The last few years have brought significant changes to the regulatory requirements of the virtual currency service providers. As the Estonian legislator continues to seek effective solutions for mitigating risks of the rapidly evolving sector, two new draft acts are expected to come into force.
The amendment to the current Money Laundering and Terrorist Financing Prevention Act (the draft AML Act) was expected to come into force from 1 February 2022. As this deadline can not be met, it is unclear when the change of law will take place but it appears to be the political will that the regulations will change soon. The draft AML Act is a follow-up to a previous draft of the same Act which was introduced in autumn 2021, as covered here.
Additionally, the Crowdfunding and Other Investment Instruments and Virtual Currencies Act (the draft Crowdfunding etc. Act) (more information on the previous version is available here) has re-emerged and is undergoing approval procedure, meaning that relatively soon this piece of draft legislation potentially could be approved by the Estonian Government and thereby, introduced in the Estonian Parliament. Taken together, both drafts intend to establish a comprehensive legal framework for virtual currency service providers.
Meanwhile, the proposed regulatory framework for virtual currencies at the EU level is still going through the negotiation phase within the EU institutions. As for the latest development, in November 2021, the European Council published its position on the proposal for Regulation on Markets in Crypto Assets (the Regulation) (available here). This development signals that the Regulation has moved forward in the political negotiations and is one step closer to the formal adoption. Regardless, certain important aspects of the proposed Regulation, such as the technical implementation of the travel rule, are expected to come into force no earlier than 2028.
New requirements under the draft AML Act
After receiving the approval of the Estonian Government on 23 December 2021, the draft legislation which introduces amendments to the AML Act must undergo the procedure for the passage of laws in the Estonian Parliament. For this reason, there may be further amendments expected, however, in the following sections we aim to provide an overview of the draft AML Act as it stands now.
Scope of the ‘virtual currency services’ definition
In the first place, in addition to the currently regulated virtual currency exchange and wallet service, the virtual currency service will include the “virtual currency transfer service, which enables at least partially electronic transaction through a virtual currency service provider on behalf of the originator for the purpose of transferring the virtual currency through the virtual currency service provider to the recipient’s virtual currency wallet or account, regardless of whether the originator and recipient are the same person or the recipient uses the same service provider”.
In short, this means that in addition to persons who exchange the virtual currencies themselves, the amendment seeks to also include those persons who simply enable transfer in virtual currencies.
Secondly, the virtual currency service will also include the “issue of a virtual currency, the organization of its offer or sale or the provision of related financial services”. A note to be made is that this point includes both services provided by the issuer itself and services provided by another party in connection with the offer, marketing, sale, distribution, and measures necessary to ensure trading.
In short, this means that any ancillary activities to the current virtual currency service provision, such as companies facilitating ICOs or marketing agencies for virtual currency services, will be subject to licensing requirements in the future.
Additional limitations in the authorisation and the transfer of the license
A new application for authorisation may not be submitted for a period of two years from the date of entry into force of the Estonian Financial Intelligence Unit’s (the FIU) decision to refuse or revoke the authorisation, whereas currently there are no such limits applicable.
Once the virtual currency services provider obtains the license, it may not be transferred to another company according to the draft AML Act. It remains unclear whether this intends to prohibit the possibility of changing the shareholders of a company that holds the relevant license.
Current requirements for the authorisation
To provide a comparison with the new requirements, here is a list of the current requirements applicable to virtual currency service providers in Estonia:
- the company’s share capital must be at least EUR 12,000;
- state fee for the application is EUR 3,300;
- the company must appoint a compliance officer who works permanently in Estonia and has the education, professional suitability, abilities, personal qualities, experience, and impeccable reputation required for the performance of the duties of a compliance officer. This appointment is to be coordinated with the FIU;
- the company must have in place internal procedure rules and risk assessment documents with respect to AML and sanctions rules and risks;
- the company; members of its management body; and its procurator, beneficial owner, and owner are to be checked for any unexpired penalties for a criminal offense against the authority of the state, criminal offenses relating to money laundering, or other wilfully committed criminal offenses, and criminal registry extracts need to be submitted for that purpose;
- the company must have a payment account with a credit institution, an electronic money institution or a payment institution established in Estonia or a Contracting State of the European Economic Area providing cross-border services in Estonia or having established a branch in Estonia.
New requirements for the authorisation
Under the draft AML Act, virtual currency service providers must meet the following (new) requirements:
- the company’s paid-in share capital must be at least EUR 150,000 or EUR 350,000 (depending on the type of services offered);
- the own resources of a virtual currency service provider shall at all times correspond to one of the following amounts, whichever is greater: the amount of share capital or at least a quarter of the fixed overheads of the previous financial year;
- state fee for the application is EUR 10,000;
- the registered office, seat, and place of business of the virtual currency service provider must be in Estonia;
- it should be possible at any time to ensure that a representative of the supervisory or investigative body has access to the data collected and stored by the service provider;
- a member of the board of a virtual currency service provider must have a university degree and at least two years of professional experience and may not hold the position of the member of the board in more than two virtual currency service providers. A member of the management board must also have a good business reputation. A person does not have a good business reputation if:
- his or her activities or omissions have resulted in the bankruptcy of the service provider or another person subject to financial supervision or revocation of the activity license on the initiative of the financial supervision authority;
- he or she has committed a criminal offense of the first degree;
- the court has imposed a prohibition on acting or a prohibition on entrepreneurship;
- he or she is unable to organize the activities of the service provider in such a way that the interests of investors and customers are sufficiently protected;
- he or she has submitted false information to the Financial Intelligence Unit or failed to submit important information;
- he or she has been punished for an offense of economic, professional, property, or public trust and his or her corresponding punishment information has not been deleted from the punishment register pursuant to the Punishment Register Act or an international sanction has been applied to him or her.
- the contact person may not be the contact person or the head of a structural unit of another virtual currency service provider;
- a member of the management board may work as a contact person or as the head of a corresponding structural unit only in those virtual currency service providers where he or she is a member of the management board;
- a person that may acquire, hold and increase a qualifying holding shall have a good business reputation, strong financial position, ability to ensure that the service provider is able to comply with the own funds and asset management requirements, absence of reasonable doubt that the acquisition is related to money laundering or terrorist financing and absence of international sanctions.
Additionally, the amendment provides that the following documents and information must be provided to FIU:
- the amount of assets and the share capital as well as the documents certifying that;
- the applicant’s opening balance sheet and overview of income, expenses, profit, and cash flows and the underlying assumptions;
- a business plan:
- The information provided in the business plan should inform the supervisory authority about how the applicant intends to start providing the virtual currency service(s) within the first two years after the authorisation;
- This information will be necessary for the supervisory authority, inter alia, in relation to the later verification that the virtual currency service provider indeed starts the activity within six months after the authorisation. If the company fails to do so, the FIU will revoke the license;
- In addition, the business plan provides the supervisory authority with information on how the company intends to ensure compliance with the requirements of the license in the future.
- information concerning the information technology systems and other technological means and systems (as well as technological solutions required for the travel rule);
- information concerning the number of shares or units and votes acquired or owned by each shareholder, partner, or member;
- information concerning the audit firm of the applicant must be provided;
- information concerning persons who have a qualifying holding in the applicant;
- information concerning companies in which the applicant or a member of its management body holds more than 20 percent.
Grounds for refusal to grant the license
In addition, the draft AML Act introduces grounds for a refusal to grant a license to a virtual currency service provider. These are the grounds on which the FIU will have to exercise its discretionary powers. The grounds concern the ability of the FIU to exercise supervision, the legality of the origin of the paid-up share capital, compliance with internal rules, and the adequacy of the technological systems and resources. There is also a basis for the FIU not to issue an authorisation if the information provided by the company shows that it does not have the purpose of doing business in Estonia or that its business has no significant and genuine links with Estonia, other than the location of the place of business and the management board.
Obligation to audit the annual accounts
The draft AML Acts lays down the obligation to audit the annual accounts of a virtual currency service provider. The general requirements for mandatory auditing are laid down in the Auditors Activities Act (available here).
Travel rule and other protection methods
Currently, there is no obligation on virtual currency service providers to collect information on the recipient of the virtual currency transaction which is an inherent problem in the virtual currency service business and cannot be implemented by one service provider alone.
Under the draft AML Act, virtual currency service providers must also collect the name of the recipient of the transaction, along with the identifier of the payment account or virtual currency wallet, in their absence, the unique identifier of the transaction. The new information collection rule will make the responsibilities of virtual currency service providers equal to those of a bank and payment institution.
This amendment introduces an additional specific due diligence requirement for virtual currency service providers. The explanatory memorandum refers to the fact that, as transactions in virtual currencies are more anonymous than traditional money transfers, in June 2019, the FATF extended the “travel rule” requirement for payment services to virtual currency service providers. However, the explanatory memorandum fails to mention the fact that for the “travel rule” to be successfully implemented, it must be followed by other jurisdictions as well. Just one service provider alone cannot fulfill the “travel rule” requirements and thus, would be unable to comply with the legal obligations under Estonian law. The Estonian market is too small to cater for the “travel rule” implementation successfully.
Moreover, the draft AML Act sets out due diligence measures in case the recipient’s virtual wallet does not have a virtual currency service provider or the recipient’s virtual currency service provider is not able to receive or process the data. These measures apply to transactions involving un-hosted wallets, as well as where the virtual currency service providers serving the parties to the transaction use incompatible technical solutions or where one party does not use a suitable solution. Such situations will be common as long as there is no international agreement on common standards. As such text of the draft AML Act has been deliberately left open, allowing the virtual currency service providers to use the technical solutions that suit them best. The information must flow in the same direction as the virtual currency and without significant delay.
Supervision fee
The supervision fee consists of a capital component (1% of the share capital) and a volume component (0.035% of the total amount of transactions executed by the virtual currency service provider and initiated or received in the course of the provision of the service). The FIU will send instructions to the person concerned indicating the applicable supervision fee rate, the amount of the supervision fee due, and the due date for payment.
When and what should be done
Initially, this amendment was planned to come into force on 1st February 2022, and virtual currency service providers were supposed to bring their activities and documents into compliance with the amended AML Act by 18th March 2022 at the latest. However, due to the delayed process, the amendments to the current AML Act will have to come into force at a later date. Currently, the legislator has not indicated a new deadline for compliance. Likewise, the supervision fee was initially planned to be enforced from 1st April 2022, yet the legislator has not indicated a new date.
Despite the lack of concrete deadlines, virtual currency service providers should begin preparations to at least consider their ability to comply with the new requirements outlined in the draft AML Act.
New requirements under the draft Crowdfunding etc. Act
The draft Crowdfunding etc. Act aims to regulate innovative ways of raising capital, with the view to ensure a better investor protection regime. In other words, this draft legislation will likely regulate a significant part of the Estonian FinTech sector. In particular, the following entities are covered by the draft Crowdfunding etc. Act: crowdfunding platforms, including crowdfunding platforms providing consumer credit; cryptocurrency investment businesses, including virtual currency service providers; other operators offering alternative investment opportunities.
The most significant change is that, under the new act, supervision will move from the FIU to the Estonian Financial Supervision Authority (the EFSA).
Definitions of service provision and investment token
Virtual currency trading platform management services are included under the definition of virtual currency services. This means that platforms that do not offer exchange services but only offer intermediate virtual currency purchasing and sales transactions are also covered under the regulation.
Service provision is envisaged as being intertwined with crowdfunding services, as the new act includes a definition of an investment instrument as well as an investment instrument based on crypto-assets (investment tokens).
The definition of an investment instrument is very broad, including “securities not listed in the Securities Markets Act” as well as “instruments resembling securities”. Essentially, the goal is to define a non-MiFID instrument, which grants voting, profit distribution, or other similar rights conditionally inherent to shareholding or otherwise controlling an entity. With this proposed definition, the legislator leaves a very wide discretion to the EFSA in determining what activities constitute offering investment instruments, as well as creating great uncertainty for the market participants. In case of offering investment instruments to the public, a key information document (of up to 6 pages) should be drafted and published, including information on the obligations, financial standing, profits and losses, and future prospects of the issuer, as well as rights related to the offered instrument; relevant risks regarding both the issuer and the instrument, the terms of the offering and the use of proceeds. Each key information document needs to be submitted to the EFSA, and for any offerings of investment instruments above EUR 5 million, the registration of a key information document with the EFSA is required before the offering is published. Operators of platforms allowed to trade with investment instruments are also subject to licensing by the EFSA. Further, certain inside information requirements apply to issuers whose investment instruments can be traded, or if offerings exceed EUR 1 million per year.
Authorisation process
Once the Crowdfunding etc. Act comes into force, it is expected that the license granted under the AML Act will expire, meaning that all virtual currency service providers will have to apply for a new license under the Crowdfunding etc. Act. To apply for an authorisation, the service provider must submit documents to EFSA confirming that the service provider meets the requirements set out in the draft Crowdfunding etc. Act. In comparison to the current required documents, there is a new obligation for the applicant to provide the details of each payment account (e.g. IBAN, name of the institution), virtual wallet (e.g. unique identifier), or other instrument used by the service provider to receive or deposit money or funds from the customer.
If EFSA issues a decision not to grant authorisation, the applicant may submit a new application after three months.
Substantial differences of the draft Crowdfunding etc. Act
Once the Crowdfunding etc. Act enters into force, it will replace and invalidate certain provisions of the AML Act, especially the ones regulating the authorisation process. In general, the basic requirements for virtual currency service providers listed under the draft Crowdfunding etc. Act are quite similar to the requirements listed in the draft AML Act (see above). However, there are some substantial differences as well:
- Cross-border activities must be approved by EFSA:
- If the licensed virtual currency service provider wishes to operate abroad, including establishing a branch abroad or providing cross-border services abroad, the virtual currency service provider shall submit an application and relevant documents to the EFSA. The EFSA will then decide whether to approve the application or not within one month from the receipt of the required documents. The decision shall be made based on, among other things, the applicant’s financial state, organizational structure, and business plan.
- The cross-border provision of a service should be understood as an active supply of a product or service in any country other than Estonia (for example, provision of a service through an office or personnel located in a foreign country, the continuous disclosure of information in a foreign language, actively marketing the service to foreign nationals, etc).
- The virtual currency service provider must comply with an extensive list of consumer protection measures, here are some examples:
- The service provider must establish, through its internal rules, a workable and transparent procedure to deal reasonably and promptly with complaints from customers.
- The service provider must establish and publish on its website a policy on the processing of personal data.
- If the amount invested by the investor in a single investment project exceeds EUR 200, then the investment intermediary must provide for a pre-contractual cooling-off period (minimum of four calendar days) during which the investor may withdraw the offer without giving any reasons.
- A key information document must be drawn up for the offer of an investment instrument.
- Where an investment instrument offered (to the public) can be acquired or disposed of on a financial intermediary platform, the provisions on misuse of insider information and market manipulation apply.
- Requirements for keeping registrars:
- All investment instruments of one kind must be listed with the same registrar. However, in case the investment instruments are inherently different from each other, they can be listed with separate registrars (e.g. if a service provider offers crowdfunding instruments as well as blockchain instruments, it is permitted for this provider to register each of these instruments with separate registrars).
- Registrars can only be persons who are able to ensure the performance of the tasks specified in the law and the record-keeping agreement as stipulated in the act, in terms of the registrar’s activity’s level of organisational and technical management, the internal control measures applied to management and operational risks, their financial situation, the competence and experience of the employees concerned and other means. Therefore, the provision of registry-keeping services may be transferred to, among others, a credit institution, investment firm, payment institution, e-money institution, or a securities depository of a Member State, or another service provider under the act.
- Mandatory audit of the service provider’s annual accounts.
- List of investment token owners:
- Specifically for investment tokens, the list of investment token owners in the system based on secure technology must be public and the technology used must enable anyone to view the registrations. A system based on secure technology must ensure the digital presentation and disclosure of information about each investment token and its owners and restrictions, as well as the submission of all data on transactions made with the investment token, and their indefinite retention.
Supervision fee
The supervision fee consists of a capital component (1% of the highest minimum amount of share capital required by law for the activity indicated in the authorisation) and a volume component (0.1-1% of the commercial revenue).
When and what should be done
Under the draft, the information regarding the deadlines for existing license holders is conflicting. Due to delays in the legislative process, it can be expected that the deadlines will be updated. However, under the current version of the draft, a license granted under the AML Act will become invalid between 31 December 2022 and 1 July 2023. Therefore, a virtual currency service provider who holds a license issued on the basis of the AML Act and who wishes to continue the provision of services must submit an application to the EFSA to that effect in time before the license becomes invalid.
Concerns regarding the burdensome draft legislative acts
These amendments aim to, inter alia, address the weaknesses identified in the Estonian national risk assessment (the NRA). Accordingly, the NRA highlighted that the greatest risks of money laundering and terrorist financing are among the providers of virtual currency services which have soared due to shortcomings in the authorisation process, inadequate regulation of virtual currency licenses, and an excessively low entry threshold.
Be that as it may, the Estonian Ministry of Finance has clarified that, despite the proposed tougher regulation, Estonia does not plan to render the ownership of virtual currencies illegal. Likewise, the statements of the director of FIU that circulated in the media around October about revoking all licenses of the virtual currency service providers and forcing companies to reapply, have been rendered to be false. Nonetheless, as the license granted to virtual currency service providers under the AML Act is expected to expire soon after the Crowdfunding etc. Act comes to force, thereby forcing companies to apply for a new license under the Crowdfunding etc. Act, it seems that the idea expressed in these statements is still being implemented, just through less drastic measures.
Regardless, from a legal perspective, the new requirements introduced by both drafts are, without doubt, incredibly burdensome for the virtual currency service providers. It is expected that numerous companies that are unable to attain the new capital requirements or due diligence processes will be forced out of the market. Indeed, whereas the concern of the heightened risk of money laundering and terrorist financing in the area of virtual currency services is valid, it is important not to undermine the facilitation of innovation in Estonia along with the growth and development opportunities.
Got questions?
If you require further assistance, please feel free to contact our specialists:
- Senior associate Monika Tomberg, monika.tomberg@sorainen.com
- Associate Krista Ševerev, krista.severev@sorainen.com
- Assistant Lawyer Jaanika Vainula, jaanika.vainula@sorainen.com