After the highly anticipated debate in the German Bundestag regarding the transposition of the provisions of the fifth European AML Directive only marginally included a discussion of the introduction of crypto custody services as a new financial service, it is still not foreseeable if the proposed draft, prior to the final vote will be revised following the criticism of the German Bundesrat or not. It has to be assumed that on 1st January 2020 crypto custody services will be included into the catalogue of sec. 32 of the German Banking Act (KWG) as proposed by the Federal Government. If so, it will not be possible for companies to commercially store, manage or secure crypto assets or corresponding private keys for customers as a crypto custody service without prior BaFin authorization. The legal design of crypto custody services in the German law will at that point in time substantially exceed the requirements of the fifth European AML Directive, which merely requires the operators of electronic wallets to actively enforce AML measurements and does not call for an authorization obligation. But who will be subject to this German solo effort and what is exactly will be considered as a crypto custody service by this regulation?
CRYPTO CUSTODY APPLIES TO THE CUSTODY OF PRIVATE KEYS FOR CRYPTO ASSETS
The term “custody” is, from a technical point of view somewhat misleading. It stems from the physical taking of objects, as e.g. security certificates. Things are different with crypto assets: They are only digitally existing information of the allocation of tokens to a certain address of the underlying blockchain. This information can only be changed if someone uses the corresponding private key of the blockchain address in order to transfer the tokens to a different blockchain address. The information which token is allocated to which address is stored decentralized on the blockchain itself and therefore on numerous so called “full nodes” that are operated all over the globe. Crypto custody therefore cannot refer to the storage of tokens on local storage media, but only to the case in which virtual tokens are received on a blockchain address to which the custodian holds the private key.
IS THE SAFEKEEPING OF PRIVATE KEYS TO MULTISIG WALLETS A CRYPTO CUSTODY SERVICE?
Multisignature wallets require private keys of two or more users in order to transfer tokens. This ensures that wallet holders can only collectively dispose of the tokens allocated to that wallet. Multisig wallets are e.g. used if crypto assets are temporarily kept in fiduciary capacity to settle transactions. The fiduciary cannot dispose over the wallet balance without the client and vice versa. This ensures a safe transaction settlement for all participants. According to the wording of the draft, this would constitute a crypto custody service by the fiduciary because he would hold private keys that are intended to transfer or manage crypto assets for his client. The definition draft of crypto custody services does in no way require the sole power of disposition over the crypto assets or private keys by the service provider.
CAN IT BE INTENDED TO REGULATE FIDUCIARIES USING MULTISIG WALLETS AS CRYPTO CUSTODY SERVICE PROVIDERS?
According to the explanatory memorandum to the draft proposal of the German Government, it is intended that especially service providers storing their client’s crypto assets in a collective holding without the client’s knowledge of the cryptographic key are subject to this regulation. In contrast to that, the mere providing of hard- or software to secure customer private keys without the provider having access to the stored data to use them shall not be subject to the regulation as long as the customer is solely responsible for the storage. Multisig fiduciaries, which are not explicitly addressed by the explanatory memorandum are in between the two alternatives. It is therefore unclear if the German Government wants to subject them to the regulation or not. According to the explanatory memorandum the overall reason for the regulation of crypto custody services are AML considerations. The business model of Multisig fiduciaries, the settling of transactions, is rather prone for money laundering which is a good argument for their subjection to the regulation. On the other hand, fiduciaries are already subject to the Money Laundering Act which only in certain cases subjects them to AML obligations. It seems as if at first BaFin as the competent authority and maybe later the administrative courts will have to define the details of this regulation via administrative practice or rather via judgement.
Attorney Lutz Auffenberg, LL.M. (London)