Germany Tokenization Regulation: BaFin, Crypto Custody License, and the eWpG

Overview

Germany’s approach to digital asset regulation reflects its tradition of prescriptive statutory law and integrated financial supervision. Two legislative instruments are foundational: the crypto custody license under Section 1(1a) of the Kreditwesengesetz (KWG, Banking Act), in force since January 2020, which created Germany’s first purpose-built regulatory category for cryptocurrency custody; and the Gesetz über elektronische Wertpapiere (eWpG, Electronic Securities Act), in force since 2021, which introduced dematerialized electronic securities — including a DLT-based variant — into German securities law.

Germany is simultaneously one of Europe’s most developed crypto regulatory environments and one of the strictest: BaFin’s licensing process is demanding, its ongoing supervision active, and its enforcement posture consistent. For tokenization businesses, Germany offers substantial regulatory certainty but at the cost of compliance infrastructure that is significantly more burdensome than lighter-touch jurisdictions.

Primary Regulator: BaFin

BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) is Germany’s integrated financial supervisor, covering banking, insurance, securities, and — since 2020 — crypto custody. BaFin acts as MiCA’s National Competent Authority (NCA) for Germany and is expected to be one of Europe’s most active MiCA supervisors given Germany’s significance as a financial center and its existing supervisory infrastructure.

BaFin coordinates with the Deutsche Bundesbank on macro-prudential matters and with the European Banking Authority (EBA) and ESMA on digital asset regulatory policy.

Crypto Custody License: Section 1(1a) KWG

The German legislature amended the KWG in January 2020 to add crypto custody business (Kryptoverwahrgeschäft) as a new regulated financial service under Section 1(1a) KWG. Any entity providing custody, management, or safeguarding of crypto assets or private keys on behalf of third parties requires BaFin authorization as a crypto custody institution.

Capital requirements: Minimum initial capital of €730,000 (reflecting the KWG requirement for investment firms). BaFin may require higher capital based on risk profile and business volume.

Organizational requirements: Crypto custody institutions must meet bank-comparable organizational standards: a two-member management board (four-eyes principle), a compliance function, internal audit, risk management, and IT security requirements per BAIT (Banking Supervisory Requirements for IT). Outsourcing of material functions requires BaFin notification.

20+ licensed custodians: By 2024, over 20 entities held BaFin crypto custody authorizations, including major banks (Bayern LB subsidiary, DekaBank), specialized custodians (Tangany, Finoa, Metaco Germany), and infrastructure providers. This makes Germany the European country with the highest concentration of licensed crypto custodians.

MiCA transition: BaFin has confirmed that entities holding a KWG crypto custody license are eligible for the MiCA grandfathering period (until December 30, 2025) and can continue operations while completing their MiCA CASP authorization application. The KWG crypto custody category maps most directly onto MiCA’s “custody and administration of crypto-assets on behalf of clients” service category.

eWpG: Electronic Securities Act (2021)

The Gesetz über elektronische Wertpapiere (eWpG), in force since June 2021, modernized German securities law to permit the issuance of dematerialized securities — without physical certificates — in two forms:

Central Register Securities (Zentralregister-Wertpapiere): Recorded in a central securities register (Zentralregister) maintained by a custodian licensed under KWG. Settlement is through conventional CSD infrastructure (Clearstream Banking Frankfurt). This is a dematerialization of existing processes rather than a DLT innovation.

Crypto Securities (Kryptowertpapiere): The more innovative category. A crypto security is a security recorded in a crypto securities register (Kryptowertpapierregister) — which may be maintained on a DLT network by a licensed crypto securities registrar (Kryptowertpapierregistrierungsstelle). The crypto security has the same legal character as a traditional bearer or registered security; transfer is effected by register entry rather than physical delivery.

Crypto Securities Registrar License: Operating a Kryptowertpapierregister requires BaFin authorization as a crypto securities registrar. The registrar must ensure the integrity and immutability of the register, provide a public lookup function, and maintain records sufficient for regulatory audit. Several entities have applied for or received this authorization, including Cashlink Technologies and SWIAT.

Scope limitation: Currently, the eWpG applies only to certain securities types — bonds (Schuldverschreibungen) and investment fund units. Equity securities (shares in German AGs) are not yet within scope, reflecting the more complex private law implications of DLT-based share registers.

MiCA: BaFin as National Competent Authority

BaFin is Germany’s designated NCA for MiCA’s full scope: authorization of CASPs, supervision of ART and EMT issuers, and enforcement of MiCA’s conduct obligations. BaFin has announced that it will apply its existing supervisory rigour to MiCA applications — applicants should expect detailed information requests, on-site inspections, and extended review periods relative to smaller NCAs.

Grandfathering period: Entities operating under the KWG crypto custody license (and other national authorizations) as of December 30, 2024 have an 18-month grandfathering period — until June 30, 2026 — to complete their MiCA CASP authorization. This is the maximum permissible grandfathering under MiCA Article 143.

BaFin has published detailed guidance on the MiCA application process, including required documentation for each CASP category, fit-and-proper assessment procedures, and capital verification methods.

AML/KYC Requirements

German digital asset businesses are subject to:

• Geldwäschegesetz (GwG — German Anti-Money Laundering Act): Crypto custody institutions and crypto securities registrars are obligated entities under GwG. Full KYC at onboarding, risk-based transaction monitoring, EDD for high-risk circumstances, and STR reporting to FIU Deutschland (the German Financial Intelligence Unit, operated under BKA).
• Travel Rule: Germany implemented the FATF Travel Rule for crypto transfers in 2023. Transfers of €0 and above require originator/beneficiary data under the EU Transfer of Funds Regulation — Germany applies the TFR zero-threshold from December 30, 2024 under full MiCA application.
• Sanctions: BaFin issues binding directions on sanctions compliance. Screening against EU consolidated sanctions list, UN list, and German national designations required.

Compliance Checklist: Germany Tokenization Operations

• If providing crypto custody services to German clients: apply for BaFin crypto custody license under Section 1(1a) KWG; prepare €730,000 minimum capital
• If issuing electronic securities: assess whether the instrument qualifies under eWpG as Schuldverschreibung or fund unit; engage licensed Kryptowertpapierregistrierungsstelle for DLT-based issuance
• If operating a Kryptowertpapierregister: apply for BaFin crypto securities registrar authorization
• If already holding KWG crypto custody authorization: file MiCA CASP application before grandfathering window expires (June 30, 2026)
• Implement GwG AML program: KYC, risk assessment, transaction monitoring, FIU Deutschland STR filing
• Implement EU Travel Rule (zero threshold as of December 30, 2024) under TFR
• Ensure management board composition meets KWG four-eyes principle; obtain BaFin approval for all managing directors
• Implement BAIT-compliant IT security program for customer-facing technology systems
• Engage Clearstream Banking Frankfurt if using central securities register for eWpG securities; engage licensed crypto registrar for Kryptowertpapier
• Monitor BaFin’s MiCA supervisory guidance for Germany-specific implementation requirements

Authority References

• ESMA — MiCA and BaFin NCA coordination
• EUR-Lex — MiCA Regulation full text
• BIS — Crypto regulatory policy

For comparison of BaFin MiCA processing vs. other EU NCAs, see the Licensing Matrix. For eWpG terminology and electronic securities definitions, see the Regulatory Encyclopedia. For the broader EU MiCA framework, see our MiCA analysis.