In Germany, crypto custody is already an activity requiring a license under the German Banking Act (KWG). With the Markets in Crypto Assets Regulation (MiCAR) coming into effect, it will also constitute a regulated crypto asset service at the European level in close future, which may only be provided with a previously obtained BaFin license. However, the licensing requirement itself is not the only regulatory obligation of future crypto custodians under MiCAR. Rather, the new regulation provides for a number of special obligations for crypto custodians that they will have to fulfill both as part of the MiCAR licensing process to be completed and in their subsequent ongoing business operations. Specifically, MiCAR imposes legal requirements on the content of crypto custody agreements, the segregation of client crypto assets from the crypto asset service provider’s own holdings, sub-custody relationships and internal procedures to ensure the proper business organization of crypto custodians.

Requirements Regarding the Content of Crypto Custody Agreements

MiCAR also strengthens the private rights of crypto custody clients vis-à-vis crypto custodians. Thus, MiCAR establishes some minimum requirements that must be regulated in crypto custody contracts. In addition to the identities of the contracting parties, a description of the custody services, the definition of the means of communication for the contractual relationship, the regulation regarding fees as well as the applicable law, custody contracts according to MiCAR must in the future also contain explanations regarding the security systems and the custody policy of the provider. Every crypto custodian must have a custody policy. It is intended to outline the internal procedures and processes to secure clients’ crypto assets to minimize risks resulting from fraud, cyberattacks, or negligence. Crypto custody agreements will be required by MiCAR to include a summary of the custody policy. With respect to the liability of crypto custodians, MiCAR does allow for an aggregate limitation of liability to the equivalent value of lost crypto assets at the time of loss. However, it will not be possible to exclude liability for acts of ordinary negligence. Furthermore, crypto custodians will be obliged to keep a constantly updated inventory register of the crypto assets held in custody for each customer. In the event of, for example, airdrops or fork events, the customers will also be legally entitled to any new crypto assets created as a result. Crypto custodians will also have to inform their customers in advance about such events and, if necessary, obtain instructions.

Strict Requirements for Sub-Custody

MiCAR imposes particularly strict obligations on crypto custodians with regard to the use of sub-custodians. If crypto custodians wish to have crypto assets entrusted to them by clients held in custody by a third-party provider, they must disclose this to their client in any case. Sub-custody without prior information of the customer will therefore always be inadmissible. Furthermore, crypto custodians shall only be allowed to use crypto custodians as sub-custodians under MiCAR who themselves hold a license under MiCAR to provide crypto custody services. The use of sub-custodians that either do not possess a license at all or only possess a license from an authority outside the European Economic Area (EEA) for crypto custody is therefore not possible under MiCAR. In this respect, MiCAR will ensure that third-party custody of crypto assets for clients in Europe will only be possible under the application of MiCAR regulations.

Atty. Lutz Auffenberg, LL.M. (London)