On September 21st, 2021, the Estonian Ministry of Finance published a draft law to amend the Money Laundering and Terrorist Financing Prevention Act (the AML Act). On December 23rd, the Estonian government approved the draft legislation. The bill has now been submitted to the Estonian parliament, where it needs to undergo three readings to become law.
March 18th, 2022 is the deadline for regulated crypto businesses to bring their operations and documents into compliance. In this article, we cover the latest amendments introduced by the Ministry of Justice on December 21st and give a detailed breakdown of the major changes.
The amendments target Virtual Asset Service Providers (VASPs) operating in Estonia, including crypto exchanges and wallets. When the bill is passed, decentralized platforms, ICOs and some other services will also fall under the VASP category.
Since 2020, VASPs have been regulated the same way as financial institutions. Accordingly, they’re required to follow the AML Act and verify their users. Also, VASPs can only operate in Estonia if they have a license from the Financial Intelligence Unit (FIU).
Estonia is one of the first jurisdictions to change its legislation to comply with the FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.
The amendments introduce the FATF Travel Rule, impose stricter license requirements, and expand the scope of the AML Act to cover new virtual currency services. We’ve gathered the main changes here.
Before: The term only included virtual currency exchanges and wallet services.
After: Definition of the term “virtual currency service” is expanded to include:
This means that the following businesses now fall under the category of VASPs and must comply with AML obligations and license requirements:
To decide whether they are considered VASPs, businesses should follow the FATF’s functional approach to each definition.
Under this approach, businesses are required to analyze the services they offer rather than rely solely on the terminology they use to describe themselves. For instance, they must take into account what transactions are performed to provide their service, who the parties are, and how the currency ownership changes as a result of the transaction.
Before: The fee for a VASP license was €3,300 and the share capital minimum was €12,000.
After: The proposed regulation requires an even higher license fee, plus some additional fees for providers. Here’s what’s changed:
The draft law required funds belonging to VASPs to correspond with the share capital minimum or to the sum calculated in accordance with the methodology provided in §72² of the Act, whichever is greater.
Before: The AML Act required businesses to submit information about their service, internal rules and procedures, and more (see the full list in §70 of the AML Act).
After: Businesses must provide additional information and documents to get a license. These include:
The full list can be found in §70 of the draft bill. If a provider wants to use subsidiaries, it must submit the same information about them.
Before: The FIU demanded proof of the board of directors’ level of education, work experience, nature of earlier posts, etc.
After: The new regulation specifies these requirements for the management board and contact persons. Here are the two main demands:
As in the previous updates, members of the management body can’t have a bad business reputation or any unexpired conviction for a criminal offense.
Before: A business could be denied a license due to a lack of AML procedures, payment account(s) in Estonia, and more.
After: The amendments introduce additional grounds for VASP licensing refusal. These include:
The full list can be found in §72 of the draft law. The FIU decides whether to grant a license within 60 working days of receipt of all required documents and information.
A business, members of its management body, or holders of a qualifying holding won’t be allowed to apply for a new license within two years from the date of revocation of an existing license or refusal by the FIU to grant a license.
Before: A license could be revoked due to repeated failures to follow the demands of the FIU or due to non-compliance that is not addressed within a given time limit (the AML Act, §75).
After: Additional grounds for revocation are introduced, including:
The full list of the grounds for license revocation can be found in §75 (1st and 2nd parts) of the Act. If VASPs don’t bring their activities into compliance with the proposed amendments and do not submit all of the necessary documents, the FIU will revoke their license.
Before: The Travel Rule applied only to banks and other financial institutions.
After: VASPs are required to follow the FATF Travel Rule. Under the Rule, providers must gather data on the originator of a transaction and share it with the service provider of the recipient of the transaction when completing a virtual currency exchange or transfer.
The information that VASPs must collect on the originator slightly differs between natural and legal persons. For natural persons, it includes:
For legal persons, it includes:
VASPs will be required to retain documents that they gathered in compliance with the Travel Rule.
The purpose of these amendments is to reduce the risks related to virtual currencies. It’s the duty of the management board to bring their business into compliance by March 18th and submit an audit report by August 15th, 2022.
For those who overlook the new requirements, non-compliance with the AML Act can lead to the revocation of their license.
The amended AML Act also adds three new offenses:
These violations can lead to a fine of up to 300 fine units (one fine unit equals €4) for a natural person and a fine of up to €400,000 for a legal person.
We’ll continue to monitor the changes and will update this article once the Act takes effect.
As we stated above, under the proposed amendments, some decentralized platforms may fall under the new regulation. The Explanatory Note to the draft law clarifies this provision to help companies evaluate whether they would be considered a VASP.
According to the Explanatory Note to the draft law:
“the application used is not a virtual currency service provider, but creators, owners, administrators, and other persons who have influence or control over the terms and conditions of the service or other parameters may be obligated persons, even if the provision of the service is organised in a decentralised manner and/or some processes are automated.”
Also, “a person who creates and/or sells a software application or a platform for offering and/or trading virtual currency may not be a virtual currency service provider if their activity is limited to creating and/or selling the application and/or platform. However, as a rule, a party who supervises the creation and development of a software or platform for the purpose of providing virtual currency services also qualifies as a virtual currency service provider, especially if it retains control or sufficient influence over the virtual currency, software, protocol, platform or business relationship with users of the software, even if this is done through a smart contract.”
The Explanatory Note (Seletuskiri RahaPTS jt SE_OKT.docx) can be found here on the website by searching “rahapesu” with the number “21-1113.”