On March 15th, 2022, amendments to the Estonian Money Laundering and Terrorist Financing Prevention Act came into force.
The amendments target Virtual Assets Service Providers (VASPs) operating in Estonia. These include:
For an exact list, check out the next section of the article.
Since 2020, VASPs are regulated the same way as financial institutions. Accordingly, they’re required to follow the AML Act and verify their users. Also, VASPs can only operate in Estonia if they have a license from the Financial Intelligence Unit (FIU).
Estonia is one of the first jurisdictions to change its legislation to comply with the FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.
The amendments introduced the FATF Travel Rule, provided stricter licensing demands and expanded the scope of the AML Act to cover new virtual currency services. Click the toggles for more details.
Before: The term only included virtual currency exchanges and wallet services.
After: Definition of the term “virtual currency service” is expanded to include:
Taking into account the Explanatory Note to the draft Law, the following businesses may now fall under the VASP category and be obliged to comply with AML and licensing requirements:
To decide whether they are considered VASPs, businesses should follow the FATF’s functional approach to each definition.
Under this approach, businesses are required to analyze the services they offer and not solely rely on the terminology they use to describe themselves. For instance, they must take into account what transactions are performed to provide their service, who are the parties, and how virtual currency ownership changes as a result of the transaction.
Before: The fee for a VASP license was €3,300 and the share capital minimum was €12,000.
After: The proposed regulation requires an even higher license fee, plus some additional fees for providers. Here’s what’s changed:
The draft law required funds belonging to VASPs to correspond with the share capital minimum or to the sum calculated in accordance with the methodology provided in the §72² of the Act, whichever is greater.
Before: The AML Act required businesses to submit information about their service, internal rules and procedures, and more (see the full list in §70 of the AML Act).
After: Businesses must provide additional information and documents to get a license. These include:
The full list can be found in §70 (32) of the law. If a provider wants to use the license for subsidiaries, it must submit the same information about them.
Before: The FIU demanded proof of the board of directors’ level of education, work experience, nature of earlier posts, etc.
After: The new regulation specifies these requirements for the management board and contact persons. Here are the two main demands:
As in the previous updates, members of the management body can’t have a bad business reputation or any unexpired conviction for a criminal offense.
Before: A business could be denied a license due to a lack of AML procedures, payment account(s) in Estonia, and more.
After: The amendments introduce additional grounds for VASP licensing refusal. These include:
The full list can be found in §72 of the law.
The FIU decides whether to grant a license within 60 working days of receipt of all required documents and information.
A business, members of its management body, or holders of a qualifying holding won’t be allowed to apply for a new license within two years from the date of revocation of an existing license or refusal by the FIU to grant a license.
Before: A license could be revoked due to repeated failures to follow the demands of the FIU or due to non-compliance that is not addressed within a given time limit (the AML Act, §75).
After: Additional grounds for revocation are introduced, including:
The full list of grounds for license revocation can be found in §75 (1st and 2nd parts) of the Act. If VASPs don’t bring their activities into compliance with the amendments, the FIU can revoke their license.
Before: The Travel Rule applied only to banks and other financial institutions.
After: VASPs are required to follow the FATF Travel Rule. Under the Rule, providers must gather data on the originator of a transaction and share it with the service provider of the recipient of the transaction when completing a virtual currency exchange or transfer.
The information that VASPs must collect on the originator slightly differs between natural and legal persons. For natural persons, it includes:
For legal persons, it includes:
VASPs will be required to retain documents that they gathered in compliance with the Travel Rule.
It’s the duty of the management board to bring their business into compliance by June 15th, 2022. Also, they are to submit an audit report on compliance with the requirements regarding the business’s own funds by January 1st, 2023. This auditing obligation applies to a VASP’s annual accounts for the periods beginning on March 10th, 2022 or later.
For those who overlook the new requirements, non-compliance with the AML Act can lead to the revocation of their license.
The amended AML Act also adds three new offenses:
These violations can lead to a fine of up to 300 fine units (one fine unit equals €4) for a natural person and a fine of up to €400,000 for a legal person.
As we stated above, under the amendments, some decentralized platforms may fall under the new regulation. The Explanatory Note to the draft law clarified this provision to help companies evaluate whether they would be considered a VASP.
In line with Explanatory Note to the Draft law:
“the application used is not a virtual currency service provider, but creators, owners, administrators, and other persons who have influence or control over the terms and conditions of the service or other parameters may be obligated persons, even if the provision of the service is organised in a decentralised manner and/or some processes are automated.”
Also, “a person who creates and/or sells a software application or a platform for offering and/or trading virtual currency may not be a virtual currency service provider if their activity is limited to creating and/or selling the application and/or platform. However, as a rule, a party who supervises the creation and development of a software or platform for the purpose of providing virtual currency services also qualifies as a virtual currency service provider, especially if it retains control or sufficient influence over the virtual currency, software, protocol, platform or business relationship with users of the software, even if this is done through a smart contract.”
The Explanatory Note (Seletuskiri) can be found here.