Bitcoin, the first successful blockchain with the crypto asset bearing the same name, has shown since 2009 that decentralised technologies too can work reliably. In 2015, a new dimension was added by the blockchain ethereum with its smart contracts (decentralised computer programs executed on a blockchain), which became known in connection with this DLT. This paved the way for technologies such as decentralised autonomous organisations (DAOs: token-based governance structures), initial coin offerings (ICOs: issuance of tokens for the purpose of raising capital) and a vast number of new crypto tokens. By means of a security token offering (STO), for example, traditional financial instruments can also be tokenised and thus entered into a distributed ledger, meaning they can be issued and transferred via a blockchain.

Current forms of financial technology such as crypto assets pegged to reference values (known as “stablecoins”), decentralised finance (smart contract-based financial services) and non-fungible tokens (NFT: crypto tokens that cannot be interchanged with another token), are showing a clear trend: technological innovations allow for the creation of an infrastructure that facilitates the continual development of new business and organisational models. And this takes place across international borders, with ever shorter innovation cycles. DLT is now playing a role globally in considerations regarding the creation of payment methods that can be seamlessly integrated into automated and digital processes (digital programmable money).

Distributed ledger and blockchain technologies, alongside their applications, are still at an early stage. Substantial turbulence and volatility can thus be observed on the market as regards the valuation of crypto assets, not least owing to the fact that the potential of this technology is not yet clear. In addition to this, cyber risks and opaque roles and responsibilities among those involved in DLT infrastructures pose a problem that must be taken seriously. BaFin has issued numerous clear warnings concerning the risks in particular for investors.

Disruptive potential

However, if DLT and blockchain technologies overcome these challenges and if the potential attributed to them is realised in full, they would significantly impact the way in which financial services are provided in future. In particular the diverse applications in the decentralised finance (DeFI) sector are in many ways similar to the conventional financial system. For this reason, standard-setters and supervisory authorities around the world are working to prevent the misuse of these technologies and to adequately tackle risks to the integrity of the financial markets. Taking the implications of these technologies to their logical conclusion, a world in which DLT and blockchain are used as basic technologies would no longer need, at least from a technical viewpoint, classic financial intermediaries in order to transfer assets or rights worldwide (disintermediation). Alongside risks, this brings many opportunities, such as reduced transaction costs, for example for international payments. Entirely new business models and services that meet the needs of a digitalised financial market could be established, and the financial industry as a whole could be given a whole new dynamic. New products and services are already giving us an insight into what the new financial world will look like.

Regulation

For new technologies and for a stable financial system, nothing is more important than trust in their integrity and long-term stability. Forms of distributed ledger technology are therefore subject to supervisory scrutiny for a variety of reasons, which reflects their potential to change a variety of processes in the financial market. Alongside ongoing work to identify possible risks for financial stability, this also includes specific legislative measures at the European and national levels. The following information does not provide an exhaustive overview of all legislative acts related to distributed ledger and blockchain technology. Rather, it serves to shine a light on a selection of recent regulatory projects.

Regulation at the EU level

The European Union has become a global pioneer in establishing rules for the application of DL/blockchain technology in the financial market. This centres around the planned Regulation on Markets in Crypto-Assets – (MiCA), the Transfer of Funds Regulation (TFR) and the regulation on the creation of a DLT pilot regime. These legislative acts are to help establish a consistent European legal framework in order to provide legal certainty with regard to distributed ledger technology and to allow for further testing of this technology in the financial market. With this uniform regulatory framework, the European Union is acknowledging the potential of distributed ledger technology and is creating a regulatory framework that is intended to address the many challenges that distributed ledger and blockchain technology pose to financial stability, market integrity and collective consumer protection. This also serves to build trust among market participants.

Regulation at the national level

In 1998, with digital assets in mind, units of account were introduced as a form of financial instrument, thus providing a suitable legal basis for the classification of certain crypto assets under supervisory law. At the beginning of 2020, the legislature incorporated crypto assets and crypto custody business into the German Banking Act (Kreditwesengesetz – KWG). In addition, the German Electronic Securities Act (Gesetz über elektronische Wertpapiere – eWpG) has been in force since June 2021. The act allows for the issuance of crypto securities, one of two categories of electronic securities. In August 2021, the new Fund Jurisdiction Act (Fondsstandortgesetz – FoStoG) also entered into force.

Supervision

As a result of the substantial growth in markets for crypto assets in recent years, the increasing interconnectedness of these markets and the traditional financial system, and the multitude of initiatives introduced by legislators and standard-setters, supervisors too are paying closer attention to the developments involving DL and blockchain technology. The overarching objective is to identify as early as possible potential risks for market integrity, financial stability and consumer protection and to mitigate these risks at the earliest possible stage.

Financial market integrity

BaFin's basic responsibilities include examining the business of new market participants or new business models of established providers to determine whether they require authorisation under supervisory laws. Providers conducting banking business or providing financial services under the German Banking Act (Kreditwesengesetz – KWG), conducting insurance business under the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG), providing payment services under the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG) or managing investment funds within the meaning of the German Investment Code (Kapitalanlagegesetzbuch – KAGB) require authorisation for this business. If providers have already commenced an activity requiring authorisation without having obtained authorisation from BaFin, BaFin enforces the authorisation requirement and ensures that the business is discontinued and any transactions are wound up immediately. Since the business model itself is important and not the underlying technology, these rules also apply to business activities that make use of DLT and blockchain. Legislators in Europe and in Germany have already reacted to the emergence of new business models based on DLT and blockchain with new legal provisions that also set out supervisory authorisation requirements.

If, on the basis of its investigations, BaFin determines that a provider does not hold the required supervisory authorisation and is therefore conducting unauthorised business, it can make use of its extensive powers as a supervisory authority to ensure these activities are stopped immediately. If the provider does not cease their activities voluntarily at the first request, BaFin formally prohibits the unauthorised business operations and orders the company to wind up its unauthorised activities. Depending on each individual case, BaFin may also issue additional instructions intended to ensure the operations are wound up properly. This applies to traditional financial transactions, but also to business activities involving crypto assets that are subject to an authorisation requirement.

One of BaFin’s core tasks is its contribution towards money laundering prevention in the German financial sector. The German Crypto Asset Transfer Regulation (Kryptowertetransferverordnung – KryptoWTransferV), which entered into force on 1 October 2021, makes an essential contribution towards mitigating the risk of money laundering associated with the transfer of crypto assets. The regulation includes increased due diligence requirements that must be observed when transferring crypto assets. It serves to implement the international standards set out by the Financial Action Task Force (FATF Recommendation 16 “travel rule”).

Collective consumer protection

In July 2015, important provisions of the Retail Investor Protection Act (Kleinanlegerschutzgesetz) entered into force. BaFin’s supervisory objective of ensuring collective consumer protection has since been laid down in law. In accordance with this, BaFin carefully monitors the risks that could emerge for investors from crypto assets and other business models based on DLT/blockchain. BaFin has already reacted to multiple such risks and issued numerous warnings as a result. In a detailed article published in December 2018 in BaFinJournal on the illegal unregulated capital market, and in a joint warning issued together with the Federal Criminal Police Office (Bundeskriminalamt – BKA), BaFin raised awareness of the risks associated with payment tokens, among other things (see December 2018 edition of BaFinJournal – only available in German). In February 2022, BaFin highlighted the highly speculative – and risky – nature of investments in crypto assets. BaFin also advised potential investors to be very sceptical of any recommendations they see on social media. Investment tips shared on social media regarding crypto assets or other financial products are not considered reliable. They may even be incorrect, misleading or entirely fictitious.

Supervisory practice

In line with the legal requirements, BaFin supervises companies active in Germany that provide services related to crypto assets. This includes crypto trading platforms, firms that operate crypto ATMs and companies that conduct crypto custody business or operate crypto securities registers.

Crypto custody business was incorporated into the KWG as a new financial service by the German Act Implementing the Amending Directive on the Fourth EU Anti-Money Laundering Directive of 19 December 2019 (Gesetz zur Umsetzung der Änderungsrichtlinie zur Vierten EU-Geldwäscherichtlinie) (Federal Law Gazette I, p. 2602). Since the act came into force in January 2020, companies wishing to provide this service have required authorisation from BaFin. The key elements of the authorisation procedure for crypto custody business and the essential requirements for granting authorisation are set out in the publication “Guidelines on applications for authorisation for crypto custody business”. Furthermore, crypto custody business is subject to the notice of 6 July 2018 issued by the Deutsche Bundesbank on the granting of authorisation to provide financial services.

Under the German Act on the Introduction of Electronic Securities (Gesetz zur Einführung von elektronischen Wertpapieren; Federal Law Gazette Part I, no. 29 of 9 June 2021, p. 1423) crypto securities registration was incorporated into the KWG as a new financial service. Since the act came into force on 10 June 2021, companies wishing to provide this service have required authorisation from BaFin. Information about authorisation for crypto securities registration can be found in a Guidance Notice issued by BaFin.

A key aspect of digitalisation is the increasing dependency on functioning IT infrastructures. This brings the significance of IT risks into focus, which is a result of increasing cyber attacks in the financial sector. The large sums of money that are transferred across national borders and jurisdictions are a worthwhile target for hackers. Cyber attackers around the world also operate at the international level. And they have the knowledge and skills to identify even the smallest security gaps in the IT infrastructures of financial companies and to exploit these gaps as gateways to carry out cyber attacks. BaFin has reacted to the persistently substantial and increasing IT threats and, at the beginning of 2016, established a new organisational unit exclusively devoted to issues of IT security in supervised entities. BaFin has since also issued minimum requirements regarding the IT infrastructures of banks, insurers, capital market service providers and providers of payment services.

Financial stability

All of the efforts by financial regulators and supervisors follow the overarching objective of ensuring financial stability, which is essential if the financial system is to fulfil its core purpose: serving as the transmission mechanism for the economy. The central body for macro-prudential oversight in Germany is the Financial Stability Committee (FSC). Macro-prudential oversight serves to limit systemic risk and to improve the resilience of the financial system. The FSC is formed of representatives of BaFin, the Deutsche Bundesbank and the Federal Ministry of Finance (BMF), since these three authorities, in their functions as supervisory authority, central bank and competent ministry, play a central role in maintaining financial stability.

In its ninth report to the German Bundestag on financial stability in Germany, which was published in June 2022, the FSC reached the conclusion that there are currently no indications of stability risks in the German financial system as a result of crypto assets. An important reason for this risk assessment with regard to crypto assets is that their market capitalisation remains relatively low. However, increased vigilance is necessitated by the strong market growth in this area, the interconnectedness with the traditional financial system, and the emergence of new instruments, for instance through decentralised finance.

BaFin is not only involved in macro-prudential supervision at the national level as part of the FSC, it is also active at the European level in the European Systemic Risk Board (ESRB) and with a global focus in the Financial Stability Board (FSB), which also very closely monitor current developments in the area of DLT and blockchain.