How The New Estonian AML Act Affects Virtual Currencies

How The New Estonian AML Act Affects Virtual Currencies

On September 21st, 2021, the Estonian Ministry of Finance published a draft law to amend the Money Laundering and Terrorist Financing Prevention Act (the AML Act). The law is now undergoing inter-agency consultations, but it is set to go into force on February 1, 2022.

The deadline for regulated crypto firms to put their operations and paperwork into conformity with New Estonian AML Act is March 18th, 2022. In this post, we examine the Ministry of Justice’s most recent modifications, which were announced on December 21st, and provide a full explanation of the significant changes.

The high points

  1. Who’s affected
  2. What’s changed
  3. Sanctions for non-compliance

Who’s affected

The New Estonian AML Act affects virtual currencies and are aimed at Estonian Virtual Assets Service Providers (VASPs), such as crypto exchanges and wallets. Decentralized platforms, initial coin offerings (ICOs), and some other services will be included in the VASP category if the law is enacted.

Since 2020, VASPs have been subject to the same regulations as financial institutions. As a result, they must adhere to the AML Act and verify their users’ identities. In addition, VASPs can only operate in Estonia if they obtain the Financial Intelligence Unit (FIU).

What’s changed with new Estonian AML Act

Estonia is one of the first jurisdictions to change its legislation to comply with the FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.

The modifications include the FATF Travel Rule, tighter license requirements, and an expansion of the AML Act’s reach to include new virtual currency businesses. We’ve compiled a list of the most significant changes.

  • The term “virtual currency service” has been defined more broadly.

Before: The term only included virtual currency exchanges and wallet services.

After: Definition of the term “virtual currency service” in New Estonian AML Act is expanded to include:

  • Virtual currency transfer services;
  • Services relating to virtual currency issue, such as the formation of a public or directed offer, sale, or supply of related financial services.

As a result, the following firms are now considered VASPs and must adhere to AML duties and license requirements:

  • Any intermediaries between buyers and sellers, as well as intermediary services (brokerage, order-book exchange, and so on);
  • Decentralized systems, such as peer-to-peer (P2P) or decentralized wireless (DeFi).
  • Services that delegate any transactions to other parties (in this case, all business partners will be considered VASPs);
  • Issuer-provided ICO platforms and other comparable services, such as ISO and TGE, that assist in the marketing, sale, or distribution of virtual assets;

Businesses should use the FATF’s functional approach to each definition to determine if they are VASPs.

Businesses must assess the services they provide under this method, rather than relying primarily on the words they use to define themselves. For example, they must consider what transactions are carried out to deliver their service, who the participants are, and how the ownership of the currency changes as a result of the transaction.

  • License and operational fees

Before: A VASP license cost €3,300, and a minimum share capital of €12,000 was required.

After: The proposed rule calls for a higher licensing price, as well as certain extra provider fees. What has changed is as follows:

  • The administrative fee for a VASP license will be increased to €10,000;
  • Share capital minimum will be €125,000 for wallet services, exchanges, and ICO and similar platforms; for transfer services, it will be €350,000;
  • Beginning April 1, 2022, a FIU supervision fee of 1% of share capital and 0.035 percent of the total amount of started and accepted transactions in the process of providing virtual currency transfer services will be charged.
  • The proposed law required VASP funds to equal the share capital minimum or the sum calculated using the technique outlined in section 722 of the Act, whichever was greater.
  • License application requirements

Before: Businesses were obliged to disclose information about their service, internal rules and processes, and more under the AML Act (see the entire list in section 70 of the Act).

After: To obtain a license, businesses must offer further information and papers. These are some of them:

  • Financial data including as assets and share capital, as well as an overview of income and cash flows;
  • A business plan outlining the applicant’s activities, organizational and managerial structure, and other pertinent information;
  • Documentation of risk appetite and risk assessment;
  • Details on the technological systems that will be used to supply the proposed services, including a description of security measures, business continuity plans, and the level of technical organization;
  • A description of the information technology systems that will be utilized to identify and monitor transactions, customers, and their beneficial owners, as well as to transmit information required to fulfill the Travel Rule duty;
  • Information regarding the applicant’s financial auditing company, which conducts financial audits. Businesses should also name and disclose an internal auditor who will examine AML systems and procedures, as well as best practices and management decisions.
  • Information on the number of shares and votes that are acquired or owned by each shareholder.

The whole list may be found on page 70 of the proposed legislation. If a provider wants to use subsidiaries, the same information must be filed for them as well.

Updated requirements for the management board

Before: The FIU wanted verification of the board of directors’ education, professional experience, and previous positions, among other things.

After: These obligations for the management board and contact individuals are spelled out in the new rule. The two primary demands are as follows:

  • Members of the board must have a bachelor’s degree and at least two years of professional job experience.
  • A member of the management board may not hold more than two positions in a VASP.

As mentioned in previous editions, members of the management body cannot have a bad business reputation or an unresolved criminal term.

Grounds for license refusal

Before: A business could be denied a license due to a lack of AML procedures, payment account(s) in Estonia, and more.

After: The amendments introduce additional grounds for VASP licensing refusal. These include:

  • There is doubt as to the legal origin of the share capital;
  • The company has no plans to operate in Estonia or has no major ties to the nation (having a place of business or a management board in Estonia isn’t enough);
  • Given the nature and complexity of the company activity, the internal rules are insufficient.
  • A license previously granted to an entity or a holder of a qualifying holding was revoked.

The whole list may be seen on page 72 of the proposed legislation. The FIU chooses whether or not to grant a license within 60 working days of receiving the necessary papers and information.

Within two years of an existing license being revoked or the FIU refusing to issue a license, a firm, members of its management body, or holders of a qualifying holding will not be allowed to apply for a new license.

  • Grounds for license revocation

Before: A license might be canceled if a person repeatedly fails to comply with the FIU’s demands or if non-compliance is not handled within a certain time limit (the AML Act, section 75).

After: Additional grounds for revocation are introduced, including:

  • A VASP is inactive longer than six consecutive months;
  • A VASP has chosen Estonia as the location for its license application and registration in order to avoid having to comply with harsher anti-money laundering regulations in a foreign nation where it operates;
  • A VASP publishes wrong or misleading information or advertisement about its activity;
  • A VASP has breached international sanctions or is involved in money laundering or terrorist funding.

The Act’s sections 75 (1st and 2nd parts) include a complete list of causes for license revocation. The FIU will cancel VASPs’ licenses if they do not bring their activities into accordance with the proposed modifications and submit all required papers.

  • The “Travel rule” for VASPs

Before: The Travel Rule applied only to banks and other financial institutions.

After:  The FATF Travel Rule must be followed by VASPs. When executing a virtual currency exchange or transfer, providers must collect data about the originator and beneficiary of the transaction and communicate it with all parties involved.

The information that VASPs must gather about the originator vary somewhat depending on whether the originator is a natural or legal person. It comprises the following for natural persons:

  • Name;
  • Payment account or virtual currency wallet identifier (if these are absent, a unique identifier of the transaction);
  • Personal identification code;
  • Date of birth;
  • Name and number of the identity document;
  • Place of birth and address of residence.

For legal persons, it includes:

  • Name;
  • Payment account, virtual currency wallet identifier, or a unique identifier of the transaction;
  • Registry code (if absent, a relevant identification code of the country of location);
  • Address of location.

VASPs must collect the same information on both natural and legal persons as they do on the transaction’s receiver. It contains the name of the user as well as the payment account or virtual currency wallet identity.

VASPs will be required to keep records acquired in accordance with the Travel Rule for a period of time.

Sanctions for non-compliance

The goal of these changes is to lower the dangers associated with virtual currency. The management board is responsible for bringing their company into conformity by March 18th and submitting an audit report by August 15th, 2022.

Noncompliance with the AML Act might result in the cancellation of a license for those who ignore the new regulations.

The amended New Estonian AML Act also adds three new offenses:

  • Creating an anonymous virtual currency account, savings book, wallet, or handbag;
  • Breach of own funds requirements;
  • Violations of the obligations of a VASP, such as failure to establish or control information related to the originator of a transaction.

These violations can lead to a fine of up to 300 fine units (one fine unit equals €4) for a natural person and a fine of up to €400,000 for a legal person.

We’ll keep an eye on the changes and update this post after the Act goes into force. For more information about anti-money laundering rules in Estonia and other jurisdictions you are interested in, please contact our specialists. You can also see our offers in the category “Ready-made companies” and “Licenses for sale”.

Prev Next