How the New Estonian AML Act Affects Virtual Currencies

On March 15th, 2022, amendments to the Estonian Money Laundering and Terrorist Financing Prevention Act came into force.

June 15th, 2022 is the deadline for licensed virtual currency service providers to bring their operations and documents into compliance.

Who’s affected

The amendments target Virtual Assets Service Providers (VASPs) operating in Estonia. These include:

• crypto exchanges and wallets;
• crypto transfer providers;
• services related to issuance of virtual currency.

For an exact list, check out the next section of the article.

Since 2020, VASPs are regulated the same way as financial institutions. Accordingly, they’re required to follow the AML Act and verify their users. Also, VASPs can only operate in Estonia if they have a license from the Financial Intelligence Unit (FIU).

What’s changed

Estonia is one of the first jurisdictions to change its legislation to comply with the FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.

The amendments introduced the FATF Travel Rule, provided stricter licensing demands and expanded the scope of the AML Act to cover new virtual currency services. Click the toggles for more details. 

Expanded definition of “virtual currency service”

Before: The term only included virtual currency exchanges and wallet services.

After: Definition of the term “virtual currency service” is expanded to include:

• Virtual currency transfer services;
• Services related to the issuance of virtual currency, i.e. the organization of its public or directed offer, sale, or the provision of related financial services.

Taking into account the Explanatory Note to the draft Law, the following businesses may now fall under the VASP category and be obliged to comply with AML and licensing requirements:

• Any intermediaries between buyers and sellers and services that bring buyers and sellers together (brokerage services, order-book exchange services, etc.);
• Decentralized platforms, such as P2P or DeFi platforms. In cases where there’s no legal entity, the individual who set up or developed the platform, or who has any additional rights or controls over the platform will be considered a VASP (see the explanations here);
• Services who delegate any transactions to third parties (all business partners in this case will be considered VASPs);
• ICO platforms and other similar services, such as ISO and TGE, provided by the issuer itself or any third parties that help to market, sell or distribute virtual assets.

To decide whether they are considered VASPs, businesses should follow the FATF’s functional approach to each definition.

Under this approach, businesses are required to analyze the services they offer and not solely rely on the terminology they use to describe themselves. For instance, they must take into account what transactions are performed to provide their service, who are the parties, and how virtual currency ownership changes as a result of the transaction.

Sumsub helps crypto businesses stay compliant with ever-changing AML requirements. Take a look at what we can offer.

License and operational fees

Before: The fee for a VASP license was €3,300 and the share capital minimum was €12,000.

After: The proposed regulation requires an even higher license fee, plus some additional fees for providers. Here’s what’s changed:

• The administrative fee for a new VASP license is increased to €10,000;
• The administrative fee for a change in crypto activity is €4,000;
• Share capital minimum is now €100,000 for wallet services, exchanges, and ICO and similar platforms; for transfer services, it’s €250,000;

The draft law required funds belonging to VASPs to correspond with the share capital minimum or to the sum calculated in accordance with the methodology provided in the §72² of the Act, whichever is greater.

License application requirements

Before: The AML Act required businesses to submit information about their service, internal rules and procedures, and more (see the full list in §70 of the AML Act).

After: Businesses must provide additional information and documents to get a license. These include:

• Financial information such as assets and share capital size, an overview of income, cash flows, and more;
• A two-year business plan that includes a description of the nature of the applicant’s business activities, organizational and management structure, etc.;
• Documentation of risk appetite and risk assessment;
• Information on the technology systems used for the provision of the planned services, including a description of the security measures, business continuity measures and the level of technical organization;
• Description of the information technology systems to be used for identification and monitoring of transactions, customers and their beneficial owners, as well as for the transmission of information necessary for the performance of the Travel rule obligation;
• Information on the applicant’s financial audit firm that checks their funds. Businesses should also appoint and provide information on an internal auditor that will check AML systems and procedures, good practices, and decisions of the management bodies;
• Information on the number of shares and votes that are acquired or owned by each shareholder.

The full list can be found in §70 (32) of the law. If a provider wants to use the license for subsidiaries, it must submit the same information about them.

Updated requirements for the management board

Before: The FIU demanded proof of the board of directors’ level of education, work experience, nature of earlier posts, etc.

After: The new regulation specifies these requirements for the management board and contact persons. Here are the two main demands:

• Board members must have higher education and at least two years of professional work experience;
• A member of the management board may not hold this position at more than two VASPs.

As in the previous updates, members of the management body can’t have a bad business reputation or any unexpired conviction for a criminal offense.

Grounds for license refusal

Before: A business could be denied a license due to a lack of AML procedures, payment account(s) in Estonia, and more.

After: The amendments introduce additional grounds for VASP licensing refusal. These include:

• There is doubt as to the legal origin of the share capital;
• The business doesn’t intend to operate in Estonia or has no significant connections with Estonia (it’s not enough to have a place of business or a management board in the country);
• The internal rules are insufficient considering the nature and complexity of the business activity;
• Information technology systems and other technological means are insufficient for the provision of service;
• A license previously granted to an entity or a holder of a qualifying holding was revoked.

The full list can be found in §72 of the law.

The FIU decides whether to grant a license within 60 working days of receipt of all required documents and information.

A business, members of its management body, or holders of a qualifying holding won’t be allowed to apply for a new license within two years from the date of revocation of an existing license or refusal by the FIU to grant a license.

Grounds for license revocation

Before: A license could be revoked due to repeated failures to follow the demands of the FIU or due to non-compliance that is not addressed within a given time limit (the AML Act, §75).

After: Additional grounds for revocation are introduced, including:

• A VASP is inactive longer than six consecutive months;
• A VASP has chosen Estonia as a place for license application and registration in order to avoid stricter AML requirements in a foreign country where it actively operates;
• A VASP publishes wrong or misleading information or advertisement about its activity;
• A VASP is engaged in money laundering or terrorist financing or has violated international sanctions.

The full list of grounds for license revocation can be found in §75 (1st and 2nd parts) of the Act. If VASPs don’t bring their activities into compliance with the amendments, the FIU can revoke their license.

The “Travel rule” for VASPs

Before: The Travel Rule applied only to banks and other financial institutions.

After: VASPs are required to follow the FATF Travel Rule. Under the Rule, providers must gather data on the originator of a transaction and share it with the service provider of the recipient of the transaction when completing a virtual currency exchange or transfer.

The information that VASPs must collect on the originator slightly differs between natural and legal persons. For natural persons, it includes:

• Name;
• Unique identifier of the transaction;
• Identifier of the payment account or virtual currency wallet identifier;
• Name and number of the identity document and personal identification code, or date and place of birth and residential address.

For legal persons, it includes:

• Name;
• Unique identifier of the transaction;
• Identifier of the payment account or the virtual currency wallet identifier;
• Registry code or, in the absence thereof, the relevant identifier of the country of the residence (a combination of numbers or letters equivalent to a registration number);
• Place of business.

VASPs will be required to retain documents that they gathered in compliance with the Travel Rule.

To onboard more customers, increase revenue, and comply with the Estonian regulation, try Sumsub’s remote verification solution. Request a demo today.

Sanctions for non-compliance

It’s the duty of the management board to bring their business into compliance by June 15th, 2022. Also, they are to submit an audit report on compliance with the requirements regarding the business’s own funds by January 1st, 2023. This auditing obligation applies to a VASP’s annual accounts for the periods beginning on March 10th, 2022 or later.

For those who overlook the new requirements, non-compliance with the AML Act can lead to the revocation of their license.

The amended AML Act also adds three new offenses:

• Opening of an anonymous account, savings book, wallet, or purse of virtual currency;
• Breach of own funds requirements;
• Violations of the obligations of a VASP, such as failure to establish or control information related to the originator of a transaction.

These violations can lead to a fine of up to 300 fine units (one fine unit equals €4) for a natural person and a fine of up to €400,000 for a legal person.

Explanatory note on the regulation of decentralized platforms

As we stated above, under the amendments, some decentralized platforms may fall under the new regulation. The Explanatory Note to the draft law clarified this provision to help companies evaluate whether they would be considered a VASP.

In line with Explanatory Note to the Draft law:

“the application used is not a virtual currency service provider, but creators, owners, administrators, and other persons who have influence or control over the terms and conditions of the service or other parameters may be obligated persons, even if the provision of the service is organised in a decentralised manner and/or some processes are automated.”

Also, “a person who creates and/or sells a software application or a platform for offering and/or trading virtual currency may not be a virtual currency service provider if their activity is limited to creating and/or selling the application and/or platform. However, as a rule, a party who supervises the creation and development of a software or platform for the purpose of providing virtual currency services also qualifies as a virtual currency service provider, especially if it retains control or sufficient influence over the virtual currency, software, protocol, platform or business relationship with users of the software, even if this is done through a smart contract.”

The Explanatory Note (Seletuskiri) can be found here.

Need quick and easy video identification to onboard users in Estonia? Check out Sumsub’s video interviews designed to nail fraudsters and onboard honest users in just 3-5 minutes.