On September 21st, 2021, the Estonian Ministry of Finance published a draft law to amend the Money Laundering and Terrorist Financing Prevention Act (the AML Act). On December 23rd, the Estonian government approved draft legislation. The bill has now been submitted to the Estonian parliament, where it needs to undergo three readings to become law.
March 18th, 2022 is the deadline for regulated crypto businesses to bring their operation and documents into compliance. In this article, we cover the latest amendments introduced by the Ministry of Justice on December 21st and give a detailed breakdown of the major changes.
Who’s affected
The amendments target Virtual Assets Service Providers (VASPs) operating in Estonia, including crypto exchanges and wallets. When the bill is passed, decentralized platforms, ICOs and some other services will also fall under the VASP category.
Since 2020, VASPs are regulated the same way as financial institutions. Accordingly, they’re required to follow the AML Act and verify their users. Also, VASPs can only operate in Estonia if they have a license from the Financial Intelligence Unit (FIU).
What’s changed
Estonia is one of the first jurisdictions to change its legislation to comply with the FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.
The amendments introduce the FATF Travel Rule, provide stricter license demands, and expand the scope of the AML Act to cover new virtual currency services. We’ve gathered the main changes here. Click the toggles for more details.
Expanded definition of “virtual currency service”
Before: The term only included virtual currency exchanges and wallet services.
After: Definition of the term “virtual currency service” is expanded to include:
- Virtual currency transfer services
- Services related to the issuance of virtual currency, i.e. the organization of its public or directed offer, sale, or the provision of related financial services
This means that the following businesses now fall under the category of VASPs and must comply with AML obligations and license requirements:
- Any intermediaries between buyers and sellers and services that bring buyers and sellers together (brokerage services, order-book exchange services, etc.)
- Decentralized platforms, such as P2P or DeFi platforms. In cases where there’s no legal entity, the individual who set up or developed the platform, or who has any additional rights or controls over the platform will be considered a VASP (see the explanations here)
- Services who delegate any transactions to third parties (all business partners in this case will be considered VASPs)
- ICO platforms and other similar services, such as ISO and TGE, provided by the issuer itself or any third parties that help to market, sell or distribute virtual assets
To decide whether they are considered VASPs, businesses should follow the FATF’s functional approach to each definition.
Under this approach, businesses are required to analyze the services they offer and not solely rely on the terminology they use to describe themselves. For instance, they must take into account what transactions are performed to provide their service, who are the parties, and how the currency ownership changes as a result of the transaction.
License and operational fees
Before: The fee for a VASP license was €3,300 and the share capital minimum was €12,000.
After: The proposed regulation requires an even higher license fee, plus some additional fees for providers. Here’s what’s changed:
- The administrative fee for a VASP license will be increased to €10,000
- Share capital minimum will be €125,000 for wallet services, exchanges, and ICO and similar platforms; for transfer services, it will be €350,000
- An FIU supervision fee will apply on the 1st of April 2022, amounting to 1% of share capital and 0.035% of the total amount of initiated and accepted transactions in the course of the provision of the virtual currency transfer services
The draft law required funds belonging to VASPs to correspond with the share capital minimum or to the sum calculated in accordance with the methodology provided in the §72² of the Act, whichever is greater.
License application requirements
Before: The AML Act required businesses to submit information about their service, internal rules and procedures, and more (see the full list in §70 of the AML Act).
After: Businesses must provide additional information and documents to get a license. These include:
- Financial information such as assets and share capital size, an overview of income, cash flows, and more
- A business plan that includes a description of the nature of the applicant’s business activities, organizational and management structure, etc.
- Documentation of risk appetite and risk assessment
- Information on the technology systems used for the provision of the planned services, including a description of the security measures, business continuity measures and the level of technical organization
- Description of the information technology systems to be used for identification and monitoring of transactions, customers and their beneficial owners, as well as for the transmission of information necessary for the performance of the Travel rule obligation
- Information on the applicant’s financial audit firm that checks their funds. Businesses should also appoint and provide information on an internal auditor that will check AML systems and procedures, good practices, and decisions of the management bodies
- Information on the number of shares and votes that are acquired or owned by each shareholder
The full list can be found in §70 of the draft bill. If a provider wants to use subsidiaries, it must submit the same information about them.
Updated requirements for the management board
Before: The FIU demanded proof of the board of directors’ level of education, work experience, nature of earlier posts, etc.
After: The new regulation specifies these requirements for the management board and contact persons. Here are the two main demands:
- Board members must have higher education and at least two years of professional work experience
- A member of the management board may not hold more than two positions in a VASP
As in the previous updates, members of the management body can’t have a bad business reputation or any unexpired conviction for a criminal offense.
Grounds for license refusal
Before: A business could be denied a license due to a lack of AML procedures, payment account(s) in Estonia, and more.
After: The amendments introduce additional grounds for VASP licensing refusal. These include:
- There is doubt as to the legal origin of the share capital
- The business doesn’t intend to operate in Estonia or has no significant connections with Estonia (it’s not enough to have a place of business or a management board in the country)
- The internal rules are insufficient considering the nature and complexity of the business activity
- Information technology systems and other technological means are insufficient for the provision of service
- A license previously granted to an entity or a holder of a qualifying holding was revoked
The full list can be found in §72 of the draft law. The FIU decides whether to grant a license within 60 working days of receipt of all required documents and information.
A business, members of its management body, or holders of a qualifying holding won’t be allowed to apply for a new license within two years from the date of revocation of an existing license or refusal by the FIU to grant a license.
Grounds for license revocation
Before: A license could be revoked due to repeated failures to follow the demands of the FIU or due to non-compliance that is not addressed within a given time limit (the AML Act, §75).
After: Additional grounds for revocation are introduced, including:
- A VASP is inactive longer than six consecutive months
- A VASP has chosen Estonia as a place for license application and registration in order to avoid stricter AML requirements in a foreign country where it actively operates
- A VASP publishes wrong or misleading information or advertisement about its activity
- A VASP is engaged in money laundering or terrorist financing or has violated international sanctions
The full list of the grounds for license revocation can be found in §75 (1st and 2nd parts) of the Act. If VASPs don’t bring their activities into compliance with the proposed amendments and do not submit all of the necessary documents, the FIU will revoke their license.
The “Travel rule” for VASPs
Before: The Travel Rule applied only to banks and other financial institutions.
After: VASPs are required to follow the FATF Travel Rule. Under the Rule, providers must gather data on the originator of a transaction and share it with the service provider of the recipient of the transaction when completing a virtual currency exchange or transfer.
The information that VASPs must collect on the originator slightly differs between natural and legal persons. For natural persons, it includes:
- Name
- Unique identifier of the transaction
- Identifier of the payment account or virtual currency wallet identifier and personal identification code
- Name and number of the identity document or date of birth
- Place of birth and address of residence
For legal persons, it includes:
- Name
- Unique identifier of the transaction
- Identifier of the payment account or the virtual currency wallet identifier
- Registry code in the absence thereof, the relevant identifier of the country of the residence (a combination of numbers or letters equivalent to the registration number)
- Address of location
VASPs will be required to retain documents that they gathered in compliance with the Travel Rule.
Sanctions for non-compliance
The purpose of these amendments is to reduce the risks related to virtual currencies. It’s the duty of the management board to bring their business into compliance by March 18th and submit an audit report by August 15th, 2022.
For those who overlook the new requirements, non-compliance with the AML Act can lead to the revocation of their license.
The amended AML Act also adds three new offenses:
- Opening of an anonymous account, savings book, wallet, or purse of virtual currency
- Breach of own funds requirements
- Violations of the obligations of a VASP, such as failure to establish or control information related to the originator of a transaction
These violations can lead to a fine of up to 300 fine units (one fine unit equals €4) for a natural person and a fine of up to €400,000 for a legal person.
We’ll continue to monitor the changes and will update this article once the Act takes effect.
Explanatory note on the regulation of decentralized platforms
As we stated above, under the proposed amendments, some of the decentralized platforms may fall under the new regulation. The Explanatory Note to the draft law clarifies this provision to help companies evaluate whether they would be considered a VASP.
In line with Explanatory Note to the Draft law:
“the application used is not a virtual currency service provider, but creators, owners, administrators, and other persons who have influence or control over the terms and conditions of the service or other parameters may be obligated persons, even if the provision of the service is organised in a decentralised manner and/or some processes are automated.”
Also, “a person who creates and/or sells a software application or a platform for offering and/or trading virtual currency may not be a virtual currency service provider if their activity is limited to creating and/or selling the application and/or platform. However, as a rule, a party who supervises the creation and development of a software or platform for the purpose of providing virtual currency services also qualifies as a virtual currency service provider, especially if it retains control or sufficient influence over the virtual currency, software, protocol, platform or business relationship with users of the software, even if this is done through a smart contract.”
The Explanatory Note (Seletuskiri RahaPTS jt SE_OKT.docx) can be found here on the website by searching “rahapesu” with the number “21-1113.”