Austria -- Custody Regulations Regulatory Overview
Methodology
AI-generated synthesis from web search results.
Limitations
- AI-generated content -- not reviewed by human expert
- Source URLs not independently verified
Austria, like many EU member states, has primarily regulated crypto-asset custody through an Anti-Money Laundering (AML) lens, classifying custodians as Virtual Asset Service Providers (VASPs). However, the landscape is significantly evolving with the EU's Markets in Crypto-Assets (MiCA) Regulation, which will introduce a comprehensive prudential framework.
Here's a breakdown of the current and upcoming regulations:
Current Regulatory Framework (Primarily AML-Focused)
Under the current regime, the primary legislation governing entities providing crypto-asset custody is the Financial Market Anti-Money Laundering Act (FM-GwG - Finanzmarkt-Geldwäschegesetz), which transposes the EU's 5th Anti-Money Laundering Directive (AMLD5).
1. Custodial License Requirements:
- VASP Registration: There is no dedicated "custody license" per se. Instead, entities providing custody of virtual assets are classified as Virtual Asset Service Providers (VASPs) and are required to register with the Austrian Financial Market Authority (FMA).
- Scope: The FM-GwG defines "providers of services related to virtual currencies" to include "the safekeeping of virtual currencies for third parties" (i.e., custody).
- Requirements for Registration:
  - Fit and Proper Management: Key persons involved in the management must demonstrate their suitability and reliability.
  - Robust AML/KYC Framework: Implementation of comprehensive policies and procedures for customer due diligence (KYC), transaction monitoring, risk management, and reporting of suspicious activities to the Financial Intelligence Unit (FIU).
  - Internal Controls: Establishment of internal controls and risk management systems to prevent money laundering and terrorist financing.
  - Designated AML Officer: Appointment of a dedicated officer responsible for AML compliance.
- Regulatory Reference:
  - Finanzmarkt-Geldwäschegesetz (FM-GwG): § 2 Z 22 FM-GwG defines virtual currency and § 32a FM-GwG outlines the registration requirements for providers of services related to virtual currencies.
  - FMA Guidance on Virtual Assets: The FMA provides guidance on the interpretation and application of the FM-GwG for virtual asset service providers.
2. Segregation of Client Assets Rules:
- Current: The FM-GwG, being an AML law, does not explicitly mandate prudential segregation of client crypto assets from the custodian's own assets.
- Implicit Expectation: While not a specific legal mandate for crypto, general principles of good business conduct and the FMA's supervisory expectations would lean towards ensuring customer assets are identifiable and protected from insolvency of the custodian to the extent possible, though this is not as robust as under a prudential financial services license.
3. Insurance/Bonding Requirements:
- Current: There are no explicit, dedicated insurance or bonding requirements specifically for crypto custodians under the current FM-GwG VASP registration.
- General Business Practices: Custodians are expected to have robust internal security measures and risk management, and may obtain general business liability insurance, but not a specific prudential insurance for client crypto assets.
4. Cold Storage Mandates:
- Current: Austrian regulation does not explicitly mandate the use of cold storage for crypto assets.
- General Security Requirements: The FMA expects VASPs to have robust IT security measures and operational resilience to protect client assets from theft, loss, or unauthorized access. This implicitly encourages the use of secure storage solutions, which commonly include cold storage for a significant portion of assets.
5. Qualified Custodian Definitions:
- Current: The term "qualified custodian" as defined in some jurisdictions (e.g., by the SEC in the US) does not have a distinct regulatory definition for crypto assets in Austria under the current VASP registration regime. The closest is being a registered VASP, which primarily means meeting AML/CTF obligations, not necessarily the broader prudential and capital requirements typically associated with a "qualified custodian" in traditional finance.
Pending Custody Legislation (MiCA Regulation)
The EU's Markets in Crypto-Assets (MiCA) Regulation (Regulation (EU) 2023/1114) will significantly transform the regulatory landscape for crypto-asset services, including custody, across all EU member states, including Austria. MiCA was published in the Official Journal in June 2023 and will be phased in, with most provisions becoming applicable from December 30, 2024 (stablecoin provisions earlier, from June 30, 2024).
Key Impacts of MiCA for Crypto Custody in Austria:
MiCA introduces the concept of Crypto-Asset Service Providers (CASPs), which require authorization by national competent authorities (like the FMA in Austria) to operate across the EU. "Custody and administration of crypto-assets on behalf of clients" is a defined service under MiCA.
1. Custodial License Requirements:
- EU-Wide Authorization: Custodians will need to obtain authorization as a CASP from the FMA. Once authorized, they can "passport" their services across the EU.
- Comprehensive Requirements: MiCA introduces robust requirements beyond AML, including:
  - Organizational Requirements: Clear governance arrangements, effective risk management, internal controls, and operational resilience.
  - Fit and Proper Requirements: For management and shareholders.
  - Prudential Safeguards: Capital requirements (see below).
  - Complaint Handling: Procedures for client complaints.
  - Conflict of Interest: Policies to prevent and manage conflicts of interest.
- Regulatory Reference:
  - Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA): Articles 53-56 specifically address requirements for custody and administration of crypto-assets.
2. Segregation of Client Assets Rules:
- Explicit Mandate: MiCA explicitly mandates the segregation of client crypto-assets and funds from the CASP's own assets.
- Protection in Insolvency: CASPs must ensure that client crypto-assets are not used in their own interest and are protected in the event of the CASP's insolvency.
- Record Keeping: Detailed records of each client's crypto-assets must be maintained.
- Regulatory Reference:
  - MiCA Regulation: Article 53(1) and (2).
3. Insurance/Bonding Requirements (Prudential Safeguards):
- Capital Requirements: MiCA introduces initial capital requirements and ongoing prudential requirements for CASPs, which vary based on the services provided. For custody, specific capital requirements apply (e.g., the higher of a fixed amount or a percentage of fixed overheads).
- Professional Indemnity Insurance: CASPs are also required to hold professional indemnity insurance or own funds to cover liability risks, particularly for loss of crypto-assets.
- Regulatory Reference:
  - MiCA Regulation: Article 6 and Article 53(4).
4. Cold Storage Mandates:
- Operational Resilience & Security: MiCA emphasizes strong security protocols, operational resilience, and robust IT systems. While not explicitly mandating "cold storage," the requirements for safeguarding client crypto-assets, including robust custody policies and procedures, strong cryptographic key management, and prevention of unauthorized access, strongly imply the need for industry best practices, which include multi-signature solutions, hardware security modules (HSMs), and cold/hot storage strategies.
- Liability: Custodians under MiCA will be liable to their clients for any loss of crypto-assets or funds as a result of a fault or operational failure. This increased liability will push firms towards the most secure storage methods.
- Regulatory Reference:
  - MiCA Regulation: Article 53(3), Article 54, Article 55, and Article 56 (liability).
5. Qualified Custodian Definitions:
- MiCA's CASP Framework: MiCA's robust authorization and ongoing supervision framework for CASPs providing custody will effectively establish a new standard akin to a "qualified custodian" within the EU. These authorized entities will meet high standards for governance, capital, operational security, and client asset protection.
Conclusion
Austria currently regulates crypto custody primarily through an AML lens, requiring VASP registration with the FMA. While this ensures AML/CTF compliance, it lacks specific prudential requirements for asset segregation, capital, or specific storage mandates.
The implementation of the MiCA Regulation will usher in a harmonized, comprehensive, and prudential regulatory framework for crypto custody. This will introduce robust licensing requirements, mandatory client asset segregation, capital requirements (or professional indemnity insurance), and clear liability for custodians, bringing the regulation of crypto custody much closer to that of traditional financial services in Austria and across the EU. Austrian financial institutions offering crypto custody services will need to adapt their operations significantly to comply with MiCA's stringent rules by the end of 2024.
Sources & Attribution
This article was generated by SearXNG+LLM.
Edit History
This article is maintained by AI research workers and reviewed by human editors.