Germany: The revised draft of the eWpRV and its potential impact on the eWpG
On 10 June 2021, the German Electronic Securities Act ('eWpG') came into force. Since then, issuers have been able to launch securities electronically, e.g. using blockchain or distributed ledger technology. The eWpG facilitates the issuance of bonds and investment fund share certificates by waiving the previously required securities certificate and allowing their registration in an electronic securities register. In order to specify the general requirements of the eWpG with regard to the maintenance of electronic securities registers, an ordinance on requirements for electronic securities registers ('eWpRV') is to be issued by the German Federal Ministry of Finance and the German Federal Ministry of Justice. Based on Sections 15 and 23 of the eWpG, a second draft of the eWpRV was published on 14 January 2022. Andreas Wiencke and Manuel Poncza, from Heuking Kühn Lüer Wojtek PartGmbB, discuss the revised draft of the eWpRV and its regulatory content.
Purpose of the eWpRV
The eWpRV specifies general requirements for the establishment and maintenance of an electronic securities register, the authentication mechanisms that must be implemented, the accessibility of the underlying source code, and the requirements for cryptographic procedures and interfaces. In addition, the ordinance sets out in more detail the requirements for specification and documentation obligations, information in the registers, and requirements for participation in, and inspection of, the registers.
Electronic securities registers within the meaning of the eWpG and the eWpRV are central registers maintained by the central securities depository or a custodian bank (Section 12 of the eWpG) or crypto-securities registers maintained by means of distributed ledger technology, such as blockchain or other comparable technologies (Section 16(2) of the eWpG). The operation of these electronic securities registers qualifies as a financial service within the meaning of the German Banking Act ('KWG'). Individuals or entities that maintain the central register or the crypto-securities register, i.e. that make entries in the central register for central register securities or in crypto-securities registers for crypto-securities (as crypto-securities registrars) and hold a corresponding license pursuant to Section 32 of the KWG, qualify as register-keeping entities. Since registrars are thus considered financial services institutions within the meaning of the KWG, they are also subject to Sections 25(a) et seq. of the KWG and the administrative ordinances issued to specify them, such as the Minimum Requirements for Risk Management ('MaRisk') and the Banking Supervisory Requirements for IT ('BAIT').
It is to be noted that the maintenance of a crypto-securities register pursuant to Section 16 of the eWpG constitutes a separate financial service pursuant to Section 1(1)(a)(2)(8) of the KWG that is subject to the licensing requirement of Section 32 of the KWG.
Compared to central securities registers, the requirements for crypto-securities registry administrators are more extensive. In this respect, the eWpRV, on the one hand, sets out common rules for central and crypto-securities registry administrators in Chapter 2 and, on the other hand, provides further regulations, which must be observed only by crypto-securities registry administrators in Chapter 3.
Joint regulations governing central registers and crypto-securities registers
Participants within the meaning of the eWpG
Pursuant to Section 2(1) of the eWpRV, a participant is anyone who has been entered into the register. Issuers or holders of electronic securities therefore generally qualify as participants within the meaning of the eWpG.
In contrast, individuals and entities for which a restriction on disposal pursuant to Sections 13(2)(1)(1) or 17(2)(1)(1) of the eWpG has been entered in the electronic securities register are only deemed participants if they are separately identified in the respective electronic securities register. Otherwise, these individuals and entities are referred to the right of inspection pursuant to Section 10(2) of the eWpG in the event of a legitimate interest.
Furthermore, a participant is anyone who is granted access to the functions of the electronic securities register on the basis of an agreement with the respective register-keeping entity in accordance with Section 2(2) of the eWpRV. However, the German legislator has not specified the functions of the register to which access must be granted. In this respect, only the agreement with the entity keeping the register is authoritative. The requirement of an agreement with the register-keeping body governing access to the register's functions precludes individuals who may only use a function of the register or effect a change to the register on a case-by-case basis from qualifying as participants.
Participants within the scope of Section 2(2) of the eWpRV are, for instance, the parents of a child, the liquidator, the administrator of a will, or a legal representative who is granted their own access to the register.
This definition of the term 'participant' is important not least because, pursuant to Section 10(1) of the eWpG, participants in an electronic securities register have the right to inspect the register electronically.
Specification and documentation obligations
Section 3 of the eWpRV imposes extensive documentation obligations on register-keeping entities. These documentation obligations concern:
- essential aspects of the establishment and maintenance of the register;
- the transmission and execution of an instruction or approval;
- the appropriate period for transfers; and
- the requirements for the validity of transfers.
The aforementioned documentation should be comprehensive and 'easy for a knowledgeable third party to understand'. The reference to knowledgeable third parties limits the depth of the documentation to a level of detail that is easily understandable to individuals possessing general knowledge of the matter. However, the quality of the specifications or the documentation required for the register-keeping entity is not described in the eWpRV. Rather, reference is made to standards set out in the MaRisk.
Registry-keeping entities are required to retain documentation (including their records of the establishment and maintenance of the registry) for a period of at least ten years. In this respect, the retention period deviates from the retention period of five years mentioned in general part 6, Item 1 of the MaRisk. The retention period of ten years is intended to ensure that the register-keeping entity can be supervised effectively and to facilitate the enforcement of civil claims.
Additional documentation obligations solely for crypto-securities registers are set forth in Sections 13 and 21 of the eWpRV.
Deposition of the issuing conditions
The requirements set out in the eWpRV for the deposition of issuing conditions are limited. The eWpRV merely stipulates that the information of the issuing conditions should be saved in a 'permanent electronic form' (translated from the German: beständiges elektronisches Dokument), which ensures that the relevant information can be reproduced at any time. As to the saving in permanent electronic form, it is necessary that the saving is carried out in such a way that the information can be reproduced in unaltered form at any time and that evidence can be provided that no change has taken place in the meantime.
In addition, the issuing conditions must be freely accessible on the internet and be retrievable via a common method. Neither the eWpRV, nor its recitals indicate the meaning of a commonly used method. Therefore, care should be taken that the information on the issuing conditions is easy to find via common web search engines.
Furthermore, changes to the issuing conditions must be recorded and published in a timely and comprehensible manner. Moreover, changes to the access to the issuing conditions must be published in an appropriate way. In this regard, neither the eWpRV, nor its recitals provide details on the method of publication.
However, the question as to whether the initial issue of the security is deemed valid if the issuing conditions are defective remains unanswered.
Maintenance of the electronic securities register
The register-keeping entity is obliged to implement the necessary technical and organisational measures to prevent the loss of data or unauthorised modification of data for the entire period for which the electronic security is registered. This is intended not least to ensure that the total holdings of securities issued electronically by the respective issuer are not changed by entries and transfers.
This is particularly relevant for measures regarding the IT security of the register. The aim of such measures should be to safeguard the confidentiality, integrity, availability, and authenticity of the data entered into the register over the entire period during which such protection is required.
It is to be noted that the register-keeping entity may be liable for damages incurred as a result of a loss or unauthorised modification of data. Specific technical or organisational measures that are to be implemented or observed are, however, not mentioned in the eWpG or the eWpRV. Therefore, the processes and measures that a register-keeping entity intends to implement can be defined by the entity itself as long as the measures comply with common standards.
In order to examine those standards properly, the register-keeping entity can use, for example, the publications of the Federal Office for Information Security ('BSI') as a guide. In this respect, the technical guideline TR-02102, published by the BSI, describes measures that can be used in the context of assessing the state of the art on cryptographic processes. The government draft of the eWpRV explicitly mentions that this technical guideline is in line with other regulatory requirements for IT security and therefore complies with the requirement to implement state of the art technical and organisational measures.
Irrespective of the specific security measures defined and chosen, technical 'self-evident minimum standards' should be met and maintained in any case. In this sense, for example, the systems and software used must be tested and approved by the responsible specialists and technicians before they are used for the first time and after significant changes, such as updates or upgrades, have been made. Updates to be installed should generally be tested in a separate test environment before being transferred to the production environment. Care should also be taken to separate the test and production environments from each other.
Mandatory register information
The eWpG defines mandatory details for central registers in the scope of Section 13(1) of the eWpG, as well as for crypto-securities registers within the meaning of Section 17(1) of the eWpG. The eWpRV further specifies how the material content of the right associated with the security should be presented.
In the case of electronic bearer bonds (translated from the German: Inhaberschuldverschreibungen), the reference to the issuing conditions described in the relevant electronic securities register will suffice for the indication of the essential contents pursuant to Sections 13(1) or 17(1) of the eWpG. If, however, the register-keeping entity does not make use of the foregoing reference option, all information relevant for the investment decision from the perspective of a reasonable investor must be included in the register as essential content of the right. This includes at least the information on:
- the term, amount, and type of interest including the calculation method applied;
- the due date of all payments;
- ordinary and extraordinary termination rights; and
- subordination agreements (translated from the German: Rangrücktrittsvereinbarungen).
A corresponding right of choice does not exist with regard to electronic unit certificates in an investment fund (translated from the German: elektronische Anteilscheine eines Investmentvermögens) pursuant to Section 95(1) of the German Capital Investment Code. In the case of electronic unit certificates, it is mandatory to refer to the investment conditions of the respective investment fund. The reason for this is that the content of the investment conditions of an investment fund cannot be reasonably narrowed down to a specific set of relevant information. Furthermore, changes in the access to the investment fund rules have to be published in due time and in an appropriate manner.
In addition, personal data of the issuers and holders must be included in the electronic securities registers. In case of natural persons, the first name and surname, date of birth, place of residence and, if applicable, academic degree, and previous surnames must be provided. On the other hand, in the case of legal persons, commercial companies, and partnership companies, the company name and the registered office must be indicated, as well as the relevant register details or the legal entity identifier. If a valid legal entity identifier is available, the register details must not be provided.
In principle, only the information valid at the time of registration should be considered. Accordingly, there is no obligation to update the content of the register in the event of a change, e.g. due to a change of residence. However, if a request for updating is submitted by the registered individuals or if the register-keeping entity otherwise becomes aware of a change of name or place of residence, it may be required to update the register as appropriate.
Additional requirements for register-keeping entities of crypto-securities registers
Additional specification and documentation obligations
The entity administering a crypto-securities register should, in addition to the items specified in Section 3(1) of the eWpRV, document the following:
- the registration of electronic securities in a crypto-securities register;
- the correction of the crypto-securities register due to unauthorised changes to the content of the register within the meaning of Section 18(5) of the eWpG;
- the precautions and procedures for the transfer of the crypto-securities register upon instruction of the issuer (Section 22 of the eWpG) or upon order of the Federal Financial Supervisory Authority (Section 21(2) of the eWpG);
- criteria for participation in the register that promote fair and open access; and
- the type, format, and content of the register extract under Section 19 of the eWpG.
In addition, Section 21(1) of the eWpRV further specifies the content and requirements for the description and documentation of the crypto-securities register. Accordingly, the documentation should reflect the following:
- a description of the databases or other storage systems used, including the decentralised recording system, the relevant interfaces, and the automated procedures used for this purpose;
- a description of the system in which the contents of the register are stored in each case, in particular which contents are stored outside the decentralised recording system;
- a description of the data stored in the crypto-securities registry beyond what is provided for under the regulations of the eWpG;
- a description of the consensus procedure applied on the decentralised recording system, as well as a description and evaluation of the associated risks, including an indication of the period of time after which entries or transfers made in the recording system become valid and under which circumstances valid entries or transfers become invalid;
- a description of the technical procedures for the removal of entries; and
- details about the implemented cryptographic functions and procedures, as well as the implemented interfaces and their availability.
As mentioned, the eWpRV does not stipulate conclusive requirements that the technology and design of the decentralised recording system used by the register-keeping entity has to comply with. Within the scope of Section 4(11) of the eWpG, the registry-keeping entity decides which databases or storage systems it will use and how they will be linked.
Provision of the source code and the description of the recording system
Section 14 of the eWpRV provides that the record-keeping entity should make available the source code of the system of record, including smart contracts, and a description of the system of records to anyone who substantiates a special interest. In this context, it remains unclear whether, in addition to all development work, source codes of third-party providers will have to be disclosed by the record-keeping entity in the future.
The revised draft of the eWpRV of the Federal Ministry of Justice and the Federal Ministry of Finance promotes the digitalisation of Germany as a financial market and centre. The eWpRV sets out the legal framework by defining general requirements for the maintenance of securities registers for issuers and investors and, in this respect, considerably substantiates the requirements of the eWpG.
With regard to the implementation of adequate technical and organisational measures, however, the German legislators, as usual, do not make any binding specifications. While it takes into account the principle of technology neutrality and innovativeness, this approach will burden the registry-keeping entities with the responsibility to establish adequate technical and organisational measures, in particular with regard to the administration of crypto-securities registries. Given that no market standard has yet been established in this respect, registry-keeping entities are essentially required to bear the risk of compliant technical implementation.
Accordingly, it remains to be seen whether companies will use the legal framework introduced by the German legislators vis-à-vis the remaining risks and the requirements for the initial capital of €150,000 to be fulfilled as part of a licensing procedure pursuant to Sections 32 et seq. of the KWG.