Security Tokens of German issuers so far have been issued solely as securities according to the German Securities Prospectus Act respectively the EU Prospectus Regulation. They are designed as identical and freely tradable blockchain tokens that grant its owners certain investor rights such as a return on investment and a repayment claim. Security tokens can be held by the owner on a blockchain address to which only he knows the private key. But what are the options for investors who want their tokens stored and managed by a service provider? Can security tokens be professionally stored by service providers or does that kind of service require a BaFin authorization?


In German private law, securities are traditionally paper documents and therefore objects that can be owned and transferred according to German property law. This means that an unencumbered, bona fide acquisition is possible if e.g. the seller of the security was not the owner or the security was burdened with third-party rights. Even though security transactions in Germany are (corresponding to international standards) these days done by simple account postings at the security depository banks, the legal construction of the transfer of the security in question still includes and depends on the transfer of ownership of the paper document that embodies it. As long as the securities are not traded at stock exchanges or any other public marketplace, the paper documents can be held by the investors themselves. Alternatively, they can be handed to banks that are authorized to handle customer securities. If, on the other hand, the securities can be traded on the capital markets the EU Central Securities Depositories Regulation (CSD) requires that the securities are booked into a securities register at an authorized securities depository bank. This enables the quick, non-physical and electronic transfer of securities at stock exchanges and other public marketplaces.


The German legislator decided to define the custody of crypto assets as a financial service that will require prior authorization from BaFin as of 2020. In the future, crypto assets will be defined in the German Banking Act (KWG) as financial instruments. According to these plans, the definition of crypto assets will include crypto assets that are used either as alternative means of payment or as investment vehicles. Both can be crypto assets as long as they are digital embodiments of value that are electronically transferrable, storable and tradable and that are not issued by an official authority. Security tokens will fall under that definition. Therefore, they can only be stored as crypto assets by service providers that are BaFin authorized for the new financial service of crypto custody. These crypto custody service providers are, according to the legislative plans, exclusive service providers. This means that BaFin can only authorize service providers as crypto custody service providers if these companies do not engage in any other activity that requires authorization according to the German Banking Act (KWG). According to the explanatory memorandum to this law, the legislator wanted to prevent that IT-related risks that arise from crypto custody services impact banking or other financial services.


According to the German Banking Act (KWG) the depository and management services for securities are subject to authorization. It is, as of this point in time, legally unclear if security tokens qualifying as securities in the regulatory sense are also to be qualified as securities in the sense of the securities deposit business. In support of this, the German Banking Act does not explicitly specify that securities have to be paper documents and that from a regulatory point of view, security tokens are digitalized securities. On the other hand, “deposit” in the sense of the depository business means “physical storage with custody” which is obviously unnecessary, even impossible, when it comes to the storage of digital tokens respectively the digital private keys. This legal uncertainty in German regulatory law will be eliminated with the exclusivity of crypto custody services in the future. If security tokens were to be defined as securities in the sense of the depository business, they could neither be stored for customers by security depository banks nor by crypto custody service providers. Due to the exclusiveness of the new financial service, the crypto custody service providers could not additionally get licensed for the security depository business and the security depository banks could not be authorized for offering crypto custody services. Investors could only rely on holding and storing the tokens themselves. This means that the depository banks in the future will not be able to serve the tokenized securities market and will have to leave the field to the crypto custody service providers.

Attorney Lutz Auffenberg, LL.M. (London)