German regulatory framework for market participants in crypto assets

By Hans Stamm; Matthias Meinert, Dechert LLP

Published: 21 March 2022

While crypto assets and some of the associated services have started to be covered by the traditional financial supervisory regulations (such as MiFID II), in recent years the European Union and some individual EU member states have aligned and strengthened their supervisory regulations to deal with the rapid innovations in this area. These adjustments were intended to prevent an unregulated market for virtual currencies and other digital assets, especially against the background of high money laundering risks. In addition to the legislative changes regarding the regulatory treatment and classification of crypto assets, the German regulator, the Federal Financial Supervisory Authority (BaFin) has issued several information letters and guidance that further clarify these European and German regulations.1  

This article provides a brief overview of BaFin’s regulatory principles with regard to crypto assets and the associated services under German law. Please note that this can only be a preliminary assessment. In particular, the application of the existing regulations and interpretation by BaFin in the field of decentralised finance (DeFi) applications are currently subject to a considerable degree of uncertainty.

Types of ‘crypto assets’

The starting point for a regulatory classification of crypto assets should be a conceptual differentiation of the terminology for different types of digital assets. Defining crypto assets as tokens is too vague, because the term ‘token’ is only understood as a generic term of virtual assets or crypto assets. A more precise and legalistic distinction between the digital assets, such as virtual currencies, security tokens and utility tokens is crucial for answering any subsequent regulatory questions. In particular, the functionality (use case) of the digital asset must be taken into account. All crypto assets are based on a blockchain technology.

Legal definition: crypto assets

According to section 1 para. 11 sentence 4 of the German Banking Act (KWG) rypto assets are defined as: “Digital representations of a value that has not been issued or guaranteed by any central bank or public body and does not have the legal status of a currency or money, but is accepted by natural or legal persons as a means of exchange or payment or serves investment purposes on the basis of an agreement or actual exercise and which is transmitted electronically, can be stored and traded.” 

This definition reflects the EU definition in the 5th EU Anti-Money Laundering Directive2 and includes digital units of value such as currency or payment tokens, which are often also referred to as virtual currencies.3 Government-issued currencies are by definition not crypto assets, as well as e-money, interconnection payment systems and payment transactions of providers of electronic communications networks or services.

Pursuant to section 1 para. 11 sentence 1 no. 10 KWG, crypto assets also qualify as financial instruments. Since crypto assets can already fall under one of the other categories of financial instruments due to their diverse characteristics, section 1 sec. 11 sentence 1 no. 10 KWG was designed as a catch-all to avoid regulatory gaps for virtual currencies.

Tokenised assets (security tokens)

The holder of security tokens is entitled to membership rights or claims to a certain asset under the law of contracts. These claims or rights are “embodied” in the token created on a blockchain and comparable to the rights of a security holder. Examples are claims for dividend-like payments, co-determination, repayment claims or interest payments.

Security tokens designed under German law regularly represent other forms of securities (e.g. tokenized bonds), or qualify as original digital securities after the introduction of the Act on Electronic Securities (eWPG),4 which came into force on June 10, 2021. As a consequence, German securities law applies to security tokens, i.e. the Prospectus Regulation, the German Securities Prospectus Act (WpPG) and the German Securities Trading Act (WpHG) or, if designed accordingly, also as an investment fund unit within the meaning of the German Capital Investment Code (KAGB). At the same time, security tokens are considered financial instruments under the KWG, due to the technology-neutral definition of the “financial instrument” in MiFID II as “transferable securities”5  according to Article 4 para. 1 no. 44 MiFID II.

Utility tokens

Utility tokens provide the holder with access or usage rights to certain services or products. A repayment of the purchase price or granting of property rights is usually excluded. From this point of view, pure utility tokens can be compared with tickets or vouchers and are therefore not financial instruments. However, distinguishing them from tokenised assets or, if a payment function is integrated, from virtual currencies can sometimes be difficult and depends on the main function of the token’s use case.

Financial services related to crypto assets

Regulatory authorisations are required in Germany for commercial services related to tokens that are classified as crypto assets, financial instruments, securities, investments or investment units. The required authorisation differs depending on the actual service and regulatory classification of the crypto assets. It should be noted (for providers as well as for users) that even if these services are offered from outside Germany to German users in a targeted manner, this may trigger a German authorisation requirement.

Depending on the factual design of the transaction, it may qualify, for example as a banking transaction, i.e. as a financial commission transaction or underwriting business. In addition, an authorisation as a financial service may be required where the service involves investment brokerage, investment advice, operation of a multilateral or organised trading system, placement business, brokerage, financial portfolio management, proprietary trading, or investment management. In this respect, there is no difference to traditional financial instruments, with BaFin referring to the ‘technology neutrality’ of the financial regulations.

Crypto custody business

With the inclusion of crypto assets in the definition of financial instruments in Germany, a new financial service for the custody of crypto assets was introduced.6 This financial service is defined as the “custody, management, and securing of crypto assets or private cryptographic keys used to hold, store, and transfer crypto assets for others”. BaFin has described the relevant criteria and requirements in detail in its guidance notice on crypto custody business.7

Whether the activity conducted by the service provider is a regulated activity often depends on if the service provider holds the private cryptographic key in its systems on behalf of the client and so has access to the decentrally stored crypto assets. 

The result may be different if the service provider only offers a software that interacts with crypto exchanges, for example via interfaces called application programming nterfaces (APIs), without ever having contact with the private cryptographic keys. BaFin has expressly stated that the production or distribution of hardware or software to secure the crypto assets or the private cryptographic keys, which are operated by the users on their own responsibility, are not covered by the crypto custody business definition if the service providers do not have access to the crypto assets or private cryptographic keys held by the user. These software-as-a-service business models usually do not constitute a regulated activity under German law.

Effects of these principles on the regulatory authorisation requirements of DeFi Services – ‘staking’ and  ‘lending’

Any regulatory authorisation requirements for DeFi-Services (such as staking or lending) must also be assessed. Staking is where crypto assets are stored in a special blockchain address (wallet), blocked for the holder’s dispositions, to serve the validation of transactions on the blockchain (referred to as ‘proof-of-stake mechanism’). For the holding period of the staked tokens, their holders are rewarded with transaction fees of the blockchain (staking rewards). Another use case is liquidity staking’, in which the crypto assets are made available to increase the trading liquidity of automated trading venues (automated market making) of decentralised exchanges (DEX) (referred to as ‘liquidity pools’). As a fee, the holders will usually receive a part of the trading fees of the DEX.

Another very common form of DeFi is crypto lending, where units of crypto assets (e.g. in the form of stable coins) or money loans are transferred for use for a fee. The lending is remunerated, for example, in the form of interest or additional units of a crypto asset. 

Typically, the granting of the loan is not based on the creditworthiness of the borrower, but by depositing crypto assets as collateral. For example, Bitcoin can be lent up to a certain value. In this respect, this is comparable to repo transactions in the traditional securities market, with the essential difference that the lending, control and, if necessary, utilisation of the collateral is handled automatically via a smart contract. A distinction must also be made between this form of financing through a decentralised blockchain protocol and providers who offer secured crypto loans directly: centralised finance (CeFI).8 

It is still unclear if these types of transactions may qualify as regulated lending (banking) activities under German law which, in general, require authorisation from BaFin.

Extension of the licensing requirements by the proposed EU regulation ‘MiCA’

On 24 September 2020, the European Commission published its proposal for a Markets in Crypto Assets Regulation (MiCA Regulation) as part of the package for the digitisation of the financial sector. This is a package of measures to further develop and promote the innovation and competitive potential of digital finance as well as to mitigate possible risks associated with digital finance. The regulation is currently in the consultation process and is expected to enter into force in the third quarter of 2022.

Among other things, the MiCA Regulation pursues the goal of creating legal certainty regarding crypto assets that are not covered by existing EU legislation in the financial services sector. The future harmonised rules for issuers of crypto assets and crypto service providers are intended to create a common, ‘sound’ regulatory framework and a single market. It will replace national rules for crypto assets that are not covered by existing EU financial services legislation.

The proposal of the MiCA Regulation shows that there is now greater momentum at EU level regarding the regulation of crypto assets and crypto service providers. This will further reinforce the rapid developments in national legislation in recent years as well as in the corresponding interpretative decisions of BaFin.

Issuers and service providers, as well as users and investors in crypto assets, should therefore keep an eye on the dynamic regulatory developments at national and EU level.

1 BaFin – Advisory Letter (WA) - GZ: WA 11-QB 4100-2017/0010; BaFin – Guidance Notice: Second Advisory Letter - GZ: WA 51-Wp 7100-2019/0011 and IF 1-AZB 1505-2019/0003; BaFin – Guidance notice: Guidelines concerning the statutory definition of crypto custody business.

2 Directive (EU) 2018/843 of 30 May 2018.

3 Among the most well-known virtual currencies are, for example, Bitcoin, Ether, Litecoin and Ripple. A list of virtual currencies can be found on the website

4 Law on Electronic Securities (eWpG), promulgated as Art. 1 G of 3.6.2021 (Federal Law Gazette I p. 1423); Entry into force in accordance with Article 12 of this G on 10.6.2021.

5 “Categories of securities which may be traded on the capital market: with the exception of from Payment instruments [...]”.

6 Section 1 para. 1a sentence 2 no. 6 KWG

7 BaFin - Guidance notice – guidelines concerning the statutory definition of crypto custody business.

8 e.g.