The Legal Side of Crypto-Assets Custody

Recent legal developments worldwide have shown acceptance of digital assets. Many governments have understood the great possibilities and opportunities that Blockchain technology brings and the unavoidable direction towards tokenization of assets and the crypto economy that the financial industry has been taking. A pivot point in history has occurred by supporting crypto custody which implies an assessment of the risks and solutions to mitigate them. Here, we present a summary of the countries working towards the crypto-economy and relevant information about minimum requirements for the custody of digital assets.    


The German Act Implementing the Amending Directive on the Fourth EU Anti-Money Laundering Directive of 2019 included the crypto custody business in the German Banking Act (Kreditwesengesetz – KWG) as a new financial service. Here is the summary of the most important implications:

  • Reports must be provided and documents submitted in accordance with Section 32 (1) KWG to BaFin (German Federal Financial Supervisory Authority) and a license must be obtained in order to offer crypto-custody services.
  • In those cases where business activities also cover financial instruments within the meaning of MiFID II, the authorization process might be based on Delegated Regulation (EU) 2017/194 instead of section 32 (1) sentence 1 of the KWG.
  • The credit institutions and financial service providers will now be allowed to combine safekeeping and/or trade of crypto-assets with traditional banking and financial services as long as the required license is obtained (Deloitte, 2019). 
  • A lighter regulatory regime under the German Banking Act will apply to an authorized financial service provider who would like to focus on crypto-custody only (Deloitte, 2019).
  • An application for authorization to conduct crypto custody business within the meaning of section 1 (1a) sentence 2 no. 6 of the KWG must document, inter alia, sufficient initial capital of at least EUR 125,000 and that the undertaking has reliable owners as well as reliable and qualified managing directors. 
  • A business plan must also be attached to the application. As well as planning encompassing the balance sheets and profit and loss accounts for the first three full financial years, in particular, this must cover the undertaking’s organizational structure and present its intended internal control mechanisms.
  • Germany has defined crypto assets as a digital representation of value, not issued or guaranteed by a central bank or public authority, with no legal status of currency or money (Reuters, 2021).
  • Crypto-assets are based on agreement and accepted as means of exchange or payment, an investment, and can be transferred, stored, and traded electronically.


Greece has joined the European Blockchain Partnership and implemented the Fifth European Directive on Anti-Money Laundering (AMLD5) as a member state of the European Union. The Hellenic Capital Market Commission defines cryptocurrencies as portfolio assets and not currency (Reuters, 2021). 

  • It requires providers of digital wallets, custody services, and exchange services between cryptos and fiat currencies to be registered. 
  • Taxation for mining is considered income from commercial enterprises and the profits that will arise after deducting the operating expenses are taxed according to the general provisions and the applicable tax rates. Holders of cryptocurrencies are taxed at a rate of 15% as income from capital gains.
  • Custodianship of digital assets qualifying as financial instruments under the Greek MiFID Law is an ancillary investment service and, when combined with other investment services and activities, such custodians must be licensed in accordance with the Greek MiFID Law (Chambers and Partners, 2021).

United States

The term “digital asset” refers to an asset that is issued and/or transferred using distributed ledger or blockchain technology. A digital asset may or may not meet the definition of a security under the federal securities laws. A digital asset that is a security is referred to as a “digital asset security.” 

  • Digital asset securities are regulated by the Securities and Exchange Commission (SEC).
  • A registered adviser with custody of client funds and securities is required by Rule 206 (4) – 2 of the Advisers Act (the “Custody Rule”) to establish a set of controls to safeguard those assets. Custody means “holding, directly or indirectly, client funds or securities, or having any authority to obtain possession of them”.
  • Digital assets are subject to the Custody Rule if they are either “funds” or “securities” and if the registered investment adviser has any authority to obtain possession of them. 
  • In the case of mutual fund shares:  With respect to shares of an open-end company as defined in section 5(a)(1) of the Investment Company Act of 1940 (15 U.S.C. 80a-5(a)(1)) (“mutual fund”), you may use the mutual fund’s transfer agent in lieu of a qualified custodian for purposes of complying with paragraph (a) of section 206(4)-2 of the Advisers Act.
  • An adviser with custody must maintain client funds and securities with a qualified custodian either under the client’s name or under the adviser’s name as agent or trustee for its client. A qualified custodian is a federally insured bank or savings association, a registered broker-dealer, a registered futures commission merchant (with respect to client funds and security futures), or a foreign financial institution that holds financial assets for its customers. 
  • The qualified custodian must send an account statement at least quarterly to each client, and client funds and securities must be verified at least annually.
  • SEC and the Financial Industry Regulatory Authority (FINRA) say a broker-dealer seeking to custody digital asset securities must comply with the Customer Protection Rule. Rule 15c3-3 requires a broker-dealer to physically hold customers’ fully paid and excess margin securities or maintain them free of lien at a good control location.   
  • Provision of Crypto-Custody services by major US banks. The Office of the Controller of the Currency (“OCC”) Interpretive Letter #1170 was interpreted by legal commentators as immediately permitting US-regulated banks to custody Crypto-Assets, provided that regulatory safeguards are met.



The Payment Services Act (“PSA”) defines the custody of crypto assets (“CA Custody”) as the “administration of crypto assets on behalf of another person.”

  • Definition of Crypto Asset Custody (Arora, 2020): If a service provider is in a position to execute the transfer of users’ crypto assets on its own, for example, when the service provider holds private keys by itself or jointly with another person, by which the service provider can initiate crypto assets transfer without the users’ involvement, such service is recognized as CA Custody under the PSA, provided that whether a service falls under “administration of crypto assets on behalf of another person” shall be determined substantively based on the actual services on a case-by-case basis.
  • Article 2 of PSA defines exchange services as engagement in any of the following as a business:
    • Sale and purchase of cryptoasset or exchange of cryptoasset for other cryptoasset;
    • Intermediary, brokerage, or delegation for the acts listed in (1) above; or
    • Management of users’ money in connection with the acts listed in (1) or (2) above;
    • management of users’ crypto-assets for the benefit of another person (custodian services).
  • The PSA requires any entity that is providing exchange services to be registered with the Financial Services Agency (“FSA”) and the local finance bureau.
  • Among other things, the applicants are also required to have:
    • a sufficient financial basis with a minimum capital amount of JPY10 million and net assets with a positive value;
    • a satisfactory organizational structure and systems to provide the exchange services appropriately and properly; and
    • certain systems to ensure compliance with the applicable laws and regulations.
  • Crypto Asset Exchange Service Providers are required to separate users’ funds separately from its own funds and they are also required to use third-party operators (such as trust companies or custodian services) to store users’ assets as per the provisions of the new Cabinet Office Ordinance. Moreover, the CAESP’s are also required to store the entrusted cryptoassets in cold wallets (offline wallets), however, if it interferes in smooth functioning of their operations, they can keep them in the hot wallets, but then they will be obligated to hold “the same kind and the same quantities of cryptoassets” to repay their users if the hot wallet is compromised. 
  • Cryptocurrency custody service providers (that do not sell or purchase crypto-assets) fall under the scope of the PSA, while cryptocurrency derivatives businesses fall under the scope of the Financial Instruments and Exchange Act (FIEA).
  • In April 2020, Japan was the first country to create self-regulatory bodies, the Japanese Virtual Currency Exchange Association (JVCEA) and the Japan STO Association. The JVCEA and the STO Association promote regulatory compliance and play a significant role in establishing best practices and ensuring compliance with regulations.



The Securities Commission Malaysia (SC) issued guidelines regulating various digital currency platforms operating in the country. The Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019 ruled that digital tokens are “securities” for purposes of securities laws (Reuters, 2021). 

  • Digital currency is defined as “a digital representation of value recorded on a distributed digital ledger that functions as a medium of exchange and is interchangeable with any money including through the crediting and debiting of an account.” 
    • All exchange offerings and digital asset custodians are required to register and “assess and conduct the necessary due diligence on the issuer, review the issuer’s proposal and the disclosures in the whitepaper, and assess the issuer’s ability to comply with the requirements of the Guidelines and the SC’s Guidelines on Prevention of Money Laundering and Terrorism Financing.”
    • The services of providing safekeeping, storing, holding, or maintaining custody of digital assets for the account of another person is specified to be a capital market services for the purposes of section 76A of the CMSA (Securities Commission Malaysia, 2020).
    • In the case of a registered recognized market operator or registered trustee who seeks to provide any of the services of crypto custody, such registered recognized market operator or registered trustee must notify the SC of its intention prior to it providing the specified services.
  • A digital asset custodian must have a minimum– (a) paid-up capital of RM500,000, and (b) shareholders’ funds of RM500,000 maintained at all times.


About micobo

micobo GmbH is a leading European software company for Security Token Offerings and Blockchain Software Development (DLT). It provides fully compliant software solutions for Security Token Offerings and advises structuring DLT- and Blockchain-based Securities. micobo empowers financial institutions with state-of-the-art technology focusing on providing a better customer experience and achieving measurable results.

micobo’s solution eliminates redundant verification processes and redundant information registered in isolated databases using distributed ledgers. It uses a proven and fully compliant set-up, adaptable to the customer’s needs.


Laura Andrade (

tokenization platfrom