AMLD5 in Germany: Implementation provides far-reaching licensing requirements for crypto-asset service providers
German draft bill for the implementation of the 5th EU Anti-Money Laundering Directive provides for licensing requirements and an expansion of the address of the anti-money laundering obligations with regard to crypto-asset service providers.
On 31 July 2019 the Federal Cabinet published a draft bill implementing the Amending Directive to the 4th EU Anti-Money Laundering Directive (Directive [EU] 2018/843) into German law (”AMLD5””). The bill introduces, amongst other things, changes to the German Anti-Money Laundering Act (Geldwäschegesetz – GwG) and to the German Banking Act (Kreditwesengesetz – KWG) and new provisions for electronic wallet providers and exchange platforms for crypto-assets. The draft bill will become effective on 1 January 2020 and will have a big impact on the crypto-assets industry as it extends the scope of anti-money laundering and countering financing of terrorism (AML/CFT) duties to providers engaged in exchange services between virtual currencies and fiat currencies (that is to say electronic coins, banknotes and electronic money of a country that are accepted as a medium of payment or exchange) as well as custodian wallet providers.
The draft bill also reflects the ongoing discussions between the EU and national authorities as to whether and to what extent innovative FinTech business models need more regulation and clarity at the EU level (see ESMA’s report dated 12 July 2019 “Licensing of FinTech business models”).
- Crypto-assets qualify as financial instruments within the meaning of the German Banking Act (KWG). Any person wishing to provide financial services related to crypto-assets in Germany commercially or on a scale which requires commercially organised business operations, will require authorisation from BaFin.
- The new “crypto custody business” covers by definition not only the use of crypto-assets for exchange purposes, but also as a means of payment and investment. In this way the German draft bill gold plates the European definition.
- The new “crypto custody business” introduces a statutory license requirement pursuant to section 32 KWG. Providers of crypto custody services will therefore be classified as financial institutions under the KWG and GwG and will therefore need to observe the respective requirements.
- The license for “crypto custody business” is exclusive, i.e., investment firms which are already authorized to provide financial or banking services subject to the KWG cannot apply for an additional license covering “crypto custody business”, but need to separate such business from their other financial services or banking business.
- New rules also affect non-German services providers with German clients.
Growth of crypto-assets industry in Germany
According to the legal reasons in the draft bill, virtual currencies have gained importance in recent years. Worldwide market capitalization reached its peak in January 2018 at around €700 billion, although this has reduced in the last few months in 2019. According to the draft bill the risks associated with virtual currencies have also increased, as they become more widespread. In particular, the anonymity of virtual currencies would allow their potential misuse for criminal and terrorist purposes. The G20 have therefore agreed to regulate virtual currencies in order to combat money laundering and terrorist financing. The AMLD5, which will be implemented into German law by the German draft bill, extends the material scope of the 4th Anti-Money Laundering Directive to service providers that offer exchange services of virtual currencies as well as to providers of electronic wallets.
Regulation of crypto-asset providers in the EU
AMLD5 extends the scope of the “obliged entities” subject to AML/CFT obligations to crypto-asset providers as follows:
- providers engaged in exchange services between virtual currencies and fiat currencies
- custodian wallet providers
The new terms “virtual currencies” and “custodian wallet provider” are defined in Article 3 of AMLD5 as follows:
- "virtual currencies means a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically"
- "custodian wallet provider means an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies"
The AMLD5 provides only for minimum harmonization. This means that stricter national regulations are possible.
The German implementing legislation of the AMLD5 and change of Regulatory Framework for Crypto Currencies
In contrast to AMLD5, the current draft bill reflects the changes not by way of amendment the German GwG, but rather by inclusion of “crypto-assets” (Kryptowerte) as a financial instrument in the German KWG. As a consequence, the German implementing legislation will also change the regulatory framework for certain services on crypto currencies by qualifying service providers in the area of crypto-assets as financial institutions. In addition to that, the German draft bill extends the scope of existing financial services pursuant to section 1 para. 1a KWG by the new created financial service “crypto custody business” (Kryptoverwahrgeschäft).
Crypto custody business is defined as follows:
- “The custody, safekeeping, and administering of crypto-assets or private cryptographic keys that serve to hold, store, and transfer crypto-assets for others qualifies”
The draft bill partly goes beyond the legislation of AMLD5 as the German definition of “crypto-assets” does not only (as is the case with the European Directive) cover virtual currencies for exchange purposes, but also includes the use of crypto-assets as a “means of payment or investment”. According to the explanation, the draft bill thereby follows the intention of AMLD5 in covering all potential uses of virtual currencies.
When the draft bill enters into force, providers of financial services in Germany related to crypto-assets must therefore apply for a license from the German BaFin pursuant to section 32 KWG and must comply with the AML/CFT requirements pursuant to the German GwG.
Under the draft bill crypto custody businesses would only be entitled to apply for a license where no other financial services requiring permission under the KWG are provided. Consequently, investment firms or banks which currently undertake crypto custody business and apply at a later stage for separate permission to conduct other banking business or financial services must expressly waive their permission to conduct crypto custody business. Failing this, BaFin will not grant the requested license. As a result, banks need to separate their crypto custody business from other regulated business. By this “separation”, the German legislator intends to avoid IT-related risks connected with crypto custody business spilling over into other banking or financial services where those services are provided by the same entity.
Furthermore the government bill includes transitional periods, according to which companies that need to apply for a license due to the new financial service of “crypto custody business” or due to the extension of the term “financial instruments” to include crypto-assets would have to notify BaFin in writing of their intention to continue crypto custody business by 1 February 2020 and submit their license application according to section 32 KWG by 30 June 2020.
Fortunately, the government bill also clarifies that the mere provision of hardware or software for securing crypto-assets or private cryptographic keys operated by the clients on their own responsibility, is not covered by “crypto custody business” as long as the providers do not have proper access to the stored data. A clarification as to whether “utility tokens” are also covered by the term “crypto-assets” is, however, not provided by the government draft bill. With respect to pure utility tokens (app tokens, product use tokens, consumption tokens), BaFin noted in an earlier statement in August 2018 that the focus of utility tokens is basically on the sole use for purchasing real-economy goods or services and not on a financial consideration.
With the draft bill the German legislator is also taking up a key finding of two ESMA’s surveys, which have been the basis for the “Licensing of FinTech business models”-report published on July 12, 2019, in which the national competent authorities (NCAs) called for more guidance from the EU authorities with regard to the definition of financial instruments and the legal nature of crypto-assets.
Consequences for non-German service providers to German clients
As electronic wallet providers and exchange platforms for crypto-assets operate frequently across borders, providers that intend to offer services from offshore into Germany or to German residents will need to establish a German subsidiary in order to obtain the license required under section 32 KWG.
Crypto-asset providers domiciled in another EU/EEA state may provide financial services in Germany, either through a branch or by providing cross-border services, without authorization from BaFin if the provider has been approved and is supervised by its home state authorities and if the business conducted is covered by the approval granted (the so-called MiFID passport). The current draft bill does not address how crypto-asset providers are able to make use of the MiFID passport or whether there are any facilitations with regard to further licensing.
This situation is particularly problematic since the classification of crypto-assets as financial instruments and the provision of services related to crypto-assets as financial services within the meaning of the MiFID regime is not harmonized throughout the EU, but is subject to national law. Due to the absence of a harmonized legal framework for crypto-assets and related services within the EU, respective providers may face a range of different, and eventually contradicting, regulatory national standards when providing or marketing services on a cross-border basis. Crypto-asset providers should therefore carefully consider on a jurisdiction by jurisdiction basis whether the intended services fall within the scope of applicable license requirements or financial rules before undertaking business activities offshore.
This update was authored by Hans Stamm and Dr. Denise Blessing.