Cryptocurrency license requirements in Estonia (2022 updates)
The changes to Estonian AML Act were approved by the Parliament on 23rd of February. The new AML rules will come into effect by 15th of March 2022 and the state fee for obtaining the license will be 10 000€.
As of 8 March 2022, 394 valid licenses for the provision of virtual asset services had been issued in Estonia. These licensed service providers have until 15th of June 2022 to bring their activities into line with the new regulation. Which means modifying and submitting all existing and new supportive documentation to the Financial Intelligence Unit (FIU). Failure to do so will result in the revocation of the licenses. All the companies with valid licenses will also have to pay the state fee of 4000€ for making the changes in their license application.
Main changes are following:
1. Share capital of a virtual currency service provider must be a minimum of:
· 100 000 euros for virtual currency wallet and exchange services and for the organizations of a public or direct offer or sale or the provision of related financial services on behalf of an issuer involved in the issuance of virtual currency (including ICOs).
· 250 000 euros for transfer services. A virtual currency transfer service is a service that allows a transaction to be made at least in part electronically through a virtual currency service provider on behalf of the originator for the purpose of transferring the virtual currency to the recipient’s virtual currency wallet or account. Transfer service is considered as any kind of transfer between two wallets so if the crypto exchange offers account withdrawals off-exchange in cryptocurrencies, this transaction is also a transfer service because the funds move from wallet A to wallet B.
All service providers will be required to have a minimum of 100 000 or 250 000 euros of share capital, depending on the type of service offered, increased from the currently required 12 000 euros.
Undertakings that are issuers of virtual currency are not required to apply for a license, but only persons who provide a public or directed offer or sale organization service related to the issuance of virtual currency.
Services that require license:
Virtual Currency Wallet Service
A virtual currency wallet service is a service that creates or maintains encrypted keys for customers that can be used to store, store and transfer virtual currencies.
Virtual Currency Exchange Service
A virtual currency exchange service is a service in which a person exchanges a virtual currency for money or money for a virtual currency or one virtual currency for another.
Virtual Currency Transfer Service
The purpose of the transfer service is to transfer virtual currency from one customer to another. This means that a person does not provide a wallet or exchange service, but mediates the movement of virtual currency from one person to another. As part of the transfer service, the virtual currency service provider enters into a transaction on behalf of a natural or legal person, within the framework of which the virtual currency moves from one virtual currency wallet or from one account to another. The service includes all services that enable a person using the service to transfer ownership, possession, other control over the virtual currency or the opportunity to benefit from the virtual currency to other persons.
Issuing a virtual currency (ICO)
Issuing Virtual Currency — Virtual currency can be issued and / or transferred using spreadsheet or block chain technology. One mechanism for distributing such assets is an event commonly referred to as an ICO (initial coin offering). In an ICO, the issuer or PR engine usually offers virtual currency for sale for cash or another virtual currency. An ICO may be involved in raising money for a project. At the time of the offer, issuers or other persons associated with the ICO may allow buyers of the virtual currency the opportunity to earn income from changes in the price of the virtual currency or the execution of the project. Once issued, the virtual currency may be resold on the secondary market.
2. The following information and documents shall be submitted:
1) the amount of the share capital of the assets and the documents certifying the share capital contribution. The share capital contribution needs to be done by monetary payment to an active company bank account. This also includes updating of the Articles of Association and company information in the Commercial Registry. The share capital payment should be paid to the company bank account from the shareholders’ personal bank account.
2) opening balance sheet and overview of income, expenses, profits and cash flows and the underlying assumptions or, in the case of an operating company, the balance sheet and profit and loss account at the end of the month preceding the application for an activity license;
3) a business plan for at least two years (from the submission date).
The business plan of a virtual currency service provider shall contain a description of the nature of the proposed business activities, organizational structure and management structure and a description of the rights, obligations and responsibilities of persons involved in the provision of planned services, as well as a description, forecast and analysis:
· the amount of income and expenses by fields of activity;
· obligations related to the provision of services;
· the amount of the applicant’s assets and share capital;
· strategy, competitors and planned market share;
· the planned activities, the services provided, the products offered and the expected customers, including the expected share of customers resident in Estonia and other countries, and the volumes of the services provided;
· plans of balance sheets and financial indicators, which set out, inter alia, the income, expenses, profit and cash flows and the assumptions on which they are based;
· general principles of risk management and risk management strategy;
· intermediaries and other persons and services used in the business activities of the applicant;
4) risk appetite statement and risk assessment;
5) a description of the IT systems and other technological means and systems necessary for the provision of the planned services, including a description of the security measures used to ensure the continuity of the service and the protection of customer assets, a description of business continuity measures and the level of technical organization;
6) a description of the IT systems and other technological means used in the provision of the planned services by which the service provider ensures the transmission of information and identification of the customer and its actual beneficiaries, including the identification and immediate notification of circumstances characterizing a higher risk and suspicious transactions. There is no required format of the descriptions that must be submitted.
7) information concerning companies in which a member of the management body holds more than 20 per cent, the information includes the name, location, registry code and number of shares owned by a member of the management body.
Please keep in mind that all original documents must be accompanied by documents with an Estonian translation!
*The full list of the documents can be found in §70 of the Act.
If a service provider wants to use subsidiaries, it must submit the same information about them.
3. The own funds of a virtual currency service provider shall at all times correspond to one of the following amounts, whichever is greater:
1) the amount of share capital;
2) the amount of own funds calculated in accordance with the calculation methodology below:
· If the service provider provides only the wallet and ICO services, the own funds of the service provider shall not be less than 25 per cent of the fixed overheads of the previous financial year. Overheads are reviewed annually.
· If a service provider provides the transfer or exchange services, the own funds of the service provider shall be at least equal to the sum of the following volumes:
i. 4 percent of the part of the volume of transactions entered into within the framework of the provision of services which is up to or equal to 5 million euros;
ii. 2.5 percent of the portion of the volume of transactions entered into in the framework of the provision of services which exceeds 5 million euros but does not exceed 10 million euros;
iii. 1 percent of the portion of the volume of transactions entered into in the framework of the provision of services which exceeds 10 million euros but does not exceed 100 million euros;
iv. 0.5 per cent of the portion of the volume of transactions entered into in the framework of the provision of services which exceeds 100 million euros but does not exceed 250 million euros;
v. 0.25 per cent of the part of the volume of transactions made within the framework of the provision of the service which is more than 250 million euros.
4. Service providers are required to implement real-time risk analysis.
Accounts opened with Estonian virtual assets service providers cannot be anonymous and service providers cannot offer anonymous accounts or wallets. This is a simplified version of the FATF (Financial Action Task Force) “Travel Rule”. Under the “Travel Rule”, providers must gather data on the originator of a transaction and share it with the service provider of the recipient of the transaction when completing a virtual currency exchange or transfer.
The data collected and passed along with the transaction is as follows:
For natural persons (individuals):
· Full name;
· Payment account, virtual asset wallet identifier or, if not applicable, a unique identifier of the transaction;
· Personal identification code (if available) — an Estonian unique personal identification system that derives from the date of birth;
· Date of birth, if no personal identification code is available;
· Place of birth, if no personal identification code is available;
· Name and number of their identity document (passport, ID card);
· Residential address.
For legal persons (companies, etc):
· Full legal/business name;
· Payment account, virtual asset wallet identifier or, if not applicable, a unique identifier of the transaction;
· Estonian registry code; if not applicable, a registry or identification code of the resident country;
· Address where business is conducted.
According to the regulation if the recipient’s virtual currency wallet does not have a virtual currency service provider or the recipient’s service provider is unable to receive or process data, the originator’s virtual currency service provider shall ensure real-time monitoring of transactions and risk analysis of each transaction using a dedicated technology solution. The virtual currency service provider shall store the data in such a way that it can be provided without delay upon request by the supervisory or investigating authority. That meant the companies could also use the automated crypto transaction monitoring systems for doing the real-time risk analysis. If it is not possible to share information with the recipient’s service provider, the service provider must simply store transaction data and monitor all the transactions live to stop any suspicious transactions from occurring.
The virtual currency service provider shall keep the documents, copies of documents and data related to the fulfillment of obligations for five years after the termination of the business relationship with the client.
5. More attention will be paid to the company’s connection with Estonia and the company’s actual place of business.
Place of business and management board members must be in Estonia. The FIU has the right to refuse to issue a virtual currency activity license if the information provided by the company shows that its purpose is not to operate in Estonia, or its business has no connections with Estonia other than the Estonian location and the members of the management board located in Estonia.
This requirement was added since currently most service providers licensed by Estonia have only a weak relationship with Estonia. The analysis concluded by the FIU indicated that many service providers have only a few employees, if any, in Estonia and their client base consists of a marginal share of Estonian clients.
6. The service provider’s annual reports will have to be audited.
The audit obligation applies to the virtual currency service provider’s annual reporting periods beginning on or after March 10, 2022. For the companies whose fiscal year begins earlier than March 10, 2022, the auditing obligation shall be applied from 2023 onward, but if the company’s fiscal year starts after March 10, 2022, the auditing obligation is applied right away.
The audit must be done by an association of sworn auditors or a self-employed sworn auditor. The audit firm shall verify compliance with the own fund’s requirements established by the virtual currency service provider as of the balance sheet date and submit an opinion to the virtual currency service provider and the FIU by the deadline for submission of the respective annual report of the virtual currency service provider.
Please keep in mind that internal and external audit must be provided by two different service providers!
7. The service provider shall appoint an internal auditor to perform the tasks of the internal audit activity.
The virtual currency service provider shall implement adequate internal control measures covering all levels of management and operations of the virtual currency service provider.
The requirements and legal bases for the activities of a certified internal auditor apply to the internal auditor. A certified internal auditor is a person who has passed the special part of internal auditors and the sub-part of the certification of internal auditors of the professional examination and who has been awarded the qualification of an internal auditor by a decision of the minister responsible for the area.
The internal auditor shall not perform any duties which give rise to or may give rise to a conflict of interests.
The task of the internal auditor is to check the compliance of the activities of the virtual currency service provider and its managers and employees with the legislation, precepts of the FIU, decisions of the management bodies, internal rules, agreements entered into by the virtual currency service provider and good practice.
In practice, this means that service providers must use the “three lines of defense” internal control system, required from other financial service providers as well.
State fee
The state fee for obtaining the license is 10 000 euros and a state fee of 4,000 euros shall be paid for the review of an application for the amendment of an activity license in the field of virtual currency. No state fee shall be charged for the review of an application for change if the change is limited to the change of the address data of the location of the company within Estonia.
Recent updates that are still applicable:
Currently the main requirements for cryptocurrency license holders are:
· Management board member and AML officer must reside in Estonia;
· A minimum of 12 000€ share capital;
· Passport copies and non-criminal records from all countries of citizenship;
· CV-s (resumes) and education info for all participants in the company;
· Physical presence in Estonia including the office space;
· Information about company bank account including bank name and IBAN code in the European Economic Area(EEA). The account needs to be opened at a traditional bank or e-money institution or payment service provider operating officially in the EEA and approved by the Estonian Financial Supervision and Resolution Authority(FSA);
· The description of services and the document describing management board member activities;
· AML internal procedures that are compliant with the AML regulations.
The analysis made by the FIU indicated that the legislative amendments made in 2020 did not fulfil their purpose. Therefore the authority decided to add new and stricter requirements.
Management board member
A member of the board of a virtual currency service provider must have a university degree and at least two years of professional experience.
A member of the management board may not hold the position of more than two members of the management board of a virtual currency service provider.
All management board members must be located in Estonia. The management board member is a person who will be personally responsible for the company’s activities and that is why he/she needs to have a clear background and abilities to represent your company with the FIU.
As in the previous updates, members of the management body can’t have a bad business reputation or any unexpired conviction for a criminal offense.
AML Officer
The AML officer is responsible for all reporting and communication with the Estonian FIU. Only a person who possesses the education, professional aptitude, required abilities, personal qualities and experience and impeccable reputation may be designated as an AML officer. When applying for a cryptocurrency license, an AML Officer is required for every company. The appointment of the AML officer shall be coordinated with the FIU.
Responsibility areas:
· Assuring company’s compliance with Anti Money Laundering regulations, including drafting necessary internal regulations and applications to be submitted to regulating authorities.
· The organization of the collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing, which have become evident in the activities of the company.
· Reporting to the FIU in the event of suspicion of money laundering or terrorist financing.
· Performance of other duties and obligations related to compliance with the requirements of the Money Laundering and Terrorist Financing Prevention Act.
· Monitoring and implementation of an ongoing AML training program for other employees.
According to the new law, the contact person of a virtual currency service provider may not be the contact person of another virtual currency service provider or the head of a structural unit. A member of the management board of a virtual currency service provider may work as a contact person or head of the respective structural unit only in those virtual currency service providers where he or she is a member of the management board.
Non-criminal records extract
Non-criminal record should be issued by local police/authority and can’t be older than 3 months. It also needs to be certified and translated into English.
In situations where it is not possible to obtain a countrywide statement of the absence of criminal records (like it is with the US citizens), it will be possible to submit a statement under oath made at the notary in Estonia claiming that the required person is absent of criminal offences.
Transferability of activity license
The activity license shall not be transferable to another person. The activity license shall be revoked if the service provider merges with the establishment of a new entity or merges and the acquiring entity continues to operate as a service provider.
The FIU has the right to refuse to issue an activity license in the field of virtual currency if:
· a significant connection between the undertaking and another person impedes the exercise of adequate supervision over the applicant or it is impeded due to the requirements arising from the legislation of the other state with which the applicant has a significant connection or the implementation thereof;
· The business doesn’t intend to operate in Estonia or has no significant connections with Estonia (it’s not enough to have only an office space, management board and AML officer in Estonia);
· the internal rules are not sufficient, proportionate and unambiguous considering the nature, extent and degree of complexity of the activities of the applicant or are in conflict with applicable law;
· Information technology systems and other technological means are insufficient for the provision of service;
· there is doubt as to the legal origin of the share capital;
· A license previously granted to an entity or a holder of a qualifying holding was revoked.
*The full list can be found in §72 of the AML Act.
The license can be revoked if:
· Service provider is inactive longer than six consecutive months;
· The company has chosen Estonia as a place for license application and registration in order to avoid stricter AML requirements in a foreign country where it actively operates;
· Service provider publishes wrong or misleading information or advertisement about its activity;
· the amount of own funds of the virtual currency service provider does not comply with the requirements provided by law;
· A company is engaged in money laundering or terrorist financing or has violated international sanctions.
*The full list of the grounds for license revocation can be found in §75 of the Act.
If service providers don’t bring their activities into compliance with the proposed amendments and do not submit all the necessary documents, the FIU will also revoke their license.
A business, members of its management body, or holders of a qualifying holding won’t be allowed to apply for a new license within two years from the date of revocation of an existing license or refusal by the FIU to issue a license.
Submission of the application
The application can be submitted through Consumer Protection and Technical Regulatory Authority webpage.
The FIU decides whether to grant a license within 60 working days of receipt of all required documents and information.
The virtual currency service provider can no longer give notice of temporary withdrawal.
If you’re interested in obtaining the crypto license, please get in touch with us via our webpage or write directly to tallinn@comistar.com.
