As a BaFin-regulated FinTech company, ecrop operates in a strictly regulated environment. Transparency and legal certainty are our top priorities. This chapter provides you with a comprehensive overview of the legal framework in which we operate and explains in detail how ecrop complies with all relevant laws and regulations, particularly the eWpG, CryptoAssetTransferV, and MiCAR regulation. We show you how our solutions help minimize compliance risks and manage your digital assets securely and efficiently.

Core Licenses (in Application Process)

ecrop is in the application process for two core BaFin licenses (operation of the crypto register is permitted under grandfathering, with the final license pending; the license application for crypto custody is pending) that form the foundation of our business model: the permission as a crypto securities registry manager under § 1 Para. 1a Sentence 2 No. 8 KWG in conjunction with § 16 eWpG and the permission for crypto custody under § 1 Para. 1a Sentence 2 No. 6 KWG.

Currently, the KWG license for crypto custody is still in the application process. Once granted, ecrop will offer custody of crypto assets in accordance with the requirements of KWG and CryptoAssetTransferV.

Crypto Securities Register (eWpG)

  • License Scope: As a licensed (grandfathering; final license pending) registry manager under eWpG, ecrop offers all necessary functions for the issuance, registration, transfer, and management of crypto securities.

    • Crypto Securities Registry Manager (pursuant to § 1 Para. 1a Sentence 2 No. 8 KWG in conjunction with § 16 eWpG): This BaFin license (grandfathering; final license pending) allows us to maintain the electronic securities register for crypto securities. It covers the issuance, registration, transfer, and management of crypto securities and ensures that all transactions and ownership relationships are documented transparently and traceably.
  • Legal Foundations: The ecrop crypto securities register is based on a solid legal foundation and meets all relevant legal requirements:

    • eWpG (Electronic Securities Act): The eWpG creates the legal framework for digital securitization of securities in Germany and regulates their issuance, registration, transfer, and custody. It enables the decorporealization of securities, i.e., the separation of the right to the security from the physical certificate. This creates electronic securities that exist exclusively digitally and are maintained in an electronic securities register. The eWpG differentiates between various types of electronic securities, including crypto securities based on Distributed Ledger Technology (DLT).

    • eWpRV (Electronic Securities Register Regulation): The eWpRV specifies the requirements of the eWpG for maintaining electronic securities registers and defines detailed requirements for data security, transparency, and integrity. It regulates, among other things, the technical requirements for the register, the processes for issuing, registering, and transferring electronic securities, as well as the obligations of the registry manager. The eWpRV serves to protect investors and ensures the functionality of the electronic securities market. As a crypto securities registry manager, ecrop fulfills all requirements of the eWpRV and thus ensures the secure and reliable operation of the crypto securities register.

    • KWG (Banking Act): The KWG regulates the activities of credit institutions and financial services institutions in Germany and sets, among other things, strict requirements for business organization, risk management, compliance with money laundering regulations, and custody of client funds.

  • Organizational Requirements: ecrop fulfills all organizational requirements for operating a crypto securities register:

    • ISO 27001 certified ISMS: We operate an Information Security Management System (ISMS) according to ISO 27001 and thus ensure compliance with the highest international security standards.

    • Information Security Officer (ISB): Our ISB is responsible for implementing and monitoring the ISMS and ensures compliance with all security guidelines and processes.

    • Compliance Management System: We maintain a comprehensive compliance management system that ensures adherence to all relevant laws, regulations, and internal guidelines.

    • Clear Roles and Responsibilities: Clear roles and responsibilities are defined for all employees working with the platform and the securities managed on it.

  • Technical Requirements: The ecrop platform meets all technical requirements for secure and reliable operation of a crypto securities register:

    • Secure and Reliable IT Infrastructure: Our IT infrastructure is redundantly designed and operated in the secure and high-performance AWS cloud.

    • Private Permissioned Blockchain Technology: The use of a Private Permissioned Blockchain ensures data integrity, authenticity, and availability.

    • Comprehensive Security Measures: ecrop employs numerous security measures, such as encryption, access controls, and monitoring, to ensure the security of the platform and managed securities.

  • Regulatory Obligations: As a crypto securities registry manager, ecrop fulfills all regulatory obligations under eWpG and eWpRV:

    • Proper Registry Management: We maintain the register in accordance with the requirements of eWpG and eWpRV, particularly regarding the registration, modification, and deletion of securities.

    • Comprehensive Documentation: All processes and transactions are comprehensively and traceably documented.

    • Regular Reporting: We regularly submit reports to BaFin, particularly regarding transactions and holdings.

  • Compliance Management: Our comprehensive compliance management system ensures adherence to all relevant regulations:

    • Internal Controls: We employ internal control mechanisms to ensure compliance with regulatory requirements.

    • Risk Management: Our integrated risk management system identifies, assesses, and manages all relevant risks associated with operating the register.

    • Audit Requirements: We conduct regular internal and external audits to verify compliance and the effectiveness of the ISMS.

Crypto Custody (KWG)

The secure custody of crypto assets is one of the biggest challenges for institutional investors in the crypto sector. ecrop is working intensively to offer a reliable and fully regulated solution for the custody of your digital assets that meets all requirements of the KWG and CryptoAssetTransferV. Currently, our license for crypto custody under § 1 Para. 1a Sentence 2 No. 6 KWG is in the application process. Once the license is granted, we will provide you with our cold storage architecture and multi-level security architecture to optimally protect your crypto assets.

The Challenges of Crypto Custody

  • Key Management: The secure generation, storage, and management of private keys is complex and time-consuming. The loss or theft of keys leads to the irrevocable loss of associated crypto assets.

  • Security Risks: Crypto assets are an attractive target for cybercriminals. Attacks, exploits, and security vulnerabilities in software can lead to significant financial damage.

  • Regulatory Requirements: Compliance with applicable laws and regulations in the area of crypto custody is complex and requires special expertise.

The ecrop Solution: Maximum Security and Compliance through Multi-Custody Approach

ecrop uses a multi-custody approach that combines the advantages of cold storage and state-of-the-art security technology to ensure the highest possible protection for your crypto assets while maximizing flexibility and availability for transactions. This approach enables us to meet our customers’ individual needs while maintaining the highest security standards and complying with all relevant regulatory requirements.

  • Cold Storage Architecture: Your private keys are generated and stored offline in Hardware Security Modules (HSMs). HSMs are specialized hardware devices that offer a high degree of tamper protection and are ideal for secure storage of cryptographic keys.

  • Multi-level Security Architecture: Our multi-level security architecture includes:

    • Access Controls: Strict, role-based access control (RBAC) limits access to sensitive data and functions to a minimum number of authorized persons.

    • Multi-Factor Authentication (MFA): MFA requires multiple independent factors for authentication, significantly increasing security.

    • Four-Eyes Principle: Critical operations, such as transaction approvals, follow the four-eyes principle. Two authorized employees must independently review and approve the activity.

    • Encryption: All data is encrypted both at rest (AES-256) and during transmission (TLS 1.3).

    • Firewalls and Intrusion Detection Systems: Firewalls and intrusion detection systems monitor network traffic and system activities in real-time and block potential threats.

    • Regular Security Reviews: Penetration tests, security audits, and vulnerability scans by internal and external experts ensure a continuously high security level.

    • Incident Response Plan: A detailed incident response plan defines clear processes and responsibilities in case of security incidents and ensures quick and effective response.

Regulatory Requirements:

As a BaFin-regulated company, ecrop fulfills all relevant regulatory requirements for crypto custody:

  • KWG Compliance: Custody is provided in accordance with the requirements of KWG and CryptoAssetTransferV.

  • Data Protection Compliance: Personal data is processed in accordance with GDPR and BDSG.

  • Regular Audits & Security Reviews: Internal and external audits ensure compliance with all regulatory requirements and security standards.

Core Functions in Detail:

  • Custody Services:

    • Secure Custody: Store your crypto assets securely in cold storage. Various cryptocurrencies and tokens are supported.

    • Wallet Management: Manage your wallets easily and intuitively through our user-friendly web portal. You have full insight into your holdings and transaction history at all times.

    • Automated & Manual Deposits and Withdrawals: Benefit from automated processes for quick and efficient transactions. Manual transactions are also possible.

    • Use Case: An institutional investor wants to hold various crypto assets securely long-term. With ecrop’s custody services, they can store their assets in cold storage and benefit from maximum security and compliance.

  • Key Management:

    • Secure Key Generation: ecrop generates unique key pairs for each customer in HSMs using cryptographically secure random number generators (CSPRNGs). The keys are never stored or transmitted unencrypted.

    • Secure Key Storage: Private keys are stored offline in HSMs and are protected against unauthorized access.

    • Regular Key Rotation: Keys are regularly rotated according to a defined schedule and as needed to minimize the risk of compromise.

    • Secure Recovery Procedure: A secure and documented procedure for key recovery is available in case of emergency.

    • Multi-level Access Controls & Encryption: Access to keys is strictly controlled and requires authorization from multiple persons (MFA and four-eyes principle). All key data is encrypted.

    • HSM Technology: The use of HSMs provides maximum security and tamper protection for your keys.

  • Transaction Management:

    • Secure and Efficient Processing: ecrop ensures secure and efficient processing of crypto transactions.

    • Real-time Transaction Status Tracking: You can track the status of your transactions in real-time at any time.

    • Integration with Trading Platforms (future): Seamless integration with existing trading platforms enables smooth trading of crypto assets.

    • Automated Verification and Approval: Automated verification and approval processes accelerate transaction processing.

  • Reporting & Compliance:

    • Comprehensive Reporting: Comprehensive reporting functions for customers and supervisory authorities provide full transparency and meet all regulatory requirements.

    • Detailed Audit Trails: Detailed and audit-proof audit trails document all transactions and system events and enable complete traceability.

    • Export Functions: Flexible export functions allow you to export data in various formats and integrate it into your existing systems.

    • API Integration: Powerful APIs enable automated data querying and processing as well as integration with your existing systems.

Note: We will inform you immediately once our KWG license for crypto custody has been granted. In the meantime, please feel free to contact our team to learn more about our developed custody solution and its integration into your company.