Amendment of VASPs' regulatory framework in Estonia

The purpose of this article is to give a review on the further changes of Estonian regulatory framework regarding Virtual Assets Service Providers (VASPs). In this article will be accessed the amendment of Money Laundering and Terrorist Financing Prevention Act (MLTFPA), which is planned to come into force in 15.03.2022. The existing VASPs should bring their activities in accordance with the new legislation by 15.06.2022.
On the 21st of October 2021 Estonian Ministry of Finance has made a proposal for amending of MLTFPA. Currently the draft law is subject to a third reading in the parliament. In accordance with this proposal's explanatory memorandum, within period since 2019 to 2021 Estonia carried out National Risk Assessment (NRA). As a result, it became clear that there is a need for risk mitigation measures in a number of sectors, including VASPs. New MLTFPA aims the rapidly mitigating money laundering and terrorist financing risks related to VASPs and virtual assets. This amendment will bring substantial changes, which affect all licensed providers of virtual currency services in Estonia: licensing requirements will be similar to other finance market participants (primarily PSPs and EMIs), however supervision authority will remain the same – Estonian Financial Intelligence Unit (FIU). Also, it was noticed, that license application proceeding takes many resources, thus amendment will solve this issue too.

THE DEFINITION OF VIRTUAL CURRENCY SERVICES

The amendment will affect the legal definition of virtual currency services: there shall be described the difference between virtual currency wallet service (which allows only store VC wallets' private keys) and virtual currency transfer to another wallet via VASP. In addition, changes will affect organizing of ICOs and other virtual currency-related projects. Thus, the updated definition of virtual currencies shall be the following:

In addition to new approach to servicesregarding the law's update, VASPs will be not permitted to provide any virtual currency services without concluding a business relationship. It means, that occasional transactions with VASPs will be permitted and all customers shall pass through customer due diligence process, including ongoing due diligence measures.

ADDITIONAL DATA COLLECTING FROM NATURAL PERSONS

Under the current MLTFPA, data on the means of communication is collected for identification purposes only  for the legal person and such measure was not implemented against the natural person. In practice, within the course of subsequent investigations and monitoring, situations have arisen where the collection and investigation of data would have been greatly facilitated by the existence of data on means of communication of natural persons. Thus, the amendment will oblige VASPs to collect means of communication also regarding the natural persons – at least the phone number and e-mail address of the natural persons must be provided.

TRAVEL RULE AND ADDITIONAL OBLIGATIONS WHEN PERFORMING TRANSACTIONS

In June 2019 the Financial Action Task Force (FATF) has made recommendation to extended the "travel rule" requirement to VASPs. It obliges VASPs to collect and retain the details of the transaction’s originator (incl. originator's personal data). This data shall be sent promptly and securely to the recipient's VASP. However, VASP provider is not able to receive or process the data, the aforementioned obligation would be deemed to be fulfilled if:

• the VASP of the originator of the transaction ensures real-time monitoring of the transactions and a risk analysis of each transaction, using a dedicated technological solution; and
• where the necessary data is stored by the VASP of the originator of the transaction in a way that allows them to make the data available without delay upon the request of a supervisory or investigative authority.

The VASP of the originator of the transaction will be obliged to collect at least the following information on the originator of the transaction:

ADDITIONAL DOCUMENTS AND INFORMATION FOR LICENSE APPLICATION

The amendment extends the list of documents and information to be submitted with an application in order to receive a license. The state fee for the submission of the application for VASP license will be risen to 10 000 euros (the current cost is 3 300 euros). For making changes in the existing license, a state fee in the amount of 4 000 euros must be paid (except for the change of the address of the VASP, and the new address shall be also in Estonia).

Requirements for share capital and own funds

In a case when the VASP provides any virtual currency services besides virtual currency transfer service, its share capital must be at least 100 000 euros. In a case when virtual currency transfer services are provided, the share capital amount of the VASP must be at least 250 000 euros. In both cases the share capital must be paid in full by monetary contribution. There are also requirements regarding monitoring of amount of own funds. The VASP's own funds must at all times correspond to one of the following amounts, whichever is higher:

• the amount of the share capital;
• at least one quarter of the fixed overheads of the preceding financial year.

It's important to notice, that requirements for calculation of overheads, specified in REGULATION (EU) No 575/2013 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 will apply to VASPs

Business plan

The business plan must cover the period of at least 2 years and as a minimum must contain description of the nature of the VASP's proposed business, its organisational structure and management structure and a description of the rights, obligations and responsibilities of the entities involved in the provision of the envisaged services, as well as a description, forecast and analysis of:

• the amount of income and expenses by activities;
• obligations related to the provision of the service;
• the amount of the applicant's assets and share capital;
• strategy, competitors and planned market share;
• planned activities, services provided, products offered and expected customers, including the expected share of customers resident in Estonia and other countries, and volumes of services provided;
• plans of balance sheets and financial ratios, which set out, inter alia, revenue, expenses, profit and cash flows and the underlying assumptions;
• general principles of risk management and risk management strategy;
• intermediaries and other persons and services used in the applicant's business;
• other relevant circumstances.

The business plan shall provide information on the proposed business activities, which will enable to assess whether the VASP will continue to comply with the requirements after granting the license.

Financial information

The VASP must provide opening balance sheet and a statement of income, expenditure, profits and cash flows and underlying assumptions or, in the case of an operating company, the balance sheet and profit and loss account as at the end of the month preceding the month in which the application for license is submitted and, if available, the accounts for the last three financial years. VASP will also be subject to the obligation to have its annual accounts audited. VASP will be required to provide information on the audit firm providing the services.

Risk assessment documents

Such documents must show the determination of the VASP’s risk assessment procedures as well as the VASP’s risk appetite.

Description of IT systems

Virtual currency services are services based on electronic systems, where the security of the systems and the protection of customer and investor data are of particular importance. Therefore, VASP which intends to obtain a license must pay attention to assessing and mitigating the risks associated with the solutions used to provide the service and the security of the data held by the external service providers. Data on the IT systems must include the following:

• details of the IT systems and other technological equipment and systems necessary for the provision of the envisaged services, including a description of the security measures to be used to ensure the continuity of the service and the level of technical organisation of operations;
• description of the IT systems and other technological means to be used in the provision of the proposed services, by which VASP will ensure the identification and monitoring of transactions and customers in a manner that allows the fulfilment of the obligations laid down in MLTFPA and the specific obligations laid down in the MLTFPA on international sanctions, including the identification of higher risk characteristics, the identification and immediate notification of suspicious transactions.

Information about shareholders

Information about shareholders of a VASP must include the following:

• information on the number of shares and the number of votes held by each shareholder or participant;
• details of persons with a qualifying holding in the applicant, including name, personal identification code, date of birth in the absence thereof, place of birth, nationality, address of residence, position and contact information;
• information on companies in which the shareholding of the VASP or a member of its management board exceeds 20%. Such information includes the amount of the share capital.

With regard to the supervision of the ownership of significant shareholdings of VASPs, it is necessary to establish the ownership of the company at the time of the application for the license. It is also required to have information on the economic links between the VASP and the members of its management bodies in order to avoid a situation where adequate supervision of the VASP is hindered because of a significant link between the VASP or a member of its management body and another entity.

Good business reputation

Definition of good business reputation has an amendment in the following. Entity does not have a proper business reputation if the circumstances that cast doubt on its existence or confirm its absence became known to FIU. An entity's business reputation is not proper if:

• his or her acts or omissions have led to the bankruptcy of the service provider or other entity subject to financial supervision or to the withdrawal of the license at the initiative of the financial supervisory authority;
• he or she has committed a criminal offence of the first degree;
• he or she has been subjected by a court of law to a prohibition on engaging in business activities or a prohibition on engaging in business activities, as well as if he is subjected to a business prohibition or a prohibition on engaging in a particular profession or occupation or has been punished for a violation of such a prohibition;
• he or she is unable to organize the activities of the service provider in such a way that the interests of investors and clients are adequately protected;
• he or she has provided false information or omitted to provide material information to the FIU;
• he or she has been convicted of an economic, professional, property or public trust offence and the relevant criminal record has not been expunged from the criminal record in accordance with the Criminal Records Act or he has been subject to an international sanction.

Requirements for VASP's management and compliance officers

Board members of the VASP must have at least higher education and 2 years of professional experience. Also, board member of the VASP has no right to be board member in more than 2 VASPs, except the case, when they're in the same group of companies or the VASP has a significant shareholding in the other VASP. If board member wants to be in same position in one more entity – he or she shall ask permission for this from the FIU. 
However a person acting as the contact person of FIU may not act as the contact person of FIU nor a head of a structural unit in any other VASP.

Restriction for transfer of license

A license for provision of the virtual currency service is not transferable. The license shall be revoked if the VASP merges with the establishment of a new entity or merges and is continued by the merging entity.

RIGHT TO REFUSE TO GRANT A LICENSE AND RIGHT TO REVOKE A LICENSE

The FIU has the right to refuse to grant a license for provision of virtual currency service in the following cases:

• the significant relationship between the undertaking and another person prevents the applicant from being adequately supervised or is hindered by the requirements or implementation of the legislation of another country in which the person with which the applicant has a significant connection is established;
• the information provided by the undertaking shows that its purpose is not to operate in Estonia or its business has no connections with Estonia or its business has no significant connections with Estonia other than the place of business in Estonia and the members of the management board located in Estonia;
• the internal rules proposed by the undertaking are not sufficient, proportionate and unambiguous in the light of the nature, scale and complexity of the applicant's activities or are contrary to applicable law;
• the undertaking’s IT systems and other technological means are not sufficient to provide the service;
• there is doubt as to the legal origin of the share capital;
• an undertaking or a person with a qualifying holding in the undertaking has previously been issued an activity license which has been revoked.

Thereby, there are lot of grounds for refuse in granting license to the VASP. Some of them require FIU's discretion which also makes regulation regarding VASP less predictable. Also, FIU's rights to revoke the license granted were amended regarding the following grounds:

• the VASP's activity has been suspended for more than 6 consecutive months;
• the VASP merges with the establishment of a new association or merges and continues to be operated by the merging association;
• false information has been provided by or on behalf of the VASP to the FIU;
• the VASP or a member of its management body has been convicted of an economic offence, a professional offence, an offence against property, an offence against public trust or a terrorist offence or an offence of financing or supporting the commission of such an offence, and the corresponding criminal record has not been expunged from the criminal record in accordance with the Criminal Records Act;
• the VASP has committed money laundering or financed or aided and abetted the commission of a terrorist offence, or has violated an international sanction, or is in violation of a regime established by legislation imposing an international sanction;
• the VASP belongs to a group of companies which structure does not allow the availability of the information necessary for consolidated supervision, or a company belonging to the same group as the VASP is established in a country where the competent supervisory authority has no legal basis or means to cooperate with the FIU, or which legal requirements or their implementation would prevent the applicant from being adequately supervised;
• the existence of a significant link between the VASP and any other entity prevents adequate supervision;
• it appears that the VASP has chosen Estonia as the place of application and registration for the purpose of evading prohibitions or stricter requirements imposed on the VASP or the activity in the foreign country in which it mainly operates;
• according to the information provided to the FIU by the competent supervisory authority of an EEA Contracting State or a third country, the VASP has violated the conditions laid down in the legislation of an EEA Contracting State or a third country;
• the VASP publishes materially inaccurate or misleading information or advertising about its activities or managers;
• the amount of the VASP’s own funds does not comply with the requirements laid down in MLTFPA or in legislation enacted pursuant thereto;
• the VASP has repeatedly or materially infringed the provisions of the legislation governing its activities.

Equal to grounds for refusing license application, here's a lot of discretion power given to the FIU.

Restriction for the application resubmission

VASP, a member of the VASP's management body and a person with a qualifying holding in the VASP may not submit a new application for license for a period of 2 years from the date of entry into force of the FIU's decision to refuse or revoke of the license.

VASP ACTIVITIES REQUIREMENTS AND CONDITIONS FOR COMPLIANCE HEREOF

Audit requirements

Amendment specifies requirement regarding annual report auditing by sworn auditor.

Internal auditor

VASP shall appoint internal auditor. Such person shall have no other duties in the VASP which will or might cause any conflict of interest and have obligations which lead from law to report compliance issues to supervisory authorities (primarily, FIU). The internal auditor will be subject to the requirements and legal basis for the activities of an accredited internal auditor set out in the Auditors Activities Act, where among other things, they must have passed a respective vocational examination.

Restriction for temporary renouncement of the license

It's restricted to temporary renounce activities for a VASP. Thus, VASP shall be in compliance with the license requirements.