Estonia has been a forerunner in regulating services related to cryptocurrencies. Until recently, the regulatory framework was very relaxed and the barrier to entry was set low. This is subject to change as amendments to the existing laws are introduced that provide further clarity and regulation to the cryptocurrency industry. In short, requirements for providing cryptocurrency-based exchange, trading, transfer, and wallet services shall be more akin to those for e-money institutions and other licensed financial service providers in Europe.
Amendments to the Estonian AML Act, which also regulates cryptocurrency services, enter into force on 15 March 2022. The aim of the amendments is to mitigate the risks of money laundering and terrorist financing more efficiently. As additional requirements for virtual asset service providers (VASPs) are introduced to implement this goal, already licensed VASPs, as well as new applicants, are required to bring their activities and documentation into conformity with the amendments.
New requirements for the VASP license application
In order to apply for the VASP license in Estonia, the applicant must:
a) have a sound internal compliance and risk management framework in place, including AML regulations, risk management policies, business continuity plan, etc.;
b) have no prior convictions regarding economic activities and have a good business reputation (be “fit and proper”); this includes both the management of the company and the investors;
c) have a share capital of EUR 250,000 to offer virtual currency transfer service or otherwise share capital of EUR 100,000 for other VASP services. The source of funding must be thoroughly disclosed as well;
d) draw up the business plan and financial projections for at least two subsequent years;
e) depending on the services to be offered, have enough capital for the “own funds” buffer, calculated based on either fixed cost or transaction volume;
f) have substantial local substance – Estonian local managers, AML officer, employees, office, etc.;
g) have a sound IT system framework & a plan to provide services.
To sum up, applicants are expected to create a functioning business unit in Estonia that is also governed from Estonia. Many of the requirements above are not surprising to those who have already worked in the financial sector, as the new requirements mimic the existing requirements for financial service providers to a great extent.
New requirements for the existing VASPs
All the organisational requirements applicable to new VASP applications shall also be enforced for the existing VASPs. VASPs must review their internal setup to see if they need to improve or adjust internal controls, risk assessments, the management board’s composition, etc. While there are many tiny details included in the new AML Act, we strongly advise keeping in mind at least the following:
a) Make sure that you have identified the VASP services you provide under the amended AML Act. It is very important to establish how much the share capital should be increased and what the specific own funds’ requirements are. For example, the virtual currency transfer service makes it obligatory to have a share capital of EUR 250,000 and enough own funds based on the percentage of transaction volume. While it is obvious that this transfer service shall be applied to various crypto payment services, it should be noted that transfer means any kind of transfer between two wallets. Hence, if the crypto exchange offers account withdrawals off-exchange in cryptocurrencies, this transaction is also a transfer service because the movement of funds is from wallet A to wallet B.
b) Auditing is mandatory. An important caveat is that for companies whose fiscal year begins earlier than 10.03.2022, the auditing obligation shall be applied from 2023 onward. If the company’s fiscal year starts after 10.03.2022, the auditing obligation is applied right away.
c) Internal auditing is mandatory. VASPs must hire/outsource an internal audit service provider. An internal auditor is someone who regularly reviews the effectiveness of a company’s internal controls and regulations. In practice, this means that VASPs must use the “three lines of defence” internal control system, required from other financial service providers as well.
d) MLROs/AML Officers are tied to two companies. The newly amended law stipulates that MLROs/AML Officers can only serve two separate companies. The Financial Intelligence Unit (“FIU”) can allow persons to be a member of the management board for one additional company, but this is an exception that the FIU is not forced to provide. Currently, most MLROs/AML Officers serve on multiple management boards simultaneously. If the company’s MLRO/AML Officer is also serving on multiple boards, it is wise to discuss whether the person shall remain with the current company or whether a new MLRO/AML Officer must be hired.
e) Making changes is more expensive. Every change regarding the composition of the management board, shareholders, etc., shall cost EUR 4,000. Therefore, it is advisable to make the changes rarely and together in bulk, if necessary.
f) Higher F&P requirements for the management board members. All members of the management board must have at least higher education and have professional work experience for at least 2 years.
g) Transaction monitoring. Upon any exchange or transaction activity, the transaction ID and information regarding both the originator and the recipient must be saved and stored. If possible, such information must be shared with the recipient service provider. This is a simplified version of the FATF (Financial Action Task Force) “Travel Rule”. If it is not possible to share information with the recipient’s service provider, the VASP must simply store transaction data and monitor all the transactions live to stop any suspicious transactions from occurring.
Most of those requirements are applicable from 15.06.2022. However, the requirement regarding transaction monitoring shall be applicable from 15.03.2022. Therefore, it is important that existing VASPs start working on upgrading the level of compliance as soon as possible. Before 15.06.2022, VASPs must provide the FIU with proof that new measures have been implemented and that VASPs are compliant with the new requirements.
This article is only a high-level overview of key changes. In addition to that, the newly amended law also has other technical details that can influence the customer flow and other business processes. We strongly advise consulting with internal legal advisors or law firms to ensure that all the relevant changes are implemented in existing work processes and there are no gaps in the overall compliance of the company.