The Virtual Currency Regulation Review: Germany

Introduction to the legal and regulatory framework

As early as 2013 – shortly after virtual currencies gained public attention and the first investor risk warnings could be heard2 – the German financial regulatory authority (BaFin) was quick to bring virtual currencies like Bitcoin within the general financial services licensing scheme (see Section III.i). Distributed ledger technology (DLT) has developed since, and brought with it various business models based on a multitude of tradable token types as digital representations of value.

While Germany has no specific regulatory framework for virtual currencies and other virtual assets in place yet, the general financial regulatory regime applies instead, and brings various types of DLT tokens within the ambit of capital markets, banking, financial services, anti-money laundering (AML) and other laws. In some aspects, the application of these legal regimes for virtual currencies has recently been clarified by the legislature (e.g., use of digital registers for dematerialised securities).3 BaFin itself, in line with the European Union, emphasises a reasonable approach, aiming to eliminate risks to financial stability and consumers through virtual currencies, while not stifling innovation. However, the complexity of this regulatory regime with numerous and partially overlapping German and EU sources of law, as well as the initial lack of clarity in regulatory guidance by BaFin and the European Securities and Markets Authority (ESMA),4 have led to some legal uncertainty. Regulators meanwhile acknowledge the wide variety of cryptoassets and seem to keep pace with new guidance,5 emphasising the need for a case-by-case analysis, a technology-neutral approach, and a level playing field for similar activities and assets regardless of their form.6 However, a clear overall picture for the vast number of applications and business models is only emerging slowly. Against this background, the European Commission's proposal for a markets in cryptoasset regulation (MiCA)7 published in September 2020 not only has the potential to provide for an EU harmonised regulatory framework for cryptoassets, but could also be a catalyst for the development of a consistent approach to the panoply of cryptoasset-related business activities. While MiCA, by virtue of its nature as a directly applicable regulation, will shape the future of cryptoasset regulation in Germany, it does not determine the regulatory present. Neither the Council nor the European Parliament have taken a stance on MiCA yet. With the legislative process still being at an early stage and MiCA likely not applying before the middle or end of 2022, if not later, this chapter will refrain from discussing MiCA in more detail and leave that to future editions.

As a basis for this chapter, we make a distinction between three types of tokens that has proven useful in practice, namely:

  1. cryptocurrency tokens, which are mainly designed as a means of payment or store of value, and thus shall serve as decentralised virtual currencies for transactions with third parties or marketplaces (with Bitcoin as the prominent example);
  2. security tokens, which confer upon their holders access to future profits, interest or possibly some control rights over the issuer (e.g., voting rights on certain business decisions, projects, investments), and are therefore in their function similar to rights typically conferred by securities; and
  3. utility tokens, which do not entitle the holder to payment, but confer access to certain products or services (e.g., specific functions of the respective DLT network) that may already exist or will be developed in the future. Provided that the tokens can be traded on secondary markets, however, holders also may generate profits from the sale of utility tokens.

This classification provides a mere rule of thumb, as hybrid token forms can be easily designed and exist in various business models. Utility tokens especially may take such hybrid forms if their value proposition is not mainly access to services, but also depends on future developments and thus may have a speculative investment component driven by profit expectations through subsequent sales on secondary markets. For such tokens, the regulatory regime is briefly as follows:

  1. cryptocurrency tokens are regulated under banking laws (but are not considered securities) and related services may require a licence in Germany;
  2. security tokens are now also regulated under banking laws and they will often be considered securities, which means various capital market and investment laws (with prospectus requirements) may apply;
  3. the regulatory treatment of utility tokens is rather unclear, with good arguments that their service-related (rather investment-related) characteristics justify not applying capital market laws, since typical investor information asymmetries are not concerned; and
  4. AML rules may apply to all of them.

In any case, the German regulator will engage in an individual case-by-case assessment based on the specific functional token design (form follows function).8

Securities and investment laws

This section provides an overview of the qualification of tokens under securities laws, prospectus requirements and liability, asset management regulation and market integrity laws.

i General qualification of tokens under securities laws

The qualification of tokens as financial instruments and, in particular, securities under the securities laws constitutes the linchpin for the application of any financial and capital market regulation. Under German and European law, a commonly accepted or uniform definition of the notion of a security – such as the Howey test under US securities laws9 – does not exist. Any legal assessment of cryptocurrency tokens, security tokens or utility tokens therefore applies only with respect to the corresponding legal act.

Within an increasingly interlinked framework of EU financial regulation, the revised EU Markets in Financial Instruments Directive 2014/65/EU (MiFID II) constitutes the central reference point, as most EU regulatory acts – including prospectus laws and market abuse laws – refer to the MiFID definition of financial instruments. Under Germany's securities and banking laws, however, a different definition applies (see Section III).

Article 4 Paragraph 1 No. 15 and Section C of Annex I of MiFID II define the term financial instrument under an exhaustive enumeration of different types of instruments of which transferable securities are the most relevant in the context of token sales. Under Article 4 Paragraph 1 No. 44 MiFID II, the notion of transferable securities is defined as 'those classes of securities which are negotiable on the capital market, with the exception of payment instruments, such as: (a) shares in companies and other securities equivalent to shares in companies . . . (b) bonds or other forms of securitised debt . . . (c) any other securities giving the right to acquire or sell any such transferable securities'.10

The decisive characteristic for classification as a security is therefore tradability on the capital market. This requires, more specifically, that a security – under a case-by-case-assessment – meets the formal criteria of transferability, standardisation and tradability, and is comparable to the examples of the definition from a functional perspective.

First, as regards transferability, it may generally be assumed that tokens can be transferred freely among holders, for example, by way of assignment, and that crypto exchanges allow for liquid secondary markets in those tokens (i.e., that the first criterion will regularly be met).

Secondly, a token will require a sufficient degree of standardisation. Currently, virtual currencies are standardised in the sense of a uniform structure within one issuance of tokens only, but there is no uniform token standard among different categories and types in the sense of a common protocol or platform. Taking into account that standardisation serves the purpose of tradability to allow for efficient trading, however, it becomes clear that a standardisation on the level of the individual issuance should be deemed sufficient.

Thirdly, the actual trading of tokens on crypto exchanges indicates their tradability on a capital market. To the extent that tokens – immaterial by nature – cannot be acquired in good faith,11 this does not lead to a different result: distributed ledger or blockchain technology serves as a functional equivalent of a bona fide acquisition, as transactions may not be reversed for technical reasons.12

Fourthly, and most importantly, according to the prevailing interpretation of securities requirements, a token must be functionally comparable to one of the examples listed in the definition. This criterion substantially limits the scope of tokens qualifying as securities as it requires the token to be similar to shares, bonds or other securities traded on capital markets. Where a token promises access to future revenue streams (e.g., profit-based or interest-like) and possibly control rights, such a securities token will likely be comparable to traditional securities. Where, in contrast, the characteristics of tokens are rather comparable to traditional money, they should not constitute securities, as the definition explicitly excludes payment instruments.

Utility tokens that promise future access to goods or services, however, prove difficult to qualify and should be carefully assessed in light of their individual characteristics: if a token, from an objective point of view, may be regarded as an investment promising an increase in value and serves as a corporate financing instrument rather than a means of direct or immediate access to goods or services, it could potentially qualify as a security.13 Simply put, if a token embeds 'hope and expectations' rather than access to use, its qualification as a security for the purposes of MiFID II appears likely. Whether and to what extent utility tokens should be further included in investor protection legislation is currently being discussed on an EU and German level.14

ii Prospectus requirements and liability

To provide investors with sufficient information to make an informed investment decision, thereby reducing informational asymmetries and allowing for an efficient allocation of capital, securities laws set out formal prospectus requirements.

As of 21 July 2019, the Prospectus Regulation15 provides a common legal basis for securities offerings in the European Union. The German Securities Prospectus Act (WpPG), which originally implemented the Prospectus Directive,16 now provides rules complementing the Prospectus Regulation. Both legal acts require, first and foremost, securities within the meaning of MiFID II to be offered to the public. In addition, under the WpPG, issuers of electronic securities within the meaning of the eWpG have to publish a security information sheet, which can be described as a mini-prospectus.17 With respect to investments that do not qualify as MiFID II securities, prospectus requirements under asset management laws may apply (see below).

Securities must be offered to the public or admitted to trading on a regulated market. With respect to (securities) token issuances, an admission to trading on a regulated market appears unlikely, as these are authorised and regulated public law institutions under the German Stock Exchange Act that require participants to be formally admitted to trading. An offer may, however, constitute an offer of securities to the public, given that the definition includes communication in any form and by any means that presents sufficient information on the terms of the offer and the securities to be offered.18

The Prospectus Regulation and the WpPG contain certain exemptions. In particular, thresholds with respect to institutional offerings or small offerings to retail investors apply. The Prospectus Regulation sets out detailed criteria on the content of the prospectus that the issuer is obliged to draw up, submit to the national regulator for approval and publish thereafter. However, EU companies that qualify as small and medium-sized enterprises (SMEs)19 that do not fall under the exemption thresholds may also offer securities tokens to the public by taking advantage of a new simplified prospectus regime (the EU Growth prospectus).20

Where the prospectus (e.g., in the case of token sales often labelled as a white paper) does not provide sufficient information – that is, all necessary information material to an investor for making an informed decision – or no prospectus exists at all, the issuer or other persons responsible may be held liable towards investors.21 Such liability may apply to the initiator or sponsor of a token sale (as the issuer) or any third party offering tokens to investors (as the offeror).

Aside from liability provisions under the prospectus laws, issuers or offerors may be subject to prospectus liability under general civil law, which is not limited to the notion of securities under MiFID II. In this case, liability does not result from a responsibility regarding information in a prospectus, but rather the violation of an independent pre-contractual duty of disclosure.

iii Asset management regulation

Collective investment undertakings

The German Capital Investment Code (KAGB) provides a comprehensive regulatory framework for the distribution, management and safekeeping of investment funds, and sets out organisational and transparency requirements for their managers and depositaries. It implements undertakings for collective investment in transferable securities (UCITS)22 and the Alternative Investment Fund Managers Directive (AIFMD).23 Prospective investors must be provided with detailed information in the form of a prospectus or offering memorandum. Failure to comply with the pertinent requirements will expose managers to liability claims.

The KAGB defines the central notion of investment undertaking broadly as a 'collective investment undertaking, which raises capital from a number of investors, with a view to investing it in accordance with a defined investment policy for the benefit of those investors and which is not an operative undertaking outside the financial sector'.24 This definition, which is rooted in the AIFMD, may apply in particular to investment funds investing into cryptocurrency tokens, security tokens or utility tokens (crypto funds) or to crypto-mining ventures (mining pools) – that is, the pooling of resources to share processing power over a network and split the rewards according to the individual contribution to the pool.

The scope of requirements under the KAGB further depends on the type of fund. In this respect, the KAGB distinguishes between alternative investment funds (AIFs) that are available to professional and semi-professional investors only (special AIFs),25 and public investment funds,26 such as public AIF and UCITS funds, that are available to retail investors.

With respect to crypto funds, closed and, following a recent legislative reform, also open-ended special AIF may, at least to a certain extent (20 per cent of their assets) invest in cryptoassets as defined under the KWG. As opposed to that, public AIFs and UCITS may only invest in virtual currencies if, among other things, these qualify as securities as defined under UCITS.27

Mining pools are likely to qualify as investment funds in the form of an AIF if the manager – irrespective of the legal structure – offers to external investors a pooled investment that diversifies risk and does not undertake any further operative business. This may be the case where cloud or hardware-based mining pools collect revenues to allow for a probabilistic distribution of mining rewards. A contribution in the form of tokens such as cryptocurrency tokens will likely qualify as the raising of capital for the purposes of the definition of an investment fund, but would constitute a contribution in kind. Under the KAGB, this form of contribution is permitted with respect to special AIFs, but not with respect to public AIFs and UCITS.28

Asset investments

Complementary to the KAGB, the German Asset Investment Act (VermAnlG) sets out further requirements for investments offered publicly to retail investors. It only applies to asset investments that do not qualify as investment funds under the KAGB or as securities under the WpPG, and that are distributed in a public offering. These rules may apply to tokens of any type (i.e., cryptocurrency tokens, security tokens or utility tokens), in particular where a securities token embeds certain characteristics of an investment (e.g., the promise of future revenues) but does not meet all criteria required for the qualification of a transferable security under MiFID II (e.g., where it lacks tradability owing to insufficient standardisation or barriers to transferability).

Under the VermAnlG, a token could qualify as an asset investment as defined under an exhaustive list. These include investments that grant a participation in the profits of a company, trust assets, participatory or subordinated loans, profit participation rights, registered bonds or other investments that promise interest and repayment.29

In the context of a typical initial coin offering (ICO), the private placement exemption under the VermAnlG is unlikely to apply as it requires that (either) no more than 20 instruments are offered, the volume of all investments offered within 12 months does not exceed €100,000 or the minimum investment exceeds €200,000 per investor.30 Issuers of certain types of asset investments may, however, benefit from privileges applicable to crowdfunding and social or charitable projects if the total volume of the issuance does not exceed €2.5 million and certain other conditions are met.31

Unless an exemption from the prospectus requirements applies, issuers of such asset investments are required to prepare and publish a sales prospectus and an investment information sheet that are both subject to prior BaFin approval. Anyone who assumes responsibility for a prospectus and those who are assumed to have issued a prospectus may be held liable for incorrect or incomplete information in that prospectus or in the information sheet, or for the lack thereof.

iv Market abuse rules

The efficient allocation of capital and the orderly functioning of the capital markets require rules that ensure the integrity of the financial markets and investor confidence. To that effect, market abuse laws prohibit unfair market practices. Effective as of 2016, the Market Abuse Regulation (MAR)32 provides a common framework that prohibits the unlawful disclosure of inside information and market manipulation (market abuse). Both insider trading and market manipulation constitute criminal offences and may entail severe administrative fines.

MAR applies to any type of financial instrument that is traded or admitted to trading on a regulated market or a multilateral trading facility, as defined under MiFID II, as well as to financial instruments the price of which depends on, or has an effect on, such traded financial instruments (e.g., over-the-counter derivatives).33 As set out above, tokens that qualify as financial instruments under EU law (i.e., security tokens and certain utility tokens) will generally be within the scope of MAR. Nothing else follows from national provisions34 that expand the scope of MAR to goods and foreign currencies that are being traded on a domestic exchange because such an exchange – irrespective of the potential qualification of tokens as goods – includes regulated public exchanges only.

Crypto exchange operators that provide a venue to buy or sell financial instruments will typically not qualify as a regulated market, but may qualify as an alternative trading venue in the form of a multilateral trading facility provided that they match buying and selling interests in a non-discretionary manner (see also Section III.i). The consent of the issuer, an approval or listing are not required: that is, the trading of tokens on a venue that qualifies as a multilateral trading facility as such may bring it into the scope of market abuse rules.

For the purposes of MAR, inside information comprises any precise information relating to a token or its issuer that 'would be likely to have a significant effect on the prices': that is, that reasonable investors would be likely to use such information as part of the basis of their investment decisions.35 Anyone who possesses inside information is prohibited from trading the respective instrument for its own account or that of a third party, and from recommending another person to do so, or inducing another person to do so, as such activity would constitute insider dealing.36

In addition, MAR also prohibits engaging in or attempting to engage in market manipulation. This concept includes any transaction, order or behaviour that could or is likely to give false or misleading price signals, or to secure prices at an abnormal or artificial level, or that employs a form of deception or contrivance as well as the dissemination of false or misleading signals or rumours in relation to a financial instrument and the transmission of such information in relation to a benchmark.37

Certain aspects of MAR apply to benchmarks, such as indices that financial instruments as defined under MiFID II make reference to.38 As benchmarks may be based on any type of input data, they can relate to security tokens, cryptocurrency tokens or utility tokens. In addition, Regulation (EU) 2016/1011 on indices used as benchmarks sets out detailed requirements for the provision and use of benchmarks. Crypto market data providers may, therefore, without issuing financial instruments themselves, be subject to registration or authorisation requirements.

Banking and money transmission

The core issues in the realm of banking and money transmission regimes are the statutory licence requirements that may arise under various laws and bring with them, inter alia, specific supervisory, process and compliance as well as AML obligations (see Section IV).

i German Banking Act

Banking Act licence requirements

The KWG entails, in line with various EU laws, the general regulatory regime for banking and financial services in Germany. It sets out strict licence requirements not only for classical banking but also for various financial services, together with, inter alia, minimum capital requirements; management requirements (e.g., fit-and-proper tests) and risk management rules; AML and know your customer (KYC) principles; supervision requirements; and a detailed framework on various other issues.

The licence requirements depend, inter alia, on the types of assets and regulated business activity in question (see below).

Failure to obtain the necessary licences may have harsh consequences: not only can administrative proceedings be brought by BaFin,39 but this may trigger criminal proceedings against responsible persons such as founders or CEOs,40 who may also face personal civil liability.

For cross-border operations, which are typical for DLT networks, BaFin takes the stance that German regulation applies not only for domestic businesses with a seat or branch in Germany,41 but also where cross-border services (e.g., crypto exchanges located abroad) actively target the domestic market (taking into account, for example, means of advertising, language, share of transactions in Germany; however, the mere accessibility of websites in Germany is unlikely to suffice as such). However, only businesses domiciled in Germany can obtain a German banking licence. A licensed financial service business can passport a German licence throughout the European Union (and vice versa). In practice, cooperation with licensed banks or financial services providers is also conceivable, with the caveat that control over the business will vest with the licensed business.42

Regulatory trigger: tokens as financial instruments

What constitutes financial services is exhaustively defined in the KWG and entails several activities related to financial instruments. One core question is therefore whether tokens qualify as financial instruments within the meaning of the KWG.43 This term does not fully correspond with the same term under the WpHG and MiFID II,44 but is broader and encompasses, inter alia, units of account, which BaFin has applied under the current law since 2013 in standing practice to virtual currencies (cryptocurrency tokens). This approach was confirmed in both its 2018 ICO notice45 and its second notice on prospectus and licence requirements in connection with the issuance of token,46 where it reiterated its position that several cryptoasset-related activities may require a licence under the KWG (see below). Differentiated by token, the regulatory approach under these notices was, therefore, as follows: cryptocurrency tokens qualify as financial instruments under the KWG (but not MiFID II) in the specific form of units of account.47 This category, which has so far covered units of value such as the International Monetary Fund's special drawing rights or privately issued complementary currencies, had evolved to be the new main regulatory anchor for cryptocurrencies. Although this administrative practice finds support in the legal literature, a German appellate court rejected this approach in criminal proceedings involving the operation of a Bitcoin exchange.48 The court had doubts that such a broad reading of regulatory licensing requirements that are subject to criminal penalties is compatible with legal certainty.

However, the discussion on whether cryptocurrency tokens are units of account has now become moot in the course of the implementation of Directive (EU) 2018/843, which extends anti-financial crime rules to virtual currencies, into German law. A KWG amendment, which came into force on 1 January 2020, has now explicitly added cryptoassets to the key concept of financial instruments.49 The KWG now expressly defines 'cryptoassets' widely as digital representations of a value that is neither issued nor guaranteed by a central bank or public entity and does not enjoy the status of a currency or money, but is accepted by natural or legal persons, as agreed or customarily, as a means of exchange or payment, or for investment purposes, and that can be transferred, stored or traded electronically (excluding e-money).50 In particular, the KWG now includes a broad range of tokens and is not confined to currency tokens, like the amended AML Directive, but also covers security tokens by making explicit reference to 'investment purposes'. Security tokens falling under MiFID II already usually qualify as financial instruments within the meaning of the KWG.51 Given that cryptocurrency tokens are already considered units of account, BaFin understands the new category of cryptoassets as a wide definition to catch all forms of use of crypto tokens relevant for financial markets, even where some forms may already be covered by other KWG licensing requirements.52 However, some uncertainty remains regarding whether other categories of tokens that neither serve as a means of exchange or payment nor for 'investment purposes' will also qualify as financial instruments within the meaning of the KWG in the future.53 In that regard, BaFin's statements explicitly exclude electronic vouchers for the purchase of goods and services, which cannot be traded and do not represent investment expectations in the gain of value of such vouchers or the issuer's business.54 Hybrid forms of utility tokens especially will be more likely to qualify as financial instruments the more their characteristics resemble security tokens or cryptocurrency tokens. If utility token transactions also involve cryptocurrency tokens or security tokens, licence requirements may already be triggered by the latter and apply to the whole transaction.55

Regulation of token-related business models

Provided that tokens qualify as financial instruments, KWG licences are required for a broad range of business activities if they are performed as commerce or on a scale requiring a commercial business organisation.56

A KWG licence is particularly relevant and usually necessary for crypto exchange platforms and similar token trading models. The KWG amendment that entered into force on 1 January 2020 has expressly brought 'crypto custody business' within the ambit of financial services. It is defined as the safekeeping, administration or safeguarding of cryptoassets or private cryptographic keys used to hold, store or transfer cryptoassets and the safeguarding of private cryptographic keys used to hold, store or transfer crypto securities within the meaning of Section 4 Paragraph 3 eWpG for others.57 Safekeeping of cryptoassets includes, in particular, the storage of cryptoassets in a collective inventory where the customers have no knowledge of the cryptographic keys used. Administration of cryptoassets includes the exercise of rights resulting from a cryptoasset, such as collection activities or notification services. Safeguarding of cryptoassets includes not only the service of digital storage of private cryptographic keys, but also the storage of physical data storage devices (e.g., USB sticks) on which such keys are saved. The mere offering of hardware and software that is operated by users for such purposes without access of providers to cryptographic keys is not subject to licensing requirements. The same is true for web hosting or cloud storage providers as long as they do not explicitly offer key storage.58 This broad definition has also brought wallet providers within the scope of financial services, but is not limited to such services. In this respect, again, the KWG amendment goes beyond the definition of Directive (EU) 2018/843 as the new regulated activity also extends to safekeeping and administration services as well as to the concept of cryptoassets.

A very recent KWG amendment, which took effect on 1 July 2021, has brought the maintenance of a crypto security register within the scope of financial services.59 Crypto security registers allow for the issuance of electronic securities that are created by making a register entry into such a crypto security register.60

Aside from the crypto custody business and the maintenance of a crypto security register introduced by recent KWG amendments, licensing requirements that were previously discussed may still have relevance for related services61 on the basis that such activities may constitute investment broking62 (where broking transactions involve the purchase and sale of financial instruments, which may also be done through an electronic platform63) or the operation of a multilateral trading facility64 (which brings together multiple third-party buying and selling interests in financial instruments in the system, in accordance with non-discretionary rules and in a way that results in a contract).65 Business models should also be assessed as to whether they might be considered as financial broking services66 (with the purchase and sale of financial instruments in a service provider's own name but on a third party's account67) or contract broking68 (where the aforementioned purchase and sale occur in a third party's name on its account69). The further case of proprietary trading70 is quite broad, and involves the purchase and sales of financial instruments as a market maker, systemic internaliser or participant in markets with high-frequency trading systems, and also cases where purchases and sales on a person's own account are offered as a specific service for others.71 This may be relevant, for example, for solicited regular buying and selling activities in virtual currencies if such activities involve a further services element (e.g., if the entity has better access to the market or creates a market by regular trading activities that would otherwise not be available for others).72 In any case, this will require a case-by-case assessment of the technical and functional details.

BaFin further states that in the context of ICOs, depending on the individual circumstances, underwriting business73 (with the taking over of financial instruments at one's own risk for placement74) or placement business75 (with the placement of financial instruments without a firm commitment basis76) require a licence.

Other typical regulated financial intermediary activities may also require a prior KWG licence if such activities are offered in connection with virtual currency business models. This may be the case for rendering investment advice77 (in the form of personal recommendations for transactions in specified financial instruments, based on an examination of an investor's personal circumstances and not exclusively announced through information distribution channels or to the public78) or financial portfolio management79 (with discretionary management of individual investments in tokens as financial instruments for others80).

Within that framework, other actors in a DLT ecosystem normally do not need a KWG licence. The mere use of virtual currencies as a means of payment does not require any licence; neither does operating a DLT network for token transactions as such, given that the network is a mere technical facility for effecting transactions and not an entity for trading and, in particular, not a multilateral trading facility.81 Finally, whether operations of miners will in the future fall under the activities regulated by the KWG, remains to be seen. For now, this could be the case for specific services, such as organising mining pools. Where a central pool operator would sell mined virtual currency to third parties and disburse collected money or virtual currency to individual miners, the operator could be considered as acting for a third person and engaging in proprietary trading services.

ii German Payment Services Supervision Act

Further licence requirements, which may potentially be relevant for virtual currencies, exist under the Payment Services Supervision Act (ZAG). This law, which implements the Payment Services Directive82 and the E-money Directive,83 regulates in essence two types of business activities, namely rendering certain (enumerated) payment services and issuing e-money. For such business activities, the ZAG sets out certain requirements, inter alia, as to management qualifications, capital requirements and risk management.84 Structurally similar to the KWG, foreign entities require a licence if their business activities target the German market, and a ZAG licence can be passported throughout the European Union. For some KWG-licensed entities (Capital Requirements Regulation credit institutions), no additional ZAG licence is necessary.85


A licence is required for engaging in the business of issuing e-money.86 E-money is defined as electronically (including magnetically) stored monetary value represented by a claim against the issuer, which is issued against the receipt of funds for the purpose of making payment transactions, and which is accepted by a natural or legal person other than the electronic money issuer.87 Thus, where a company provides an electronic monetary value in exchange for an equal amount of (fiat) money, it will serve as an electronic means of payment for the substitution of cash. The ZAG licence covers not only issuing e-money, but also ancillary activities such as related payment services and the operation of payment systems.

While tokens can take various forms, the currently prevailing opinion is that virtual currency tokens – unlike electronic cash cards – are in the majority of cases not e-money. First, these tokens would have to be issued in exchange for (fiat) money (which is conceivable for example, in the case of pre-mined tokens, but is not the general case).88 Secondly, this would require a monetary claim against a specific issuer, which virtual currency tokens (especially cryptocurrency tokens) normally do not confer.89 Thirdly, even if a token was seen as e-money, the ZAG licence would be the responsibility of the issuer, not the miner, for example.

Payment services

The ZAG further sets out an exhaustive list of regulated payment services.90 Given that all such services are related to money in cash, bank accounts or e-money, but not (yet) to virtual currencies,91 a ZAG licence becomes relevant where virtual currency transactions involve some element of processing fiat money (rather than being wholly virtual currency transactions). It is mainly for the issuing of virtual currency tokens and exchanges that the question arises of whether they are involved in rendering payment services. As such, the most relevant issues in a virtual currency context include payment initiation services92 (which allow access to payment accounts, but without acquiring possession of the transferred money); issuing of payment instruments or acquiring of payment transactions, or both;93 or, as a broad catch-all clause,94 money remittance services,95 where a payer (without any payment accounts created) pays funds to a payment service provider with the aim of transferring a corresponding amount to a payee (or another payment service provider acting on the payee's behalf), or where such funds are received on behalf of and made available to the payee, or both.

Thus, if an issuer or trader of virtual currency tokens collects fiat money to broker it on a platform with token purchasers, this may, depending on technical and functional details, constitute a regulated payment services business. The transferor and transferee of tokens are normally not subject to a ZAG licence; neither would a DLT network operator (if any) be regulated. The operation of miners does normally not fall under ZAG-regulated activities, and it is also doubtful whether operating virtual currency wallets (unlike e-money wallets) as such would require a ZAG licence.96

Even if activities are related to payment services, some exceptions may apply, for example, for mere technical support service providers who do not obtain possession of funds (including, for example, data processing and storage, trust and privacy protection services, authentication and communication, unless they are payment initiation and account information services),97 or commercial agent models98 (who are authorised via agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee).

Anti-money laundering

i General framework

Several actors in a DLT ecosystem may be subject to AML laws, namely the German Anti-Money Laundering Act (GwG), which provides, together with some AML-related provisions in the KWG,99 the main legal basis for AML requirements under German law. The GwG transposes the Fourth Anti-Money Laundering Directive (AMLD)100 into German law, and was recently amended (see Section III) to implement the amendments to the Fourth AMLD at EU level.101 The amended AMLD further tightens AML rules as part of the European Commission's 2016 AML action plan, which also responds to the Panama Papers revelations.

Currently, AML rules are based on a wide understanding of property that may be involved in money laundering, including assets of any kind (corporeal or incorporeal, movable or immovable, tangible or intangible),102 so that any kind of tokens involved in criminal acts can be the object of money laundering activities. This concerns not only transactions with tokens (as the main subject matter of the transaction), but also payments with tokens (a typical virtual currency case), as long as the transacting entity is subject to the AML rules.103

The amended AMLD explicitly defines virtual currencies,104 and brings entities that provide services such as holding, storing and transferring virtual currencies into the scope of the AML obligations, which most notably apply to crypto exchanges as well as to wallet providers. The amendment to the KWG (see Section III.i), which defines cryptoassets as a new category of financial instruments, goes beyond the scope of the AMLD and substantially expands the scope of AML requirements for actors in cryptoasset ecosystems.

ii AML subjects

Generally, German AML rules are based on certain listed types of obliged entities that engage in specific activities susceptible to money laundering activities.105

As far as is relevant in the context of virtual currencies, banking and financial service institutions that require a KWG licence (first and foremost token exchanges: see Section III.i) must generally comply with AML rules.106 Thus, the implementation of the amended AMLD into German law has broadened the scope of AML subjects to the extent that they require a KWG licence for operating crypto custody business or for engaging in the maintenance of a crypto security register.

Similarly, AML obligations apply to undertakings if they render certain payment or e-money services and require a ZAG licence as payment institutions and e-money institutions (see Section III.ii).107 In the (currently infrequent) event that tokens should qualify as e-money, the issuer as well as the merchant accepting such payments are also subject to AML rules.108

Previous ambiguities with regard to the classification under AML laws (e.g., qualification of token transactions as trades in goods109) are likely to lose relevance in the course of the implementation of the amended AMLD owing to the explicit classification of a large number of tokens as cryptoassets (i.e., as financial instruments) and the related fact that a large number of intermediaries will qualify as obliged entities. However, this should still be in line with the government's previous statements that the mere holding or use of cryptographic currencies, for example as a means of payment (as opposed to rendering services related to cryptocurrency and other tokens) should not fall under the AML rules.110

Finally, neither the network operation (if any such entity exists at all in a decentralised system) nor mining as such are currently regarded as AML-relevant activities.

iii AML duties and responsibilities

Entities subject to German AML rules must comply with various duties and responsibilities, most notably:

  1. establishing an adequate and effective risk management system with ongoing analysis of activity-related risks, and with customer and business-related internal security measures, which may include, for example, procedures and controls, codes of conduct or reliable compliance processes;111
  2. the appointment of a sufficiently equipped AML officer at management level in Germany (and a deputy) who is responsible for ensuring AML compliance;112
  3. customer due diligence (customer due diligence (CDD), as a KYC principle), which aims at identifying and verifying customers and beneficial owners, for example, when entering into a business relationship, where transaction values exceed certain thresholds, where indicators of suspicious transactions exist or when information provided by customers seems to be inaccurate.113 The scope of CDD is subject to proportionality and depends on certain risk-based criteria, which may limit114 or broaden115 the CDD scope. In addition, CDD requires the identification of politically exposed persons; and
  4. reporting of suspicious transactions to the Central Financial Transaction Investigation Unit where circumstances indicate that assets originate from criminal offences relevant to AML, are related to terrorist financing or where necessary identification documents have not been provided.116

Going forward, entities subject to German AML rules that are involved in the transfer of cryptoassets will likely be subject to the German implementation of the travel rule (i.e., the obligation to collect, store and transfer information relating to a transfer of cryptoassets and the parties to such transfer). To this end, the German Federal Ministry of Finance is currently consulting a draft cryptoasset transfer regulation117 mirroring the recommendations of the Financial Action Task Force's Guidance for a Risk-Based Approach to Virtual Currencies.118

Regulation of exchanges

German law provides no specific regulation of virtual currency exchanges; however, the general rules apply and, since 2020, explicitly include the operation of crypto exchanges and wallet providers for cryptoassets as financial services, which require a licence. Depending on the specific activity and type of token traded, laws on securities (see Section II), banking laws (see Section III) and AML rules (see Section IV) may be applicable.

Regulation of miners

German law provides no specific regulation of miners; however, the general rules set out in this chapter apply. Normally, mining as such will require no licence, except in special cases (e.g., commercial operation of mining pools; see Section III.i).

Regulation of issuers and sponsors

For regulation of issuers, the general rules set out in this chapter apply. Depending on the specific activity and type of token traded, laws on securities (see Section II), banking laws (see Section III) and AML rules (see Section IV) may be applicable.

Criminal and civil fraud and enforcement

In addition to specific criminal regulations – as set out above for insider trading and market manipulation,119 failure to meet prospectus requirements,120 lack of required financial licences under the KWG,121 KAGB122 or ZAG,123 or money laundering124 – virtual currency-related fraudulent activities will normally fall within the scope of general criminal law (most notably computer fraud,125 unauthorised access to data126 or interference with data127). In 2017, the German Federal Supreme Court128 convicted operators of a botnet for mining cryptocurrency tokens that used the power of infiltrated computers for several offences of data criminality.129 Hacking and the misuse of private keys may be sanctioned as computer fraud within the context of data processing. Cases of market manipulation or transactions or ICOs with fraudulent information might also be pursued as general fraud130 or criminal breach of trust.131 Any proceeds from such activity may be the object of money laundering. Virtual currencies as proceeds from criminal offences – regardless of their legal character132 – may be subject to forfeiture.133

Criminal liability will usually coincide with civil law damages and restitution claims,134 but procedural details for virtual currencies have not yet been litigated in Germany.135 A transfer of virtual currencies in such cases can be enforced, for example, by handing over a private key to avoid – as generally under German civil procedure law – a penalty payment or imprisonment.136 For virtual currencies stored in wallets, claims against the wallet provider could also be seized.137

Apart from criminal sanctions and private civil law enforcement, administrative enforcement is the most used measure to ensure regulatory compliance in the authorities' toolbox. In 2017, BaFin initiated 36 proceedings to verify regulatory compliance and, in four cases, closed down such operations and involved criminal prosecutors.138 In 2020 and 2021, BaFin continued to warn investors of the risks posed by ICOs and by fraudulent online trading platforms and prohibited a number of unlicensed market participants from operating.


While virtual currency tax issues are extensively discussed, authoritative guidance is still limited, but growing. In the absence of specific virtual currency-related regulation, general German tax laws apply.

Value added tax (VAT), following the European Court of Justice Hedqvist judgment139 and guidance of the German Federal Ministry of Finance,140 will not be triggered by a conversion of cryptocurrency tokens to fiat money (and vice versa).141 Despite some uncertainties at the EU level,142 the Ministry of Finance further states the same for transaction fees (or cryptocurrency tokens) received by miners.143 In contrast, fees for services providing a wallet144 or a cryptocurrency token exchange145 (unless trading cryptocurrency token as intermediary on its own behalf146) may trigger VAT. The mere use of cryptocurrency tokens as a means of payment (instead of fiat money) has normally no influence on the qualification of transactions under tax laws,147 but may require documenting exchange rates.148 For utility tokens and security tokens, the absence of authoritative statements leads to some uncertainties. Some authors argue that the issue of security tokens will not trigger VAT, but that the issue and sale of utility tokens may be subject to VAT.

As regards taxes on profits, in June 2021, the German Federal Ministry of Finance has issued a draft circular setting out its stance as to the income tax treatment of virtual currencies: virtual currencies are immaterial assets, and profits (e.g., as the difference between the acquisition price and disposal price, or for ICOs between the book value and issue price, after the deduction of losses and expenses like platform operating costs) can, in principle, be taxed as personal income. In particular, the issuer of utility tokens in an ICO may have accounting profits taxed if a utility token is issued in exchange for cryptocurrency tokens. According to statements of the Federal Ministry of Finance, profits from occasional mining of virtual currency may also be taxed as income.149

Details of the tax regime vary depending on whether transactions are carried out in a private or commercial context, and by whom. In a private context, tax on personal income will accrue for individuals who realise profits such as gains in virtual currency value,150 but only if in this context virtual currencies are held less than a year.151 If virtual currencies are created or bought as a commercial activity, earnings from a sale or exchange may be subject to taxation as business income.152 If done by commercially acting individuals or partnership companies, taxes will accrue as private income tax at the shareholder level; and if done by (both public and private) limited liability companies, taxes will accrue at the corporate level.

Other issues

Anyone commercially involved in a virtual currency business must refrain from false advertising and supplying misleading information. Thus, even in the absence of specific prospectus obligations (see Section II.ii), ICO white papers must be correct and not omit relevant information, and information on the prospects of success and economic development must not be misleading. This follows from German unfair competition law,153 which is quite effectively enforced by competitors, business associations and consumer organisations. Furthermore, potential contractual parties are required to act truthfully, and may under special circumstances have to disclose information that is important but unknown to the other party proactively under general civil law. If they withhold such information or provide false information, they may be held liable.154 It is argued that this may apply also for issuers of tokens.

Operators of internet platforms where virtual currency tokens are commercially offered may also have to comply with general e-commerce and consumer protection laws.155 Since the legal nature of tokens may vary, some uncertainties exist as to the applicability of such regulations. While the European Central Bank has stated that neither consumer rights nor e-commerce regulations are applicable to cryptocurrency token transactions,156 it is conceivable that at least utility tokens could be subject to such regulation. If applicable, this would include extensive information duties (e.g., on entrepreneur's identity, modalities of online contract formation, characteristics of goods and services, costs)157 and – rather theoretically – customer withdrawal rights in some cases.158

Looking ahead

While the current virtual currency regulation and regulatory practice are still, to some extent, shaped by legal uncertainty and the various national approaches of EU Member States (which means that business models have to be discussed with individual regulators), with MiCA ante portas, the regulatory framework for virtual currencies will be largely harmonised across EU Member States in the foreseeable future.

In addition to the regulatory (i.e., public law) aspects discussed in this chapter, the legal discussion about the issuance, administration and servicing of tokens increasingly takes civil and corporate law aspects into consideration. More fundamentally, use cases and activities related to securities tokens raise the question of potential efficiency gains in post-trade activities, that is, the holding, clearing and settling of securities through custody chains governed by DLT protocols. In this context, two technical concepts appear to emerge: the issuance of tokens linked to securities held by the German central securities depository (CSD) (mirror DLT securities) and the genuine issuance of tokens on a DLT platform in book-entry form (genuine DLT securities). By enacting the eWpG, German lawmakers have taken a first step to foster the issuance of genuine DLT securities. While limited to electronic bonds and investment fund units initially, it could well be a blueprint for and expand to electronic shares in the not so distant future.


1 Matthias Berberich is counsel, Tobias Wohlfarth is a senior associate and Gerrit Tönningsen is an associate at Hengeler Mueller Partnerschaft von Rechtsanwälten mbB.

2 EBA Opinion on virtual currencies of 4 July 2014 (EBA/op/2014/08), p. 21 et seq.

3 German law on the introduction of electronic securities, BGBl. I Nr. 29 v. 9. Juni 2021 (eWpG), which stipulates that securities under German law can also be issued as electronic securities, requiring the registration of the electronic securities in an electronic security register, Section 2 Paragraph 1 eWpG. Under German law, such an electronic security shall have the same legal effect as a traditional security, unless otherwise expressly stipulated (Section 2 Paragraph 2 eWpG).

4 See ESMA statement of 13 November 2017 on ICO regulatory requirements (ESMA50-157-828); BaFin notice of 20 February 2018 (WA 11-QB 4100-2017/0010); for investor risks, see ESMA statement of 13 November 2017 (ESMA50-157-829); BaFin article in BaFin Journal November 2017, p. 15 et seq.

5 See ESMA Advice on Initial Coin Offerings and Crypto-Assets of 9 January 2019 (ESMA50-157-1391).

6 ESMA Advice on Initial Coin Offerings and Crypto-Assets of 9 January 2019 (ESMA50-157-1391); BaFin notice of 20 February 2018 (WA 11-QB 4100-2017/0010).

7 European Commission, Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, and amending Directive (EU) 2019/1937, COM/2020/593 final.

8 BaFin Notice of 20 February 2018 (WA 11-QB 4100-2017/0010), emphasising that terminology is not decisive.

9 See Hacker/Thomale, Crypto-Securities Regulation: ICOs, Token Sales and Cryptocurrencies under EU Financial Law, Working Paper November 2017 (SSRN ID 3075820), p. 18.

10 Note that, alongside MiCA, the European Commission has published a proposal for a Directive of the European Parliament and of the Council amending Directives 2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, 2013/36/EU, 2014/65/EU, (EU) 2015/2366 and EU/2016/2341, COM(2020) 596 final. Among others, the European Commission proposes to clarify the notion of financial instrument under Article 4, Paragraph 1 No. 15 MiFID II to include instruments issued by means of distributed ledger technology.

11 German law now provides for the good faith acquisition of certain tokens, namely electronic securities within the meaning of Section 4, Paragraph 1 eWpG, see Section 26 eWpG.

12 BaFin Notice of 20 February 2018 (WA 11-QB 4100-2017/0010).

13 cf. Klöhn/Parhofer/Resas, 'Initial Coin Offerings (ICOs) – Markt, Ökonomik und Regulierung', ZBB 2018, 89, 102 et seq.; Zickgraf, 'Initial Coin Offerings – Ein Fall für das Kapitalmarktrecht?', AG 2018, 293, 303 et seq.

14 ESMA Advice on Initial Coin Offerings and Crypto-Assets of 9 January 2019 (ESMA50-157-1391); Federal Ministry of Finance and Federal Ministry of Justice and Consumer Protection joint discussion paper on the basic framework for the regulatory treatment of electronic securities and crypto tokens of 7 March 2019.

15 Regulation (EU) 2017/1129.

16 Directive 2003/71/EC.

17 Section 4 Paragraph (3a) eWpG.

18 Article 2(d) Prospectus Regulation; (previously Section 2 No. 4 WpPG).

19 According to Article 2(f) Prospectus Regulation, this includes companies that meet at least two of the following criteria: (1) fewer than 250 employees on average during the year; (2) total balance sheet not exceeding €43 million; and (3) annual net turnover not exceeding €50 million.

20 Article 15 Prospectus Regulation.

21 Article 11 Prospectus Regulation in conjunction with Section 8 et seq. WpPG.

22 Directive 2009/65/EC on Undertakings for Collective Investment in Transferable Securities.

23 Directive 2011/61/EU on Alternative Investment Fund Managers.

24 Section 1 Paragraph 1 KAGB.

25 Section 1 Paragraph 6 s. 1 KAGB.

26 Section 1 Paragraph 6 s. 2 KAGB.

27 Section 192 et seq. and Section 219 KAGB.

28 Section 71 Paragraph 1 s. 3 KAGB.

29 Section 1 Paragraph 1 VermAnlG.

30 Section 2 Paragraph 1 VermAnlG.

31 Sections 2a, 2b and 2c VermAnlG.

32 Regulation (EU) No. 596/2014.

33 Article 2 Paragraph 1 MAR.

34 Section 25 WpHG.

35 Article 7 Paragraph 1 MAR.

36 Article 14 MAR.

37 Article 12 Paragraph 1 MAR.

38 Article 2 Paragraph 2 c) MAR.

39 Section 37 KWG.

40 Section 54 KWG.

41 Section 53 Paragraph 1 KWG.

42 Gebundener Vermittler, Section 25e KWG.

43 Section 1 Paragraph 11 KWG with an extensive list.

44 BaFin Notice of 20 February 2018 (WA 11-QB 4100-2017/0010).

45 BaFin Notice of 20 February 2018 (WA 11-QB 4100-2017/0010).

46 BaFin Notice of 16 August 2019 (WA 51-Wp 7100-2019/0011 and IF 1-AZB 1505-2019/0003).

47 Section 1 Paragraph 11 s. 1 No. 7 KWG.

48 Higher Regional Court of Berlin, decision of 25 September 2018, Ref. No. (4) 161 Ss 28/18 (35/18).

49 Section 1 Paragraph 11 s. 1 No. 10 KWG.

50 Section 1 Paragraph 11 s. 4 KWG.

51 Section 1 Paragraph 11 s. 1 Nos. 1 to 4 KWG.

52 BaFin Notice of 3 March 2020 on crypto custody business.

53 Public BaFin statements remain vague (see only BaFin, Journal 11/2017, p. 18); dissenting Bundesverband Blockchain, Statement on Token Regulation, p. 39.

54 BaFin Notice of 3 March 2020 on crypto custody business.

55 The provision of financial services for utility tokens that will not be acquired or disposed of in exchange for security tokens and cryptocurrency tokens will be less likely to qualify as a regulated activity under the KWG, Bundesverband Blockchain, Statement on Token Regulation, p. 27.

56 Section 1 Paragraph 1 s. 2 and Section 1a s. 2 KWG.

57 Section 1 Paragraph 1a s. 2 No. 6 KWG.

58 BaFin Notice of 3 March 2020 on crypto custody business.

59 Section 1 Paragraph 1a s. 2 No. 8 KWG.

60 Section 2 Paragraph 1 eWpG.

61 BaFin Notice of 3 March 2020 on crypto custody business sets out rules regarding the relationship between various licensing requirements.

62 BaFin Notice of 20 February 2018, WA 11-QB 4100-2017/0010.

63 Section 1 Paragraph 1a No. 1 KWG.

64 BaFin Notice of 20 February 2018 (WA 11-QB 4100-2017/0010).

65 Section 1 Paragraph 1a No. 1b KWG, similar to Article 4 Paragraph 1 No. 22 MiFID II.

66 BaFin Notice of 20 February 2018 (WA 11-QB 4100-2017/0010).

67 Section 1 Paragraph 1 s. 2 No. 4 KWG. It is reported that in 2017 BaFin closed down four exchanges of Bitcoins into euros without having a licence for financial broking.

68 BaFin Notice of 20 February 2018 (WA 11-QB 4100-2017/0010).

69 Section 1 Paragraph 1a No. 2 KWG.

70 BaFin Notice of 20 February 2018 (WA 11-QB 4100-2017/0010).

71 Section 1 Paragraph 1a s. 2 No. 4 KWG.

72 Every transaction that is not trading on own account will qualify as dealing on own account, which normally requires no licence, unless done by undertakings within a Capital Requirements Regulation group, engaging in other licensed banking and financial services or as participant in a multilateral trading facility or organised trading facility, or with electronic marketplace access. The question has been raised whether users of a crypto exchange, which qualifies as multilateral trading facility, who purchase or sell tokens may require a licence based on that wording. With the legislative history of the KWG and MiFID II in mind, it appears unlikely that authorities would follow such an approach.

73 BaFin Notice of 20 February 2018 (WA 11-QB 4100-2017/0010).

74 Section 1 Paragraph 1 s. 2 No. 10 KWG.

75 BaFin Notice of 20 February 2018 (WA 11-QB 4100-2017/0010).

76 Section 1 Paragraph 1a s. 2 No. 1c KWG.

77 BaFin Notice of 20 February 2018 (WA 11-QB 4100-2017/0010).

78 Section 1 Paragraph 1a s. 2 No. 1a KWG.

79 BaFin Notice of 20 February 2018 (WA 11-QB 4100-2017/0010).

80 Section 1 Paragraph 1a s. 2 No. 3 KWG.

81 Section 1 Paragraph 1a s. 2 No. 1b KWG.

82 Directive EU 2015/2366.

83 Directive 2009/110/EC.

84 Details in Section 12 ZAG.

85 Section 1 Paragraph 1 No. 1 and 3 ZAG; Section 1 Paragraph 3d KWG.

86 Section 11 Paragraph 1 ZAG.

87 Section 1 Paragraph 2 s. 3 ZAG.

88 BaFin Notice of 22 December 2011 (as amended on 29 November 2017) on the interpretation of the Payment Services Supervision Act.

89 BaFin Notice of 22 December 2011 (as amended on 29 November 2017) on the interpretation of the Payment Services Supervision Act. This interpretation was confirmed by the Higher Regional Court of Berlin, decision of 25 September 2018, Ref. No. (4) 161 Ss 28/18 (35/18).

90 See Section 1 Paragraph 1 s. 2 Nos. 1 to 8 ZAG for a list of payment services regulated by the ZAG.

91 BaFin Notice of 22 December 2011 (as amended on 29 November 2017) on the interpretation of the Payment Services Supervision Act, No. 2.

92 Section 1 Paragraph 1 s. 2 No. 7 ZAG.

93 Section 1 Paragraph 1 s. 2 No. 5 ZAG.

94 See legislative materials, BT-Drucks. 18/11495, p. 104. The former case of digital payment business has been abandoned in the course of implementation of the Second Payment Services Directive in the ZAG, and legislative materials state that such cases will normally be within the scope of the aforementioned cases: see BT-Drucks. 18/11495, p. 104.

95 Section 1 Paragraph 1 s. 2 No. 6 ZAG.

96 It may be argued that wallets are in particular not payment authentification services (Section 1 Paragraph 1 s. 2 No. 5, Section 1 Paragraph 20 ZAG), as wallets are not personalised means or procedures agreed between a user and a payment services provider for effecting payments.

97 Section 2 Paragraph 1 No. 9 ZAG.

98 Section 2 Paragraph 1 No. 2 ZAG.

99 In addition to the GwG, financial services institutions are also subject to AML requirements under Section 25h KWG, which partially overlap with the GwG provisions.

100 Directive (EU) 2015/849.

101 Directive (EU) 2018/843.

102 Section 1 Paragraph 7 GwG.

103 In this vein (although very generic), the ESMA statement of 13 November 2017 on ICO regulatory requirements (ESMA50-157-828).

104 Under the amended AMLD, virtual currencies means a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and that can be transferred, stored and traded electronically.

105 Section 2 Paragraph 1 GwG.

106 Section 2 Paragraph 1 No. 1 and 2 GwG; Section 1 Paragraph 1 and 1a KWG.

107 Section 2 Paragraph 1 No. 3 GwG; Section 1 Paragraph 3 ZAG.

108 Section 2 Paragraph 1 No. 3 and 16 GwG.

109 Whether transactions with tokens (be they within an ICO by the issuer in the primary market or later on the secondary markets) qualify as trades in goods is being discussed. The Federal Ministry of Finance refers in that regard to classical civil law sales contracts (Statement, German Federal Ministry of Finance, VII A 3–WK 5023/11/10021), which would cover only token-against-fiat transactions (Bundesverband Blockchain, Statement on Token Regulation, p. 29), but arguably not the use of tokens as means of payment for other tokens or goods.

110 BT-Drucks,18/12521, p. 8. This is far from being undisputed.

111 Sections 4 to 6 GwG. In 2017, the Joint Committee of European Regulators issued guidance on risk factors for specific sectors (JC 2017 37).

112 Section 7 GwG.

113 Sections 10 to 13 GwG.

114 Simplified due diligence under Section 14 GwG, for example when transactions are conducted by a customer who is a public enterprise or agency or who has its registered office in an EU Member State or a country with similar AML and counter-terrorist financing requirements.

115 Enhanced due diligence under Section 15 GwG. For example, for transactions by politically exposed persons, transactions without any obvious economic purpose or transactions by enterprises or agencies residing in high-risk jurisdictions.

116 See Section 43 GwG.

117 German Federal Ministry of Finance, Draft Cryptoasset Transfer Regulation, 11 May 2021.

118 Financial Action Task Force, Guidance for a Risk-Based Approach to Virtual Currencies, 2015, Recommendation 15, note 7b).

119 Sections 119 Paragraph 1, 120 Paragraph 2 No. 3 WpHG in conjunction with Article 15 MAR (market manipulation); Section 119 Paragraph 3 No. 1, 2, 3 WpHG in conjunction with Article 14 MAR (insider trading).

120 Actions within the meaning of Section 35 WpPG.

121 Section 54 Paragraph 1 No. 2 in conjunction with Section 32 Paragraph 1 s. 1 KWG.

122 Section 339 Paragraph 1 KAGB.

123 Section 63 Paragraph 1 No. 4, 5 in conjunction with Section 10 Paragraph 1 s. 1, Section 34 Paragraph 1 s. 1 or Section 11 Paragraph 1 s. 1 ZAG.

124 Actions within the meaning of Section 56 Paragraph 1 GwG.

125 Section 263a StGB (Computerbetrug).

126 Section 202a StGB (Ausspähen von Daten).

127 Section 303a StGB (Datenveränderung).

128 BGH, NStZ 2018, 401.

129 Sections 202a, 303a StGB; see BGH, NStZ 2018, 401, 402 et seq.

130 Section 263 StGB (Betrug).

131 Section 266 StGB (Untreue).

132 BGH, NStZ 2018, 401, 404 et seq.

133 Section 73 StGB (Einziehung, formerly Verfall), cf. BGH, NStZ 2018, 401, 404 et seq.

134 Section 823 Paragraph 2 German Civil Code (BGB); Section 812 et seq. BGB.

135 See, for example, Bundesverband Blockchain, Statement on Token Regulation, p. 38.

136 Section 888 ZPO. Issue was not answered by, e.g., BGH, NStZ 2018, 401, 405.

137 Section 857 ZPO.

138 See statement of the government of 21 February 2018, BT-Drucks. 19/851, p. 2.

139 European Court of Justice, judgment of 22 October, C-264/14 – Hedqvist, Paragraph 53; Article 135 Paragraph 1 lit. e Directive 2006/112/EC.

140 German Federal Ministry of Finance, letter of 27 February 2018, III C 3 – S 7160-b/13/10001; Parliamentary State Secretary at the German Federal Ministry of Finance, 5 January 2018, BT-Drucks. 19/370, p. 21 et seq.

141 Section 4 No. 8 lit. b UStG.

142 Parliamentary State Secretary at the German Federal Ministry of Finance, 5 January 2018, BT-Drucks. 19/370, p. 22.

143 German Federal Ministry of Finance, letter of 27 February 2018, III C 3 – S 7160-b/13/10001, p. 2.

144 German Federal Ministry of Finance, letter of 27 February 2018, III C 3 – S 7160-b/13/10001, p. 3.

145 German Federal Ministry of Finance, letter of 27 February 2018, III C 3 – S 7160-b/13/10001, p. 3.

146 German Federal Ministry of Finance, letter of 27 February 2018, III C 3 – S 7160-b/13/10001, p. 3; Section 4 No. 8 b) UStG.

147 Statement of Parliamentary State Secretary of the Federal Ministry of Finance, BT-Drucks. 17/14062,
p. 25.

148 German Federal Ministry of Finance, letter of 27 February 2018, III C 3 - S 7160-b/13/10001, p. 2.

149 Section 22 No. 3 EStG; German Federal Ministry of Finance, letter of 3 June 2021, p. 10 et seqq.

150 German Federal Ministry of Finance, letter of 3 June 2021, p. 13.

151 Section 23 Paragraph 1 No. 2 EStG; German Federal Ministry of Finance, letter of 3 June 2021, p. 13.

152 Section 15 EStG; German Federal Ministry of Finance, letter of 3 June 2021, p. 12 et seq.

153 Section 5 UWG, implementing the EU Unfair Commercial Practices Directive 2005/29/EC and the EU Misleading and Comparative Advertising Directive 2006/114/EG.

154 Sections 280 Paragraph 1, 311 Paragraph 2, 241 Paragraph 2 BGB.

155 For example, with the E-Commerce Directive 2000/31/EC, Consumer Rights Directive 2011/83/EU and Financial Services Distance Marketing Directive 2002/65/EC, which are implemented in the BGB.

156 ECB, Virtual Currency Schemes, 2012, p. 44 et seq.

157 Details in Section 312d Paragraph 2 and Article 246b Introductory Act to the Civil Code (EGBGB) for B2C financial services; Section 312d BGB and Article 246a EGBGB for B2C distance selling contracts; Section 312j BGB and Article 246a EGBGB for B2C e-commerce contracts; Section 312i BGB and Article 246c EGBGB for all e-commerce contracts (including B2B).

158 Section 312g BGB.

The Law Reviews content