For Startups

The BaFin License to be Required for Crypto Custodians in Germany

The BaFin License to be Required for Crypto Custodians in Germany

The 5th EU Anti-Money Laundering Directive (the “Directive”), the very same that has brought blockchain assets under the scope of the European AML/CFT framework, compels the EU Member States to make changes to their local legislation to be compliant with the Directive`s provisions by January 10, 2020.

In line with that, Bundesregierung (The Cabinet of Germany) has approved the Draft Law on the Implementation of the Directive, Amending the 4th EU Money Laundering Directive (the “Draft Law”).

Virtual Currencies (re)Defined 

The Draft Law proposes changes to the German Banking Act (Kreditwesengesetz, KWG) that will define cryptoasset (Kryptowert) as adigital representation of value that is not issued or guaranteed by any central bank or public authority and that does not have a legal status of currency or money but is accepted by natural or legal persons under agreements or practice as means of exchange or payment, or serves for investment purposes and which can be transferred, stored and traded electronically.

Unlike the Directive, the Draft Law does not limit the use of cryptoassets to simply medium of exchange but also considers other functions normally associated with money that a cryptoasset can potentially perform: means of payment and store of value.

New Regulated Activity: Cryptoasset Custody 

Under the Draft Law, custody, safeguarding and protection of cryptographic keys, used to hold, store and transfer virtual currencies on behalf of the customers, becomes a financial service, making it a regulated activity, authorized by the Federal Financial Supervisory Authority (“BaFin”).

The Draft Law proposes to addend the §32 Permit section of the KWG with a paragraph that will prohibit businesses to perform any other regulated activity, that is subject to authorization under the KWG if a company already provides cryptoasset custody services. 

Basically, this means that a traditional financial or credit institution would not be able to engage in cryptoassets` custody, but rather forced to either outsource custody services, or utilize a holding corporate structure with separate permits.

As stated in a supplementary note to the Draft Law, this is mostly because of cybersecurity risks accompanying blockchain technology, which might have potentially jeopardized other business activities, should a financial institution have carried them out. 

In case a company currently provides custody serviced in regards to cryptoassets, it would have to notify BaFin in writing by February 1, 2020, and submit a full authorization application by no later than June 30, 2020.

Catch Them All

The reasoning behind the Draft Law is that as of now, the German AML framework does not capture crypto-custody services, as well as trading cryptoassets that are not financial instruments.

According to the note, other blockchain businesses like, for example, blockchain exchanges (both crypto-crypto and crypto-fiat), are already regulated activities, as depending on their design, blockchain assets may be considered financial instruments, such as investments, debt securities, units in collective investment funds, foreign currencies or units of account. In this case, exchange services fall under the already existing list of financial services, which is right now not the case for custodians. 


By adopting the Draft Law with a broad definition of cryptoassets and a permit requirement for custody providers, Germany would ensure that all cryptocurrency-centered businesses are obliged entities under the local AML legislation, compliant with the Directive.

However, we find it very interesting to see Germany go beyond requirements of the AMLD5, making the provision of custody services by already authorized businesses impossible. Regardless, we will continue to monitor any potential changes to blockchain regulation to come in 2020 and notify you of the most interesting updates.


Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.

Some of the regulatory provisions that have not entered into legal force are referenced above and are subject to change.

Nik Kliapets, Legal Counsel at Legal Nodes

Legal Nodes Blog

For Startups
Ultimate guide to connecting Virtual Data Protection Officer

Connecting Virtual DPO can greatly reduce start-up’s data protection costs. This article explains who the Data Protection Officer is, why you should consider outsourcing DPO services, and how to pick one that matches the needs of your business....

Legal Nodes Team
Privacy (GDPR)
Cookie Policy: How to Track Website Users Lawfully

The recent study of the Nederlandse Omroep Stichting (the ‘NOS’), a Dutch news media, showed that more than 1,300 Dutch websites violate the privacy of their users. The violation found by the NOS is simple - the users cannot use the websites wit...

Legal Nodes Team
For Startups
Why Your Startup Needs a Founders' Agreement + Template 2021

Founders Agreement – the key step to set clear intentions for you and your partners and to avoid misunderstandings in the future. In a new post on the Legal Nodes blog, we explain what a Founders Agreement is, reasons for your startup to prepare...

Legal Nodes Team
For Startups
Terms of Use that your users will actually read

In this article Legal Nodes Team talks about Terms of Use, how to write them effectively and why you need them in the first place. You could find a FREE template at the end of this article....

Legal Nodes Team
Privacy (GDPR)
How Can You Leverage a Privacy Kit More Effectively?

In this article, Punit Bhatia, a leading privacy expert, shares how small businesses can become privacy compliant by using Privacy Kits in an effective and why just branding the documents and templates in name of your company is not a good idea....

Punit Bhatia
Legal Nodes Updates
Legal Nodes in 2020: A Year in Review

Despite the fact that for many 2020 will be strongly associated with the coronavirus pandemic and lockdown measures, it would be a mistake to forget all the good things that happened this year. Especially when the festive season approaches, and ...

Legal Nodes Team
Privacy (GDPR)
Internet data mining. Is it legal in the EU?

Data mining is the process of collecting and analyzing human-readable data for own purposes. More and more businesses are built on that concept, scientists and medics also use automatically combined data from different sources to spawn predictio...

Ewa Wojnarska-Krajewska
Privacy (GDPR)
11 simple (but complete) steps towards the GDPR compliance in 2020

The GDPR can be a wake-up call to sort out your processes, procedures and technology and thereby run a more successful organisation. Data is now more essential than ever, regardless of your activities or market sector. Not only will efficiencies...

Thomas Hayes
Contract Work
Force Majeure Clauses and the Effect of Coronavirus on Businesses

The coronavirus pandemic has made force majeure clauses one of the hottest legal topics worldwide. To help businesses navigate this issue, we asked Tom Bohills, an English qualified lawyer and the Founder of Chronos Law, to explain the backgrou...

Tom Bohills