This article first appeared on the Fin Law Blog.
On June 1, 2022, BaFin published a long-awaited information letter on the new financial service of keeping crypto securities registers. Specifically, it contains instructions from the supervisory authority on the upcoming authorization procedures for companies that want to offer crypto securities register management in the future. Under a statutory transitional provision, companies interested in providing crypto securities register management were able to obtain provisional permission to provide this service by submitting a corresponding notification of intent by October 10, 2021 and starting business activities by December 10, 2021.
However, the law also requires providers whose activities are provisionally permitted to submit a complete license application to BaFin by June 10, 2022 at the latest. If they miss this deadline, the provisional permit must be withdrawn. Against this background, BaFin's information letter on its requirements for the completeness of a license application comes very late, only ten days before the deadline.
What information does BaFin provide on the authorization process for crypto securities register keepers?
The information letter does not deal with all relevant aspects of a permit procedure, but sets thematic priorities. In addition to the statements on the transition period and the provisional permit, the supervisory authority explains that the permit procedure is based on Section 32 (1) of the German Banking Act (KWG) and, in particular, on the specifications of the notification ordinance under the KWG. In terms of content, BaFin makes it clear that it expects license applications to focus clearly on information security.
It also points out that crypto securities register keepers must prove regulatory initial capital of at least EUR 150,000 and that, according to the legal requirements, the companies need only one manager who is professionally qualified, reliable and available for a sufficient amount of time. Nevertheless, BaFin emphasizes that it generally welcomes the presence of two or more managers so that the four-eyes principle, which is fundamentally necessary in many areas, can be complied with.
The authority also reminds companies that, as financial service providers, they are subject to the provisions of the Money Laundering Act and must ensure compliance with the resulting prevention obligations. Finally, BaFin provides information on the fee for the authorization procedure, which is charged both when authorization is granted and when the authorization is refused or the application is withdrawn.
What are the IT requirements for crypto securities register keepers?
Keeping crypto securities registers is, by necessity, a pure IT service. It is therefore not surprising that BaFin, as in the case of the crypto custody business, places the supervisory focus on the security of IT systems and the general strategic orientation of companies in the area of IT. When assessing the professional suitability of managers, BaFin would therefore like to focus on the technical and IT-specific knowledge of crypto securities register keepers.
The application for a permit therefore requires a detailed IT strategy and a comprehensive description of the company's IT architecture. The technical and organizational security measures that have been implemented must be explained. Likewise, protection requirement goals for IT must be formulated, and the processes for achieving them must be presented. If companies use cloud solutions, special requirements must be met, such as ensuring that all data is stored in Europe.
In addition, information on a rights and role concept must be provided as part of authorization management, and effective monitoring mechanisms must be set up. As for all other financial services institutions, the Banking Supervisory Requirements for IT (BAIT), which BaFin published in its Circular 10/2017, also apply.