Regulatory developments in the Crypto-Asset space – implications for Crypto-Custody at German Banks


Recent legal developments in Germany and internationally point to a step-change in the acceptance of Crypto-Currencies and other Crypto-Assets as being legitimate parts of private and institutional investment portfolios. The new German law allowing all electronic securities to be recorded using blockchain technology aligns with the 2019 strategy paper on blockchain by the Federal Government, thus demonstrating willingness from public authorities to implement this strategy consistently and systematically. On the regulatory side, BaFin has already set solid foundations for the operationalization of Crypto-Asset related financial services in Germany through its guidance on alignment with the KWG and on its own regulatory compliance expectations to market participants, especially those engaging in Crypto-Custody.

The timing of these developments does not seem to be random. On July 22, 2020, a major regulatory development in the United States effectively enabled the provision of Crypto-Custody services by major US banks. The Office of the Comptroller of the Currency Interpretive Letter #1170 was interpreted by legal commentators as immediately permitting US-regulated banks to custody Crypto-Assets, provided that regulatory safeguards are met. Indeed, the repercussion appears to be that such custody services are permissible for banks to offer either as a fiduciary or as a non-fiduciary, via traditional or electronic means. The Securities and Exchange Commission separately clarified on December 6, 2020 terms of the applicability of the “Custody Rule” to state-chartered trust companies vs. those financial institutions authorized as Qualified Custodians – and followed up on December 23, 2020 with relevant guidance for Broker-Dealers. Thus, the regulatory framework in the US is also evolving to accommodate increased usage of Crypto-Assets in investment portfolios. It is still not all-encompassing (especially in the absence of landmark case-law), but the direction appears to be clear in the US as well.

In parallel, the European Union issued seminal regulatory proposals on September 24, 2020 under the heading “Digital Finance”. The package of proposals included a statement about the ECB and the European Commission considering the introduction of a Central Bank Digital Currency, the Digital Euro. More importantly, it included the texts of two proposed regulations with direct significance to Crypto-Custody actors: the “Markets in Crypto-Assets” (MiCA) and the “Digital Operational Resilience Act” (DORA) regulations. The detailed technical nature of these texts suggests that a given strategy is being consistently invested into, this time at the European Union level. 

The big picture emerging is that of a global financial system moving decidedly to make sure that the latest fruits of digitalization (the Blockchain paradigm in particular) are used in a systematic, controlled manner, to effect the next stage of financialization of our economies. Apart from developments at the extreme ends of the regulatory spectrum (the state-sponsored Digital Renminbi in China on one side and the proliferation of unregulated Crypto-Trading Exchanges all around the world on the other), a converging, balanced approach to the regulation of Crypto-Assets appears to be gaining traction in major financial market jurisdictions such as the US, EU and the UK. The repercussions for financial institutions will be significant, putting their Crypto-Custody businesses in focus, and opening up new business models which could give first movers an immense competitive advantage.

The traditional (i.e. non-crypto) Custody industry has been converging to a relatively stable operating model in the last 15 years. The constellation of the usual actors (Global Custodians, Sub-Custodians, Brokers, Central Securities Depositories, Issuer Services, Trustees, etc.) is well understood and the catalogue of core and ancillary services of the Custody business (safe-keeping, deliveries and trade settlements, corporate actions, investment reporting and accounting, proxy voting, income and repayments, liquidity and risk management, securities lending, etc.) has made regulators comfortable enough to prescribe well-thought-out risk frameworks around it. There are, granted, some legal issues around ownership title propagation remaining, but the basic canvas on which courts can decide and regulators monitor/enforce, is stable.

The Crypto-Custody business, however, is a totally different construct. First, the technological sophistication needed to operate even in an imaginary threat-free environment is one level above what traditional financial institutions were used to previously. Crypto assets quite simply introduce special risks that are vastly different from those assumed in the risk profiles of traditional banks. For instance, each Crypto-Custodian must create from the ground up or at least thoroughly adapt its risk framework to address:

  • Theft and loss of private keys (leading to total loss of client assets)
  • Duplicate keys and non-fungibility of tokens
  • Legal risk (e.g. difficulty in executing asset freezing or following asset forfeiture)
  • Fiduciary risk (e.g. difficulty in corroborating best execution)
  • Liquidity risk (e.g. due to much higher volatility of crypto assets)
  • Digital assets lending 
  • Need for new internal controls (new asset classes, controls tilted much more towards technology)
  • Anti-Money-Laundering and Sanctions Compliance (having to execute controls in a purely digital, sometimes quasi-anonymous world)
  • Record-keeping and reporting (e.g. due to prolonged off-chain residence of some client assets)

The above list is certainly not exhaustive and will vary in importance from bank to bank and evolve with the further proliferation of Crypto-Assets in investment portfolios. 

Will there be an actual need to address such risks going forward? Will German banks need to plan for a Crypto-Custody world?

With increasing interest and larger portfolio shares in Crypto-Assets, it is quite likely that (German/European) Banks will need to plan and act. There is a societal evolution afoot, and its direction is clear. The estimated Crypto-Currency (i.e. not of all Crypto-Assets) market capitalization has grown from less than 13 billion USD in 2014 to close to 1 trillion USD as of late January 2021. Therefore, it is only a matter of time before Crypto-Asset Investment Funds (ETFs and bespoke portfolios), securitizations and seamless transfer of funds among fiat-currency and digital currency (either Stablecoin or Central Bank Digital Currency) positions will proliferate to the point of making such activities a necessity for any Bank that needs to service a sophisticated investing clientele. The imputed in-bank business activities (e.g. asset-liability management and treasury operations with Crypto-Currencies in the balance sheet, position hedging, risk management, tax accounting and reporting, economic and regulatory capital calculations, etc.) will be of such a sophistication that any bank which does not understand the Crypto-Currency business will either have to outsource critical parts of the value chain or avoid this business area altogether. In the latter case, it risks being left behind in a totally new world, as some banks did with derivatives trading in the late 1980s / early 1990s. On the other side of the spectrum, being the first mover will give individual banks pole position in a new business with enormous return potential.

How can IBM help German banks in their Crypto-Custody journey?

Given that the market is still rather new and that regulators are already pointing towards supporting new business models, planning is key. Institutions must start developing strategies and implementation models aimed at offering these new services to clients that want exposure to new asset classes. The compliant implementation of new infrastructure requires a partner with a strong footprint in providing significant (IT-) Infrastructure in the Financial Industry. IBM has a proven track record of delivery capabilities at all levels of Crypto-Custody implementation. We can offer your institution:

  • Formulation and specification of regulatory and business process functional and non-functional requirements for a Crypto-Custody target operating model and strategy.
  • A comprehensive vendor selection process through our business process and technical consultants for Crypto-Custody solutions.
  • The implementation and integration of a state-of-the-art technical infrastructure for Crypto-Custody operations, either on premise, on hybrid cloud or on IBM cloud.
  • Business process outsourcing of the actual, day-to-day operation of your Crypto-Custody middle- and back-office.
  • Analysis of the legal and regulatory framework to ensure that your future business model and risk & compliance frameworks around Crypto-Custody are compliant (including policies, procedures, granular controls, management, and regulatory reporting, as well as business continuity management).
  • Analysis of the robustness of your internal controls frameworks by our regulatory and audit/assessment experts (covering both business and technical perspectives) to make communication towards external auditors and regulators more efficient. 
  • Identification of improvement potential in your end-to-end Crypto-Custody operating model to make your investment future-proof. 

If you would like to discuss your strategic vision or tactical needs around Crypto-Custody in a confidential and non-committal setting, please feel free to contact our authors Marinela Bilic-Nosic and Johannes Giannakouros. 

Additional information and insights can also be found via


Marinela Bilic-Nosic

Partner Risk & Compliance

Johannes Giannakouros

Risk, Legal & Regulatory Compliance Advisory
