BaFin Digital Asset Supervision: Crypto Custody and MiCA Implementation

Overview

The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, or BaFin) is Germany’s integrated financial market regulator, supervising banks, insurance companies, securities markets, and investment services across the largest economy in the EU. BaFin’s digital asset regulatory framework is distinctive for two features: Germany’s early decision to classify crypto custody as a regulated financial service requiring BaFin licensing under the Banking Act (Kreditwesengesetz, KWG), implemented in January 2020; and the Electronic Securities Act (Gesetz über elektronische Wertpapiere, eWpG), enacted in June 2021, which created a legal basis for electronic securities — including blockchain-based securities — under German law.

BaFin’s role in the MiCA era is especially significant because Germany is the home jurisdiction for several of the largest crypto-asset businesses operating in the EU, making BaFin the de facto home NCA for major CASP authorization applications that will be passported across the EU market.

Crypto Custody as a Licensed Financial Service: KWG Section 1(1a)

In January 2020, Germany amended the KWG to add crypto custody as a new category of financial service under Section 1(1a) sentence 2 No.6. The amendment required any entity providing the safekeeping, management, or securing of crypto assets or private cryptographic keys for others on a commercial basis in Germany to obtain a BaFin license for crypto custody before the end of 2020 (with a transitional period for firms operating prior to January 2020).

This legislative step — which preceded MiCA by more than four years — made Germany one of the first major EU jurisdictions to create a formal licensing requirement for crypto custody, and it has produced the most developed body of EU regulatory practice on crypto custody compliance. BaFin has granted more than 20 crypto custody licenses, with applicants including Coinbase Germany GmbH, Bitpanda Technology Solutions, the Stuttgart-based BISON exchange (operated by Boerse Stuttgart Digital), and Tangany GmbH.

The KWG crypto custody license requirements include: minimum initial capital of EUR 125,000 (aligned with the MiFID II minimum capital for ancillary financial service providers), fit and proper assessment of management board members and qualifying shareholders, organizational requirements for AML/CFT systems, technology risk management consistent with BaFin’s banking supervision circular standards, and reporting obligations to BaFin on business activities and incidents.

Electronic Securities Act (eWpG): Tokenized Securities Under German Law

Germany’s eWpG, enacted in June 2021, created a legal framework for electronic securities — including crypto securities (Kryptowertpapiere) registered on a DLT system. Prior to eWpG, German securities law required physical certificates or book-entry registration with a recognized CSD (Clearstream Banking AG); blockchain-based recordkeeping had no legal status under German securities law.

The eWpG distinguishes between:

Central Register Securities (Zentralregisterwertpapiere): electronic securities registered in a central electronic securities register maintained by a licensed entity (CSD, credit institution, or investment firm). The register operator must meet BaFin licensing requirements specific to the central register function.

Crypto Securities (Kryptowertpapiere): electronic securities registered on a decentralized DLT system (blockchain). Crypto securities do not require a central register operator — the DLT system itself serves as the register — but the issuer must notify BaFin of the issuance and the DLT system used.

The eWpG currently covers bearer bonds (Inhaber-Schuldverschreibungen) — a category that encompasses most German corporate bonds and structured notes — and has been extended to fund units. Coverage of equity (shares in German stock corporations) requires further legislative development of the German stock corporation law (Aktiengesetz), which still requires physical share registers.

BaFin oversight of eWpG crypto securities involves: receiving issuance notifications from issuers, publishing the public crypto securities register, and supervising the conduct obligations applicable to entities providing services connected to electronic securities.

MiCA Implementation: Germany as Home NCA

Germany’s significance in MiCA implementation exceeds its domestic market size. Several of the largest crypto-asset businesses in Europe have chosen Germany as their MiCA home member state, making BaFin the NCA responsible for their CASP authorization and ongoing supervision — with passporting rights across all 27 EU member states.

BaFin has published transitional provisions for entities that held KWG crypto custody licenses or other pre-MiCA German regulatory status, specifying the pathway for transitioning to MiCA CASP authorization within the 18-month transitional period ending June 2026. Entities with existing BaFin licenses benefit from expedited review of MiCA applications — BaFin can apply MiCA authorization conditions to existing licensees without requiring a full de novo application in many cases.

BaFin has also published guidance addressing the interaction between the eWpG framework and MiCA: crypto securities registered under eWpG are instruments to which MiCA does not apply (as they are financial instruments under MiFID II), but services connected to crypto securities (custody, trading, issuance of related crypto-assets) may require both eWpG compliance and MiCA CASP authorization depending on the specific activity.

Interaction with BaFin’s Securities and Investment Supervision

BaFin supervises securities markets and investment services through its securities supervision division (Wertpapieraufsicht), which is distinct from its banking supervision division (Bankaufsicht). For tokenized securities — eWpG crypto securities, fund tokens, and other blockchain-based financial instruments — BaFin’s securities supervision applies the same investor protection, prospectus, and market conduct obligations as for conventional securities. The digital or tokenized format of the instrument does not create an exemption from German securities law.

The Securities Prospectus Act (Wertpapierprospektgesetz, WpPG) — implementing the EU Prospectus Regulation — applies to public offerings of eWpG crypto securities, requiring a BaFin-approved prospectus for public offers above EUR 8 million. Private placements below this threshold or directed exclusively to qualified investors may benefit from prospectus exemptions, as under conventional securities offerings.

Further Resources

• ESMA — MiCA Coordination
• MiCA Regulation Overview
• Jurisdiction Profiles — Germany
• Tokenization Licensing Overview