Counterfactual wallets: do you need a permit as a crypto custody business?

Crypto wallets are of central importance for users to participate in the crypto market. They are therefore also of crucial importance for providers of crypto services and often a central component of the business model operated. In the classic design – one private key per wallet – only those who have the associated private keys can access the crypto assets in the wallet. In business models that include wallet services, the private keys regularly remain with the provider, while the user can only interact with the provider using his login data in order to have the crypto assets in the wallet available to him.

The main risk for the provider in these cases is losing the private keys, since it is then no longer possible to dispose of the crypto assets held in the wallet. With classic crypto wallets, lost private keys can only be recovered using a so-called seed, which can also be lost. In the event of the loss of private keys and seed, the provider will generally be liable to its customer and will have to pay compensation.

These are counterfactual wallets

Counterfactual wallets are smart contracts executed on a blockchain. As such, they offer some advantages over classic cryptowallet software. In particular, the private keys required to trigger crypto transactions are not connected to the wallet as is usual with classic wallet software. Rather, it is possible to exchange lost or compromised private keys for counterfactual wallets. A further advantage lies in ensuring that only current versions can be used. The current version of a counterfactual wallet is retrieved from the underlying smart contract.

If the code of the smart contract is updated or expanded, all counterfactual wallets based on it will immediately receive an update, for example to close security gaps or expand the functions. The first possibility of restoring access to counterfactual wallets can work, for example, via a so-called social recovery feature. A group of other participants in the blockchain is automatically defined, which can change the private keys of the crypto wallet in question through majority cooperation at the request of the wallet owner. Such participants, also known as “guardians”, never have access to the private keys of the crypto wallet themselves, for which they can change the private keys, since they do not know each other and technically only fractions of the private keys of the counterfactual wallet are stored with them.

What about the permit requirement?

According to the wording of the law, the crypto custody business, which requires a license, includes the safekeeping, management and security of crypto assets or private cryptographic keys. Whether the management of counterfactual wallets can also be included in these three alternative offenses has not yet been discussed in BaFin’s previous publications on the crypto custody business. The decentralized design of counterfactual wallets could initially argue against a permit requirement for providers. However, this is supported by the fact that there are also private keys for counterfactual wallets, which must be kept, managed and secured against unauthorized access by third parties.

In crypto services with integrated wallet services, the provider always takes on this task for its customers. In the case of counterfactual wallets, there is also the task of setting guardians. If social recovery is required, the provider must request it and again properly store, manage, and secure the new private keys. The fact that counterfactual wallets are not executed centrally in the IT structure of a provider, but via a smart contract on a blockchain, is irrelevant with regard to the handling of the associated private keys. The crypto custody business will therefore in all probability be relevant in most cases of offering counterfactual wallet management to customers.