In 2017, Estonia became one of the first EU member states to enact legislation that regulates and controls cryptocurrencies, effectively making it one of the first jurisdictions in the world to provide a framework that facilitated crypto entrepreneurship and innovation. This, on top of the country’s progressive tax system and robust digital economy, has made Estonia one of the most popular destinations for establishing DeFi businesses. However, upcoming changes to anti-money launderig regulations (AML) may change this.
Estonia has approved draft legislation that will make compliance with AML requirements very difficult, if not impossible, for virtual currency service operators and DeFi projects established in the Baltic state. While the upcoming regulatory changes do not specifically outlaw DeFi platforms in Estonia, the highly stringent requirements set by the draft legislation makes compliance for DeFi platforms exceedingly difficult in the country to the extent where it might as well be banned outright. Estonia is effectively no longer a crypto-friendly jurisdiction.
Approved by Estonia’s government on 23 December 2021, the draft legislation will introduce amendments to the AML Act and has been submitted to parliament where it will undergo three readings prior to becoming law. According to lawmakers, the amendments are aimed towards mitigating risks related to financial crime and are built on guidelines set out under the Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers developed by the Financial Action Task Force (FATF).
What changes are to be introduced?
The scope of a ‘virtual currency service’
Prior to the draft legislation, a virtual currency service in Estonia was limited to only crypto exchanges and wallet services. The upcoming regulations will expand the scope of a virtual currency service to encompass all manner of transactions involving virtual assets, including crypto transfers, issuance of virtual currencies or tokens, brokerage services, peer-to-peer services, and DeFi.
The expanded definition of a virtual currency service will therefore mean that all companies registered in Estonia that offer any type of crypto or DeFi services will be subject to the requirements of the draft legislation. Following FATF’s functional approach for the definition of a Virtual Asset Service Provider, the applicability of the draft legislation’s provisions will be based on the actual services provided by operators rather than anecdotal terminologies.
The ‘travel rule’
Under the draft legislation, virtual currency service operators will be required to undergo additional due diligence and know-your-customer (KYC) measures that align with the ‘travel rule’ guidelines set out by FATF. What this means is that operators will be required to gather identifying data on the originator of a virtual currency transaction and share it with the service provider of the recipient. This includes names, unique identifiers, dates of birth, residential addresses, and registry codes.
In addition, virtual currency service operators will be required to ask originators to produce proof of funds and provide documents outlining the source of their funds, which is virtually impossible to do in the DeFi sphere given the decentralised nature of the transactions involved. Even if a particular wallet is involved in an unscrupulous transaction, tracing the money trail back to the perpetrator would be impossible given that they can simply run their funds through different protocols between centralised exchanges.
Minimum capital requirements and fees
The upcoming amendments also introduce dramatic changes in licensing fees and minimum capital requirements. Virtual asset service operators seeking to obtain a VASP license will be required to pay an administrative fee of EUR 10,000 on top of a minimum share capital of EUR 350,000 for operators that offer transfer services, and EUR 125,000 for those that offer wallet services or offering platforms. In addition, the Estonian Financial Intelligence Unit (FIU) will levy a supervision fee starting on 1st April 2022 that will amount to 1% of the operator’s share capital and 0.035% of all initiated and accepted virtual currency transactions.
Even for large, high-volume operators, such exorbitant fees and capital requirements can be perceived as hindrances to their operational viability. This will ultimately translate to higher fees for their users and may drive away upcoming or existing operators in Estonia that will be burdened by the high costs associated with maintaining an entity in the Baltic state.
Licensing application requirements
In addition to existing requirements under Section 70 of the AML Act, the draft legislation will require registrants to submit the following:
- Financial information, including any assets an operator may have, its share capital, and a summary of their income, cash flows, and liabilities;
- A business plan that illustrates the operator’s business activities, organisational chart, and operational procedures;
- Risk assessment documents;
- Information outlining technological systems to be used for services offered, particularly around security, business continuity, and operations;
- Information outlining the applicant’s financial audit firm; and
- Documentation highlighting the number of shareholders, the shares they hold, and how many votes they are entitled to.
Applicants looking to create subsidiaries will also be required to provide the same information and documentation as mentioned above. Moreover, the draft legislation will require members of the management board to have attained higher education and at least two years of professional work experience. They should also not hold more than two positions in a VASP.
Grounds to deny a license application or revoke existing licenses
The draft legislation provides officials in Estonia with greater leeway in denying license applications or revoking existing VASP licenses held by virtual currency service operators. Prior to the regulatory changes, the FIU only denied license applications if an operator lacked AML procedures, payment accounts in Estonia, or for lacking other operational procedures deemed necessary by the regulatory body; however, license applications can now be denied if it is found that an applicant does not intend to conduct sufficient operations in Estonia, if previous licenses have been revoked, or if the operator lacks sufficient rules and processes for conducting their business activities. Moreover, the FIU can deny a license application if it questions the legal origin of the applicant’s share capital.
There are also additional conditions for maintaining a VASP license. The upcoming regulations stipulate that an operator must actively conduct business activities in Estonia for six consecutive months and must only publish accurate information about its business activities. If a license holder is found to have participated in money laundering or terrorist financing activities, or has chosen Estonia simply to avoid stricter AML requirements in foreign countries it actively operates in, the FIU will have grounds to revoke a VASP license.
Who will be affected?
The Ministry of Finance explained that the draft legislation will not apply to customers and will specifically target virtual currency service operators based in Estonia, regardless of the activities or services they offer. This will include crypto exchanges, wallet service providers, DeFi platforms, and IDO launchpads that were incorporated in the country. In essence, such entities will be regulated in the same way as financial institutions based in Estonia.
What penalties can be expected for non-compliance?
On top of existing penalties, the draft legislation will also introduce three additional offences that VASPs need to take into consideration. These include:
- Opening anonymous accounts, savings books, or wallets that hold virtual currencies;
- Breaching their own fund requirements; and
- Violating obligations of a VASP, including establishing or controlling information relevant to the originator of a transaction.
VASPs found to be in violation of the upcoming legislation’s provisions will face fines of up to 300 fine units for a natural person, where one unit is the equal to EUR 4, and up to EUR 400,000 for juristic persons.
Does the draft legislation mean the end of crypto in Estonia?
The Ministry of Finance clarified in a statement on 2 January 2022 that the draft legislation will not ban customers from owning or making transactions in crypto, but that its provisions will apply to decentralised platforms that facilitate non-custodial wallet services that allow users to fully own their crypto assets and private keys. According to Estonian Finance Minister Keit Pentus-Rosimannus, the upcoming bill simply aims to tighten the country’s anti-money laundering (AML) requirements to prevent the creation of anonymous accounts that could be used for money laundering activities.
Nonetheless, while the draft legislation aims to address existing shortfalls surrounding AML regulations as previously mentioned, the newfound requirements are too restrictive for operators, particularly those that do not have the capacity to meet the new capital requirements or due diligence processes under the upcoming regulations. Moreover, the draft legislation may entail considerable business restrictions for virtual currency service providers that offer services or platforms related to DeFi due to regulation’s emphasis on banning anonymous wallets and accounts.
The draft legislation has been submitted to Estonia’s parliament and is awaiting further reading before it passes into law. However, Estonia-based virtual currency service operators are strongly encouraged to review their circumstances and seek legal counsel to determine their next course of action amid the upcoming regulatory changes which, as previously mentioned, is virtually impossible to comply with.
Silk Legal will continue to monitor developments on this front and will provide an update as soon as possible.
For more information about the upcoming regulations, please contact us at [email protected] or by using the contact form provided.