On the 1st of June 2022, BaFin published its eagerly awaited note concerning the financial service of operating a crypto security registry. The note specifically targets the upcoming authorization process of companies that intend to offer crypto security registry services in the future. According to the applicable interim regulation, companies which were interested in offering the services had the option to obtain a provisional authorization by informing Bafin about their intention until the 10th of October 2021 and starting the respective business activities on the 10th of December 2021 at the latest. The law also stipulates that operators of such provisionally authorized activities must submit a complete application to BaFin until 10th of June 2022. In case of missing the deadline, the provisional authorization must be revoked. With that in mind, the note of BaFin outlining the requirements that the authority applies to the application in terms of completeness of the authorization application are published only ten days prior to the expiration of the deadline and therefore quite late.
What Information does BaFin Provide on the Authorization Process for Crypto Securities Registrars?
The published note does not tackle every relevant aspect of the authorization process, but rather focusses on specific aspects. Next to explanations concerning the transitional period and the provisional authorization, the supervising authority also points out that the authorization process pursuant to section 32 subsection 1 of the German Banking Act (KWG) is based on the requirements stipulated by the reporting ordinance on the KWG. With regards to the content of the applications, BaFin clarifies that it expects the focus to be put on information security. BaFin also points out, that operators of crypto security registries must show a regulatory starting capital of at least 150,000 euro and that the applicable regulations only require the businesses to be managed by a single fit and proper director who is able to dedicate a sufficient amount of time to the business. Nonetheless, BaFin emphasizes that it will generally be appreciated, if two or more directors are simultaneously in charge in order to be able to comply with the doublecheck principle, which is applicable in many fields of financial services. Furthermore, the authority reminds the registrars of the fact that they will be subject to the stipulations of the German Money Laundering Act because they are financial service institutes and that they will have to fulfill their preventive obligations. Finally, BaFin informs about the fact that fees for the authorization process are not redeemable should the authorization be rejected.
What Are the IT Requirements for Operators of Crypto Security Registries?
The operation of a crypto security registry is necessarily a purely IT-based service. It is therefore not surprising that BaFin, just as with crypto custodians, places the regulatory focus on the security of the IT-systems and the general strategic direction of the businesses in the IT-area. BaFin already intends to focus the evaluation of the professional aptitude of directors of operators of crypto security registries on the technical and IT-specific skills of the potential directors. It is therefore required to comprehensively display the IT-strategy and architecture of the business within the application. The implemented technical and organizational security measurements must be explained. The security needs in the IT-area must be phrased and processes for the implementation have to be displayed. Specific must be met should businesses intend to use cloud-solutions. These include e.g. the guarantee that all data must be stored in Europe. Besides all this, information regarding the rights and role concept within the authorization management must be provided and an effective supervisory concept must be installed. Furthermore, BaFin’s supervisory minimum requirements concerning the IT of banks (BAIT) as published in the BaFin memo 10/2017 are applicable just as with all other financial services institutes.
Attorney Lutz Auffenberg, LL.M. (London)