Crypto Regulation in Estonia Is About To Change and Will Affect Service Providers

It has been less than five years since Estonia took an innovative and proactive approach in setting a regulatory framework to regulate virtual currency service providers, and we have witnessed lots of changes as the entire sector matured. As an Estonian-licensed virtual currency service provider, we are following the latest Estonian AML regulatory initiative with great interest. As one of the leading market players, we will be directly affected by the new Estonian Law on the Prevention of Money Laundering and Terrorist Financing (the “New AML Act”), and more importantly, our clients will be affected as well. As we have recently been presented with many portentous headlines suggesting that “Estonia Wants to Revoke All Crypto Licenses” or “Estonia preparing a sweeping crackdown on digital coins” or “Estonia crypto regulators consider banning all crypto business licenses,” we are naturally concerned about the impression clients receive about their safety in working with Estonian virtual currency service providers like us.

It seems as if the most numerous stakeholders, our clients, are being overlooked in this “crypto witch hunt.” Therefore, we publicly plead that such negative and misleading communication be discontinued, as it significantly affects the general trust of customers in the Estonian market and consequently negatively impacts our business. In the past few weeks, we have attended many conferences where the main topic was the regulatory changes and where government representatives participated.

Importantly, the message is clear: There is no general crypto ban. Regulators have no intention of sweeping away the crypto market in its entirety, even though some government representatives themselves have triggered many official-sounding negative posts.

To mitigate the situation and provide a clearer picture of Estonia’s new approach to crypto licence regulation, we have prepared an overview of the planned changes. We hope this approach will serve to settle the dust and remind everyone that (1) we are talking only about draft legislation, and (2) the proposed changes are intended to increase client safety.

A brief summary of announced key changes includes:

1. Increasing share capital requirement from the current EUR 12,000.00 to EUR 350,000.00.
2. State fee for license amendments (EUR 4,000.00).
3. Supervisory fee (EUR 3,500.00 + 0,035% of the total amount of transactions initiated or received).
4. Mandatory annual audit requirement and a requirement to appoint an internal audit manager to supervise the department that performs the internal audit.
5. in addition to the current documentation requirements, which include AML/CFT procedures and internal control rules, the following are required:
   • Balance sheet, profit and loss statement, and, if available, the accounts for the last three financial years.
   • A two-year business plan that must among other things include a description of the nature, organizational structure, and management structure of the business and the rights, obligations, and responsibilities of the persons involved in providing the services, as well as a description, forecast, and analysis of (i) the amount of income and expenses by field of activity; (ii) obligations related to the provision of services; (iii) the amount of assets and share capital; (iv) planned activities, services provided, products offered, and expected customers; (v) forecasts of balance sheets and financial indicators, which include, inter alia, the income, expenses, profit, and cash flows along with the assumptions on which they are based; (vi) general principles of risk management and risk management strategy; (vii) intermediaries and other persons and services used in the business activities of the applicant.
   • Description of the IT systems used (including the systems used for implementing due diligence measures such as KYC).
6. A requirement for management to have higher education and at least two years of professional experience.
7. The unilateral right of the Financial Intelligence Unit (the “FIU”) to withhold the license if information submitted by the applicant shows that its purpose is not to operate in Estonia or its business activities have no connections with Estonia.
8. Restrictions for service provision outside Estonia: namely, for service provision outside Estonia, an application will have to be submitted to the FIU with the foreign market specification and action plan for the services subject to the unilateral decision of the FIU to either approve or prohibit the provision of services in a foreign state.

As follows from recent media statements by FIU management, the FIU’s tendency is to introduce a more restrictive crypto license regulation and thus upgrade the existing one. To avoid the (unjustified) possible impression that the current Estonian crypto licensing system is improper, we wish to demonstrate via our business that existing Estonian AML regulation, if implemented in accordance with the legal requirements and – very importantly – high internal ethical standards, is effectively preventing money laundering and terrorist financing. Improvements are of course possible, and we welcome new requirements that increase the level of responsibility on the part of service providers and that increase client safety. We also understand the need to mitigate risks that have been indicated in the results of the national risk assessment. This is absolutely necessary if we want to increase the reputation of the crypto market, boost user confidence, and further the adoption of virtual currencies – and, importantly, to secure the reputation and good name of Estonia itself.We hope that this letter will help regulators understand the reality “from the field” and that you interpret it as the expression of a humble wish to establish a dialogue with legislators.

Before we continue with the New AML Act draft assessment, we wish to briefly introduce ourselves, as this will help explain our position toward the new proposed regulation.

Kriptomat OÜ was established in Estonia in 2018 for one important reason: Estonia was the first country with a functional regulatory framework. The founders of the company, who have a proven history of business success, have opted for Estonia as the country of establishment as they wanted to operate within a regulated market, understanding and anticipating that the gap between virtual currencies and financial markets will narrow.

Today, Kriptomat is a fast-growing fintech group built by a team of professionals from various fields, all passionate about the virtual currency, blockchain, and finance industries. We nurture the culture of compliance and follow the principle of integrity, the principle that leads us in everyday decisions. The common denominator to our business is “Making it the right way with the right attitude”. We do not pursue profit; we pursue satisfied clients and honorable business. We are devoted to working in accordance with best practices. Thus, we are ISO 9001:2015 (Quality Management System) and ISO 27001:2015 (Information Security Management) certified. Our compliance management system is built in accordance with ISO 37301:2021 guidelines.

We are very aware of the responsibility we have towards our clients, and thus we follow proven best practices. Our business embodies a process-based approach and risk-based thinking. Importantly,we consciously take responsibility for building a secure crypto environment as we strive to leave a positive sustainable footprint of our business in the market. We develop technologies that enable access to virtual currencies to everyone and our services are used by citizens of EEA countries.
In order to fully evaluate the current virtual currency legislative changes, it is important to consider some background information. In 2018, Estonia promoted itself as a technologically advanced crypto oasis. Providers were able to obtain a license in a relatively easy and cost-effective way, resulting in Estonia issuing more than 4,000 licenses. In 2020, the new AML act came into effect, and companies had to adapt to additional requirements (the share capital was increased from EUR 2,500.00 to EUR 12,500.00, management board presiding in Estonia, Estonian AML officer, and so on). The country was already taking a more restrictive approach at the time, leading to a significant reduction in the number of licenses, which is currently around 400.

Taking into consideration the recent legislative initiatives, some obvious parallels can be drawn to the financial industry, which means the regulatory gap between crypto and the traditional financial industry is indeed narrowing. Because we understand the (increasing) value and contributions of the crypto industry, we are absolutely keen on this convergence. Managing clients’ assets should be controlled because the value of cryptocurrencies cannot be overlooked even if they are not recognized assets in terms of currency.

Evaluating the proposed changes from such a perspective does not lead to instant opposition to the changes, even if they will significantly impact the majority of the companies and the transition period is unusually short. If the government has recognized a risk, it must, of course, be properly mitigated as soon as possible. Thus, our opinion on the proposed changes reflects the intent and goodwill of Estonia as it protects its position in the sense of macroeconomics.
The heavily increased minimum share capital is aimed to increase client safety. Thus, even though it may pose a challenge with smaller companies, it is understandable, with a reservation note that it would make much more sense to make a tier system based on the type of virtual currency service and the volume of its business.

The additional documentation request should also not pose a significant issue. In fact, virtual currency service providers who do not have in place clear accounting and financial reporting procedures, IT management systems, compliance management systems, and risk management systems should start working on that immediately – not because of the new legislative requirements, but because such systems are necessary to protect the business and clients’ assets.
We see the requirement for submitting a two-year business plan as beneficial, as submission of a business plan is a usual request in the process of opening a bank account, when concluding relationships with key business partners, or obtaining investments. Our business plan includes projections for a minimum of five years. Naturally, this is a living document, but it also represents the compass and future trajectory of the business.

At this point, we need to emphasize that there is a certain overall lack of clarity with the new regulatory requirements. In the end, a lot will depend on further explanations and instructions issued by the FIU. The requirement that companies need to indicate that “their purpose is to operate in Estonia, and business activities have business connections with Estonia” is already a requirement that companies need to fulfill, with requirements for local presiding management, a local AML officer, establishment of an office in Estonia, and so on. The companies do, however, need to be able to provide sufficient evidence that they are actually operating in Estonia beyond names on paper and a virtual office. This, in our opinion, is only logical and necessary for assuring the ability to implement an efficient system of supervision. But if there are other requirements related to this “operating in Estonia” requirement, the FIU should be transparent about them and clarify in advance to avoid revoking licenses without prior communication.

Since the provision on the restriction on cross-border business runs counter to the fundamental principles of the EU on the free movement of services and capital, we hope that the provision in question will be omitted from the final AML Act. Keeping such restrictions in place would tie companies to a very small national market, which is simply not viable. In practice, this would mean companies would be forced to relocate outside Estonia, which would have a counter effect from the desired purpose of the new legislation.

The FIU has explained that AML requirements are behind many of the new requirements. We wish to repeat that current AML requirements are sufficient tools for money-laundering prevention, assuming companies are prudent with their compliance processes and risk assessment. AML requirements based on the Estonian AML Act are in fact equivalent to those applicable to financial services. In our opinion, there is no justification for virtual currency service providers failing to implement a reliable and efficient compliance system, including KYC, wealth source verification, ongoing monitoring, set risk appetite, and risk management.

There are, naturally, some important differences between the financial industry and virtual currency services, including the anonymity of transactions to wallets outside service providers’ systems (if they also provide custodial wallets). It is this anonymity that is mostly being exploited for fraudulent transactions. And this is the area where providers divide into two groups – providers that adhere only to the minimum AML requirements and providers that have established a fraud prevention system that upgrades the minimum AML requirements subject to crypto market specifics.

Based on our experience, efficient compliance management is built on a robust automated system that fuels its prevention system from manual inputs reflecting legislative requirements, internal processes, and good proactive (and, very importantly, automated) inputs from big data management transaction analysis. Technical solutions are becoming indispensable tools for detecting fraudulent remote access, for instance, which is largely the most common type of fraud. (The client enables fraudulent transactions by enabling the fraudulent broker to manage its computer and assets using remote control software such as AnyDesk.)

This is the area where the new legislative requirements can make the difference, as service providers will have to disclose how the processes are actually implemented. Together with the supervision of the FSA (which will, in the near future, hold supervision rights currently granted to the FIU), Estonia will have a great option to separate the good and insufficient players on the market, and further define good practice requirements.

If the idea of the new regulatory draft is indeed to recognize the above and make sure that AML quality is assured at the operational level, not just on paper, then we welcome the changes.

Since this topic is the subject of a lot of heated discussions on the current media playground, we would like to conclude with an important insight from an investor’s point of view:Estonia is in the eyes of international businessmen respected for its efforts to build a business environment that is friendly to crypto and agile business culture. As indicated above, we, Kriptomat, are the first in line to employ and raise business standards in the crypto industry and to introduce best practices, including those found in the financial sector. Many of us have worked in accordance with quality management principles from the time the company was launched. We hope the FIU will recognize the contributions of companies like Kriptomat and allow us to prove that Estonia is a trustworthy business environment. Otherwise, in case the goal of the new legislation changes is indeed to “wipe out” crypto providers, then we will have to leave. But importantly, we will never come back, and other investors will also remember the abrupt shift in political mindset and policies, and Estonia could easily be perceived as no longer a business-friendly country, but as a high-risk country with uncertainty for business. And for such a small market, that could have significant long-term consequences.

We look forward to further developments with the sincere aim of being able to continue prospering in Estonia.

Kriptomat Management Team