As of the 1st of January 2020, BaFin will accept applications for authorization for the new financial service of crypto custody services. Several national and international market participants have already shown a keen interest in obtaining authorization for this financial service. Even though it remains to be seen which companies will actually apply for authorization and which of those applicants BaFin will approve, it nonetheless seems likely that several companies will be authorized for crypto custody services in the course of 2020, so that from then on crypto custody in Germany will take place under BaFin supervision. Since the legislator took its time with the final version of the amendments to the German Banking Act (KWG), the authority did not have much time to develop an administrative practice for the authorization and supervisory process. Since the crypto custody service is hardly comparable to any other regulated financial or banking service, BaFin has to apply due diligence when developing the requirements it will demand under the ongoing supervision of crypto custody services in the future. One of the main aspects will be the risk management strategy of crypto custody service providers, since these businesses are subject to very specific risks compared to other institutions.
WHAT ARE THE GENERAL REQUIREMENTS THAT FINANCIAL SERVICE PROVIDERS MUST MEET REGARDING THEIR RISK MANAGEMENT STRATEGY?
The establishment, implementation and constant development of an adequate risk management strategy is a key aspect of financial services supervision. The KWG requires financial institutions to develop and implement a procedure to determine and ensure their risk-bearing capacity. A careful and restrictive determination of the risks and of the necessary risk coverage potential has to be the basis for these procedures. In principle, the institutions are obliged to decide autonomously how they implement the legislative requirements. BaFin as the supervisory authority is merely tasked with censuring shortcomings and intervening if it comes to the conclusion that an institution does not fulfill these legislative requirements. In order to facilitate the fulfilment of these obligations, BaFin substantiated its administrative practice and published the minimum supervisory requirements for risk management (MaRisk). Supervised institutions therefore know what the competent authority requires of them and can orient themselves by the requirements of the MaRisk when developing their risk management strategy. In addition to the specifications regarding the general risk management strategy and risk-bearing capacity, the MaRisk also includes the minimum requirements for the design of internal monitoring systems and stress tests, as well as design and process requirements for technical and staff capacities and IT emergency plans.
WHAT ARE THE ADDITIONAL RISKS THAT CRYPTO CUSTODY SERVICE PROVIDERS WILL FACE?
In comparison to other financial service providers, crypto custody service providers will face additional, crypto-specific risks. One of those crypto-specific risks is the risk of losing the private keys to customers' crypto assets, especially since these keys cannot be replicated and losing the private key equates to losing the crypto asset itself. The risk management strategy of crypto custody service providers will therefore have to address this issue extensively. Another aspect that the risk management strategy will have to address is the adequate protection of customer private keys against unauthorized third-party access, since knowledge of the private key equates to the ability to dispose of the associated crypto asset. If a third party obtains knowledge of the private key, they will be able to transfer the associated crypto asset to another wallet and thereby permanently remove it from the crypto custody service provider's control. It must be taken into consideration that attacks on custody wallets do not necessarily come from unrelated third parties outside the company but can potentially also be carried out internally by employees. Crypto custody service providers will have to protect themselves from these risks through the use of multisig wallets and the careful selection of employees with access rights. Another question that will arise with regard to the IT equipment is to what extent the systems can be connected to the internet or to cloud solutions while minimizing the danger of external hacker attacks.
BAFIN DEVELOPS ADMINISTRATIVE PRACTICE REGARDING CRYPTO CUSTODY SERVICES
BaFin has already announced that it is developing an administrative practice concerning crypto custody services. Companies that have already expressed interest in applying for authorization to conduct crypto custody services will be informed individually by BaFin as soon as the authority has substantiated its administrative practice, in order to allow future applicants to prepare their applications thoroughly and comprehensively. This will certainly take a while. Nonetheless, future crypto custody service providers should start to grapple with the requirements now in order to keep the application preparation time as short as possible.
Attorney Lutz Auffenberg, LL.M. (London)