MiCA · Germany · CASP authorisation

MiCA licence in Germany for serious crypto-asset service providers

A BaFin-facing compliance page for founders, exchanges, custodians, brokers, transfer providers and token platforms preparing to operate under the EU Markets in Crypto-Assets Regulation from Germany.

View application roadmap MiCA licence in Germany

EU-wide

MiCA creates a harmonised authorisation route for qualifying CASPs.

BaFin-led

German applications are reviewed through a demanding supervisory lens.

Controls-first

Policies must match systems, people, evidence and daily operations.

Passportable

Authorised CASPs can use MiCA passporting within the EU framework.

01 · German crypto regulation under MiCA

Germany treats MiCA authorisation as a supervisory readiness exercise, not a paper filing

MiCA replaces fragmented EU crypto rules with a directly applicable regime for crypto-asset issuance, trading, custody and service provision. In Germany, this framework sits on top of a mature financial supervision culture. Applicants should therefore prepare a complete operating model: who controls the business, how clients are protected, how outsourcing is monitored, how AML risks are managed and how incidents are escalated.

What changes

CASP authorisation becomes the central access route for crypto-asset services covered by MiCA, with passporting logic across the EU.

What remains German

BaFin expectations on governance, reliable management, risk management and documented procedures remain decisive in practice.

02 · Target applicants

Who should prepare for a German MiCA licence

Crypto exchanges

Platforms exchanging crypto-assets for funds or other crypto-assets, including order-book and quote-driven models.

Custody providers

Wallet infrastructure, private key custody, institutional custody and safekeeping of client crypto-assets.

Brokerage and execution desks

Businesses executing orders, receiving and transmitting client orders or arranging crypto transactions.

Transfer service providers

Providers transmitting crypto-assets between addresses, accounts or networks on behalf of clients.

Advisory and portfolio services

Firms giving crypto-asset advice or managing portfolios where crypto-assets are part of the mandate.

EU expansion groups

Non-German companies selecting Germany as a regulated EU base for credibility, infrastructure and market access.

03 · Licence scope

Services that usually define the application perimeter

Service line	Regulatory focus	Typical evidence
Custody and administration	Client asset segregation, key management, liability model, wallet architecture.	Custody policy, signing flow, access controls, reconciliation logs.
Trading platform operation	Market rules, fair access, order handling, conflicts and market abuse monitoring.	Rulebook, surveillance procedures, matching-engine description.
Exchange and execution	Pricing, best execution logic, client disclosures and transaction records.	Execution policy, fee schedule, records retention process.
Transfer services	Originator-beneficiary information, wallet risk, sanctions and travel rule controls.	Transaction monitoring rules, blockchain analytics setup, escalation logs.

04 · BaFin-facing preparation

A credible file must survive detailed supervisory questioning

German preparation should start before incorporation or restructuring decisions are final. BaFin-facing work is strongest when legal classification, business model, technology, AML, staffing, outsourcing and capital planning are aligned in one evidence trail.

01
Perimeter mapping
Map each product, token, client journey and revenue stream to a MiCA service category.
02
Entity and management design
Confirm German substance, directors, reporting lines, fit-and-proper evidence and shareholder transparency.
03
Control framework drafting
Prepare policies that reflect real systems rather than generic templates.
04
Regulatory Q&A readiness
Build a response matrix for likely BaFin questions on custody, AML, ICT and outsourcing.

05 · Governance requirements

Governance must show independence, competence and operational control

Management body

• Fit-and-proper management members
• Clear division of responsibilities
• Documented decision-making and escalation

Three-lines logic

• Operational owners for first-line controls
• Compliance, AML and risk oversight
• Internal audit or independent review plan

Outsourcing governance

• Critical provider register
• Due diligence and exit planning
• Incident and service-level reporting

06 · AML controls

AML design for German CASPs should be risk-based, technical and auditable

Core AML checklist

Business-wide risk assessment KYC and KYB procedures PEP and sanctions screening Blockchain analytics rules Suspicious activity escalation Travel rule workflow High-risk jurisdiction controls Periodic file review

What supervisors usually test

The AML file must demonstrate more than written rules. Expect scrutiny of onboarding flows, wallet screening thresholds, alert handling, false-positive management, staffing levels, reporting lines, training records and whether risk appetite is reflected in actual client acceptance decisions.

07 · Application documents

Document package for a German MiCA application

Corporate file

Articles, commercial register evidence, group chart, shareholder information, beneficial ownership details and capital proof.

Programme of operations

Business plan, target clients, countries, crypto-assets, revenue model, service categories and growth assumptions.

Governance pack

Management CVs, fit-and-proper forms, organisational chart, committee terms, risk framework and conflicts policy.

Compliance policies

AML, client asset protection, complaints, market abuse controls, conduct rules, remuneration and record keeping.

ICT and security file

System architecture, access management, resilience, backup, incident response, cyber controls and outsourcing register.

Financial projections

Initial capital analysis, own funds planning, forecast P&L, liquidity assumptions and stress considerations.

08 · Timeline

Practical application roadmap

Phase 1

Diagnostic

Service mapping, gap analysis, governance design and initial BaFin strategy.

Phase 2

Build

Policies, operating procedures, AML controls, ICT evidence and financial model.

Phase 3

Submit

Application compilation, consistency review, submission and supervisory correspondence.

Phase 4

Operate

Licence conditions, reporting calendar, audits, remediation and EU passport planning.

09 · Operating obligations

After authorisation, compliance becomes a recurring operating function

Obligation	Practical requirement	Owner
Own funds monitoring	Track regulatory capital and trigger escalation before breaches.	Finance / management body
Client asset reconciliation	Daily or periodic matching of client entitlements, wallets and records.	Operations / custody
AML monitoring	Review alerts, suspicious activity, sanctions exposure and high-risk clients.	MLRO / compliance
Incident reporting	Classify operational, cyber and custody incidents and notify where required.	ICT / risk / compliance

10 · Pricing factors

What affects the cost and workload of a German MiCA project

Service complexity

Custody, exchange, execution and transfer services require different evidence depth.

Technology stack

In-house custody, outsourced wallets and matching engines affect ICT review scope.

Group structure

Cross-border shareholders, outsourcing and shared services increase documentation work.

Existing maturity

A regulated fintech with policies is faster than a startup building controls from zero.

11 · FAQ

Practical FAQ on Germany’s MiCA licensing route

Is a German MiCA licence suitable for EU passporting?+

Yes, MiCA is designed around an EU authorisation and passporting framework. A German authorisation can support cross-border EU services, subject to the correct notification and operating model.

Can a foreign company apply directly in Germany?+

In practice, applicants normally need a suitable German or EU legal entity with real governance, substance and accountable management. The structure should be assessed before filing.

Does MiCA replace AML obligations?+

No. MiCA authorisation does not remove AML, sanctions, travel rule, transaction monitoring or suspicious activity obligations. These controls remain central to the authorisation file.

What is the biggest application risk?+

The biggest risk is inconsistency: a business plan that says one thing, policies that say another and systems that cannot evidence either. Supervisory readiness requires alignment.

When should preparation begin?+

Preparation should begin before launch or migration. Governance, custody, AML, outsourcing and financial forecasts are easier to build correctly than to retrofit under regulatory pressure.

12 · Contact block

Request a Germany MiCA readiness assessment

For a real project, prepare a short description of your services, custody model, countries, target clients, token types, management team and current compliance documents.