The new Crypto Securities Act has provided a little more regulatory clarity for German crypto service providers. The eWpG still has pitfalls. In his guest article, specialist lawyer Lutz Auffenberg explains what operators of crypto securities registers and other service providers now have to pay attention to.
This article first appeared on the Fin Law Blog.
Since the law on electronic securities (eWpG) came into force on June 10, 2021, there have been electronic securities as well as crypto securities. According to the legal definition, the term includes electronic bearer bonds without documentary securitization that are entered in a crypto securities register. The legislature has made the management of such crypto securities registers an activity that requires a permit through a simultaneous expansion of the German Banking Act (KWG). Anyone wishing to keep a crypto securities register in Germany for commercial purposes must therefore obtain permission from BaFin beforehand and meet the legal requirements for the issuing of a license. According to the eWpG and the KWG, however, it is not entirely clear who exactly the new authorization requirement is supposed to affect.
Who is the operator of a crypto securities register?
It is clear that the authorization requirement under the KWG can only affect people and companies that actually keep a crypto securities register. However, in order to be able to determine who keeps a crypto securities register, it must first be clearly defined what is meant by a crypto securities register. Unfortunately, the eWpG does not contain a definition for crypto securities register in its definitions. It merely stipulates that crypto securities registers are a special form of electronic securities registers. Crypto securities are defined by the eWpG as electronic securities that are entered in a crypto securities register.
In addition, § 16 of the eWpG stipulates that crypto securities registers must be kept on a forgery-proof recording system in which data is logged in the time sequence and saved against unauthorized deletion and subsequent changes. More informative than the eWpG itself is its legal justification, in which the legislature clarifies for the introduction of the new financial service of crypto registry management that the licensing requirement should not necessarily affect the operator of the registry infrastructure, but the registrar.
The eWpG understands this to mean the person who is named by the issuer to the holder of the crypto security as the registrar, whereby the issuer can also act as the registrar himself. In this respect, the definition of crypto securities registry in the KWG is very unfortunate. It would have been more understandable to expressly regulate the activity as a registrar in connection with crypto securities as a financial service.
Can a cryptocurrency registry be accidentally operated?
The keeping of a crypto securities register is regulated as a financial service requiring a license according to the KWG. Anyone who therefore maintains a crypto securities register without the corresponding permission from BaFin is liable to prosecution and engages in unauthorized business that can be prohibited and reversed immediately by BaFin. In this respect, it can be problematic if companies involved in the issue offer the issuer of a tokenized bearer bond to keep a register of issue-related data.
The fact that crypro securities registers must be designed in a decentralized manner and that the eWpG specifies which data register-keeping agencies must include in crypto-securities registers only regulates the obligations of registry-keeping agencies. Conversely, however, breaches of these obligations cannot result in no activity as a register-keeping body. This would make the new licensing requirement for crypto securities register management ad absurdum.
At least as problematic in this context is the case in which issuers of tokenized bearer bonds hold issue-related data themselves without having named a register-keeping body. In this case, according to the eWpG, they are themselves the registrar. Since the authorization in the KWG generally makes crypto securities register management subject to authorization, the wording of the facts does not require that the activity be carried out for someone else. It cannot therefore be ruled out that issuers of tokenized bearer bonds may also be subject to the authorization requirement themselves.
How can issuers and service providers accompanying issues avoid these risks?
BaFin should provide a leaflet on the delimitation questions presented as soon as possible and, for its administrative practice, stipulate when an activity as a registrar will be accepted. Taking into account the fact that to date no company has received approval as a crypto securities registry from BaFin, issuers and companies involved in issuance can currently only be advised not to design tokenized securities as bearer bonds, especially since the provisions of the eWpG have so far only been applicable to these . Security tokens designed as registered bonds, for example, are not recorded, so that the risks presented should not arise according to the current legal situation.