Why Estonia is doubling down on AML/KYC regulations and how you can comply with them
Recently, a Bloomberg article with a decidedly sensationalist headline took the e-Residency community by storm. If you read the article top to bottom, it does not actually put Estonia in such a bad light. On the contrary, it shows why Estonia is doubling down on AML/KYC regulations for crypto companies, i.e. companies that provide a virtual currency wallet service or provide services of exchanging a virtual currency against a fiat currency to third parties.
Table of contents
- What happened, and why is Estonia doing this?
- Why focusing on crypto companies then?
- But these measures are too strict!
- What are these measures?
- How does it affect you and how can you comply?
- What are the AML and KYC documents?
- Things to take into account when elaborating or updating your AML document.
In this article, we explain why Estonia is tightening its anti-money laundering regulations and making sure that companies operating with crypto licenses and offering crypto-exchange or crypto-wallet services operate strictly within the law. We also describe some of the new regulations that came into force recently and how you can comply with them.
What happened, and why is Estonia doing this?
In 2017, Estonia, alongside Latvia, Russia and other countries, was hit by a scandal involving the alleged money laundering activities of the Estonian branch of a Danish bank, Danske Bank. You can read about the incident here. It has been considered possibly the largest money laundering scandal ever in Europe.
Although it had nothing to do with e-Residency per se (if you read about it in the news or other trusted sources, the e-Residency Program is not even mentioned), but rather with the activities of the local branch of Danske Bank, it hurt Estonia’s reputation. Fortunately, the transparency of the Estonian business system and Estonia’s decisive reaction helped to dispel any doubts about the legitimacy of the Estonian financial ecosystem.
Since then, Estonia has been focusing on strengthening and improving its AML protocols and control mechanisms to avoid money laundering. The latest package of measures was approved and entered into force in early 2020, and targeted companies offering services that require a crypto license, either:
- a license for providing services of exchanging a virtual currency against a fiat currency (FVR, or crypto-trading license for short)
- a license for providing a virtual currency wallet service (FRK, or crypto-wallet license for short)
Why focusing on crypto companies then?
Unfortunately, cryptocurrencies are often associated with illegal or money laundering activities. According to data from the tax authorities and the FIU, of 56 supervisory inspections in 2019, 34 (60%) concerned virtual-currency companies. It is, no doubt, one of the fields most susceptible to money laundering if the proper AML and KYC protocols are not in place.
These measures therefore aim to increase control over these companies, to make sure not only that they have legit goals, but also that their customers can’t use their services for money laundering, financing terrorism or other illegal activities.
And that’s a positive thing. All these measures only help us have a stronger, more secure, and more reliable business ecosystem. If your company has completely legit and legal goals, you should be allowed to do business, and you should also enforce control measures to prevent your customers from abusing your platform or business for illegal activities. It’s not only protecting the whole ecosystem, but also helping you to set measures to prevent abuse by your own customers.
But these measures are too strict!
Some crypto-company owners, especially those who have lost their licenses, complain about the strictness of the new regulations. It is, of course, understandable. They invested money and effort in the licenses. But these people need to understand what kind of business they have in their hands. We are not talking about an online marketing agency or an e-commerce business. The FVR and FRK licenses basically allow you to act as a “crypto-bank”.
Now, imagine that you find a cool new fintech bank and are considering investing your savings in it. Researching the company, you learn that it was founded by three friends in their twenties with no previous experience in fintech, that they have no offices anywhere, and that there are no known employees working for them. Their company has not even proven to have the minimum share capital, let alone a fund to guarantee that your money will be safe. Would you leave your savings in their hands? Of course not. We are early adopters and supporters of modern banking alternatives such as Revolut Business, Wise, etc., but these companies have a solid team, offices, the right resources, people devoted to anti-money laundering and financial aspects, and have proved that they implement the necessary AML regulations and protocols.
Accordingly, if you want to get into this area of business, people need to trust you. They need to know that you have a real office with real employees where they can check what you are doing. They need to know you have some resources (and 12,000€ is a laughable amount of money in this field), and they need to know that you, or someone from your team, knows what they are doing and how to prevent money laundering activities. Similarly, getting the licenses and not showing activity in half a year or more does not add trust in your company and its goals, even if they are legit.
The measures are there to make sure that, if you open a crypto business, you want to start a legit activity now, and have all the required knowledge, manpower, resources, and expertise in place.
What are these measures?
These are the most important changes for companies that want to apply for or keep their crypto-trading and crypto-wallet licenses:
- The minimum share capital is 12,000€ for companies which apply for these licenses.
- The contribution of the share capital must be made effective and registered in the e-Business Register, that is, the payment of at least 12,000€ must be done and registered before proceeding with the license application.
- A real and constant presence in Estonia will be required. That means owning or renting premises in Estonia, possibly employees working there, etc.
- Previously, only routine due diligence measures were enforced for users of your platform. Now, you will be required, as part of your AML policies, to perform a stricter due diligence that also includes people related to the users of your platforms, such as their immediate relatives and partners.
- The control and management of anti-money laundering activities of the company must be carried out from Estonia. This will involve having a director and an anti-money laundering officer (AML officer) in Estonia.
- Copies of criminal records and passports of the directors / procurators / beneficial owners will be requested for all citizenships. Previously, they were only requested for one of your citizenships. These records must be stamped with a valid apostille and translated into Estonian or English.
- Directors / procurators may be required to provide educational certificates, CVs, and even a document describing “suitability for the position” if required by the FIU.
If you analyze these new requirements, you will realize they have been designed, first, to make sure only “serious” businesses with legit intentions benefit from the Estonian business system and the e-Residency program, and second, to allow more control over their activities and the activities of their customers. The authorities want to know who the members of the company are, know where to find them, and make sure they understand their responsibilities to prevent money laundering activities.
How does it affect you and how can you comply?
If your company has obtained one of these licenses, or is considering applying for them, you will have to comply with these regulations. There are two big areas you need to consider:
First, you need premises in Estonia, real premises, like an office, where the AML activity of the company is performed. This activity needs to be conducted by an AML officer who resides in Estonia. Hence, your first consideration should be renting a space there and hiring an AML officer.
You also need at least one board member residing in Estonia. If one of the members of the board of your company can live in Estonia and work there in your premises, that’s an ideal situation. This person should be acquainted with the anti-money laundering legislation and make sure that the right control points are properly established in the company to prevent illegal activities. He or she will also be in charge of reviewing the activity of your customers, setting protocols to detect irregularities, and preparing regular reports for the board to track how the protocols and measures are being fulfilled.
Now, the AML officer cannot work without a well-established set of rules covering the risks involved in the activity of the company, the protocols to prevent illegal activities, how to properly identify your customers, and guidance on keeping these measures up to date.
That’s why your company needs to draw up AML and KYC documents.
What are the AML and KYC documents?
The AML document contains the rules that dictate how your company defines, identifies, prevents and reacts to money laundering activities.
The AML document should usually be drafted with the help of a lawyer, or verified by one, to ensure it complies with the Estonian AML regulations. The official legislation covering these topics can be found in the Money Laundering and Terrorist Financing Prevention Act.
The KYC (Know Your Customer) document should contain a description of the information that your system collects from its users at different stages, the nature and purpose of such information collection, and optionally a form illustrating how this information request is presented to the user.
This document obviously varies a lot from company to company, based on the activity of the company, the information collected, what you allow your customers to do on your platform, etc.
At Companio, we have prepared our own AML and KYC documents. Even if we don’t offer crypto services, some of our customers do, and our activity involves the possibility of being exposed to or detecting money laundering activity from any of our customers. As an official business service provider of the e-Residency Program, and proud e-Residency Marketplace members, we are deeply committed to the prevention of money laundering and terrorist financing.
Things to take into account when elaborating or updating your AML document.
As we mentioned, you should always hire a professional lawyer to help you draft your AML document, but it is perfectly fine to take care of the first draft yourself or to write down the main ideas and measures that you want your company to implement. Just make sure to discuss at least these points:
Risk Assessment and Risk Appetite
The Risk Appetite of a company is the level of risk that the company is willing to accept while pursuing its objectives, before any action is deemed necessary to reduce this risk. Put simply, it is the amount of risk you are willing to tolerate for your company. This risk comes from things such as the type of customers you accept, the activities that these customers carry out using your services, products or resources, the activities that your own company carries out on its own, the activities of your employees, etc.
You need to clearly define this concept, alongside categories of risk (e.g. geographical, customer, etc.) and the factors that reduce or increase this risk. You should also identify risks associated with new and existing technologies, services or products used by your company or your customers.
Customer’s risk profile
Once you have determined what constitutes a risk for your organization, and the types of risks you are willing and not willing to tolerate, you need to define a clear way to determine the risk profile of a customer, so that you can unambiguously place this customer in a risk category. This will later allow you to make decisions about the information you need to collect from this customer, regular reviews of their activities, or measures to limit or restrict access to certain parts of your system.
Identifying your customers
It is essential that you describe which information you collect from your customers, and how this information helps you decide the risk category of the customer, and even whether you take on that customer at all. It is a good idea to split this section into legal persons (i.e. organizations and companies) and natural persons (i.e. individuals).
This identification is linked to the Know Your Customer document, and you should establish the rules to apply and enforce the KYC protocols.
Special attention must be given to subjects of international sanctions (individuals, collectives, or even countries). Here, a good understanding of the regions subject to sanctions, and the nature of these sanctions, is essential.
Procedure for application of due diligence measures
You need to specify the measures that you are going to apply to prevent money laundering and terrorist financing. These should include both protocols for new customers and periodical reviews for existing ones.
It is a good idea to define two different types of measures: a simplified procedure for low-risk customers, and an enhanced procedure for high-risk customers. Don’t forget that the risk category of your customers should be re-evaluated from time to time.
Politically exposed persons
A politically exposed person (PEP) is a natural person who is or who has been entrusted with prominent public functions, as well as family members and close associates of such a person. Why is this distinction important? Because PEPs, owing to the prominent public (political, judicial or administrative) functions they hold or have held, are exposed to particular risks.
You need to establish special measures and identification requirements for PEPs, just as you do for high-risk customers, including whether you can accept these customers or not, and under which circumstances.
The measures to prevent money laundering, and the identification and classification of your customers, should not be static or performed only once. The AML officer must ensure that there is continued monitoring of the customers and their activities. You should also specify:
- what constitutes irregularities in the expected operations of users and customers
- what constitutes a breach of trust or triggers a due diligence process
- when and how a business relationship can be terminated as a result of any of the previous points
- how you collect and store data of your customers and users and how you protect it
- if and under which conditions some of these activities can be outsourced
Compliance with the notification obligation
One of the most important parts of your document should specify how you are going to notify the authorities (Tax Office, FIU, etc.) if suspicious activity is detected, or if some transactions or operations are determined to potentially involve money laundering or terrorist financing. The AML officer is the person in charge of doing that, and must do so in accordance with the rules contained in the AML document.
Training your employees
Your employees should learn the AML protocols of the company, and know how to detect suspicious activity and report it. You have the obligation to regularly train them and refresh their knowledge of AML measures, the KYC protocol, and the legislation. The AML officer is in charge of doing this, as well as presenting a report to the board on all the measures implemented throughout the year to make sure the employees stay up to date with them.
In this article, we shared our points of view regarding the latest measures of Estonia, which is doubling down on AML/KYC regulations and asking crypto companies to comply with stricter requirements. Many companies have lost their licenses as a result. We understand this may be frustrating for a lot of them, and some of these entrepreneurs may be understandably upset. But in our view, keeping the business ecosystem secure, and making sure all Estonian companies (established through e-Residency or not) comply with the legislation, is only beneficial for all of us.
We also discussed how you can comply with the new regulations, and what you need to know to draft your AML document.