Crypto Assets Custody License in Spain

Discounts on events and training are available to all BACS members.

Your level is STANDARD and you have a 10% discount.

Your level is PREMIUM and you have a 20% discount.

Your level is PREMIUM + and you have a 30% discount.

In Spain, entities that offer the service of custodianship of crypto assets must apply for their license issued by the Bank of Spain.

Those entities that hold custodianship of crypto assets, will be obliged to request this license in Spain. Crypto assets deposited through smart contracts, unrelated to the custody function, are excluded.

Providers of this service, maintain and protect clients private keys and thus the crypto assets belonging to their wallets through their own security mechanisms.

Private keys are codes used to access and transfer cryptocurrencies in a digital wallet. Each wallet has its own address and unique private key. Whoever possesses the private key can access the wallet and, as a result, dispose of the crypto assets within it. The difference between the virtual wallet address and the private key is that the former is public, all participants in the blockchain can know the address of any wallet in the ecosystem; the latter is private and is only possessed by the owner of the virtual wallet.

By using a custody service, customers can delegate the responsibility of storing their cryptocurrencies to a trusted entity that has additional security measures, such as the following:

Two-factor authentication systems:

These additional security mechanisms are used to guarantee the protection of customers crypto assets, requiring two different forms of identity verification to access the virtual wallet and thus be able to dispose of the deposited crypto assets.

By means of a password or PIN that the customer must enter to log into their account, or a randomly generated code sent to the customer’s mobile phone, a fingerprint, a facial scan, or a personal security question, unauthorized access to the crypto assets stored in a wallet is prevented. This also protects users who have shared their private key.

Cold storage:

It is a security technique that involves storing the private keys of crypto assets offline. This protection measure manifests itself in different ways: using hardware storage devices, such as USB devices or smart cards, that are disconnected from the Internet and stored in a secure and physically protected location.

Custody License:

“In accordance with the second additional provision of Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism (“LPBCFT”), introduced with Royal Decree-Law 7/2021″ ^[1] It is the responsibility of the Bank of Spain to act as the regulatory entity for the registration and supervision of those companies registered for the custody of crypto assets in Spain.

The new European Union MiCA (Markets in Crypto Assets) regulation states that, regarding the provision of services related to the handling of crypto assets, all member countries must incorporate and implement this regulation through their internal legislative processes. As a result, the Bank of Spain, through document ES_BDE_C79B_P274 – Registry of providers of virtual currency exchange services for fiduciary currency and electronic wallet custody – establishes the requirements for those interested in being granted the license to provide this service in Spain to do so effectively, thus promoting its incorporation.

The custody license will be granted to entities (legal and physical persons) that wish to provide this service, provided that the following registration requirements are met:

Registration in the Registry of Custody Service Providers when intending to safeguard electronic wallets.
Assessment of suitability for virtual currency exchange and electronic wallet custody service providers. The suitability of the requesting legal entity will be evaluated, as well as an suitability assessment form for each of the physical persons who effectively direct the entity, signed by each of them.
Criminal Record Certificate: Criminal record certificate of the requesting legal entity and each of the physical persons who effectively direct the entity.
Identity Document: Copy of the national identification document/NIE/NIF/Foreign identification document of the legal person applying for registration, as well as all the physical persons who effectively direct the entity, when such a provider is a legal person.
Manual for the prevention of money laundering and terrorist financing.
Risk analysis document.

The “Manual for the Prevention of Money Laundering and Terrorist Financing” and the “Risk Analysis Document” have minimum requirements that the applicant (Legal and Physical Person) must meet to be considered suitable for presentation.

Manual for the prevention of money laundering and terrorist financing:

With the aim of reducing the risk of these types of illegal activities in the financial sector, this manual establishes a series of measures and structured procedures to ensure adequate prevention of money laundering and terrorist financing for obligated parties. All applicants for the license from the Bank of Spain must confirm in writing that they will ensure the proper management, periodic verification, and effective control of the measures proposed to prevent “LPBCFT”.

The admission policy for obligated parties’ clients, the structured procedures for due diligence and internal control measures, and the description of internal information flows are some of the requirements set forth by the Manual for prevention. ^[2]

Risk analysis document:

The “Risk Analysis Document” is a comprehensive analysis that must take into account various factors, such as the type of clients, countries or geographic areas in which it operates, products, services, operations, and distribution channels used. Additionally, it must include information about the obligated party’s business model, as well as possible third parties or agents who may market its services.

The document must specify the systems or channels used for the entry, payment, distribution, movement, or transmission of fiat and virtual currencies, and must include a diagram with the intended flows. Any other factors considered relevant to the prevention of money laundering or terrorist financing must be included. ^[3]

^[1]https://sedeelectronica.bde.es/sede/es/menu/tramites/autorizaciones-de-entidades-de-credito-y-otros/registro-de-proveedores-de-servicios-de-cambio-de-moneda-virtual-por-moneda-fiduciaria-y-de-custodia-de-monederos-electronicos.html

^[2] To know in detail the requirements of the Manual for the Prevention of Money Laundering and Terrorist Financing go to: https://sedeelectronica.bde.es/sede/es/menu/tramites/autorizaciones-de-entidades-de-credito-y-otros/registro-de-proveedores-de-servicios-de-cambio-de-moneda-virtual-por-moneda-fiduciaria-y-de-custodia-de-monederos-electronicos.html

^[3] To know in detail the requirements of the Risk Analysis Document go to: https://sedeelectronica.bde.es/sede/es/menu/tramites/autorizaciones-de-entidades-de-credito-y-otros/registro-de-proveedores-de-servicios-de-cambio-de-moneda-virtual-por-moneda-fiduciaria-y-de-custodia-de-monederos-electronicos.html

Share your crypto thoughts

All BACS members have access to this section to share their reports, narratives, and other thoughts related to their professional sector and the blockchain technology environment.

If you wish to submit your publication, please email info@bacsociety.com or use the form.

Previous Content and form of the Cryptoassets White Paper Next Spanish NFT Regulation