Apr 22, 2025

MiCAR Transition – What are BaFin’s Obligations towards CASPs under MiCAR Grandfathering?

The regulations on the authorization requirement and compliance with specific compliance obligations for crypto asset service providers (CASP) have been in force since December 30, 2024. Companies that were already providing services in an EU or EEA member state prior to this date in accordance with the law applicable at that time, which are now classified as crypto asset services within the meaning of MiCAR, may continue to offer these services to their customers for the time being, even if they have not yet obtained MiCAR authorization from the competent authority. In this respect, the new regulation provides for a transitional arrangement in Article 143(3) MiCAR, also known as grandfathering. Article 143(3) MiCAR provides that the continuation of legal activities prior to December 30, 2024, without the required MiCAR authorization is possible until July 1, 2026, or until the date on which the competent national supervisory authority has made a positive or negative decision on the company’s MiCAR authorization application. Under the MiCAR grandfathering rule, it is not necessary for the company to actually submit the license application at a specific point in time. Nor does the transitional provision specify whether the application for a MiCAR license must have a certain scope, in particular whether it must cover all transactions continued under the grandfathering provision. However, member states alone have the option of limiting the period of grandfathering for their jurisdiction. They are not entitled to restrict the scope of Article 143(3) MiCAR or the specific crypto services eligible for grandfathering.

Dangers Await CASPs with MiCAR Passporting

Shortly before the transitional provision on MiCAR grandfathering came into force, the European Securities and Markets Authority (ESMA) published an opinion in December 2024 on the handling of the MiCAR transitional rule for CASPs. Essentially, ESMA warned both CASPs and the national supervisory authorities responsible for them of problems with the grandfathering regime in the case of companies offering crypto asset services in several EU member states. Problems could arise insofar as individual member states have made very different use of their option to impose stricter time limits on grandfathering than the maximum provided for in MiCAR. While, for example, a maximum grandfathering period of 12 months applies in Germany and Austria, the Netherlands, Poland, and Finland allow only six months. France, Denmark, and the Czech Republic, on the other hand, grant CASPs that make use of grandfathering up to 18 months to fully implement the MiCAR requirements and obtain the necessary authorization. These differences pose risks for CASPs operating in countries with both 12-month and six-month periods if, for example, they wish to use their license obtained in Germany for business in the Netherlands by way of passporting, but BaFin does not grant the required MiCAR license until after the six-month transition period applicable in the Netherlands has expired. In this scenario, the crypto asset service provider in question would face the threat of having to cease its business in the Netherlands, as it would no longer be able to invoke Article 143(3) MiCAR after six months.

BaFin is Required to Monitor the Overall Situation Regarding the Processing of License Applications

The ESMA recommendations are addressed to both CASPs and the supervisory authorities responsible for processing MiCAR authorization applications. The crypto asset service providers are strongly advised to submit their MiCAR authorization applications as soon as possible to enable the authorities to process them within the grandfathering period. In addition, CASPs are urged to identify any problems arising from the different durations of the transitional provisions in the individual member states as quickly as possible so that, if necessary, applications for the required MiCAR license can also be submitted in member states with short transition periods. However, ESMA also expects the competent supervisory authorities to act proactively. They should engage in a detailed exchange with applicants at an early stage in order to be informed about business conducted in other member states. In this context, BaFin will have to consult with the supervisory authorities of the other member states as early as possible and on an ongoing basis in order to prevent avoidable disruptions due to a lack of authorizations after the expiry of the grandfathering periods. BaFin will also have to prioritize applications from affected CASPs.

Attorney Lutz Auffenberg, LL.M. (London)

I.  https://fin-law.de

E. info@fin-law.de

    Apr 07, 2025

    Offering AI Investment Tools: A Regulated Activity?

    Artificial intelligence (AI) or, more specifically, large language models (LLM) are no longer just on the rise, but have already arrived in many areas of business and private life. The use of chatbots and other AI applications is increasingly becoming part of everyday life. A chatbot can now answer questions that previously required extensive Google searches and visits to many different websites, including maneuvering annoying cookie banners and often a flood of unwanted advertising, in just a few seconds. The added value of web searches by chatbots for users cannot be denied. It is therefore no surprise that trust in and the desire for AI-supported tools is increasing in more and more areas of life. One possible use of AI/LLMs may be to use them to assist in investment decisions. Recently, ESMA also felt compelled to publish a warning about the risks of using AI in financial investments. This was also published on the BaFin website on March 28, 2025. According to BaFin, consumers should be particularly careful when buy and/or sell signals are artificially generated. AI tools and apps could provide tips or recommendations that may be inaccurate or misleading. Those who invest based on them risk significant financial losses. AI tools and apps are neither authorized nor supervised by financial regulators. This notice once again provides reason to examine the previous classification of providers of automated software-based investment services and, in this context, to examine under which conditions providers of dedicated AI investment tools require a license from BaFin.

    The So-Called Robo-Advice

    BaFin has been dealing with the topic of automated distribution of financial instruments and similar digital offers for quite some time. In an article from the 2017 annual report, BaFin already summarizes these under the term robo-advice and states that such advice generally meets the legal definition of investment advice or financial portfolio management and therefore requires a license under banking or commercial law. In a later article from 2020, BaFin reiterated its view that robo-advice can be legally classified as investment advice, financial portfolio management, acquisition brokerage or investment brokerage in an article entitled “Robo-Advice – Automated Investment Advice and Financial Portfolio Management”. In its 2022 information notice “Automatisierte und signalbezogene Beratungs- und Handelssysteme” (Automated and Signal-Based Advisory and Trading Systems), BaFin once again emphasized that a conclusive regulatory assessment is only possible if BaFin is provided with the contractual agreements between the provider and its customers in individual cases. Liability for robo-advice has also been addressed in case law. In a judgment dated May 30, 2018 – 12 U 95/16 – the Higher Regional Court of Hamm ruled that in the case of automated online trading in financial products, proprietary trading (which does not require a license) is deemed to have taken place by the person “who decides on the fundamental settings and specifications of the software”. The court stated that the decisive factor is not who actually makes the settings or where the software is installed (on the customer’s hardware or in the cloud). The court regards the main criterion as being who made the “decisive specifications” in the relationship between the parties. In the legal literature, it has been argued, among other things, that in the case of software with abstractly defined trading algorithms, the software provider has no discretion. The user is responsible for the use of the software. The decisive factor is which contractual partner can ultimately decide on its use or non-use (usually the user). Therefore, automated portfolio management should at least not be subject to authorization as financial portfolio management.

    What are the Arguments For and Against Requiring Permission for Providers of AI Investment Tools?

    First of all, it must be noted that the judgment of the Higher Regional Court of Hamm cannot be applied across the board to all robo-advisers and AI investment tools, since it is based on a case in which the investor himself actually provided essential specifications for the software. Furthermore, investors require the same level of protection with AI systems as they would with advice or management from a human. The mere power of disposition of the investor (activation/deactivation) does not change the lack of predictability of the AI decisions. LLMs are characterized precisely by the fact that they do not merely follow predefined algorithms. Without predictability for the investor, an investment decision should not be attributable to the investor. If an investor uses an ordinary AI chatbot and asks it for help with investment decisions, it is unlikely that the provider of this chatbot can be said to be performing an activity that requires a license. The situation could be different if AI-supported software is explicitly offered that automatically manages the investor’s portfolio and makes buy and sell decisions for the investor. Providers of AI investment tools should therefore check in each individual case whether their own application includes activities that require a license. If necessary, the business model should be adapted to avoid authorization requirements or to obtain a license. Consideration could also be given to cooperating with market participants who already have the necessary authorizations. After analyzing one’s own business model, an inquiry should first be made to BaFin to clarify one’s own intentions before the AI investment tool is offered to investors in Germany.

    Attorney Anton Schröder

    I.  https://fin-law.de

    E. info@fin-law.de

    The lawyer responsible for questions relating to AI Investment Tools, Robo-Adviser and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.

      Mar 31, 2025

      Issuance of Stablecoins with a Value of up to EUR 5 Million – What Advantages Does MiCAR Offer Small ART Issuers?

      So-called Asset-Referenced Tokens (ART) have been strictly regulated under the Markets in Crypto Assets Regulation (MiCAR) since the summer of 2024. According to the MiCAR definition, ARTs are a special form of crypto-assets that attempt to maintain value stability by referencing one or more other assets, without being classified as E-Money Tokens (EMT). According to the new supervisory regime for crypto-assets in the EU, in principle, initially only credit institutions and issuers specifically authorized for the issuance of ARTs are permitted to issue Asset Referenced Tokens and offer them to the public. However, MiCAR allows for an exception to this principle for micro-issuances if the equivalent value of the ART issued by the respective issuer has not exceeded the threshold of EUR 5 million over a period of twelve months. The average outstanding value is to be calculated at the end of each calendar day. If these conditions are met, the issuer of the Asset Referenced Tokens does not require a MiCAR license and does not subsequently have to apply for admission to the competent authority – in Germany, the BaFin. However, this does not eliminate all the other requirements for ART issuers that the MiCAR imposes.

      The Obligation to Prepare a Crypto-Assets White Paper Also Applies to ART Issuers under the 5-Million Exception

      One of the key obligations of issuers of crypto-assets under MiCAR is the requirement to prepare and publish a crypto-assets white paper. ART issuers, in particular, are required to prepare a crypto-assets white paper for the stablecoins they issue. The MiCAR specifies in great detail the content that must be included in the document. Under the exemption for ART issuances below the 5 million threshold, only the requirement to obtain MiCAR authorization as an issuer of Asset Referenced Tokens or to be a credit institution is waived. However, the text of the regulation explicitly requires the preparation of an ART white paper even in cases where the exemption is applied. The exemptions for issues of other crypto-assets – such as offers to no more than 150 investors per member state or free offers of crypto-assets – are generally not applicable to issues of ART. ART issuers therefore cannot get around the obligation to create a white paper, even if they always remain below the equivalent of EUR 5 million with the ART they issue.

      BaFin Does Not Have to Authorize ART White Papers under the 5-Million Exception

      MiCAR requires that white papers for ART crypto-assets must be explicitly authorized by the competent authority. This significant difference compared to the white paper to be prepared for other crypto-assets can be explained by the fact that the regulatory requirements for ART issuers are significantly more extensive than those for issuers of other crypto-assets that do not qualify as ART or EMT. However, the requirement to publish a white paper does not apply to issuers operating under the exemption for ART issuances of less than 5 million. This regulation causes problems in that it creates legal uncertainty with regard to the question of exactly how micro-issuers of ART must publish their white paper. This is because the MiCAR regulation on the disclosure requirement on the issuer’s website refers, according to its wording, exclusively to crypto-assets white papers for Asset-Referenced Tokens that have been authorized. The Central Bank of Ireland therefore asked ESMA for clarification on this issue in August 2024. However, ESMA’s response is still pending and is still being reviewed by the EU Commission. However, issuers of ART issues below the equivalent of EUR 5 million will be well advised to also publish the white paper on their own website in any case, to keep it available there from the start of the public offering, and to remove it only when no third party holds any of the issued ART any longer.

      Attorney Lutz Auffenberg, LL.M. (London)

      I.  https://fin-law.de

      E. info@fin-law.de

      The lawyer responsible for regulatory questions relating to the authorization as an issuer of asset referenced tokens and for the related exemptions at our law firm is Attorney Lutz Auffenberg, LL.M. (London).

        Mar 25, 2025

        Successful Book Launch at FIN LAW for the New MiCAR Handbook by Dr. Johannes Meier

        Last Friday, we were pleased to welcome a large number of academic guests at our premises at the Senckenberg Tower in Frankfurt. The guests included Dr. Johannes Meier and Prof. Dr. Sebastian Omlor, along with their academic entourage from the Marburg Institute for the Law of Digitalization (IRDi) and numerous other authors of the MiCAR Handbook, which was recently published by Erich Schmidt Verlag and edited by Dr. Johannes Meier. After a brief welcome by Attorney Lutz Auffenberg, LL.M., FIN LAW Attorney Anja von Rosenstiel, LL.M., who was live-streaming from Boston, Massachusetts, provided some insights into the current state of crypto regulation in the US, which is also the subject of her chapter contribution to the MiCAR Handbook. Afterwards, editor Dr. Johannes Meier and his academic teacher Prof. Dr. Sebastian Omlor expressed their thanks and praise for the work and its creators, and then celebrated the publication of the handbook with a successful get-together with wine and snacks, enjoying the view of the metropolis on the Main.

          Mar 24, 2025

          Qualified Crypto Custody – Are NFTs Regulated as Cryptographic Instruments in Germany?

          The Markets in Crypto Assets Regulation (MiCAR) has been fully applicable in the European Union for almost three months now, imposing uniform compliance and licensing requirements on crypto service providers throughout the Union. The national crypto regulation previously in force in Germany has thus become obsolete. However, a small remnant of national regulation remains for the area of crypto custody even under the MiCAR regime. In the course of the implementing law regulating the transition to the MiCAR regime, the German legislator had to find a solution for those companies that, with their national crypto custody license, were allowed to hold crypto assets prior to the entry into force of the MiCAR, which now fall outside the scope of the MiCAR. The rationale of the government for the Financial Market Digitization Act, which implemented the transition to MiCAR, was that the transition should not limit the scope of the custody portfolios of crypto-custodians with a national KWG license. In particular, this issue concerned crypto assets that also meet the requirements for a financial instrument within the meaning of the MiFID2 regulation. MiCAR explicitly excludes such financial instruments from its scope of application. Also excluded from the scope of MiCAR are so-called non-fungible tokens (NFT), i.e. crypto assets that are individually designed and not interchangeable with other crypto assets of the same type and quality.

          Can an NFT be a Cryptographic Instrument within the Meaning of the KWG?

          To solve this problem, the German legislator introduced the new regulatory category of cryptographic instruments. It is important to understand that cryptographic instruments are not financial instruments within the meaning of the KWG, but a special category of instruments that only play a role to the extent that only financial services institutions with a license for qualified crypto custody are allowed to hold cryptographic instruments. Cryptographic instruments do not play a role for other types of permission. Cryptographic instruments are defined in the KWG in continuation of the former national crypto-value concept – which was to be abolished – as digital representations of a value that has not been issued or guaranteed by any central bank or public authority and does not have the legal status of a currency or money, but is accepted by natural or legal persons as a means of exchange or payment or for investment purposes on the basis of an agreement or actual practice and can be transferred, stored and traded electronically. The KWG also explicitly excludes four types of instruments from the definition, namely e-money, monetary values in closed-loop models, crypto assets under MiCAR and securities within the meaning of the German Securities Deposit Act (Depotgesetz). Accordingly, to the extent that an NFT meets the legal definition in an individual case and constitutes a cryptographic instrument, the custody of the NFT in Germany may require a license from BaFin to provide qualified crypto custody. In particular, this may apply to NFTs that are used for investment purposes.

          BaFin May also Grant an Isolated License for Qualified Crypto Custody Business in Accordance with the KWG

          The custody of NFTs or cryptographic keys (private keys) for NFTs for customers can therefore qualify as a qualified crypto custody transaction, even if the custody is offered, for example, only as an additional service to the operation of an exchange platform for the NFTs. Qualified crypto custody is a fully-fledged financial service within the meaning of the KWG, so that in such cases an application for a corresponding license can be submitted to BaFin. It is irrelevant whether the applicant company in question also has a license under the MiCAR for crypto custody or another crypto service. A license under the KWG and an authorization under the MiCAR can be granted concurrently. The requirements for a license application under the KWG are extensive. In particular, the applicant must present a viable business plan for the first three financial years, have reliable and professionally suitable managers who can devote sufficient time to managing the business, and be able to demonstrate that it has a business organization that meets the minimum regulatory standards with regard to risk management, IT security, money laundering compliance and emergency management. The regulatory minimum capital that qualified crypto custodians must be able to demonstrate at all times is 150,000 euros, provided they do not also trade in financial instruments for their own account.

          Attorney Lutz Auffenberg, LL.M. (London)

          I.  https://fin-law.de

          E. info@fin-law.de

          The lawyer responsible for regulatory questions relating to NFTs and BaFin authorization procedures at our law firm is Attorney Lutz Auffenberg, LL.M. (London).

            Mar 17, 2025

            DORA in Action: What are Critical or Important Functions and Why Does It Matter?

            Regulation (EU) 2022/2554, also known as DORA, has come into force and presents new challenges for financial entities. This regulation aims to minimize the risks arising from digital transformation and increasing interconnectedness in the finance and insurance industry. DORA focuses on managing threats such as cyberattacks and business interruptions in order to strengthen operational resilience. The requirements that DORA places on financial entities are complex and involve a considerable amount of red tape. Nevertheless, the regulation promotes important minimum standards in the area of digital operational resilience. DORA is supplemented by regulatory technical standards (RTS) and implementing technical standards (ITS), which are developed by the European Supervisory Authorities (EBA, EIOPA and ESMA) in collaboration with national supervisory authorities and adopted by the Commission. Many of these RTS have already entered into force and provide financial companies with specific guidelines for implementing the DORA requirements. However, despite the broad applicability of DORA and the RTS, uncertainties remain in the interpretation and implementation in individual cases. The lack of binding interpretation guidelines makes it difficult for financial entities to fulfill the numerous new obligations. In many areas, there is still a great deal of uncertainty among financial companies. A concrete example of the existing difficulties faced by financial companies can be found in the supposedly simple task of creating a register of information, filling it out correctly and then providing it to BaFin in a timely manner. Aside from the technical difficulties, the biggest problem here is that a preliminary question must first be answered: whether a function provided by a third-party ICT service provider is important or critical.

            Important or Critical Function – Why is Classification Practically Relevant?

            So what are critical or important functions in the sense of the DORA regulation? The regulation does not define what a function is in the sense of DORA. It is possible that the European legislator took for granted what is meant by this and therefore refrained from providing a definition. From the context and the objectives of the regulation – namely to strengthen the digital operational resilience of business operations – it can be concluded that functions in the sense of DORA mean operational and business functions of a financial entity. DORA defines in Art. 3 no. 22 a critical or important function as a function whose failure would materially impair a financial entity’s financial performance or the soundness or continuation of its operations and services, or whose interrupted, defective, or omitted performance would materially impair a financial entity’s continued compliance with the licensing conditions and obligations or its other obligations under applicable financial services law. In short, these are functions whose failure would have a significant adverse effect on financial performance, business continuity or regulatory compliance. This classification is of practical relevance for ICT third-party service providers that provide such critical or important functions or support significant parts of them. Among other things, this means that the requirements for the design of the contract are much more extensive. Furthermore, only the direct ICT third-party service provider has to be specified in the register of information for non-critical functions. For critical or important functions, on the other hand, all subcontractors in the ICT service chain must also be recorded.

            The Register of Information and Initial Guidance from BaFin

            Pursuant to Article 28 (3) DORA, financial entities must maintain a register of information (RoI) that covers all contractual agreements on the use of ICT services provided by third-party ICT service providers. The register is to be made available to the competent authorities on an annual basis. Initially, the registers are to be submitted to BaFin on April 11, 2025. The requirements for the registers of information are set out in Commission Implementing Regulation (EU) 2024/2956 (RTS RoI). On March 6, 2025, BaFin hosted a workshop on the submission of the registers of information to provide guidance and assistance to the financial entities concerned. BaFin is visibly endeavoring to support financial entities in implementing DORA. The registers of information must be created as structured files according to the ESAs’ taxonomy. BaFin provides an Excel template for this purpose and also accepts registers that have been created using this template. In order to make it easier for smaller financial entities in particular to submit the information, BaFin will convert the completed Excel templates into the target format. During the workshop, BaFin also addressed the question of how to determine whether a subcontractor in the ICT service chain is to be included in the register of information. BaFin has proposed three orientation questions for this purpose:

            1. Is there a direct dependency between the ICT service and the subcontractor?
            2. Does the subcontractor ensure the provision of essential parts of the ICT service to support a critical or important function?
            3. Could a disruption at the subcontractor affect the security or continuity of the ICT service?

            BaFin also pointed out that the principle of proportionality and a risk-based approach must be taken into account. The interpretation proposed by BaFin is to apply subject to any later conflicting interpretations by the ESAs. Despite the proposed systematic questions, uncertainties remain for financial entities. After all, they have to decide on a case-by-case basis whether or not to include a subcontractor in the chain of subcontractors. The effort required to identify all subcontractors in the chain is a major undertaking in itself. In addition, each subcontractor must be considered.

            Attorney Anton Schröder

            I.  https://fin-law.de

            E. info@fin-law.de

            The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.

              Mar 11, 2025

              Lutz Auffenberg and FIN LAW have Again been Recognized by WiWo

              We are pleased that the renowned WirtschaftsWoche (WiWo) has once again named our founding partner Lutz Auffenberg, LL.M., as a top lawyer in banking and finance law. WiWo has also once again named the FIN LAW law firm as a top law firm in the area of banking and finance law. As a basis for the award, the Handelsblatt Research Institute conducted surveys among a total of 1,900 lawyers from 146 law firms and had these surveys evaluated by a jury of experts. In the end, 25 law firms and 37 lawyers were honored. We are extremely proud that both Attorney Lutz Auffenberg, LL.M., and FIN LAW as a whole have once again managed to make it to the top of this prestigious ranking. We also congratulate all other awarded law firms and colleagues and would like to express our sincere thanks for the great trust and appreciation of our work.

                Mar 07, 2025

                The New FIN LAW Website – Familiar Quality in a New Design

                We are pleased to present the new FIN LAW website. Our website is now faster and more modern than before and also looks better. Of course, the redesign of the website has no negative impact on our services. On the contrary: in particular, the clearer design of our blog makes it even easier for interested website visitors to find information on their respective areas of interest.

                The posts on the various topics are now linked by keywords. This allows interested visitors to quickly and easily view our posts on the respective topics without having to click through all of our blog posts. We hope all our visitors enjoy the new site.

                  Nov 20, 2024

                  Attorney Lutz Auffenberg Comments on Art. 36 to 47 MiCAR in Kalss/Krönke/Völkel

                  As the first legal commentary on the new Markets in Crypto Assets Regulation (MiCAR) in the German-speaking area, the book “Crypto Assets” by the editors Prof. Dr. Susanne Kalss, Prof. Dr. Christoph Krönke and Attorney Dr. Oliver Völkel, LL.M. has now been published by the publishing house C.H. Beck. Our founding partner, Attorney Lutz Auffenberg, LL.M., contributed the commentary on Art. 36 to Art. 47 MiCAR. The articles commented on by him concern the provisions on the reserve of assets to be held by issuers of asset-referenced tokens (ART) (Art. 36 – 40 MiCAR), the takeover of issuers of asset-referenced tokens (Art. 41 and 42 MiCAR), the classification of asset-referenced tokens as significant (Art. 43 to 45 MiCAR) and the provisions on the recovery plan and the redemption plan (Art. 46 and 47 MiCAR). In addition to the commentary on the MiCAR, the book “Crypto Assets” contains commentaries on the DLT pilot regime, relevant passages of MiFID II and the EU Prospectus Regulation, MAR and the Second E-Money Directive, the European Anti-Money Laundering Directive, and the draft of the German Crypto Markets Supervision Act (KMAG) for the implementation of the MiCAR provisions, which is currently ready for a vote in the German Bundestag.

                    Nov 14, 2024

                    Attorney Lutz Auffenberg LL.M. (London) as Guest in Web3 NextLevel Podcast

                    Our partner, Attorney Lutz Auffenberg, LL.M. (London), was a recent guest on André and Jasmin’s Web3 NextLevel Podcast. The Web3 NextLevel Podcast is a weekly business podcast that primarily covers topics such as Web3, blockchain and cryptocurrencies. In this episode, André, Jasmin and Lutz discuss, among other things, the historical development of crypto regulation in Germany and Europe, the future of that regulation, particularly under the MiCAR regulation that will soon be applicable throughout Europe, and the impact of this development on business models related to crypto assets and cryptographic currencies. Lutz shares insights from his advisory practice and also provides some advice for both young and established companies that want to gain a foothold in this area. Interested listeners can access the podcast episode (German language only) with Lutz on MiCAR regulation here from 13 November 2024.


                      Nov 11, 2024

                      MiCAR Transition Without National Framework Legislation – What Happens if the German Parliament Does Not Pass the KMAG by the End of the Year?

                      The governing coalition in the German Parliament consisting of the SPD, the Green Party and FDP is history. All that is left of the so-called “traffic lights coalition” that started about three years ago is a pedestrian light without a yellow phase. For the federal government, this means that majorities must be sought and formed in parliament for all legislative proposals still to be passed. The support of the opposition parties in the parliament, which have not themselves helped to shape draft legislation that is ready to be voted on, is likely to be granted only in a few cases, particularly in view of the election campaign that began immediately after the end of the governing coalition. The fate of the draft legislation under the Financial Markets Digitization Act (FinmaDiG), which has been on the table for many months, and the associated draft regulations on the MiCAR transition, namely the MiCAR Application Regulation and the MiCAR Transit Regulation, is therefore more than uncertain. It seems very unlikely that the proposals can still be adopted by 30 December 2024. From this date, the provisions of MiCAR will have direct legal effect in their entirety in EU member states. For companies with crypto-related business models, this means that they must have an authorization or notification under the new Regulation on the basis of which they are allowed to provide their crypto services. But what is the legal situation for the German crypto industry if the German legislator does not manage to enact national framework legislation by the time the new regulatory regime under MiCAR comes into force?

                      Draft of the KMAG is to Create a Legal Basis for the Application for Approval in Accordance with MiCAR

                      With the Crypto Markets Supervision Act (KMAG), the German legislator plans to create the national legal framework for the implementation of the MiCAR regulations. In particular, the KMAG is intended to define BaFin’s responsibility for supervising compliance with the provisions of the new regime. In particular, BaFin is to be responsible for processing applications for authorization under MiCAR and the ongoing supervision of crypto-asset service providers. Additionally, the KMAG is to establish BaFin’s competence for, e.g., acquisition control proceedings under the new regime and the prosecution of crypto services operated without required authorization under MiCAR. The draft legislation also contains a number of other special rules, such as supplementary provisions to the regulations set out in MiCAR and a comprehensive catalogue of administrative offenses for cases in which it or the KMAG are violated. However, the actual procedures for submitting an application for a MiCAR license or for using the notification option for existing institutions with an existing license under national financial supervisory law are defined by the MiCAR itself, with the exception of a few detailed questions. It is therefore only imperative that the German legislator legally regulates which national authority will be the competent authority within the meaning of MiCAR by the time it comes into force. Without this definition, there will be no legal basis for submitting applications to BaFin under MiCAR, with the result that BaFin will not be able to process such applications.

                      What Applies to Existing Institutions and Institutions with a Provisionally Granted License in Accordance with Section 64y KWG?

                      If the German Parliament does not pass the KMAG in time before 30 December 2024, only the MiCAR will apply to existing institutions and crypto service providers already operating legally. The transitional provisions therein stipulate that providers of crypto-asset services that provided their services under current law before 30 December 2024 may continue to do so until 1 July 2026 at the latest or until the date on which they receive an authorization or denial under the provisions of MiCAR. The starting point for the deemed approval is therefore solely the question of whether the company in question provided crypto-asset services under applicable law prior to 30 December 2024. In particular, the wording makes no distinction as to whether a company had a provisional or final license to provide crypto asset services before 30 December 2024. As a result, if the German legislator fails to act on national framework legislation for the MiCAR transition, crypto custodians with a provisional KWG license could also continue to operate their business for the time being. It is true that MiCAR provides national legislators with the option of deciding not to make use of the transitional regulation for crypto asset service providers. However, such a decision is likely to require an active legislative act, which has not yet taken place and is unlikely to be adopted by 30 December 2024.

                      Attorney Lutz Auffenberg, LL.M. (London)

                      I.  https://fin-law.de

                      E. info@fin-law.de

                      The lawyer responsible for questions relating to MiCAR, the transition to the MiCAR regime and related transitional provisions at our law firm is Attorney Lutz Auffenberg, LL.M. (London).


                        Nov 04, 2024

                        Getting Ready for DORA (Part VI) – Only a Financial Company or Already ICT Third-party Service Provider?


                        From 17 January 2025, companies will be required to comply with the new requirements introduced by DORA. This regulation specifically addresses the challenges of digital transformation and increasing interconnectedness in the financial industry. In this context, DORA aims to minimize risks such as cyberattacks and operational disruptions. Financial institutions and their ICT service providers must take comprehensive measures to improve their digital resilience and thereby promote the security and stability of the entire industry. DORA is an extremely complex set of rules. The regulation comprises 64 articles, which are supplemented by a series of Regulatory Technical Standards (so-called RTS). The RTS are intended to create uniform standards throughout the EU, so that all affected financial institutions throughout the Union must meet the same requirements. RTS specify and clarify the general requirements of DORA. They are being developed jointly by the relevant European Supervisory Authorities (ESA), EBA, EIOPA and ESMA. Even though many of these RTS have now been published or are available as drafts, DORA still raises a number of questions of interpretation. This is particularly precarious as the time until DORA comes into force is getting shorter and shorter and the affected companies need to prepare for the regulation. One of these questions concerns the applicability of DORA to a financial company that provides services for another financial company. When can we assume that this is an ICT service that makes the providing financial company an ICT third-party service provider within the meaning of DORA? Do the requirements of DORA now also have to be met between two companies that are already regulated by the supervisory authorities? This question has significant consequences, since classifying a financial company as an ICT third-party service provider would, among other things, have far-reaching consequences for the contractual relationship between the ICT third-party service provider financial company and the client financial company.

                        Unclear Provisions in DORA Regarding the Term ICT Third-Party Service Provider

                        DORA defines ICT third-party service providers as companies that provide ICT services. In addition, recital 63 states that financial institutions that provide ICT services to other financial institutions should also be considered ICT third-party service providers under the regulation. Thus, it is clear that financial institutions can in principle also be ICT third-party service providers if they provide ICT services to other financial institutions. According to the DORA, third-party ICT services are digital and data services that are provided on a permanent basis to one or more internal or external users via ICT systems, including hardware as a service and hardware services, which also includes technical support provided by the hardware provider by means of software or firmware updates, with the exception of traditional analog telephone services. This definition is, as intended by the regulator, very broad. This is clarified in recital 35 of the DORA, which emphasizes that it is intended to address all risks arising from all types of ICT services. To this end, the definition of ICT services in the context of DORA should be interpreted broadly to include digital services and data services provided on an ongoing basis to one or more internal or external users via ICT systems. Furthermore, recital 79 mentions examples of ICT services as the use of cloud computing services, software solutions and data-related services. Assuming that a financial company regulated under MiFID II or MiCAR provides a regulated financial service to another financial company and makes the financial service available to it on a permanent and digital basis, this raises the question of whether the requirements of DORA would have to be met in addition to the existing requirements for the financial service. The definition would readily allow for such a view, which would mean increased bureaucracy and additional costs for financial companies – all for the benefit of the digital operational resilience of the financial market. However, it remains questionable whether traditional financial services should automatically be classified as ICT third-party service providers just because they are provided digitally.

                        The Industry Calls for Binding Clarification

                        In their FAQ as part of the “DORA 2024 Dry Run Exercise on Reporting of Registers of Information”, the ESAs comment on the interpretation of ICT services to the effect that if a financial entity requires authorization, licensing or registration as a financial entity to provide a service, then that service is a regulated financial service and not an ICT service for the purposes of DORA. This interpretation would make it possible to exclude purely financial services that are not traditional cloud computing services, software solutions or data-related services from the scope of the DORA. On October 1, 2024, the trade and interest associations FIA, AFME, EACH, ECSDA and FESE issued a joint statement on this topic in which they call on the ESAs to adhere to the view from the Dry Run for the upcoming DORA and to determine as quickly as possible that financial services should not be treated as ICT services for the purposes of the DORA. They also call for clarification that regulated financial services include all services and activities subject to the supervision of a financial services regulator, including any ancillary or delegated services. This call is to be welcomed. Clarification is urgently needed to create legal certainty in the implementation of DORA. Regulated financial firms are already subject to extensive obligations and meticulous supervision with regard to their supervised business activities. Any application of DORA going beyond this would mean additional work and expense, with only a negligible added value in terms of financial market security. However, it remains to be seen how the ESAs will position themselves.

                        Attorney Anton Schröder

                        I.  https://fin-law.de

                        E. info@fin-law.de

                        The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with the assistance of Attorney Anton Schröder.
