Introduction to the legal and regulatory framework
As early as 2013 – shortly after virtual currencies gained public attention and the first investor risk warnings could be heard2 – the German financial regulatory authority (BaFin) was quick to bring virtual currencies like Bitcoin within the general financial services licensing scheme (see Section III.i). Distributed ledger technology (DLT) has developed since and brought with it various business models based on a multitude of tradable token types as digital representations of value.
While Germany has no specific regulatory framework for virtual currencies and other virtual assets in place yet, the general financial regulatory regime applies instead, and brings various types of DLT tokens within the ambit of capital markets, banking, financial services, anti-money laundering (AML) and other laws. In some aspects, the application of these legal regimes for virtual currencies has recently been clarified by the German law on electronic securities (eWpG) (e.g., use of digital registers for dematerialised securities).3 BaFin itself, in line with the European Union, emphasises a reasonable approach, aiming to eliminate risks to financial stability and consumers through virtual currencies, while not stifling innovation. However, the complexity of this regulatory regime with numerous and partially overlapping German and EU sources of law, as well as the initial lack of clarity in regulatory guidance by BaFin and the European Securities and Markets Authority (ESMA),4 have led to some legal uncertainty. Regulators meanwhile acknowledge the wide variety of cryptoassets and seem to keep pace with new guidance,5 emphasising the need for a case-by-case analysis, a technology-neutral approach, and a level playing field for similar activities and assets regardless of their form.6 However, a clear overall picture for the vast number of applications and business models is only emerging slowly. Against this background, the recently adopted Markets in Crypto-Assets Regulation (MiCA)7 not only has the potential to provide for an EU harmonised regulatory framework for cryptoassets, but also could be a catalyst for the development of a consistent approach to the panoply of cryptoasset-related business activities. While MiCA, by virtue of its nature as a directly applicable regulation, will shape the future of cryptoasset regulation in Germany, it does not determine the present regulation yet. With MiCA (to a large extent) only applying from 30 December 2024, this chapter will refrain from discussing MiCA in more detail and leave that to future editions.
As a basis for this chapter, we make a distinction between three types of tokens that has proven useful in practice, namely:
- cryptocurrency tokens, which are mainly designed as a means of payment or store of value, and thus shall serve as decentralised virtual currencies for transactions with third parties or marketplaces (with Bitcoin as the prominent example);
- security tokens, which confer upon their holders access to future profits, interest or possibly some control rights over the issuer (e.g., voting rights on certain business decisions, projects, investments), and are therefore in their function similar to rights typically conferred by securities; and
- utility tokens, which do not entitle the holder to payment, but confer access to certain products or services (e.g., specific functions of the respective DLT network) that may already exist or will be developed in the future. Provided that the tokens can be traded on secondary markets, however, holders also may generate profits from the sale of utility tokens.
This classification provides a mere rule of thumb, as hybrid token forms can be easily designed and exist in various business models. Utility tokens especially may take such hybrid forms if their value proposition is not mainly access to services but also depends on future developments, and thus may have a speculative investment component driven by profit expectations through subsequent sales on secondary markets. For such tokens, the regulatory regime is briefly as follows:
- cryptocurrency tokens are regulated under banking laws (but are not considered securities) and related services may require a licence in Germany;
- security tokens are now also regulated under banking laws and they will often be considered securities, which means various capital market and investment laws (with prospectus requirements) may apply;
- the regulatory treatment of utility tokens is rather unclear, with good arguments that their service-related (rather than investment-related) characteristics justify not applying capital market laws, as typical investor information asymmetries are not concerned; and
- AML rules may apply to all of them.
In any case, the German regulator will engage in an individual case-by-case assessment based on the specific functional token design (form follows function).8
Securities and investment laws
This section provides an overview of the qualification of tokens under securities laws, prospectus requirements and liability, asset management regulation and market integrity laws.
i General qualification of tokens under securities laws
The qualification of tokens as financial instruments and, in particular, securities under the securities laws constitutes the linchpin for the application of any financial and capital market regulation. Under German and European law, a commonly accepted or uniform definition of the notion of a security – such as the Howey test under US securities laws9 – does not exist. Any legal assessment of cryptocurrency tokens, security tokens or utility tokens therefore applies only with respect to the corresponding legal act.
Within an increasingly interlinked framework of EU financial regulation, the revised EU Markets in Financial Instruments Directive 2014/65/EU (MiFID II) constitutes the central reference point, as most EU regulatory acts – including prospectus laws and market abuse laws – refer to the MiFID definition of financial instruments. Under Germany’s securities and banking laws, however, a different definition applies (see Section III).
Article 4 Paragraph 1 No. 15 and Section C of Annex I of MiFID II define the term financial instrument under an exhaustive enumeration of different types of instruments of which transferable securities are the most relevant in the context of token sales. Under Article 4 Paragraph 1 No. 44 MiFID II, the notion of transferable securities is defined as:
those classes of securities which are negotiable on the capital market, with the exception of payment instruments, such as: (a) shares in companies and other securities equivalent to shares in companies . . . (b) bonds or other forms of securitised debt . . . (c) any other securities giving the right to acquire or sell any such transferable securities.
The decisive characteristic for classification as a security is therefore tradability on the capital market. This requires, more specifically, that a security – under a case-by-case assessment – meets the formal criteria of transferability, standardisation and tradability, and is comparable to the examples of the definition from a functional perspective.
First, as regards transferability, it may generally be assumed that tokens can be transferred freely among holders, for example, by way of assignment, and that crypto exchanges allow for liquid secondary markets in those tokens (i.e., that the first criterion will regularly be met).
Second, a token will require a sufficient degree of standardisation. Currently, virtual currencies are standardised in the sense of a uniform structure within one issuance of tokens only, but there is no uniform token standard among different categories and types in the sense of a common protocol or platform. Taking into account that standardisation serves the purpose of tradability to allow for efficient trading, however, it becomes clear that a standardisation on the level of the individual issuance should be deemed sufficient.
Third, the actual trading of tokens on crypto exchanges indicates their tradability on a capital market. To the extent that tokens – immaterial by nature – cannot be acquired in good faith,10 this does not lead to a different result: distributed ledger or blockchain technology serves as a functional equivalent of a bona fide acquisition, as transactions may not be reversed for technical reasons.11
Fourth, and most importantly, according to the prevailing interpretation of securities requirements, a token must be functionally comparable to one of the examples listed in the definition. This criterion substantially limits the scope of tokens qualifying as securities as it requires the token to be similar to shares, bonds or other securities traded on capital markets. Where a token promises access to future revenue streams (e.g., profit-based or interest-like) and possibly control rights, such a securities token will likely be comparable to traditional securities. Where, in contrast, the characteristics of tokens are rather comparable to traditional money, they should not constitute securities, as the definition explicitly excludes payment instruments.
Utility tokens that promise future access to goods or services, however, prove difficult to qualify and should be carefully assessed in light of their individual characteristics: if a token, from an objective point of view, may be regarded as an investment promising an increase in value and serves as a corporate financing instrument rather than a means of direct or immediate access to goods or services, it could potentially qualify as a security.12 Simply put, if a token embeds ‘hope and expectations’ rather than access to use, its qualification as a security for the purposes of MiFID II appears likely. Utility tokens will be in the scope of MiCA.
ii Prospectus requirements and liability
To provide investors with sufficient information to make an informed investment decision, thereby reducing informational asymmetries and allowing for an efficient allocation of capital, securities laws set out formal prospectus requirements.
As of 21 July 2019, the Prospectus Regulation13 provides a common legal basis for securities offerings in the European Union. The German Securities Prospectus Act (WpPG), which originally implemented the Prospectus Directive,14 now provides rules complementing the Prospectus Regulation. Both legal acts require, first and foremost, securities within the meaning of MiFID II to be offered to the public. In addition, under the WpPG, issuers of electronic securities within the meaning of the eWpG have to publish a security information sheet, which can be described as a mini-prospectus.15 With respect to investments that do not qualify as MiFID II securities, prospectus requirements under asset management laws may apply (see below).
Securities must be offered to the public or admitted to trading on a regulated market. With respect to (securities) token issuances, an admission to trading on a regulated market appears unlikely, as these are authorised and regulated public law institutions under the German Stock Exchange Act that require participants to be formally admitted to trading. An offer may, however, constitute an offer of securities to the public, given that the definition includes communication in any form and by any means that presents sufficient information on the terms of the offer and the securities to be offered.16
The Prospectus Regulation and the WpPG contain certain exemptions. In particular, thresholds with respect to institutional offerings or small offerings to retail investors apply. The Prospectus Regulation sets out detailed criteria on the content of the prospectus that the issuer is obliged to draw up, submit to the national regulator for approval and publish thereafter. However, EU companies that qualify as small and medium-sized enterprises (SMEs)17 that do not fall under the exemption thresholds may also offer securities tokens to the public by taking advantage of a new simplified prospectus regime (the EU Growth prospectus).18
Where the prospectus (e.g., in the case of token sales often labelled as a white paper) does not provide sufficient information – that is, all necessary information material to an investor for making an informed decision – or no prospectus exists at all, the issuer or other persons responsible may be held liable towards investors.19 Such liability may apply to the initiator or sponsor of a token sale (as the issuer) or any third party offering tokens to investors (as the offeror).
Aside from liability provisions under the prospectus laws, issuers or offerors may be subject to prospectus liability under general civil law, which is not limited to the notion of securities under MiFID II. In this case, liability does not result from a responsibility regarding information in a prospectus, but rather the violation of an independent pre-contractual duty of disclosure.
iii Asset management regulation
Collective investment undertakings
The German Capital Investment Code (KAGB) provides a comprehensive regulatory framework for the distribution, management and safekeeping of investment funds, and sets out organisational and transparency requirements for their managers and depositaries. It implements undertakings for collective investment in transferable securities (UCITS)20 and the Alternative Investment Fund Managers Directive (AIFMD).21 Prospective investors must be provided with detailed information in the form of a prospectus or offering memorandum. Failure to comply with the pertinent requirements will expose managers to liability claims.
The KAGB defines the central notion of investment undertaking broadly as a ‘collective investment undertaking, which raises capital from a number of investors, with a view to investing it in accordance with a defined investment policy for the benefit of those investors and which is not an operative undertaking outside the financial sector’.22 This definition, which is rooted in the AIFMD, may apply in particular to investment funds investing into cryptocurrency tokens, security tokens or utility tokens (crypto funds) or to crypto-mining ventures (mining pools) – that is, the pooling of resources to share processing power over a network and split the rewards according to the individual contribution to the pool.
The scope of requirements under the KAGB further depends on the type of fund. In this respect, the KAGB distinguishes between alternative investment funds (AIFs) that are available to professional and semi-professional investors only (special AIFs),23 and public investment funds,24 such as public AIFs and UCITS funds, that are available to retail investors. With respect to crypto funds, both closed and open-ended special AIFs may, at least to a certain extent (20 per cent of their assets), invest in cryptoassets as defined under the German Banking Act (KWG). As opposed to that, public AIFs and UCITS may only invest in virtual currencies if, among other things, these qualify as securities as defined under UCITS.25
Mining pools are likely to qualify as investment funds in the form of an AIF if the manager – irrespective of the legal structure – offers to external investors a pooled investment that diversifies risk and does not undertake any further operative business. This may be the case where cloud or hardware-based mining pools collect revenues to allow for a probabilistic distribution of mining rewards. A contribution in the form of tokens such as cryptocurrency tokens will likely qualify as the raising of capital for the purposes of the definition of an investment fund, but would constitute a contribution in kind. Under the KAGB, this form of contribution is permitted with respect to special AIFs, but not with respect to public AIFs and UCITS.26
Asset investments
Complementary to the KAGB, the German Asset Investment Act (VermAnlG) sets out further requirements for investments offered publicly to retail investors. It only applies to asset investments that do not qualify as investment funds under the KAGB or as securities under the WpPG, and that are distributed in a public offering. These rules may apply to tokens of any type (i.e., cryptocurrency tokens, security tokens or utility tokens), in particular where a securities token embeds certain characteristics of an investment (e.g., the promise of future revenues) but does not meet all criteria required for the qualification of a transferable security under MiFID II (e.g., where it lacks tradability owing to insufficient standardisation or barriers to transferability).
Under the VermAnlG, a token could qualify as an asset investment as defined under an exhaustive list. These include investments that grant a participation in the profits of a company, trust assets, participatory or subordinated loans, profit participation rights, registered bonds or other investments that promise interest and repayment.27
In the context of a typical initial coin offering (ICO), the private placement exemption under the VermAnlG is unlikely to apply as it requires that no more than 20 instruments are offered, the volume of all investments offered within 12 months does not exceed €100,000 or the minimum investment exceeds €200,000 per investor.28 Issuers of certain types of asset investments may, however, benefit from privileges applicable to crowdfunding and social or charitable projects if the total volume of the issuance does not exceed €6 million in the case of crowdfunding and €2.5 million for social or charitable projects and certain other conditions are met.29
Unless an exemption from the prospectus requirements applies, issuers of such asset investments are required to prepare and publish a sales prospectus and an investment information sheet that are both subject to prior BaFin approval. Anyone who assumes responsibility for a prospectus and those who are assumed to have issued a prospectus may be held liable for incorrect or incomplete information in that prospectus or in the information sheet, or for the lack thereof.
iv Market abuse rules
The efficient allocation of capital and the orderly functioning of the capital markets require rules that ensure the integrity of the financial markets and investor confidence. To that effect, market abuse laws prohibit unfair market practices. Effective as of 2016, the Market Abuse Regulation (MAR)30 provides a common framework that prohibits the unlawful disclosure of inside information and market manipulation (market abuse). Both insider trading and market manipulation constitute criminal offences and may entail severe administrative fines.
MAR applies to any type of financial instrument that is traded or admitted to trading on a regulated market or a multilateral trading facility, as defined under MiFID II, as well as to financial instruments the price of which depends on, or has an effect on, such traded financial instruments (e.g., over-the-counter derivatives).31 As set out above, tokens that qualify as financial instruments under EU law (i.e., security tokens and certain utility tokens) will generally be within the scope of MAR. Nothing else follows from national provisions32 that expand the scope of MAR to goods and foreign currencies that are being traded on a domestic exchange because such an exchange – irrespective of the potential qualification of tokens as goods – includes regulated public exchanges only.
Crypto exchange operators that provide a venue to buy or sell financial instruments will typically not qualify as a regulated market but may qualify as an alternative trading venue in the form of a multilateral trading facility provided that they match buying and selling interests in a non-discretionary manner (see also Section III.i). The consent of the issuer, an approval or listing is not required: that is, the trading of tokens on a venue that qualifies as a multilateral trading facility as such may bring it into the scope of market abuse rules.
For the purposes of MAR, inside information comprises any precise information relating to a token or its issuer that ‘would be likely to have a significant effect on the prices’: that is, that reasonable investors would be likely to use such information as part of the basis of their investment decisions.33 Anyone who possesses inside information is prohibited from trading the respective instrument for its own account or that of a third party, and from recommending another person to do so, or inducing another person to do so, as such activity would constitute insider dealing.34
In addition, MAR also prohibits engaging in or attempting to engage in market manipulation. This concept includes any transaction, order or behaviour that could or is likely to give false or misleading price signals, or to secure prices at an abnormal or artificial level, or that employs a form of deception or contrivance as well as the dissemination of false or misleading signals or rumours in relation to a financial instrument and the transmission of such information in relation to a benchmark.35
Certain aspects of MAR apply to benchmarks, such as indices to which financial instruments as defined under MiFID II make reference.36 As benchmarks may be based on any type of input data, they can relate to security tokens, cryptocurrency tokens or utility tokens. In addition, Regulation (EU) 2016/1011 on indices used as benchmarks sets out detailed requirements for the provision and use of benchmarks. Crypto market data providers may therefore, without issuing financial instruments themselves, be subject to registration or authorisation requirements.
Banking and money transmission
The core issues in the realm of banking and money transmission regimes are the statutory licence requirements that may arise under various laws and bring with them, inter alia, specific supervisory, process and compliance as well as AML obligations (see Section IV).
i German Banking Act and German Investment Institution Act
For many years in Germany, prudential rules for both banking business and investment services were set out in the KWG. Following the example of EU legislation, the German legislator decided to create a dedicated prudential regime for the provision of investment services under the Investment Institution Act (WpIG). The WpIG largely mirrors the structure and regulatory approach of the KWG, while providing regulatory relief for, in particular, small and medium-sized investment institutions. In line with EU law, very large and systemically important investment institutions continue to be subject to banking regulation under the KWG.
Banking Act and Investment Institution Act licence requirements
The KWG and the WpIG entail, in line with various EU laws, the general regulatory regime for banking, financial and investment services in Germany. They set out strict licence requirements not only for classical banking but also for various financial and investment services, together with, inter alia, minimum capital requirements; management requirements (e.g., fit-and-proper tests) and risk management rules; AML and know your customer (KYC) principles complementing AML duties and responsibilities described in Section IV.iii below; supervision requirements; and a detailed framework on various other issues.
The licence requirements depend, inter alia, on the types of assets and regulated business activity in question (see below).
Failure to obtain the necessary licences may have harsh consequences: not only can administrative proceedings be brought by BaFin,37 but this may trigger criminal proceedings against responsible persons such as founders or CEOs,38 who may also face personal civil liability.
For cross-border operations, which are typical for DLT networks, BaFin takes the stance that German regulation applies not only for domestic businesses with a seat or branch in Germany,39 but also where cross-border services (e.g., crypto exchanges located abroad) actively target the domestic market (taking into account, for example, means of advertising, language, share of transactions in Germany; however, the mere accessibility of websites in Germany is unlikely to suffice as such). However, only businesses domiciled in Germany can obtain a German banking licence. A licensed financial service business can passport a German licence throughout the European Union (and vice versa). In practice, cooperation with licensed banks or financial services providers is also conceivable, with the caveat that control over the business will rest with the licensed business.40
Regulatory trigger: tokens as financial instruments
What constitutes financial services is exhaustively defined in the KWG and what constitutes investment services is exhaustively defined in the WpIG, in both cases entailing several activities related to financial instruments. One core question is, therefore, whether tokens qualify as financial instruments within the meaning of the KWG or WpIG.41 This term does not fully correspond with the same term under the German Securities Trading Act (WpHG) and MiFID II,42 but is broader and encompasses, inter alia, units of account, which BaFin has applied under the current law since 2013 in standing practice to virtual currencies (cryptocurrency tokens). This approach was confirmed in both its 2018 ICO notice43 and its second notice on prospectus and licence requirements in connection with the issuance of tokens,44 where it reiterated its position that several cryptoasset-related activities may require a licence under the KWG (see below). Differentiated by token, the regulatory approach under these notices was therefore as follows: cryptocurrency tokens qualify as financial instruments under the KWG (but not MiFID II) in the specific form of units of account.45 This category, which has so far covered units of value such as the International Monetary Fund’s special drawing rights or privately issued complementary currencies, had evolved to be the new main regulatory anchor for cryptocurrencies. Although this administrative practice finds support in the legal literature, a German appellate court rejected this approach in criminal proceedings involving the operation of a Bitcoin exchange.46 The court had doubts that such a broad reading of regulatory licensing requirements that are subject to criminal penalties is compatible with legal certainty.
However, the discussion on whether cryptocurrency tokens are units of account has become moot in the course of the implementation of Directive (EU) 2018/843, which extends anti-financial crime rules to virtual currencies, into German law. A KWG amendment, which came into force on 1 January 2020, has explicitly added cryptoassets to the key concept of financial instruments47 and, upon enactment of WpIG, cryptoassets were also included in the list of WpIG financial instruments.48 The KWG and the WpIG expressly define ‘cryptoassets’ widely as digital representations of a value that is neither issued nor guaranteed by a central bank or public entity and does not enjoy the status of a currency or money, but is accepted by natural or legal persons, as agreed or customarily, as a means of exchange or payment, or for investment purposes, and that can be transferred, stored or traded electronically (excluding e-money).49 In particular, the KWG and the WpIG include a broad range of tokens and are not confined to currency tokens, such as the amended AML Directive, but also cover security tokens by making explicit reference to ‘investment purposes’. 
Security tokens falling under MiFID II already usually qualify as financial instruments within the meaning of the KWG and the WpIG.50 Given that cryptocurrency tokens are already considered units of account, BaFin understands the new category of cryptoassets as a wide definition to catch all forms of use of crypto tokens relevant for financial markets, even where some forms may already be covered by other KWG or WpIG licensing requirements.51 However, some uncertainty remains regarding whether other categories of tokens that neither serve as a means of exchange or payment nor for ‘investment purposes’ will also qualify as financial instruments within the meaning of the KWG and the WpIG in the future.52 In that regard, BaFin’s statements explicitly exclude electronic vouchers for the purchase of goods and services, which cannot be traded and do not represent investment expectations in the gain of value of such vouchers or the issuer’s business.53 Hybrid forms of utility tokens especially will be more likely to qualify as financial instruments the more their characteristics resemble security tokens or cryptocurrency tokens. If utility token transactions also involve cryptocurrency tokens or security tokens, licence requirements may already be triggered by the latter and apply to the whole transaction.54
Regulation of token-related business models
Provided that tokens qualify as financial instruments, KWG or WpIG licences are required for a broad range of business activities if they are performed as commerce or on a scale requiring a commercial business organisation.55
A KWG or WpIG licence is particularly relevant and usually necessary for crypto exchange platforms and similar token trading models. In addition, the KWG amendment that entered into force on 1 January 2020 has expressly brought ‘crypto custody business’ within the ambit of KWG financial services, but not within the scope of WpIG investment services. ‘Crypto custody business’ within the meaning of the KWG is defined as the safekeeping, administration or safeguarding of cryptoassets or private cryptographic keys used to hold, store or transfer cryptoassets and the safeguarding of private cryptographic keys used to hold, store or transfer crypto securities within the meaning of Section 4 Paragraph 3 eWpG for others.56 Safekeeping of cryptoassets includes, in particular, the storage of cryptoassets in a collective inventory where the customers have no knowledge of the cryptographic keys used. Administration of cryptoassets includes the exercise of rights resulting from a cryptoasset, such as collection activities or notification services. Safeguarding of cryptoassets includes not only the service of digital storage of private cryptographic keys, but also the storage of physical data storage devices (e.g., USB sticks) on which such keys are saved. The mere offering of hardware and software that is operated by users for such purposes without access of providers to cryptographic keys is not subject to licensing requirements. The same is true for web hosting or cloud storage providers as long as they do not explicitly offer key storage.57 This broad definition has also brought wallet providers within the scope of financial services, but is not limited to such services. In this respect, again, the KWG amendment goes beyond the definition of Directive (EU) 2018/843 as the new regulated activity also extends to safekeeping and administration services as well as to the concept of cryptoassets. 
A recent legislative proposal may further improve custody laws by (1) introducing requirements for the cryptoasset custodian to segregate cryptoassets and private keys and introduce certain safekeeping rules for cryptoassets held in omnibus accounts (implementing MiCA requirements) and, consequently, (2) to deem cryptoassets held in custody to belong to the customer and treat such assets as insolvency remote.58
Another KWG amendment, which took effect on 1 July 2021, has brought the maintenance of a crypto security register within the scope of KWG financial services, but not within the ambit of WpIG investment services.59 Crypto security registers within the meaning of the KWG allow for the issuance of electronic securities that are created by making a register entry into such a crypto security register.60
Aside from the crypto custody business and the maintenance of a crypto security register, licensing requirements that were previously discussed may still have relevance for related services61 on the basis that such activities may constitute investment broking62 (where broking transactions involve the purchase and sale of financial instruments, which may also be done through an electronic platform)63 or the operation of a multilateral trading facility64 (which brings together multiple third-party buying and selling interests in financial instruments in the system, in accordance with non-discretionary rules and in a way that results in a contract).65 Business models should also be assessed as to whether they might be considered as financial broking services66 (with the purchase and sale of financial instruments in a service provider’s own name but on a third party’s account)67 or contract broking68 (where the aforementioned purchase and sale occur in a third party’s name on its account).69 The further case of proprietary trading70 is quite broad, and involves the purchase and sale of financial instruments as a market maker, systematic internaliser or participant in markets with high-frequency trading systems, and also cases where purchases and sales on a person’s own account are offered as a specific service for others.71 This may be relevant, for example, for solicited regular buying and selling activities in virtual currencies if such activities involve a further services element (e.g., if the entity has better access to the market or creates a market by regular trading activities that would otherwise not be available for others).72 In any case, this will require a case-by-case assessment of the technical and functional details. The provision of these related services can be combined with a cryptocustody or a crypto security register licence under the KWG if they remain confined to cryptoassets and do not extend to other types of financial instruments. If they do extend to other types of financial instruments, a separate WpIG licence is required and these services cannot be provided by the KWG regulated entity providing cryptocustody services.
BaFin further states that in the context of ICOs, depending on the individual circumstances, underwriting business73 (with the taking over of financial instruments at one’s own risk for placement)74 or placement business75 (with the placement of financial instruments without a firm commitment basis)76 require a licence.
Other typical regulated financial intermediary activities may also require a prior KWG or WpIG licence if such activities are offered in connection with virtual currency business models. This may be the case for rendering investment advice77 (in the form of personal recommendations for transactions in specified financial instruments, based on an examination of an investor’s personal circumstances and not exclusively announced through information distribution channels or to the public)78 or financial portfolio management79 (with discretionary management of individual investments in tokens as financial instruments for others).80
Within that framework, other actors in a DLT ecosystem normally do not need a KWG or WpIG licence. The mere use of virtual currencies as a means of payment does not require any licence; neither does operating a DLT network for token transactions as such, given that the network is a mere technical facility for effecting transactions and not an entity for trading and, in particular, not a multilateral trading facility.81 Finally, whether operations of miners will in the future fall under the activities regulated by the KWG and the WpIG remains to be seen. For now, this could be the case for specific services, such as organising mining pools. Where a central pool operator would sell mined virtual currency to third parties and disburse collected money or virtual currency to individual miners, the operator could be considered as acting for a third person and engaging in proprietary trading services.
ii German Payment Services Supervision Act
Further licence requirements, which may potentially be relevant for virtual currencies, exist under the Payment Services Supervision Act (ZAG). This law, which implements the Payment Services Directive82 and the E-money Directive,83 regulates in essence two types of business activities, namely rendering certain (enumerated) payment services and issuing e-money. For such business activities, the ZAG sets out certain requirements, inter alia, as to management qualifications, capital requirements and risk management.84 Structurally similar to the KWG, foreign entities require a licence if their business activities target the German market, and a ZAG licence can be passported throughout the European Union. For some KWG-licensed entities (Capital Requirements Regulation credit institutions), no additional ZAG licence is necessary.85
E-money
A licence is required for engaging in the business of issuing e-money.86 E-money is defined as electronically (including magnetically) stored monetary value represented by a claim against the issuer, which is issued against the receipt of funds for the purpose of making payment transactions, and which is accepted by a natural or legal person other than the electronic money issuer.87 Thus, where a company provides an electronic monetary value in exchange for an equal amount of (fiat) money, it will serve as an electronic means of payment for the substitution of cash. The ZAG licence covers not only issuing e-money, but also ancillary activities such as related payment services and the operation of payment systems.
While tokens can take various forms, the currently prevailing opinion is that virtual currency tokens – unlike electronic cash cards – are in the majority of cases not e-money. First, these tokens would have to be issued in exchange for (fiat) money (which is conceivable, for example, in the case of pre-mined tokens, but is not the general case).88 Second, this would require a monetary claim against a specific issuer, which virtual currency tokens (especially cryptocurrency tokens) normally do not confer.89 Third, even if a token was seen as e-money, the ZAG licence would be the responsibility of the issuer, not the miner, for example.
Payment services
The ZAG further sets out an exhaustive list of regulated payment services.90 Given that all such services are related to money in cash, bank accounts or e-money, but not (yet) to virtual currencies,91 a ZAG licence becomes relevant where virtual currency transactions involve some element of processing fiat money (rather than being wholly virtual currency transactions). It is mainly for the issuing of virtual currency tokens and exchanges that the question arises of whether they are involved in rendering payment services. As such, the most relevant issues in a virtual currency context include payment initiation services92 (which allow access to payment accounts, but without acquiring possession of the transferred money); issuing of payment instruments or acquiring of payment transactions, or both;93 or, as a broad catch-all clause,94 money remittance services,95 where a payer (without any payment accounts created) pays funds to a payment service provider with the aim of transferring a corresponding amount to a payee (or another payment service provider acting on the payee’s behalf), or where such funds are received on behalf of and made available to the payee, or both.
Thus, if an issuer or trader of virtual currency tokens collects fiat money to broker it on a platform with token purchasers, this may, depending on technical and functional details, constitute a regulated payment services business. The transferor and transferee of tokens are normally not subject to a ZAG licence; neither would a DLT network operator (if any) be regulated. The operation of miners does not normally fall under ZAG-regulated activities, and it is also doubtful whether operating virtual currency wallets (unlike e-money wallets) as such would require a ZAG licence.96
Even if activities are related to payment services, some exceptions may apply, for example, for mere technical support service providers who do not obtain possession of funds (including, for example, data processing and storage, trust and privacy protection services, authentication and communication, unless they are payment initiation and account information services),97 or commercial agent models98 (who are authorised via agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee).
Anti-money laundering
i General framework
Several actors in a DLT ecosystem may be subject to AML laws, namely the German Anti-Money Laundering Act (GwG), which provides, together with some AML-related provisions in the KWG,99 the main legal basis for AML requirements under German law. The GwG transposes the Fourth Anti-Money Laundering Directive (AMLD)100 into German law and was recently amended (see Section III) to implement the amendments to the Fourth AMLD at EU level.101 The amended AMLD further tightens AML rules as part of the European Commission’s 2016 AML action plan, which also responds to the Panama Papers revelations.
Currently, AML rules are based on a wide understanding of property that may be involved in money laundering, including assets of any kind (corporeal or incorporeal, movable or immovable, tangible or intangible),102 so that any kind of tokens involved in criminal acts can be the object of money laundering activities. This concerns not only transactions with tokens (as the main subject matter of the transaction), but also payments with tokens (a typical virtual currency case), as long as the transacting entity is subject to the AML rules.103
The amended AMLD explicitly defines virtual currencies,104 and brings entities that provide services such as holding, storing and transferring virtual currencies into the scope of the AML obligations, which most notably apply to crypto exchanges as well as to wallet providers. The amendment to the KWG (see Section III.i), which defines cryptoassets as a new category of financial instruments, goes beyond the scope of the AMLD and substantially expands the scope of AML requirements for actors in cryptoasset ecosystems.
ii AML subjects
Generally, German AML rules are based on certain listed types of obliged entities that engage in specific activities susceptible to money laundering activities.105
As far as is relevant in the context of virtual currencies, banking and financial service institutions that require a KWG licence (first and foremost token exchanges: see Section III.i) must generally comply with AML rules.106 Thus, the implementation of the amended AMLD into German law has broadened the scope of AML subjects to the extent that they require a KWG licence for operating crypto custody business or for engaging in the maintenance of a crypto security register.
Similarly, AML obligations apply to undertakings if they render certain payment or e-money services and require a ZAG licence as payment institutions and e-money institutions (see Section III.ii).107 In the (currently infrequent) event that tokens should qualify as e-money, the issuer as well as the merchant accepting such payments are also subject to AML rules.108 Previous ambiguities with regard to the classification under AML laws (e.g., qualification of token transactions as trades in goods)109 are likely to lose relevance in the course of the implementation of the amended AMLD owing to the explicit classification of a large number of tokens as cryptoassets (i.e., as financial instruments) and the related fact that a large number of intermediaries will qualify as obliged entities. However, this should still be in line with the government’s previous statements that the mere holding or use of cryptographic currencies, for example as a means of payment (as opposed to rendering services related to cryptocurrency and other tokens) should not fall under the AML rules.110
Finally, neither the network operation (if any such entity exists at all in a decentralised system) nor mining as such are currently regarded as AML-relevant activities.
iii AML duties and responsibilities
Entities subject to German AML rules must comply with various duties and responsibilities, most notably:
- establishing an adequate and effective risk management system with ongoing analysis of activity-related risks, and with customer and business-related internal security measures, which may include, for example, procedures and controls, codes of conduct or reliable compliance processes;111
- the appointment of a sufficiently equipped AML officer at management level in Germany (and a deputy) who is responsible for ensuring AML compliance;112
- customer due diligence (CDD, as a KYC principle), which aims at identifying and verifying customers and beneficial owners, for example, when entering into a business relationship, where transaction values exceed certain thresholds, where indicators of suspicious transactions exist or when information provided by customers seems to be inaccurate.113 The scope of CDD is subject to proportionality and depends on certain risk-based criteria, which may limit114 or broaden115 the CDD scope. Since 2021, general CDD is required for any transfer of cryptoassets of an equivalent value of €1,000 or more.116 As of 2023, a prohibition on purchasing German real estate with cash, cryptoassets, gold, platinum or precious stones applies.117 In addition, CDD requires the identification of politically exposed persons; and
- reporting of suspicious transactions to the Central Financial Transaction Investigation Unit where circumstances indicate that assets originate from criminal offences relevant to AML, are related to terrorist financing or where necessary identification documents have not been provided.118
Entities subject to German AML rules that are involved in the transfer of cryptoassets are subject to the German implementation of the travel rule (i.e., the obligation to collect, store and transfer information relating to a transfer of cryptoassets and the parties to such transfer). To this end, the German Federal Ministry of Finance has issued a cryptoasset transfer regulation119 mirroring the recommendations of the Financial Action Task Force’s Guidance for a Risk-Based Approach to Virtual Currencies.120 Thereby, Germany pre-empts EU legislative efforts121 to bring cryptoasset transfers within the scope of the EU transfer of funds regulation,122 which, upon its entry into force on 30 December 2024, will cause the repeal of the German cryptoasset transfer regulation.123
Regulation of exchanges
German law provides no specific regulation of virtual currency exchanges; however, the general rules apply and, since 2020, explicitly include the operation of crypto exchanges and wallet providers for cryptoassets as financial services, which require a licence. Depending on the specific activity and type of token traded, laws on securities (see Section II), banking laws (see Section III) and AML rules (see Section IV) may be applicable.
Regulation of miners
German law provides no specific regulation of miners; however, the general rules set out in this chapter apply. Normally, mining as such will require no licence, except in special cases (e.g., commercial operation of mining pools; see Section III.i).
Regulation of issuers and sponsors
For regulation of issuers, the general rules set out in this chapter apply. Depending on the specific activity and type of token traded, laws on securities (see Section II), banking laws (see Section III) and AML rules (see Section IV) may be applicable.
Criminal and civil fraud and enforcement
In addition to specific criminal regulations – as set out above for insider trading and market manipulation,124 failure to meet prospectus requirements,125 lack of required financial licences under the KWG,126 KAGB127 or ZAG,128 or money laundering129 – virtual currency-related fraudulent activities will normally fall within the scope of general criminal law (most notably computer fraud,130 unauthorised access to data131 or interference with data).132 In 2017, the German Federal Supreme Court133 convicted the operators of a botnet, which used the power of infiltrated computers to mine cryptocurrency tokens, of several data-related offences.134 Hacking and the misuse of private keys may be sanctioned as computer fraud within the context of data processing. Cases of market manipulation or transactions or ICOs with fraudulent information might also be pursued as general fraud135 or criminal breach of trust.136 Any proceeds from such activity may be the object of money laundering. Virtual currencies as proceeds from criminal offences – regardless of their legal character137 – may be subject to forfeiture.138
Criminal liability will usually coincide with civil law damages and restitution claims,139 but procedural details for virtual currencies have not yet been litigated in Germany.140 A transfer of virtual currencies in such cases can be enforced, for example, by handing over a private key to avoid – as generally under German civil procedure law – a penalty payment or imprisonment.141 For virtual currencies stored in wallets, claims against the wallet provider could also be seized.142
Apart from criminal sanctions and private civil law enforcement, administrative enforcement is the most used measure to ensure regulatory compliance in the authorities’ toolbox. In 2020 and 2021, BaFin warned investors of the risks posed by ICOs and by fraudulent online trading platforms and prohibited a number of unlicensed market participants from operating.
Tax
While virtual currency tax issues are extensively discussed, authoritative guidance is still limited, but growing. In the absence of specific virtual currency-related regulation, general German tax laws apply.
Value added tax (VAT), following the European Court of Justice Hedqvist judgment143 and guidance of the German Federal Ministry of Finance,144 will not be triggered by a conversion of cryptocurrency tokens to fiat money (and vice versa).145 Despite some uncertainties at the EU level,146 the Ministry of Finance further states the same for transaction fees (or cryptocurrency tokens) received by miners.147 In contrast, fees for services providing a wallet148 or a cryptocurrency token exchange149 (unless trading cryptocurrency tokens as an intermediary on its own behalf)150 may trigger VAT. The mere use of cryptocurrency tokens as a means of payment (instead of fiat money) normally has no influence on the qualification of transactions under tax laws,151 but may require documenting exchange rates.152 For utility tokens and security tokens, the absence of authoritative statements leads to some uncertainties. Some authors argue that the issue of security tokens will not trigger VAT, but that the issue and sale of utility tokens may be subject to VAT.
As regards taxes on profits, in May 2022, the German Federal Ministry of Finance issued a circular setting out its stance as to the income tax treatment of virtual currencies: virtual currencies are immaterial assets, and profits (e.g., as the difference between the acquisition price and disposal price, or for ICOs between the book value and issue price, after the deduction of losses and expenses like platform operating costs) can, in principle, be taxed as personal income. In particular, the issuer of utility tokens in an ICO may have accounting profits taxed if a utility token is issued in exchange for cryptocurrency tokens. According to statements of the Federal Ministry of Finance, profits from occasional mining of virtual currency may also be taxed as income.153
Details of the tax regime vary depending on whether transactions are carried out in a private or commercial context, and by whom. In a private context, tax on personal income will accrue for individuals who realise profits such as gains in virtual currency value,154 but only if in this context virtual currencies are held for less than a year.155 If virtual currencies are created or bought as a commercial activity, earnings from a sale or exchange may be subject to taxation as business income.156 If done by commercially acting individuals or partnership companies, taxes will accrue as private income tax at the shareholder level; and if done by (both public and private) limited liability companies, taxes will accrue at the corporate level.
Other issues
Anyone commercially involved in a virtual currency business must refrain from false advertising and supplying misleading information. Thus, even in the absence of specific prospectus obligations (see Section II.ii), ICO white papers must be correct and not omit relevant information, and information on the prospects of success and economic development must not be misleading. This follows from German unfair competition law,157 which is quite effectively enforced by competitors, business associations and consumer organisations. Furthermore, potential contractual parties are required to act truthfully, and may under special circumstances have to proactively disclose information that is important but unknown to the other party under general civil law. If they withhold such information or provide false information, they may be held liable.158 It is argued that this may also apply to issuers of tokens.
Operators of internet platforms where virtual currency tokens are commercially offered may also have to comply with general e-commerce and consumer protection laws.159 Because the legal nature of tokens may vary, some uncertainties exist as to the applicability of such regulations. While the European Central Bank has stated that neither consumer rights nor e-commerce regulations are applicable to cryptocurrency token transactions,160 it is conceivable that at least utility tokens could be subject to such regulation. If applicable, this would include extensive information duties (e.g., on entrepreneur’s identity, modalities of online contract formation, characteristics of goods and services, costs)161 and – rather theoretically – customer withdrawal rights in some cases.162
Looking ahead
While the current virtual currency regulation and regulatory practice are still, to some extent, shaped by legal uncertainty and the various national approaches of EU Member States (which means that business models have to be discussed with individual regulators), with MiCA ante portas, the regulatory framework for virtual currencies will be largely harmonised across EU Member States in the foreseeable future.
In addition to the regulatory (i.e., public law) aspects discussed in this chapter, the legal discussion about the issuance, administration and servicing of tokens increasingly takes civil and corporate law aspects into consideration. More fundamentally, use cases and activities related to securities tokens raise the question of potential efficiency gains in post-trade activities; that is, the holding, clearing and settling of securities through custody chains governed by DLT protocols. In this context, two technical concepts appear to emerge: the issuance of tokens linked to securities held by the German central securities depository (CSD) (mirror DLT securities) and the genuine issuance of tokens on a DLT platform in book-entry form (genuine DLT securities). By enacting the eWpG, German lawmakers have taken a first step to foster the issuance of genuine DLT securities. While limited to electronic bonds and investment fund units initially, German lawmakers have recently proposed to expand its scope to electronic shares.