 9 and the information sheet “Orientation Guide to Outsourcing to Cloud Providers” should also be taken into account.
- The company should carry out a risk assessment and explain the effects and measures, for example with regard to the protection requirements, the loss of cryptographic keys, but also other relevant data and the IT infrastructure.
- Furthermore, a detailed description of the cryptographic concept including the IT technical description of the cryptographic functions and procedures used should be submitted. Details of the emergency management in place and the measures taken to prevent the loss of the cryptographic values held in safe custody shall be provided.
- The company should identify the roles with access to sensitive data and the cryptographic keys kept in safe custody and provide details of the rights and role concept or authorization management (cf. Section 5 of the FOITT).
- The applicant should submit a description of the established monitoring procedures, such as the implemented monitoring of the systems.
The presentations must be made in accordance with the principle of proportionality and in each case in relation to the specific business model. The focus of the presentations should be on the specific characteristics of the company.
b) Reliable and professionally qualified managers
The managers of an institution must be professionally qualified and reliable and devote sufficient time to the performance of their duties (Section 25c (1) KWG). This also applies to the performance of the crypto custody business within the meaning of Section 1 (1a) sentence 2 no. 6 KWG. The lack of professional competence of a manager is a reason for the refusal of permission (Section 33 (1) No. 4 KWG).
Applicants can generally base their assessment of the reliability and professional competence of the managers on the “Information leaflet for managers pursuant to the German Banking Act, the German Insurance Supervision Act, and the German Investment Bank Act”, which is also applicable to the crypto custody business. The documents required for the examination of the request must, in particular, include a personally signed curriculum vitae as well as both a certificate of good conduct for submission to an authority (Section 30 (5) BZRG) and an extract from the Central Trade Register (Section 150 GewO). The BaFin has published a checklist as an annex to the above-mentioned leaflet, from which the documents to be submitted can be found.
The professional qualification to manage an institution within the terms of the KWG means that a manager has sufficient theoretical and practical knowledge of the business concerned and management experience (§ 25c (1) sentence 2 KWG). In the case of the crypto custody business, BaFin will take into account in its examination both the size and structure of the company and the fact that the crypto custody business is a new and previously unregulated financial service. BaFin has already adjusted its decision-making standards for traditional banking transactions with regard to the IT competence of the management (see BaFin Journal 12/2017, p. 15). Since the nature of the crypto custody business is based on technical processes and the security of the cryptographic keys held in safe custody is of particular importance, the BaFin will apply these decision-making standards to the crypto custody business. BaFin gives the technical expertise of a manager in the case of the crypto custody business a special role and will, therefore – limited to these facts – fully recognize technical expertise, e.g. relevant studies and profound practical experience with IT security issues, as professional qualification “in the relevant business” (Section 25c (1) sentence 2 KWG).
The BaFin will recognize activities for a company that falls under the transitional provision of § 64y KWG as practical knowledge of the crypto custody business, provided these activities are in a prominent position, i.e. correspondingly high up in the hierarchy. However, it is expected that the managers will also use the time allowed by the transitional provision to acquire any knowledge that may not yet be fully available.
Furthermore, BaFin will examine in justified individual cases to what extent the personnel and organizational resources of the company as a whole are suitable to temporarily absorb a lower level of knowledge of a manager within the management. These are always decisions in individual cases, which also take into account the size and structure of the company and the specific transactions performed.
c) Number of managers required
If an institution exclusively holds crypto assets within the meaning of § 1 para. 11 no. 10 KWG, the appointment of a single manager is sufficient as a general rule – as a reverse conclusion from § 33 para. 1 no. 5 KWG. However, a different assessment may result if the crypto assets in question (also) fall under another category of financial instruments in § 1 (11) KWG or if the institution carries out further transactions.
Nevertheless, BaFin expressly points out that, notwithstanding this requirement, the appointment of one or more additional managers may be required by supervisory law in certain individual cases. The implementation of the dual control principle in the management is in any case necessary if, based on the size of the institution and the scope of its business activities, an orderly business organization within the meaning of § 25a KWG cannot be guaranteed with only one manager. BaFin will examine this on a case-by-case basis on the basis of the documents submitted in the approval procedure. For this reason, an organizational chart showing the responsibility of the management must also be attached to the approval procedure (Section 14 (7) sentence 1 no. 2 AnzV). It should also be clear from the submitted documents that the institute has sufficient personnel and technical/organizational resources to meet the legal requirements (§ 25c para. 4 and 4a no. 4 KWG). BaFin also draws attention to the fact that managers must devote sufficient time to their work in accordance with Section 25c (1) KWG.
d) Prevention of money laundering and terrorist financing
BaFin explicitly points out that the obligations under the Anti-Money Laundering Act must be fulfilled by the newly obligated parties even if permission is deemed to have been granted provisionally on the basis of the transitional provision under Section 64y KWG. In this respect, a prompt implementation of these obligations is expected, irrespective of the progress of the licensing procedure within the framework of the transitional provisions of Section 64y KWG. However, BaFin will apply the principle of proportionality with regard to possible sanctions on a case-by-case basis if certain requirements require a certain amount of time to be implemented operationally. In the event that institutions intend to outsource internal safeguards in the area of money laundering prevention, reference is also made to the obligation of prior notification pursuant to sections 6 (7) GwG and 25h (4) KWG. Similarly, the appointment of the anti-money laundering officer and the deputy anti-money laundering officer must also be notified to BaFin in accordance with Section 7 (4) GwG. A form for this can be downloaded from the BaFin website. With regard to the anti-money laundering obligations of the institutions providing the crypto custody business, BaFin will also publish a separate information sheet in the near future.
e) License issuing fee
The fee for the granting of a license is based on the annex to the FinDAGKostV. It amounts to EUR 10,750 if only the crypto custody business within the meaning of Section 1 (1a) sentence 2 no. 6 KWG has been applied for and crypto values within the meaning of Section 1 (11) no. 10 KWG are held in safekeeping, administered or secured for third parties. The fee is due upon granting of the permission. Please note that both the refusal of a permit and the withdrawal of a license application are subject to a fee (§ 3 para. 2 FinDAGKostV).
Source: BaFin (available only in German)