There are not only electronic securities but also crypto securities since the Act on Electronic Securities (eWpG) went into effect on the 10th of June 2021. According to the legal definition, the term also includes unsecured electronic bearer bonds which are registered in a crypto security register. The legislator simultaneously turned the operation of such crypto security registers into an activity which is subject to authorization by amending the German Banking Act (KWG) accordingly. Whoever intends to commercially operate a crypto security register in Germany is therefore obligated to obtain prior authorization from BaFin and to fulfill all the legal requirements to obtain such an authorization. However, looking at the eWpG and the KWG it is not absolutely clear who exactly is subject to this new obligation to obtain authorization. 


It is however certain according to the KWG, that only persons and businesses who actually operate a crypto security register can be subjected to this obligation. In order to determine who indeed operates a crypto security register, it first has to be clear what a crypto security register actually is. The eWpG does not provide a definition. It merely stipulates that crypto security registers are a subset of electronic security registers. Crypto securities are defined by the eWpG as electronic securities, which are registered with a crypto security register. It is furthermore defined in sec. 16 of the eWpG that crypto security registers have to be kept on a recording system that is forgery-proof, records the data in the correct chronological order and is secured against unauthorized deletion and subsequent changes. More informative than the eWpG itself is the associated explanatory memorandum, in which the legislator clarifies that not necessarily the operator of the register’s infrastructure is subject to the obligation to obtain authorization, but rather the body which is competent for the registration. The eWpG defines this as the person or entity, which has been named as the competent body for the registration by the issuer of the crypto security vis-à vis the bearer of the crypto security. Also the issuer itself can be the competent body for the registration. The definition of operating a crypto security registry in the KWG is therefore a somewhat unfortunate one. It would have been clearer and better to understand to explicitly regulate the activities of the competent bodies of registration which are connected to crypto securities as a financial service.


The operation of a crypto security register is regulated by the KWG as a financial service which is subject to authorization. It is therefore prohibited to operate a crypto security register without the proper authorization by BaFin. Market participants who do so without authorization commit a criminal offence and also conduct unauthorized business, which can immediately be prohibited and rescinded by BaFin. Problems may arise in this context, if companies which accompany token issuances offer to the issuer of a tokenized bearer bond to keep a register of data related to the issuance. The fact that crypto security registers have to be designed in a decentralized way and that the eWpG specifically determines which data has to be kept by the competent body of registration in the crypto security register merely stipulates an obligation for the competent body of registration. Conversely, infringements of these obligations cannot lead to the result that an activity as a competent body of registration is not given. This would reduce the new obligation to obtain authorization to the point of absurdity. At least as problematic as the aforementioned one is the case in which issuers of tokenized bearer bonds keep data related to the issuance themselves, without naming a competent body of registration. In these cases, they are considered by the eWpG as the competent body of registration themselves. According to the wording of the KWG, the operation of a crypto securities register is generally subject to authorization and it is not necessary that the activity is performed for a third party. It can therefore not be ruled out that the obligation to obtain authorization is applicable to the issuers of tokenized bearer bonds themselves.


BaFin should immediately issue a guidance to the abovementioned definition issues and also determine within its administrative practice at what point an activity as a competent body of registration is assumed. Considering the fact that up to this point in time no company has been issued the authorization to operate a crypto security register by BaFin, issuers and service providers accompanying issuances can right now only be advised to not design tokenized securities as bearer bonds, because the stipulations of the eWpG are currently only applicable to those. Tokenized securities which are designed as registered bonds are currently not included, so that they are not subject to the abovementioned risks.


Attorney Lutz Auffenberg, LL.M. (London)