Virtual currency service providers will have to go through another licensing renewal process with the introduction of a new draft legislative act in Estonia. This time a year ago, virtual currency service providers were busy getting ready for a regulation which ended up causing the revocation of over 1,800 licenses. There are 396 existing licence holders who remain active today, following the introduction of requirements, which, among others, require the management board’s seat to be located in Estonia. With the planned amendments, the number of service providers will be cut even more. Whilst the Crowdfunding and Other Investment Instruments and Virtual Currencies Act is currently only going through its first round of feedback, the intended deadlines for current licence holders in relation to the requirements contained within the act are extremely burdensome.
The most significant change is that, under the new act, supervision will move from the Financial Intelligence Unit (FIU) to the Financial Supervision Authority (EFSA), meaning that most of the requirements which now apply to other financial services, such as payment services, will also apply to virtual currency service providers.
Current requirements for virtual currency service providers
In order to provide a comparison with the new requirements, here is a list of the current requirements for virtual currency service providers in Estonia:
- the company’s share capital must be at least EUR 12,000;
- the registered office of the company, the seat of the management board and the place of business must be in Estonia (foreign companies must be operating in Estonia through a branch which is registered in the commercial register and has its registered office and head office in Estonia);
- the management board must have a good business reputation (assessed based on absence of records in the criminal registry, educational and professional records, identity documents and public knowledge available on the relevant persons);
- the company must appoint a compliance officer who works permanently in Estonia and has the education, professional suitability, abilities, personal qualities, experience and impeccable reputation required for the performance of the duties of a compliance officer. This appointment is to be coordinated with the FIU;
- the company must have in place internal procedure rules and risk assessment documents with respect to AML and sanctions rules and risks;
- the company; members of its management body; and its procurator, beneficial owner and owner are to be checked for any unexpired penalties for a criminal offence against the authority of the state, criminal offences relating to money laundering or other wilfully committed criminal offences, and criminal registry extracts need to be submitted for that purpose;
- the company must have a payment account with a credit institution, an electronic money institution or a payment institution established in Estonia or a Contracting State of the European Economic Area providing cross-border services in Estonia or having established a branch in Estonia.
New requirements for virtual currency service providers
Under the new requirements, service providers must have/provide, among other things, the following:
- share capital of at least EUR 25,000, or a quarter of the previous year’s fixed costs;
- a registered location and head office located in Estonia;
- the management board must have impeccable business reputation, knowledge, skills, experience, education and professional suitability for the management of the service provider. This knowledge, skills and experience must include aspects such as understanding the technology on which the service is based, preventing and avoiding risks, protection of customers’ interests, the preservation of financial stability and avoidance of illegal activity;
- the management board must consist of at least two persons;
- a business plan;
- balance sheet and statement of income, expenses, profits, losses and cash flows and, if available, the accounts for the last three financial years;
- internal rules corresponding to the requirements in the act;
- internal accounting rules;
- information concerning the information technology systems and other technological means and systems necessary for the provision of the planned services, including a description of the security measures used to ensure continuity of service and the level of technical organisation of activities;
- security policy, or rules and information on ensuring security, including measures to ensure cyber-security;
- internal control rules and rules of procedure which ensure the fulfilment of obligations in connection with the prevention of money laundering and terrorist financing (this requirement already applies), now including financing of the activities of the applicant;
- a description of the applicant’s organisational structure;
- a list of shareholders, with identification details (this requirement already applies);
- information on the qualifying holding;
- information on the managers of the applicant, including identification information, details of residence, a description of their education, a complete list of jobs and positions held, and, in the case of members of the management board, a description of their area of responsibility, as well as supporting documents which the applicant considers relevant (this requirement already applies);
- information concerning companies in which the participation of the applicant or a member of its management body exceeds 20 per cent;
- information concerning the audit firm and internal auditor of the applicant;
- documents certifying the amount of own funds, together with a sworn auditor’s report;
- a list of payment accounts held in the name of the service provider (this requirement already applies).
Application fee to decrease but annual supervision fee will apply
The application fee with the EFSA will be EUR 1,000; currently, with the FIU, it is EUR 3,300. The EFSA must process all new applications within 3 months of receipt of all required documents but within 6 months from the receipt of the application. An annual supervision fee will also apply.
Definition of service provision expands and a definition of investment token is added
Virtual currency trading platform management services are included under the definition of virtual currency services. This means that platforms which do not offer exchange services but only offer intermediate virtual currency purchasing and sales transactions are also covered under the regulation.
Service provision is envisaged as being intertwined with crowdfunding services, as the new act includes a definition of an investment instrument as well as an investment instrument based on crypto-assets (investment tokens). The definition of an investment instrument is very broad, including “securities not listed in the Securities Markets Act” as well as “instruments resembling securities”. Essentially, the goal is to provide the definition of a non-MiFID instrument, which grants voting, profit distribution or other similar rights conditionally inherent to shareholding or otherwise controlling an entity. With this proposed definition, the legislator leaves a very wide discretion to the EFSA in determining what activities constitute offering investment instruments, as well as creating great uncertainty for the market participants. In case of offering investment instruments to the public, a key information document (of up to 6 pages) should be drafted and published, including information on the obligations, financial standing, profits and losses, and future prospects of the issuer, as well as rights related to the offered instrument; relevant risks regarding both the issuer and the instrument, the terms of the offering and the use of proceeds. Each key information document needs to be submitted to the EFSA, and for any offerings of investment instruments above EUR 5 million, the registration of a key information document with the EFSA is required before the offering is published. Operators of platforms allowed to trade with investment instruments are also subject to licencing by the EFSA. Further, certain inside information requirements apply to issuers whose investment instruments can be traded, or if offerings exceed EUR 1 million per year.
Requirements to be introduced for keeping registrars
Additional regulation will apply to the keeping of the register of investment instruments. According to the regulation, all investment instruments of one kind must be listed with the same registrar. However, in case the investment instruments are inherently different from each other, they can be listed with separate registrars (e.g. if a service provider offers crowdfunding instruments as well as blockchain instruments, it is permitted for this provider to register each of these instruments with separate registrars). Furthermore, registrars can only be persons who are able to ensure the performance of the tasks specified in the law and the record-keeping agreement as stipulated in the act, in terms of the registrar’s activity’s level of organisational and technical management, the internal control measures applied to management and operational risks, their financial situation, the competence and experience of the employees concerned and other means. Therefore, the provision of registry-keeping services may be transferred to, among others, a credit institution, investment firm, payment institution, e-money institution or a securities depository of a Member State, or another service provider under the act. This means that any tokens which currently exist and qualify under the abovementioned definition of an investment token must be listed with such a registrar. If a token is not registered in this manner, it cannot be offered by a service provider in Estonia.
List of investment token owners to become public
Specifically for investment tokens, the list of investment token owners in the system based on secure technology must be public and the technology used must enable anyone to view the registrations. A system based on secure technology must ensure the digital presentation and disclosure of information about each investment token and its owners and restrictions, as well as the submission of all data on transactions made with the investment token, and their indefinite retention. Further requirements may be established by the relevant ministry.
Consumer protection aspects to be introduced
There are many other aspects in the act that will significantly affect the everyday business of virtual currency service providers, including the requirement to evaluate the relevance of an investment instrument to investors, providing a four-day consideration period, certain publication and the EFSA notification requirements, regulation of insiders’ information, and many more. Becoming compliant with such requirements takes considerable resources in terms of both money and time. Any breach of the legal requirements may cost the service provider up to EUR 400,000 in fines. While this sum has not changed, the potential grounds for a breach have significantly expanded.
Requirements to be met by 1 October 2021
However, regardless of the intended extent of the regulation, the act is due to come into force on 1 July 2021. All virtual currency service providers which are currently licensed by the FIU will have to ensure compliance with the new requirements by 1 October 2021. The EFSA will process all licence renewal applications within six months. This means that in order to ensure confirmed compliance with the deadline, existing licence holders would ideally have submitted information to the EFSA by 1 April 2021, when the Act will not yet have even come into force, which means that the EFSA will not have authority to start the assessment.
Moreover, any entities whose licence has not been renewed by the EFSA by 1 October 2021 may not provide their services to new clients until a new licence has been granted. Existing clients may be served under the currently existing regulation until 1 June 2022 or until the new licence has been granted. This means that the time in which the EFSA will have to process up to 396 applications for the new requirements is three months, and, if the process is delayed, many people may be out of job for months.
Taking into account all of the above, we are hopeful that even if the act is enforced in its current form, market participants will be given considerably more time to become compliant. The new requirements should not come into force before market participants have been given sufficient time to ensure compliance after the new act has become law and the regulator has had time to prepare an action plan and make investments in the newly required knowledge base.
In any case, we recommend existing licence holders keep an eye on the legal developments and start to consider how to comply with the requirements in the future should the law be adopted. However we would not recommend to rush into making changes until there is further clarity with respect to the draft. In case of any questions regarding the above, please feel free to contact our lawyers Krista Ševerev at firstname.lastname@example.org, Kätlin Krisak at email@example.com or Monika Tomberg at firstname.lastname@example.org.