The vast majority of goods and services that are purchased online is still paid for via credit card. This also applies companies from the blockchain industry since cryptocurrencies as a means of payment, even in this field of business, have not yet reached mass adoption. It is therefore crucial for e.g. crypto exchanges, token emitters and crypto custody service providers to offer the most common credit card schemes as a payment option for their customers. It is precisely these big, global credit card providers that classify crypto related businesses as High Risk Merchants already since 2018. If a crypto company therefore wants to be become a part of the Mastercard network, it must undergo a special due diligence process in order to comply with the current Mastercard Statutes since the inclusion of Cryptocurrency Merchants in the Mastercard Business Risk Assessment and Mitigation Program (BRAM) as of 16th April 2018.


Mastercard defines businesses that are related to crypto transactions as Crypto Merchants. According to Mastercard´s Security Rules and Procedures – Merchant Edition from 14th February 2019 (SPME) a crypto transaction in this sense is basically every incident in which a credit card holder uses an account to buy or sell cryptocurrencies. Therefore, all crypto related business that offer their customers the option to buy or sell cryptocurrencies are generally affected. These are first and foremost crypto exchanges but also e.g. token issuers wanting to sell their issued tokens to investors.


Strictly speaking Mastercard´s SPME do not obligate the crypto businesses directly but rather their merchant acquirers to account for a certain due diligence in relation to the crypto business. According to number 9.4.9 of the SPME, merchant acquirers of crypto businesses have to be supplied with copies of authorizations according to which the activities of the crypto business are authorized in the countries in which business is supposed to be conducted with card holders. If the activity is not subject to authorization in countries in which business is supposed to be conducted with card holders but e.g. subject to an entry in an official register, a copy of the register is sufficient. Most crypto services in Germany are subject to BaFin authorization. Crypto businesses therefore must supply their merchant acquirer with a copy of their authorization notification or e.g. an officially approved excerpt from the tied agents register if they act as tied agents. Companies that merely conduct passive business with German card holders, meaning that these companies do not actively target the German market, are not subject to BaFin authorization and in consequence do not have to provide the merchant acquirer with documents of the aforementioned kind. In any case, Crypto Merchants must provide their merchant acquirer with a reasoned legal opinion of a qualified law firm explaining the regulatory obligations of the crypto business as well as the card holders for every country in which Mastercard payments shall be accepted, no matter if the business is conducted actively or passively. The SPME states that these legal opinions have to be “acceptable to Mastercard” which means that a certain level of quality should be observed when creating the legal opinion. For the German market, FIN LAW offers the creation of such legal opinions. For legal opinions concerning other jurisdictions FIN LAW disposes of a broad international network of qualified partner law firms.

Attorney Lutz Auffenberg, LL.M. (London)