Status: As of 2 July 2026, BaFin’s 2020 crypto custody guidance remains a published interpretive reference for Germany’s Banking Act (Kreditwesengesetz, or KWG). Its practical role is now narrower because MiCAR, Germany’s Kryptomärkteaufsichtsgesetz (KMAG), and amendments to the KWG have moved most crypto-asset service supervision into the EU MiCAR framework.
The guidance, formally titled Guidance notice – guidelines concerning the statutory definition of crypto custody business, explained when the custody, management and protection of cryptoassets or private cryptographic keys could fall within the former KWG crypto custody business category. BaFin issued the guidance for market participants assessing whether a business model could require authorisation under the Banking Act.
Key provisions of the BaFin crypto custody guidance
The guidance focused on the statutory definition in section 1 (1a) sentence 2 no. 6 KWG as it applied from 2020. It addressed whether a provider was acting “for others,” whether the provider held or controlled cryptoassets or relevant private keys, and how custody, management and protection should be distinguished from purely technical services. The guidance was especially relevant for wallet providers, exchanges, institutional custody providers and service models involving access to client private keys.
- Regulatory perimeter: BaFin described crypto custody business as a regulated financial service under the Banking Act when the statutory elements were met.
- Private-key control: The guidance treated access to, or control over, private cryptographic keys as a central scoping issue.
- Technical-service limits: Services such as self-operated hardware or software wallets were generally treated differently where the provider did not control client assets or keys.
- Authorisation context: The KWG licensing framework remained relevant for businesses that carried out regulated financial services in Germany.
Germany’s current MiCAR and KWG custody context
Germany’s 2020 crypto custody regime was later reshaped by the EU Markets in Crypto-Assets Regulation. The Bundesbank states that MiCAR entered into force on 29 June 2023 and that Title V rules for crypto-asset service providers apply from 30 December 2024. Germany implemented the national supervisory layer through the KMAG and the Financial Market Digitalisation Act.
Under the current KWG, section 1 (1a) sentence 2 no. 6 refers to qualified crypto custody business, covering custody and administration of cryptographic instruments for others and the safeguarding of private cryptographic keys used for certain DLT-based instruments or securities. This means the 2020 BaFin guidance should not be read as a complete statement of the current German custody framework for ordinary MiCAR crypto-assets.
Jurisdictional impact
The profile is jurisdiction-specific to Germany, with BaFin as the supervisory actor and the KWG as the domestic banking statute. It should also be linked to European Union MiCAR coverage because the EU framework now supplies the main authorisation architecture for crypto-asset service providers, while Germany’s national laws allocate supervisory powers and preserve specific KWG treatment for qualified crypto custody involving cryptographic instruments.
Status and transition timeline
BaFin also published interpretive guidance on section 64y KWG in March 2020 for firms that were already conducting crypto custody business when the 2020 regime began. That transitional route required notice to BaFin by 31 March 2020 and a complete authorisation application by 30 November 2020. Separately, KMAG later created a MiCAR transition for certain firms that were lawfully active on 29 December 2024; that transitional permission expired no later than 31 December 2025.
For CryptoSlate’s legal-reference purposes, this profile classifies the BaFin document as German agency guidance with an In force taxonomy status, subject to an editorial caveat: it is a historical and interpretive BaFin document that should be read alongside MiCAR, KMAG, and the current KWG text. It is not a compliance checklist or legal advice.


