Crypto custodians in Germany: BaFin license for key storage

Grigorii Lutcenko

07.02.2026 | 6 min read

Updated: 07.02.2026

I regularly meet executives who are ready to scale work with digital assets, but are stuck on two things: the BaFin license and the architecture of secure key storage. Since 2016 the team COREDO has supported dozens of projects for company registration in the EU and Asia, obtaining financial licenses and building compliance functions. During this time I have gathered a set of proven approaches that really save time and reduce operational risks. In this text I will systematically go through the path from legal structure to key architecture and regulatory reporting – with a focus on Germany and BaFin, but taking into account MiCA and EU requirements.

Our experience at COREDO has shown: a strong custody service doesn’t start with HSM, but with a clear regulatory model, a comprehensible operational architecture and compliance discipline. Technology is an important layer here, but without the right license, contractual framework and AML/KYC procedures the business risks getting a stop signal at the start.

Regulatory framework of Germany and the EU

Illustration for the section «Regulatory framework of Germany and the EU» in the article «Crypto custody in Germany BaFin license for key storage»
The regulatory framework of Germany and the EU increasingly shapes requirements for the handling and storage of crypto-assets, setting standards for licensing, supervision and investor protection. Below we will examine the key elements of oversight – including the role of BaFin and the specifics of regulating crypto custody.

BaFin regulation of crypto custody

In Germany, crypto custody (Kryptoverwahrgeschäft) is a licensed activity for the storage of third parties’ private keys. A BaFin license for key storage is required if you provide clients with custody of cryptocurrencies for business purposes, including corporate wallets, sub-accounts and API access. The regulator refers to the KWG (banking law), MaRisk (risk management) and BAIT (IT requirements), as well as the German AML law (GwG). Crypto-custody regulation in Germany implies segregation of client assets (segregation of client assets), clear internal controls, independent risk management and audit.

A couple of important nuances. BaFin supervision closely looks at the actual storage of private keys and operational processes, not only the legal structure. And if your model includes custodial staking, the regulator expects risk disclosures, a liquidity policy, management of slashing risk and contractual mechanisms for the allocation of rewards and costs.

MiCA: impact on BaFin custodians

The MiCA regulation forms a pan-European framework for crypto-asset service providers, including custodians. For Germany this means alignment of requirements, the possibility to passport custody services within the EU when meeting pan-European standards, and harmonization of reporting. COREDO’s practice confirms: if you build processes “according to MiCA” already at the stage of preparing for a BaFin license, subsequent expansion to other EU countries proceeds faster.

MiCA does not eliminate national specifics – BaFin will retain the right to inspections, the requirement for IT resilience and expectations for incident management. But the common language for compliance, risk-based approach and information security will become unified across the EU, which simplifies scaling.

AMLD5 and AMLD6: AML/KYC and GDPR

AMLD5 and AMLD6 set the level of control for business KYC providers, AML transaction monitoring and sanctions screening. In Germany these rules are implemented in the GwG; the regulator expects a risk-oriented approach, client segmentation, monitoring scenarios and a documented escalation methodology. In custody GDPR and key storage intersect through personal data of owners, activity logs (audit trail) and access logs. I recommend implementing data minimization and a strict role-based access model: this reduces risk and facilitates passing inspections.

BaFin license for crypto custody

Illustration for the section «BaFin license for crypto custody» in the article «Crypto custody in Germany BaFin license for key storage»
BaFin‑Licensing of crypto custody requires strict compliance with regulatory requirements and transparent documentation. Below we will examine in detail the stages and structure of obtaining the license, including the key legal, operational and technical criteria for successfully completing the process.

How to obtain a BaFin custody license

I recommend starting with the legal structure for custody in the EU (GmbH, AG). For crypto custody in Germany a GmbH is usually suitable, while mature players planning to raise capital choose an AG. Capital requirements for custody depend on the service profile; for pure storage of private keys the starting capital is usually from €125,000, and is higher when combined with payment services. The cost of obtaining a BaFin license consists of document preparation, technology implementations (HSM/MPC), hiring key personnel (MLRO, CISO, Head of Risk), certifications (ISO 27001, sometimes SOC 2 Type II), insurance and legal support.

According to COREDO’s observations, a conservative project budget often falls in the mid- to multi-million euro range, depending on scale, geography and degree of automation.

Process stages:

Pre-licensing gap analysis against BaFin/BAIT/MaRisk and MiCA.
Designing the operational model: custody vs non-custodial, cold/hot storage, MPC or multisig, key ceremony protocol and key rotation policy.
Building compliance: AML/KYC, sanctions screening, risk-based approach, incident management and notifications to the regulator.
IT and security: HSM (Hardware Security Module) or MPC (Multi-Party Computation), cold key storage infrastructure, air-gapped signing, audit trail and logging.
Documentation and submission: policies, regulations, client agreements, legal agreements for HSM outsourcing.
On-site inspections and responses to inquiries.

Checklist for preparing for a BaFin inspection

The COREDO team has conducted dozens of pre-licensing “dry” audits and compiled a checklist for preparing for a BaFin inspection:

Governance: qualified executives, independent risk and compliance, information security committee.
Policies and procedures: private key storage requirements, access management and role models in custody, key ceremony and backup, disaster recovery plan and business continuity plan.
IT governance under BAIT: asset inventory, vulnerability management, change management, incident response.
Security: BaFin HSM security requirements, description of MPC/threshold signatures, multisignature and key storage, cold wallet architecture and hot wallet risk.
Quality control: penetration testing and red team, bug bounty programs, security audit for crypto custody, SOC 2 Type II audit if available, ISO 27001 certification.
Finance: capital requirements, OPEX vs CAPEX model, ROI calculation for security investments and overall financial plan.
Contract framework: preparation of custody agreements for corporate clients, SLA 99.9% availability, key storage regulations and GDPR, fiduciary duty for custodians, segregation of client assets, trustee model custody.
Reporting: BaFin regulatory reports, security metrics for BaFin reporting, incident notification policies.

Supervision and incident reporting

BaFin expects transparent incident management and notifications to the regulator in case of material failures, breaches or risks to clients’ funds. Notification timings align with GDPR (generally within 72 hours for personal data) and internal regulations. I recommend drafting in advance a criticality matrix, an escalation procedure, a communications role model and message templates for the regulator and clients. Regular regulatory reports to BaFin include information security and operational resilience KPIs.

Enforcement action precedents show that the regulator is particularly sensitive to commingled asset storage, weak access policies and insufficient transaction monitoring. COREDO’s practice confirms: a mature audit trail, forensic readiness and automated access control simplify communication with supervision.

Key storage architecture

Illustration for the section "Key storage architecture" in the article "Crypto custody in Germany BaFin license for key storage"
Building the technological architecture for key storage defines a set of decisions responsible for the security, availability and manageability of cryptographic materials. In the following subsections we consider the role of HSMs and outsourcing options for critical components to show how different approaches affect risks and operational requirements.

Outsourcing critical components and HSM

HSMs, the de-facto standard for protecting master keys, are especially important when supporting Bitcoin and Ethereum in custody and managing corporate sub-accounts. BaFin looks at HSM certification (e.g., FIPS 140-2/3), key lifecycle management, load/unload policies and role models. Outsourcing HSMs and the legal risks must be addressed separately: agreements with providers, third-party risk management, requirements for locations and verification procedures.

The solution developed at COREDO usually combines HSMs for root secrets and MPC for operational flexibility. This approach increases resilience and simplifies scaling as the number of clients and transactions grows.

MPC, multisig and secret sharing

MPC for key storage and threshold signatures allow the signing computation to be split across multiple independent nodes, reducing the risk of a single point of failure. Multisignature and multisig key storage architectures remain relevant for Bitcoin’s UTXO model and some enterprise scenarios. Shamir’s Secret Sharing is suitable for backups and recovery procedures, but I don’t use SSS for online signing when MPC is available.

A combination of cold wallet architecture with air-gapped signing and a hot environment with limited limits increases security and operational flexibility. Key rotation policy must take L2 protocols and smart contracts into account, especially for cross-chain custody and when working with wrapped tokens. Key ceremony and backup procedures are documented in detail, with video recording and checklists.

Fault tolerance, scaling and audit

Designing a fault-tolerant key architecture includes distributed key storage for scaling, geo-replication, independent quorum channels and deterministic run-books for incidents. A multi-tenant custody platform requires strict segmentation, circuit isolation and continuous monitoring. Audit trail and logging must cover administrative actions, transactions, access to secrets and configuration changes.

I build in forensic readiness: time synchronization, immutable logs, a retention policy and regular recovery tests. Incident response and notification are practiced scenarios with roles, timers and feedback loops. This saves hours during real crises and increases client trust.

Custodial staking: risks

Staking-as-a-service for corporate clients raises questions about liquidity management, reward distribution, validator fees and slashing risk. Liquidity management in custodial staking requires buffers, transparent unbonding rules and synchronization with accounting. In contracts I record protocol risks, responsibility for validator selection and the compensation procedure for slash events.

Smart contracts, custodial vs non-custodial models, support for ERC-20 and ERC-721 and integration of layer-2 and custody (for example, rollups): all of this is reflected in risk methodologies. Our architects at COREDO form a risk profile for each network stack separately.

Assets, integrations and SLA

Support for Bitcoin (Bitcoin UTXO model) and Ethereum requires different addressing logic, monitoring and nonce/fee control. For business I set up custody API integrations with exchanges and brokers via API integration (REST, WebSocket), with restrictions by keys, IP allowlist and a fine-grained limit system. Enterprise onboarding processes include corporate client Due Diligence, issuance of sub-accounts and configuration of role models.

SLA 99.9% availability is a fair benchmark for custody, while transaction creation time and approval delays depend on the number of signatures and the limit policy. Setting SLAs for crypto custody services provides RTO/RPO for infrastructure, maintenance windows and a plan for functional degradation.

Risk management and compliance

Illustration for the section «Risk management and compliance» in the article «Crypto custody in Germany BaFin license for key storage»
Effective risk management and strict compliance require a systemic approach to identifying and mitigating financial threats. In this context, AML/KYC and regular transaction monitoring become key tools to prevent fraud and money laundering.

AML/KYC: transaction monitoring

Compliance for crypto custody Germany is built on a risk-based approach: segmentation of clients by jurisdictions, types of activity and volumes. AML KYC for crypto custody requires reliable KYC providers, periodic review processes (KYC refresh), sanctions checks and transaction monitoring using behavioral and blockchain analytics. Sanctions screening and lists of high-risk wallets are better automated, but manual review should be retained for complex cases.

AML transaction monitoring should include scenarios for the microstructure of transfers, analysis of sources of funds and behavior when using mixers. I define clear rules for escalation and suspension of operations so the team does not lose time on approvals at critical moments.

Resilience and security

ISO 27001 certification for custodians and a SOC 2 Type II audit are strong arguments for BaFin and corporate clients. They are complemented by regular penetration testing and red team exercises, bug bounties and independent code reviews for custom components. Transparency through the implementation of proof of reserves for custodians and attestation reports increases trust, especially with large corporate deposits.

Security metrics for BaFin reporting and key KPIs for CTO/CISO may include: MTTR for incidents, proportion of critical vulnerabilities, average patch-management time, percentage of MFA/SSO, frequency of key rotation, share of transactions processed through expedited scenarios, and results of independent audits.

Insurance and fiduciary duties

Insurance of crypto custody assets: a separate track. Custody insurance policy and underwriting of crypto risks take into account limits for hot and cold wallets, exclusions and deductibles. How to choose an insurance product for a custodian? I assess the insurer’s financial stability, cyber-risk coverage, limits on social engineering and control requirements.

Fiduciary duty (fiduciary duty for custodians) and segregation of client assets are critical in the event of a custodian’s bankruptcy and in protecting clients. A proper contractual and operational model (for example, trustee model custody) helps separate client assets from the insolvency estate. COREDO’s experience has shown: clear ownership registers and segregation at the level of addresses/smart contracts simplify law enforcement.

Data privacy and regulations

The key storage policy and GDPR go hand in hand with data governance: minimization of personal data, encryption «at rest» and «in transit», access management and retention. Logging and observability should not disclose sensitive elements of key infrastructure, and log sizes should not exceed what is reasonably necessary. We balance this through anonymization, pseudonymization and strict telemetry control.

Strategy and economics of launching a service

Illustration for the section «Strategy and economics of launching a service» in the article «Crypto custody in Germany BaFin license for key storage»
The project’s economics and the chosen strategy shape the decision-making framework during preparation and launch of the service, setting priorities for resources and the acceptable level of risk. Below we will examine in detail the cost model, required capital and key ROI metrics to build a justified go-to-market plan.

Cost model and ROI

OPEX vs CAPEX модель помогает прозрачнее коммуницировать с советом директоров. CAPEX, HSM, сети, лицензии на ПО, сертификации; OPEX – штат комплаенса и ИБ, страховки, аудит, колокации, bug bounty. Стоимость получения лицензии BaFin и последующее содержание зависят от масштаба.

The ROI estimate for launching a crypto-custody service is built on revenue from custodial services, transaction fees, staking rewards (if applicable), and cost savings from in-house risk control.

How to estimate ROI from implementing your own crypto-custody? I model scenarios along three lines: organic growth of the corporate customer base, cross-sales (for example, exchange/trading/payments) and retention thanks to high SLA and security. The ROI calculation for security investments takes into account the probability of incidents and potential damage; this is an important argument before the investment committee.

In-house vs third-party and white-label

The comparison of in-house vs third-party custody boils down to control, speed of launch, and the regulatory curve. White-label custody solutions allow faster market entry but increase dependence and requirements for third-party risk management. Migration of crypto-assets between custody providers — a scenario I plan for at the start — includes procedures for key rotation, attestation of balances and client notifications.

Outsourcing HSM legal agreements require clear SLAs, audit rights, requirements for data geography and recovery plans. Third-party risk management includes periodic assessments, stress tests and forensic clauses in contracts.

Operational resilience and SLA

Operational resilience: not only data-center redundancy, but also disaster recovery plan drills, degraded-mode business processes and client communications. SLAs should cover availability, transaction processing time, maintenance windows and RTO/RPO. I always link SLA settings for crypto-custody services to team KPIs and bonus models: this way SLA ceases to be “paper” and becomes a practical tool.

COREDO case studies: licensing and integration

In a series of COREDO case studies we show practical steps – from obtaining a license to real bank integration scenarios. Using the example of Germany, we examine BaFin’s requirements, key architecture and technical solutions necessary to comply with regulatory and banking requirements.

BaFin: license and key architecture

The COREDO team recently implemented a project for a fintech planning custody for large corporate clients. We chose a GmbH, prepared the BaFin submission package, deployed HSMs for master keys and MPC for operational signing. The client obtained ISO 27001 certification, underwent a SOC 2 Type II audit and set up proof-of-reserves methodologies with regular attestation reports. The contractual framework established segregation of client assets and a trustee-model custody, as well as terms for custodial staking and disclosure of slashing risk.

At the pre-audit stage we ran a practical checklist to prepare for the BaFin review, ‘dry’ key ceremonies, an incident response test and tuning of regulatory reports. The solution proved resilient, and the final regulatory dialogue took less time than we had planned in our risk scenarios.

EU passporting after launch

Another client launched custody in Germany with an eye on the EU. We built a model compatible with MiCA and prepared EU passporting for custody services. The legal structure and policies immediately accounted for Cyprus and Estonia’s requirements for IT resilience and staffing, which accelerated regional expansion.

Our experience at COREDO has shown: unifying policies and a single key architecture reduces total cost of ownership and simplifies change management.

Integration into a banking group

A separate case — implementing custody in a banking group with presence in the UK, Singapore and Dubai. We integrated custody into the bank’s structure via API, REST/WebSocket, supporting corporate accounts and sub-accounts. For the CTO/CISO we set up key KPIs, reports for risk committees and regular red team exercises.

Practice has shown that BAIT discipline and banking IT standards map harmoniously onto crypto custody if roles and processes are organized correctly.

Practical tools

To minimize risks when choosing a custody provider, rely on practical methods and tools that turn abstract requirements into concrete checks. Below is a compact checklist for reviewing custody providers with key criteria for security, compliance and operational reliability.

Checklist for reviewing custody providers

Reviewing custody providers: a checklist for the director

Licenses and supervision: BaFin license for crypto custody, MiCA plans, regulatory history, inspection precedents.
Security: HSM/MPC, key ceremony protocol, air-gapped signing, penetration testing, bug bounty, ISO 27001/SOC 2.
Operations: SLA 99.9%, incident response, disaster recovery, business continuity, audit trail.
Compliance: AML/KYC, sanctions screening, AML transaction monitoring, GDPR.
Legal: segregation of client assets, trustee model custody, insurance, outsourcing, HSM legal agreements.
Technology: support for Bitcoin/Ethereum, ERC-20/ERC-721, layer-2 and custody, cross-chain custody, API REST/WebSocket.
Economics: fees, limits, OPEX vs CAPEX, ROI assessment.
Migration: export of keys/addresses, proof of reserves during transition, timelines and risks.

What to include in contracts and SLAs

Preparing custody agreements for corporate clients should specify:

Scope of services, supported assets, custodial staking requirements.
Segregation of assets, fiduciary duty, insurance and limits.
Incident management and regulator notifications, RTO/RPO, maintenance windows.
Key policies: private key storage requirements, key rotation, access controls.
Proof of reserves and attestation reports, audit rights.
Management of custody operational risks and third-party risk management.

Recovery after key compromise

A key recovery plan after compromise should include:

Identification of the affected area and containment scenario.
Generation of new keys (key ceremony), transfer of assets, policy updates.
Communications: clients, regulator, counterparties.
Forensics package: collection of artifacts, preservation of logs, independent analysis.
Post-incident plan: lessons learned, control updates, retesting and attestations.

Frequently Asked Questions and Short Answers

Which legal structures are optimal for custody in Germany? GmbH – a flexible start; AG: for mature capital and exchange plans. In both cases consider capital requirements and governance requirements.

How to obtain a BaFin license for custody and how long does it take? The readiness of the company and the documentation package determines the timelines. Mature processes and IT significantly speed up the dialogue. Budget and team are key to predictability.

What SLA metrics are important for corporate custodian clients? Availability, signature latency, RTO/RPO, incident handling time and reporting accuracy. Plus security metrics: key rotation frequency, MFA coverage and time to patch.

How to choose an insurance product for a custodian? Look at coverage of hot/cold wallets, exclusions, limits, payout terms and control requirements. Compare underwriting criteria and the insurer’s financial stability.

How to assess the ROI of implementing your own crypto custody? Sum new revenue, risk savings, synergy with existing services and cost of capital. Don’t forget growth scenarios and stress tests.

Conclusions

Custody is not just about storing keys. It’s about trust, predictability and a mature operational model. I’ve seen projects with strong architecture and compliance discipline obtain a BaFin license for key custody and quickly scale across the EU thanks to MiCA. I’ve also seen the opposite: when savings on processes and documentation come back as delays and additional requirements.

COREDO doesn’t offer magical shortcuts. But we do have the tools, practices and experience that make this path manageable: from choosing between HSM and MPC to BaFin regulatory reports and proof of reserves. If you are planning a custody case in Germany, Czechia, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore or Dubai – let’s break it down into clear modules, calculate ROI and build an architecture that will withstand both regulatory audits and the requirements of your corporate clients. COREDO’s experience shows: a systematic approach pays off faster than promises to ‘do everything in three weeks’.