
Oct 20, 2025

Payment Services in Online Gambling – Where Are the Limits for What Is Permissible?

Gambling regulation in Germany is fundamentally a matter for the federal states. The rules on which forms of gambling are permissible are therefore laid down separately in the gambling laws of each federal state. For online gambling, however, the states have opted for uniform rules that apply throughout Germany, which makes sense because access to online offerings does not stop at state borders. To this end, the sixteen federal states concluded the State Treaty on Gambling (GlüStV) in 2021. Besides some general provisions on land-based offerings, it contains common rules for internet-based gambling and strict compliance obligations for organizers and intermediaries of online gambling. In addition to the requirement to obtain prior permission before organizing, for example, virtual slot machine games, online casino games or sports betting, Section 4 (1) sentence 2 GlüStV lays down a so-called prohibition of contribution, which prohibits the provision of payment services to providers of unauthorized gambling. Section 4 (1) sentence 3 GlüStV extends this otherwise straightforward principle: contributing to payment transactions for a provider's other services is also prohibited if the provider mixes fundamentally permissible services with the offering of unauthorized gambling.

Payment Institutions Must Fully Understand Their Customers’ Business Models

Compliance with the prohibition of contribution under Section 4 (1) sentence 3 GlüStV can be quite challenging for payment institutions. To avoid violating it, a payment institution must understand its customer's business model comprehensively and be able to classify it under gambling law. If a customer's services include gamification elements or simply random chances of winning, the payment institution must determine with legal certainty whether the business model contains elements of unauthorized gambling. Where the mixture of fundamentally permissible services and unauthorized gambling means that payments for the permissible services cannot be clearly separated from payments relating to unauthorized gambling, so that the illegal payment flows are not clearly identifiable, the prohibition of contribution under Section 4 (1) sentence 3 GlüStV applies. As a consequence, the payment service provider may neither execute such payments nor provide payment services in relation to such transactions. Payment institutions must therefore thoroughly review the business models of their commercial customers for any elements of unauthorized gambling.

When is Gambling Considered Illegal?

The general licensing requirement for organizing or brokering public games of chance is set out in Section 4 (1) sentence 1 GlüStV. Unauthorized gambling within the meaning of the prohibition of contribution is therefore any organization or brokering of public games of chance without the license required by Section 4 (1) sentence 1 GlüStV. Section 3 (1) GlüStV defines what the State Treaty means by gambling: a game of chance exists where a fee is charged for the opportunity to win and the decision on the winnings depends entirely or predominantly on chance. The concept of chance can be difficult to apply, particularly to sports betting, horse betting and online poker, but the State Treaty clarifies that dependence on chance is to be assumed in any case where the uncertain occurrence or outcome of future events is decisive. A game of chance is public if a large, non-closed group of people has the opportunity to participate, but also if it is habitually organized in clubs or other closed societies. Whether a license is required can be difficult to determine in individual cases, especially where the payment service provider's customer does not actually intend to organize a public game of chance, but a game of chance arises merely as a by-product of its range of services, for example as part of a marketing campaign.

Attorney Dr. Lutz Auffenberg, LL.M. (London)

I.  https://fin-law.de

E. info@fin-law.de


Oct 13, 2025

Distributors within the Meaning of PSD3 – Are E-Money Agents a Disappearing Concept?

Negotiations on the reform of European payment services law are already well advanced. In future there will be two new European legal acts: the Payment Services Regulation (PSR), a directly applicable regulation containing the private law rules for payment services in Europe, and the third Payment Services Directive (PSD3), which sets out the supervisory requirements to be transposed by the national legislators of the member states. Besides payment services, PSD3 will also govern the supervisory requirements for companies that issue e-money or conduct e-money business. Until now, these provisions have been contained in the second E-Money Directive (EMD2), which is to be repealed when PSD3 enters into force. Art. 3 (4) EMD2 obliges Member States to allow e-money institutions, under national supervisory law, to distribute and redeem e-money through natural or legal persons, known as e-money agents. The issuance of e-money through e-money agents, however, is not permitted: according to Art. 3 (5) EMD2, e-money must be issued by the e-money institution itself. The German legislature has implemented these requirements in the Payment Services Supervision Act (ZAG). According to Section 1 (10) ZAG, an e-money agent is any natural or legal person who, as an independent commercial operator, distributes and redeems e-money on behalf of an e-money institution. Under the PSD3 regime, however, there will be no more e-money agents. The directive provides for the agent concept exclusively for payment services, not for the new e-money services it introduces. Instead, the new term “distributor” is introduced.

How is a Distributor Defined under PSD3?

According to Article 2(36) of the European Commission's draft directive (PSD3-E), a distributor is a natural or legal person who distributes or redeems e-money on behalf of a payment institution. This definition closely resembles the EMD2 definition of e-money agents that it is to replace. As far as can be seen, the only difference is that distributors are used by payment institutions, whereas e-money agents are used by e-money institutions. Since PSD3 also abolishes the concept of the e-money institution and instead allows payment institutions to apply for additional authorization to provide e-money services, the reference to payment institutions in the new definition is not surprising. Dropping the term “e-money agent” appears to serve a clearer conceptual distinction between agents, which may be used for payment services, and distributors, which may be used for the distribution and redemption of e-money. Under the future PSD3 regime, e-money services are not payment services but a separate type of regulated service for which payment institutions can obtain a license. Moreover, distributors are not to be used to provide e-money services; they can only be engaged by payment institutions for the distribution and redemption of e-money. The two concepts differ significantly in this respect, and the introduction of the distributor concept serves to make this clear.

What May an Electronic Money Distributor Be Permitted to Do?

According to Article 20(1) of the draft PSD3, Member States are to allow payment institutions providing e-money services to use distributors for the distribution and redemption of e-money. Article 20(2) of the draft is, at the very least, misleadingly worded: it stipulates that payment institutions must comply with the requirements for the use of payment agents set out in Article 19 PSD3-E if they intend to provide e-money services through distributors. Given the clear definition of distributor in Art. 2 para. 36 PSD3-E and the equally clear definition of e-money services in Annex II PSD3-E, which covers only the issuance of e-money, the management of payment accounts for e-money and the transfer of e-money, but not its distribution and redemption, Article 20(2) PSD3-E does not make sense. It should therefore be revised before the final version of PSD3 is adopted. Distributors should be used only for the distribution and redemption of e-money; they will not be allowed to provide e-money services requiring a license. In this respect, there will be little difference between e-money agents under EMD2 and distributors under PSD3.

Attorney Dr. Lutz Auffenberg, LL.M. (London)


Sep 29, 2025

E-Money Services within the Meaning of PSD3 – What Exactly Will the New Activity Include?

European legislators are working diligently to overhaul European payment services law. The final versions of the new Payment Services Regulation (PSR) and the third Payment Services Directive (PSD3) are expected to be adopted at the end of 2025 or in early 2026. One of the main aims of the proposed revision is to repeal the second E-Money Directive (EMD2) and incorporate the provisions on e-money into PSD3 and PSR. Under the current PSD2 and EMD2 regime, the EU Commission found that supervisory authorities in the member states interpreted the directives differently in practice, particularly as regards the distinction between payment products and e-money products, and that applicant companies exploited these differences. In future, therefore, all supervisory and civil law provisions on payment services and e-money services are to be regulated uniformly by PSD3 and PSR. The term “e-money institution” will cease to exist. Instead, payment institutions will be able to apply to BaFin, or to the competent authority in the member state concerned, for a license to provide e-money services in addition to or instead of payment services. But what exactly will e-money services be?

E-Money Services as a New and Regulated Activity under Payment Services Law

According to the current draft of PSD3, the regulatory treatment of e-money business is to be integrated through the new term “e-money services.” These are to comprise the issuance of e-money, the maintenance of payment accounts for storing e-money, and the transfer of e-money. E-money services would thus cover not only the original issuance of e-money but also the downstream services of storing and transferring e-money. It is striking that the definition in the current draft does not separate these three activities with an “or.” The draft's provisions on the initial capital that payment institutions providing e-money services must hold are likewise uniform at €400,000, regardless of whether the institution issues e-money or only provides transfer services in relation to e-money that it may not have issued itself. Furthermore, when calculating the required own funds, the draft distinguishes between payment institutions that offer e-money services and those that do not: institutions offering e-money services exclusively must always apply Method D, under which own funds must amount to at least 2% of the average outstanding e-money. These provisions suggest that e-money services can only be provided as a single, indivisible activity, so that, for example, merely offering to store third-party e-money in a payment account would not qualify as an e-money service.

Services Relating to E-Money Units without Issuer Characteristics Nevertheless Not Unregulated

Services of payment institutions that do not themselves act as e-money issuers would nevertheless be covered by the new PSD3 and PSR as regulated activities. This is because, under the new definitions in PSD3, e-money always qualifies as funds, so e-money can also be the subject of traditional payment services. If, for example, a service provider wishes to hold e-money issued by a third party in a payment account and to enable transfers of these units to and from the account, this activity could simply constitute the placing of funds on, and withdrawal of funds from, a payment account within the meaning of No. 1 and/or No. 2 of Annex I to PSD3. The provider would then need a license as a payment institution for this activity; a license to provide e-money services would not be required. In future, such demarcation issues are likely to arise particularly often in relation to e-money tokens, which are also deemed e-money under Article 48(2) MiCAR. It is in the nature of tokens that they are not held or transferred exclusively by the issuer, so it is very likely that companies will use them to provide money remittance or other payment services. In such cases, the further question arises whether, in addition to a BaFin license for payment services, authorization as a crypto-asset service provider is also required.

Attorney Dr. Lutz Auffenberg, LL.M. (London)


Sep 15, 2025

Which Payment Services do Crypto Custodians Provide with EMT?

Since the end of last year, the custody of crypto assets has been regulated as a crypto-asset service under the Markets in Crypto Assets Regulation (MiCAR). Providers of this service must obtain authorization under Art. 62 MiCAR from their competent supervisory authority, in Germany BaFin, before they may hold crypto assets for clients. With such authorization, crypto custodians may hold for clients all tokens that qualify as crypto assets under MiCAR. Besides traditional crypto assets such as Bitcoin and Ether, this includes the special forms of crypto assets regulated by MiCAR, namely asset-referenced tokens (ART) and e-money tokens (EMT). Both of these so-called stablecoins are designed to achieve value stability by referencing another stable value. In the case of ART, the reference value may be derived from official currencies, securities, other crypto assets or other items. If, on the other hand, the token references a single official currency such as the euro, the US dollar or the Swiss franc, it is classified as an EMT. Crypto custodians face additional regulatory issues when holding e-money tokens for their customers, because EMT are not only crypto assets under MiCAR but also e-money within the meaning of the Second E-Money Directive (2009/110/EC). As a result, they are also funds within the meaning of the second Payment Services Directive (PSD2), as the European Banking Authority (EBA) recently confirmed once again.

Crypto Custodians Will Soon Require a ZAG License for Handling E-Money Tokens

In its no-action letter of June 10, 2025, the EBA advises the supervisory authorities of the member states to require market participants to comply with the PSD2 obligations, implemented in Germany in the Payment Services Supervision Act (ZAG), only from March 2, 2026. Crypto custodians who wish to offer custody of e-money tokens should nevertheless start preparing now for the second stage beginning on March 2, 2026, and apply for a ZAG license. The EBA advises supervisory authorities to deprioritize some of the obligations imposed on payment service providers, but the basic additional licensing requirement applies in all cases. Crypto custodians who allow customers to keep EMT in their wallets and to send EMT to, or receive EMT from, other wallets will then also be providing payment services. The payment services of placing funds on a payment account (Section 1 (1) sentence 2 no. 1 ZAG) and withdrawing funds from a payment account (Section 1 (1) sentence 2 no. 2 ZAG) are particularly relevant here. Payment transactions under Section 1 (1) sentence 2 no. 3 ZAG and payment transactions involving the granting of credit under Section 1 (1) sentence 2 no. 4 ZAG may also be relevant if crypto custodians send customers' EMT to other wallets.

What Are the Alternatives for Crypto Custodians to Obtaining Their Own ZAG License?

Applying for a separate license under Section 10 (1) ZAG for the provision of payment services does not make sense in every case. Some crypto custodians may find that their managers have the professional qualifications for crypto custody but no professional experience in the payment services business yet, and it is not unlikely that BaFin will require the management to be changed or expanded to include managers with ZAG experience in the licensing procedure. In such cases, it may be possible to have the additional payment services arising from the custody of e-money tokens provided by another institution, for example through an outsourcing arrangement, in which case no separate license for the provision of payment services is needed. If the crypto custodian wishes to offer payment services to its customers itself, it may also consider becoming a payment agent of the other payment institution. It can then perform the regulated payment services on behalf of that institution as an independent trader, and its actions are attributed to the payment institution for supervisory and civil law purposes.

Attorney Dr. Lutz Auffenberg, LL.M. (London)


Sep 08, 2025

New Implementation Guidance from BaFin on the Simplified ICT Risk Management Framework

The EU Regulation on Digital Operational Resilience in the Financial Sector (DORA) has applied since January 17, 2025, and must be implemented by the entities it regulates. More than seven months on, not all legal issues arising from DORA have been clarified. The competent authority for most German financial entities is the Federal Financial Supervisory Authority (BaFin). The term “financial entity” as defined by DORA covers a wide range of companies in the financial sector, including credit institutions, payment institutions, account information service providers, e-money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, data reporting service providers and many more. This makes DORA the central legal act for strengthening the digital operational resilience of the financial sector in its use of information and communication technologies (ICT). One of the cornerstones of DORA is the obligation for financial entities to establish, maintain and continuously improve an ICT risk management framework. The risks to which a financial entity is exposed can be as diverse as the regulated entities themselves, so DORA relies on the principle of proportionality. This is expressly enshrined in Article 4 DORA and requires, among other things, that the size and overall risk profile of the financial entity and the nature, scale and complexity of its services, activities and operations be taken into account when fulfilling the ICT risk management requirements. The principle is further reflected in the distinction between the generally applicable ICT risk management framework and the simplified ICT risk management framework, which applies only to certain, mostly smaller, financial entities. BaFin has now provided some helpful guidance on the simplified ICT risk management framework under Article 16 DORA in a new supervisory notice dated August 21, 2025.

Which Financial Companies Are Covered by the Simplified ICT Risk Management Framework?

Which entities the simplified ICT risk management framework applies to in Germany is determined partly by DORA directly and partly by national law. Under Article 16 DORA, small and non-interconnected investment firms and small occupational pension institutions are covered in Germany. In addition, the Act on the Digitization of the Financial Market (FinmadiG) has extended the simplified framework at national level to other companies in the banking and insurance sectors. For example, an amendment to the Insurance Supervision Act (Section 293 (5) VAG) now subjects certain insurance holding companies to the requirements of Article 16 DORA, and an amendment to the Banking Act (Section 1a (2a) KWG) requires all institutions not already covered by DORA to apply the regulation from January 1, 2027. For the latter institutions, which include, for example, guarantee banks and financial services institutions such as leasing and factoring companies and crypto-securities registrars, the BAIT continue to apply until the end of 2026.

What Specific Advice Did BaFin Give, and What Do Financial Companies Need to Pay Attention to Going Forward?

The BaFin supervisory notice includes an overview of the documentation requirements for financial entities under Art. 16 DORA. It indicates which documents, security measures, procedures, plans, processes and policies BaFin considers necessary to meet the requirements of Article 16 DORA and of the supplementary regulatory technical standards (RTS) specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework. BaFin stresses that this is non-binding guidance and not a binding interpretation on its part. Nevertheless, the overview reflects how BaFin, as the competent supervisory authority, reads the DORA Regulation and thus gives the entities concerned a concrete roadmap toward DORA compliance. The overview does leave open how the listed documents should be structured in terms of content, which makes sense because the requirements in each case must be determined in accordance with the principle of proportionality. Financial entities that fall under the simplified framework should also bear in mind that the simplifications concern only the ICT risk management framework; there are no simplifications with regard to DORA's other requirements. For example, the entities concerned must still comply with the principles for the sound management of ICT third-party risk set out in Articles 28 to 30 DORA.

FIN LAW


Aug 25, 2025

Will Supervisory Authorities Use AI Tools in Money Laundering Supervision?

The use of innovative technologies such as natural language processing (NLP) and AI promises unprecedented efficiency gains for companies, and a wave of new AI companies is seizing the opportunities and developing new business models. It remains unclear whether these technologies, which are evolving rapidly thanks to massive investment, will live up to the hype or whether a bubble is forming that could burst like the dot-com bubble. For now, however, it seems certain that AI is here to stay and can no longer be ignored. European supervisory authorities appear to have realized this too, as a report by the European Banking Authority (EBA) on the use of supervisory technology (SupTech) tools in money laundering supervision by national authorities shows. But how far has the SupTech revolution progressed in national supervisory authorities so far, and what does it mean for supervised companies?

AMLA and the Application of SupTech

The new EU package to combat money laundering and terrorist financing of June 19, 2024 established, among other things, a new European authority to support the national supervisory authorities by coordinating national anti-money laundering authorities and ensuring uniform application of EU law. The Anti-Money Laundering Authority (AMLA) began operations on July 1, 2025. The EBA has taken the establishment of AMLA and the associated increase in cooperation between supervisory authorities as an opportunity to examine how national authorities already use SupTech, and summarized its findings in a report dated August 12, 2025. The report provides a good overview of current developments. The use of SupTech tools in AML/CFT supervision is still in its infancy in the EU, with many authorities in the exploratory or early implementation phase. At the same time, there are great opportunities: the increasing adoption of SupTech signals a shift toward more efficient, data-driven approaches to combating financial crime. Technologies used include AI, blockchain analytics and the generation of synthetic data to improve risk assessments and operational efficiency. SupTech tools are meant to improve the analysis of large amounts of data and provide comprehensive insights into the activities of supervised companies, automate processes, optimize resources and increase cooperation between authorities. Challenges remain, however: poor data quality and governance that hinder effective use, limited budgets and the technological adjustments required, a lack of clarity in the regulatory framework, resistance to change, and a lack of digital skills among authority staff.

FinTech Companies, Crypto Assets, and AI-Based Fraud in the Focus of the Regulators

Despite the implementation difficulties outlined above, it seems inevitable that supervisory authorities will adopt new technologies and thereby supervise the companies concerned even more efficiently and comprehensively. Companies should therefore be even more careful than before to comply with their anti-money laundering obligations. The focus of supervision also appears to be shifting increasingly to FinTech companies. The EBA's Opinion on money laundering and terrorist financing risks affecting the EU's financial sector of July 28, 2025, for example, states that 70% of competent authorities in the EU report high or increasing ML/TF risks in the FinTech sector. The market share of FinTech companies is growing rapidly, and they promise to improve the customer experience by providing access to innovative financial services. Supervisory authorities fear that this rapid growth will lead FinTech companies to prioritize innovation and customer acquisition over compliance, resulting in inadequate AML/CFT controls. For FinTech companies, this means taking a particularly careful approach to anti-money laundering compliance. Even though this is a heavy bureaucratic burden, especially for smaller companies, the legal obligations must be complied with.

FIN LAW


Aug 18, 2025

Are Stablecoins Suitable as a Means of Payment in Limited Networks?

Stablecoins have been specifically regulated crypto assets since summer 2024 under the Markets in Crypto Assets Regulation (MiCAR). They can be issued either as e-money tokens (EMT) or as asset-referenced tokens (ART). The issuance of EMT or ART in particular is strictly and granularly regulated by MiCAR: EMT may be issued only by electronic money institutions or credit institutions authorized in the European Union, and ART only by companies explicitly authorized as ART issuers under Art. 16 ff. MiCAR or by credit institutions. But it is not only the issuance of EMT or ART that may be subject to licensing. If EMT or ART are accepted as means of payment, the services supporting those transactions may themselves be activities requiring prior authorization from the competent supervisory authority, such as BaFin in Germany. MiCAR, which regulates crypto-asset services as activities subject to authorization, is not the only relevant regime: the German Payment Services Supervision Act (ZAG), which is based on the second Payment Services Directive (PSD2), may also have to be taken into account in individual cases.

E-Money Tokens are Both Crypto Assets and E-Money

Article 48(2) MiCAR provides that e-money tokens are deemed to be e-money. At the same time, Article 3(1)(7) MiCAR defines them as crypto-assets that purport to maintain a stable value by referencing the value of an official currency. EMT thus have a hybrid regulatory status. As a special form of crypto-asset they are subject to MiCAR, while as electronic money within the meaning of Article 2(2) of the Second Electronic Money Directive (EMD2) and Section 1 (2) sentence 3 ZAG they are also funds within the meaning of Article 4 No. 25 PSD2 and can therefore be the subject of payment services requiring authorization. In this regard, the European Banking Authority (EBA) published a “no-action letter” on June 10, 2025, advising national supervisory authorities in the European Union not to require the companies concerned to comply with PSD2 in relation to payment services with EMT until March 2, 2026. Currently, therefore, service providers offering customers custody or transaction-supporting services in connection with EMT must hold authorization as a crypto-asset service provider (CASP) under Art. 59 et seq. MiCAR. MiCAR provides no sectoral exemption for limited networks, for exclusive use on the premises of the issuer, or for limited ranges of goods or services, so there is no exemption from the general CASP authorization requirement in such constellations. For the period after March 2, 2026, however, business models falling under the exemptions for limited networks may be able to avoid an additional licensing requirement under Section 10 (1) ZAG by relying on those exemptions.

ART are Mere Crypto Assets and are Not Subject to the ZAG

The situation is different for asset-referenced tokens. Although they qualify as crypto assets under Article 3(1)(6) MiCAR, MiCAR contains no provision classifying ART as funds within the meaning of PSD2, so ART are not subject to the ZAG. Recital 62 MiCAR does note that ART may pose a threat to the smooth functioning of payment systems, monetary policy transmission or monetary sovereignty, which at least places them in the vicinity of means of payment comparable to funds. In its no-action letter of June 10, 2025, however, the EBA also made clear that in its view ART should not be classified as funds within the meaning of PSD2. On the current legal situation it can therefore be assumed that only MiCAR applies to the custody of, and transaction support for, ART. Accordingly, service providers cannot rely on the payment-services exemptions for limited networks or limited ranges of goods or services. They must either obtain authorization as a CASP under MiCAR or seek to bring their business model within the exemptions of Art. 2 MiCAR, where that is possible in the individual case.

              Attorney Dr. Lutz Auffenberg, LL.M. (London)

              I. https://fin-law.de

              E. info@fin-law.de


                Aug 11, 2025

                AI Compliance in Companies (Part III) – Scope of the GDPR and AI Act?

                With the rapid development of artificial intelligence, companies in the European Union are facing a complex regulatory landscape that is largely shaped by two pillars: the General Data Protection Regulation (GDPR) and the new Artificial Intelligence Regulation (AI Act). While the GDPR has been regulating the handling of personal data for years and has established itself as the standard for data protection, the AI Act is now the first comprehensive regulation specifically for AI systems. At first glance, both sets of regulations appear to pursue similar goals, such as protecting fundamental rights and building trust in new technologies. But how do these two comprehensive laws relate to each other? This question becomes particularly relevant when AI systems are trained or operate on the basis of personal data. Personal data is often the “fuel” of AI systems. This dual regulation raises crucial questions: Is compliance with one regulation sufficient, or are new, overlapping obligations emerging that could lead to costly pitfalls? If companies want to rely on the use of AI, they should first clarify the differences and similarities between the GDPR and the AI Act.

                Scope of the GDPR and the AI Act

                The GDPR focuses on the processing of personal data. Personal data is any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). Processing therefore includes virtually any handling of personal data, from reading and storing to transferring and deleting. The GDPR is designed to be technology-neutral, which means that its provisions apply regardless of the technology used, as long as personal data is processed. In contrast, the AI Act primarily regulates AI systems and AI models themselves. An AI system is defined as a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments (Art. 3 No. 1 AI Act). The AI Act does not directly define what an AI model is. However, Recital 97 of the Regulation states that AI models are central components of an AI system, which become an AI system through additional components such as a user interface. In simple terms, the AI model is the neural network and thus the core of the AI system.

                Differences and Similarities

                The main objective of the GDPR is to protect the fundamental rights of natural persons against risks that may arise from data processing. The GDPR requires data controllers to take both technical and organizational measures to address the risks to data subjects (Articles 25 and 32 GDPR). Personal data may only be processed in accordance with the principles laid down in the GDPR. The controller is accountable to the data subjects in this regard (Art. 5(2) GDPR). The lawfulness of processing must be assessed in each individual case. In the case of the use of new technologies, which undoubtedly includes AI, a well-documented data protection impact assessment must also be considered (Art. 35 GDPR). The AI Act aims to ensure that AI is trustworthy and secure and is developed and used in accordance with fundamental rights. The AI Act is primarily product safety law that establishes uniform rules for the placing on the market, putting into service, and use of AI systems and AI models within the EU. In its implementation, the AI Act focuses primarily on classifying AI systems and AI models into specific risk categories, which are subject to different legal frameworks. The AI Act defines risk as the combination of the probability of damage occurring and the severity of that damage (Art. 3 No. 2 AI Act). The AI Act addresses the risks posed by AI by laying down specific rules for AI technologies and their application. Although the focus of the GDPR and the AI Act is different, they are closely linked in areas where AI systems process personal data. Both laws aim to minimize risk. The AI Act complements the GDPR by addressing specific risks posed by AI technologies. Although compliance with the AI Act can also help to meet the requirements of the GDPR, AI Act compliance alone is generally not sufficient for this purpose.

                FIN LAW


                  Jun 23, 2025

                  The Crypto Custody Agreement According to MiCAR – What Must Crypto Custodians Mandatorily Agree Upon With Their Customers?

                  The custody and management of crypto assets for others is a regulated crypto asset service under Art. 3 (1) No. 16 lit. a) MiCAR and Art. 3 (1) No. 17 MiCAR. It may therefore only be provided by companies that have been authorized as crypto asset service providers under Art. 59 MiCAR. In addition to the usual strict requirements that must be met by companies regulated under MiCAR in the European Union, such as sufficient initial regulatory capital, fit and proper managers, and proper business organization with regard to risk management, IT security, and money laundering prevention, among other things, crypto asset custodians must also fulfill specific supervisory compliance obligations. One of these special requirements for crypto custodians is the obligation to conclude a custody agreement with custody clients that includes the minimum content required under Article 75(1) MiCAR. Accordingly, MiCAR-compliant custody agreements must contain at least information on the identity of the contracting parties, a description of the type of crypto service offered, information on the custody strategy, the means of communication used and how customers authenticate themselves to the crypto custodian, the security systems used, the fees and costs, and the applicable law.

                  What Exactly Must a Crypto Custody Agreement Contain in Regard to the Custody Strategy?

                  MiCAR does not specify exactly what crypto custodians must agree with their custody clients with regard to the custody strategy. The development and implementation of a custody strategy is primarily a regulatory obligation that crypto custodians must demonstrate to the supervisory authorities that oversee them. Article 75(1) MiCAR, which regulates the minimum requirements for custody agreements, merely stipulates that the custody strategy is a minimum requirement for a crypto custody agreement. However, this provision is specified in more detail in Article 75(3) MiCAR, which provides for a right of custody account holders to receive a summary of the custody strategy in electronic form from their crypto custodians. In order to be able to meet this requirement, crypto custodians will have to maintain an electronic document summarizing the custody strategy. The actual agreement of the custody strategy with the customer or the attachment of the complete custody strategy, for example as an annex to the custody agreement, seems unnecessary, especially since any change to the strategy would require renegotiation or a new crypto custody agreement. This cannot have been in the interest of the MiCAR regulator. It should also be noted that, as a strategy document, the custody strategy should not contain any specific technical implementation measures or the names of employees or any third-party service providers that may be involved. A strategy generally formulates goals, objectives, and ways to achieve them.

                  What Details Regarding Security Systems Must Be Agreed Upon?

                  Art. 75 (1) (e) MiCAR requires that crypto custody agreements include a description of the security systems used by the custodian. In this respect, it is rather unlikely that there will be any room for negotiation, as crypto custodians will hardly be able to grant custody clients any leeway in this regard. In this regard, it is necessary to include details on the technologies used for the custody of private keys, information on any vulnerability tests and security audits carried out, the authentication mechanisms provided for clients, and other security measures used by the custodian to minimize the risk of loss of clients’ crypto assets or the associated private keys. Information may also be provided on how client crypto assets are separated from the crypto asset custodian’s own holdings in crypto assets or funds and are kept safe from insolvency. Here, too, it will not be necessary to name specific sub-custodians or banks that are used to segregate client assets. A description of the specific measures implemented by the crypto custodian to increase security for customers will in any case be sufficient for the purposes of the crypto custody agreement.

                  Attorney Dr. Lutz Auffenberg, LL.M. (London)


                    Jun 10, 2025

                    Token Sale to Private Purchasers – Can the Issuer Freely Choose the Applicable Law for the Token Terms?

                    The execution of token sales has been a strictly regulated undertaking in the European Union since the Markets in Crypto Assets Regulation (MiCAR) came into force. Issuers must prepare and publish a detailed crypto asset white paper before the token sale begins. They must also comply with regulatory requirements regarding how they market the crypto assets, how they deal with conflicts of interest, and the security of the systems and protocols they use. If the crypto assets offered by the issuer are asset-referenced tokens (ART) or e-money tokens (EMT), additional regulatory obligations apply. In contrast, issuers are relatively free to design the token terms underlying the crypto assets to be offered. Token terms can be used to link the ownership of crypto assets to a wide variety of rights. As utility tokens, they can grant their holders access rights to the issuer’s goods or services, embody access to information, voting or election rights, tokenize redemption rights in the underlying fiat currency in the case of ART or EMT, or be linked to other rights. MiCAR does set out basic requirements for the underlying contracts for certain types of crypto assets. However, the specific rights and obligations of token holders and issuers can be agreed upon in accordance with the applicable national private law. But are there limits that issuers must observe when determining the private law applicable to token terms?

                    In Principle, there is a Free Choice of Law under Article 6 of the Rome-I-Regulation

                    Firstly, the principle of free choice of law arising from Article 3 of the Rome-I-Regulation also applies to the creation of token terms. According to this principle, issuers of crypto assets are free to decide which law should apply to the contract with the purchasers of crypto assets when drafting their token terms. However, in the case of the offering of crypto assets to private purchasers, this principle applies only to a limited extent. This is because, according to Article 6(2) of the Rome-I-Regulation, a choice of law under Article 3 of the Rome-I-Regulation may not result in a consumer having weaker rights than if the law of his home country or the country in which he is habitually resident were applicable. The provision is intended to ensure that consumers in the European Union can always rely on the consumer protection rights they enjoy in their everyday lives in their country of habitual residence. In the area of token sales aimed at private purchasers, this would mean that private purchasers could potentially assert different consumer rights against the issuer in the context of a token sale, depending on their country of habitual residence. This result would be impractical and would run contrary to the principle of equal treatment of all purchasers in a particular issue. In this context, the question arises as to whether the Rome I Regulation provides for an applicable exception for token sales to private purchasers.

                    In the Case of Public Offers of Financial Instruments, the Consumer Protection Privilege of Article 6(2) of the Rome-I-Regulation Does Not Apply

                    The question arises as to whether the exception in Article 6(4)(d) of the Rome-I-Regulation can also apply to crypto assets and contractual terms governing the issuance and public offering of crypto assets. According to its wording, the provision refers exclusively to financial instruments which, under EU law, are generally only instruments within the meaning of Article 4(15) of the EU Regulation on markets in financial instruments (MiFID2). The exception therefore applies in particular to transferable securities, units of investment funds, derivatives, or similar products. According to the alternative relationship between MiCAR and MiFID2 expressly provided for in Article 2(4)(a) MiCAR, crypto assets are not financial instruments. However, there are good arguments in favor of applying the exception in Art. 6(4) of the Rome-I-Regulation by analogy, as the interests of issuers and purchasers are comparable in the case of token sales of uniformly structured crypto assets. The European regulator appears to have simply overlooked the problem of consumer protection privileges for token sale participants with consumer status when MiCAR was introduced, so that this is likely to be an unintended regulatory gap. However, Article 6(4) provides for an exception for contracts for financial services. This makes sense because financial services only relate to a financial instrument and do not specify the specific rights and obligations arising from it. Since a comparison with the area of crypto assets can also be affirmed in this respect, the exception should also apply mutatis mutandis to downstream services – in this case, crypto asset service listings within the meaning of Article 3(1)(16) MiCAR.

                    Attorney Dr. Lutz Auffenberg, LL.M. (London)


                      Jun 02, 2025

                      AI Compliance in Companies (Part II) – When Does an AI Model Fall Within the Scope of the GDPR?

                      The General Data Protection Regulation (GDPR) was deliberately drafted in a technology-neutral manner, so it is not surprising that the long arm of the GDPR also extends deep into processes involving AI. This is somewhat inevitable, as the development of Large Language Models (LLMs) requires the processing of ever-larger data sets. The development of an AI system can undoubtedly involve a number of activities relevant to data protection law on the part of the controller, from the development phase to the deployment phase. At the heart of every AI system is the underlying AI model, the neural network developed using machine learning. This requires training data to be collected and processed, and the AI model must then be trained. The collection and preparation of data may constitute processing within the meaning of the GDPR if the training data is personal data. Anonymizing personal data prior to training also constitutes processing, which is why the GDPR must be observed. In the deployment phase, i.e., when the AI system is used, the processing of personal data is often also envisaged, which must also be reviewed from a data protection perspective. However, in addition to these more obvious forms of personal data processing, the question arises as to whether an AI model that has been trained with personal data itself contains personal data. In other words, whether the AI model itself can be subject to data subject rights under Art. 12 et seq. GDPR. In addition, supervisory authorities could order remedial measures to remedy the unlawfulness of the processing of personal data in the development phase of an AI model. These include fines, temporary restrictions, the deletion of unlawfully processed data sets (in whole or in part), or even the deletion of the AI model itself.

                      Is an AI Model Anonymous or Does It Contain Personal Data?

                      Whether an AI model itself is anonymous depends on whether the AI model contains personal data. According to Art. 4 No. 1 GDPR, personal data is any information relating to an identified or identifiable natural person. In contrast, the GDPR does not apply to anonymous data, i.e., data that does not relate to an identified or identifiable natural person, or personal data that has been anonymized in such a way that the data subject cannot be identified or is no longer identifiable. If an AI model has been trained (also) with personal data, the question arises as to what extent the AI model contains personal data as a result of this training. In this context, the Hamburg Commissioner for Data Protection and Freedom of Information stated in its discussion paper “Large Language Models and Personal Data” on the applicability of the General Data Protection Regulation (GDPR) to large language models that the mere storage of an LLM does not constitute processing within the meaning of Art. 4 No. 2 GDPR, as no personal data is stored in LLMs themselves. This is justified by the fact that LLMs work on the basis of tokens (linguistic fragments) and embeddings (mathematical representations of the relationships between tokens) and represent “highly abstracted and aggregated data points from the training data and their relationships to each other without concrete characteristics or references to natural persons.” In a recent statement “on certain data protection aspects of the processing of personal data in the context of AI models,” the EDPB has now refuted the Hamburg Data Protection Commissioner’s thesis. The EDPB clarifies that an AI model trained with personal data cannot be considered anonymous in all cases. The claimed anonymity must therefore be examined by the competent supervisory authorities on a case-by-case basis.

                      How Will the Distinction Be Made?

                      An AI model can only be considered anonymous if two cumulative conditions are met: The probability of direct (including probabilistic) extraction of personal data about the individuals whose data was used for training, and the probability that such personal data will be obtained through intentional or unintentional queries, must be negligible for each individual concerned. This is to be agreed with, as information may also refer to a natural person if it is encoded in such a way that the relationship is not immediately apparent. Although AI models do not usually contain direct records of personal data, but only parameters that represent probabilistic relationships between the data contained in the AI model, it is possible to derive information from the AI model. Under certain circumstances, statistically derived personal data can be extracted from the AI model. The probability assessment to be carried out should take into account all means likely to be used by the controller or another person acting in the exercise of their normal activities, including the unintended (re)use or disclosure of the AI model. According to the EDPB, the criteria for assessing the residual probability of identification should include the characteristics of the training data set (e.g., uniqueness of the data sets, accuracy), the methods used for training, and the implementation of technical and organizational measures to reduce identifiability (e.g., regularization methods, differential privacy). The results of structural tests that check resistance to attacks such as attribute and membership inference, exfiltration, or regurgitation of training data, the context in which the AI model is released and/or processed (e.g., public availability versus internal use), and additional information that could be available to another person for identification must also be taken into account. Controllers must document the measures taken to reduce the probability of identification and the possible remaining risks, not least because this documentation in particular is to be taken into account by the competent authorities in order to assess the anonymity of an AI model. If, after reviewing the documentation and the measures implemented, the competent authority cannot confirm anonymity, it can be assumed that the controller has not fulfilled its accountability obligations under Article 5(2) GDPR. Careful documentation is therefore strongly recommended.

                      FIN LAW


                        May 26, 2025

                        Descoping MiCAR – Are NFTs the Last Stronghold of the Unregulated Crypto Market?

                        For a long time, the crypto market fascinated many of its participants with its lack of regulation and oversight. While the unregulated environment did provide fertile ground for dubious and criminal activities, it also undoubtedly enabled numerous technical innovations in just a few years that would have been virtually impossible in a regulated environment. The regulatory framework is too restrictive for the implementation of new ideas and the use of technologies that are not yet established, meaning that market participants must carefully consider whether they are willing to accept the risks of entirely unpredictable reactions from regulatory authorities to innovative approaches or whether they would be better off relying on best practices and traditional business models. If the crypto market had been comprehensively regulated from the outset, today’s technical possibilities would hardly have been able to evolve to this point. In any case, with the introduction of MiCAR, the European crypto market has left the “Wild West” behind and is now comprehensively regulated. Of course, there are good reasons for regulation, especially since crypto assets are not infrequently used for money laundering and terrorist financing, and such practices must be stopped. However, innovation is extremely difficult in the new regulated market, as the rules and their interpretation by ESMA, EBA, and the competent authorities, such as BaFin in Germany, leave little room for interpretation. However, so-called non-fungible tokens (NFTs) are excluded from the scope of MiCAR pursuant to Art. 2 (3) MiCAR. Crypto assets that qualify as NFTs can therefore not be the subject of crypto asset services. Nor can their issuance on the market constitute a public offer that would trigger an obligation to prepare a crypto asset white paper. There is therefore still considerable scope for innovation in this area.

                        What Precisely is an NFT in the Context of MiCAR?

                        In order to fall under the exemption provided for in Article 2(3) MiCAR, a crypto asset must, according to the wording of the provision, first be unique and not fungible with other crypto assets. The text of the regulation itself does not impose any further requirements. However, recitals 10 and 11 preceding the text of the regulation provide further guidance as to which specific crypto assets the regulator intended to exclude from the scope of MiCAR as NFTs. This makes it clear that the key factor is the uniqueness of a crypto asset. If a crypto asset is not readily exchangeable for another crypto asset and its relative value cannot be determined by comparison with an existing market or an equivalent asset due to its uniqueness, it should be considered an NFT within the meaning of the exemption in Article 2(3) MiCAR. In recital 11, however, the regulator emphasizes that crypto assets that, despite having unique characteristics, are ultimately part of a large series or collection should not be considered unique within the meaning of MiCAR. Simply numbered crypto assets that differ only in their serial number are therefore certainly not to be classified as NFTs eligible for exemption, to give an obvious example. Similarly, according to the intention of MiCAR, a crypto asset should not constitute an NFT if its de facto characteristics or de facto intended use make it an interchangeable and non-unique crypto asset, even if it appears to be unique at first glance. In this respect, the economic approach should be decisive.

                        What are Examples of NFTs That Do Not Fall Under MiCAR and What Else Needs to Be Considered?

                        In recitals 10 and 11, digital art and collectibles are explicitly mentioned as NFTs. Similarly, the regulator does mention non-fungible services such as product warranties and non-exchangeable assets such as real estate. However, the specific examples cited should not obscure the fact that the legal classification of a crypto asset must be based on the requirements set out above and that, therefore, a tokenized service such as car washing would not qualify as an NFT within the meaning of MiCAR if the car is driven by a different person depending on the token used. This would not be sufficient to ensure that the tokens are individually identifiable. Further examples of NFTs include crypto assets in areas of application such as voting at general meetings of stock corporations, product supply chain or identity management, or in access and authorization management. NFTs are likely to be particularly interesting in the future in the fight against AI-generated counterfeits, as they can be used to provide unique proof of authenticity. Even if crypto assets qualify as NFTs within the meaning of Art. 2 (3) MiCAR in individual cases, they may still be regulated on other legal grounds, for example as financial instruments under MiFID2 or as cryptographic instruments within the meaning of the German Banking Act (KWG). Start-ups with promising ideas in the NFT sector should definitely take advantage of the current legal situation while it lasts.

                        Attorney Dr. Lutz Auffenberg, LL.M. (London)
