In 2017, Estonia became the first country to set the European legal framework for virtual currencies. The country then enacted amendments to its anti-money laundering (AML) legislation that define cryptocurrencies as value represented in digital form that is digitally transferable and acceptable as a payment instrument but not a legal tender.
In the following year, the European Union (EU) adopted the Fifth Anti-Money Laundering Directive (AMLD5), which introduced AML and know-your-client (KYC) obligations for cryptocurrency exchanges and wallet providers. To comply with the EU directive, Estonia made changes to its Money Laundering and Terrorist Financing Prevention Act, which were implemented in March 2020.
Since then, Estonia has started treating virtual currency service providers as "financial institutions," subjecting them to the same reporting regulations and requirements as other financial institutions within the country.
In March 2022, Estonia further tightened its regulations with amendments to its Money Laundering and Terrorist Financing Prevention Act. These amendments enforced the FATF Travel Rule, set more stringent licensing conditions for crypto service providers, and broadened the AML Act's reach to include new virtual currency services.
By introducing the FATF Travel Rule, Estonia expanded the definition of "virtual currency service" to include virtual currency transfer services and services related to the issuance of virtual currency.
Based on the changes, intermediaries between buyers and sellers and services that bring buyers and sellers together, decentralized platforms, services that delegate transactions to third parties, ICO platforms, and other similar services all fall under the VASP category. Hence, they must comply with AML and licensing requirements.
Meanwhile, regulators raised the cost of obtaining a VASP (Virtual Asset Service Provider) license to €10,000. They also set a minimum share capital requirement of €100,000 for licensees and introduced a new administrative fee for changes in crypto-related activities.
Businesses also had to submit extra documents, such as a two-year business plan, financial details, descriptions of the information technology systems for identifying and monitoring transactions, information about customers and their beneficial owners, and details required for fulfilling the Travel Rule obligation.
Moreover, regulators updated the management board requirements and introduced additional grounds for refusing or revoking a VASP license.
Having implemented the FATF Travel Rule in March 2022, the Estonian Financial Intelligence Unit (FIU) gave crypto businesses only three months, up until June 15, 2022, to enforce the rules. However, there is no minimum transaction threshold for reporting transactions.
Under the Estonia Crypto Travel Rule, VASPs must collect data on a transaction's originator and share it with the service provider of the transaction's recipient when completing a virtual currency exchange or transfer. For legal persons, the information to be gathered and shared includes:
- Full Name & Place of business
- Unique transaction identifier
- Crypto wallet identifier or payment account identifier
- Registry code or residence country identifier
Meanwhile, the information to be collected for natural persons includes:
- Full Name
- Unique transaction identifier
- Crypto wallet identifier or payment account identifier
- Identity number and personal identification code
- Date of birth, place of birth, and residential address
To comply with the Travel Rule and avoid license revocation, VASPs must maintain accurate records. While transactions involving private wallets are not directly covered by the rule, VASPs initiating such transactions are obligated to perform risk assessments.
Additionally, the revised AML Act imposes stringent penalties for non-compliance. Fines can reach up to €400,000, with additional penalties of up to 300 fine units (€4 per unit) for violations, including failing to meet capital requirements, neglecting VASP duties, and creating anonymous wallets or accounts.
In Estonia, the Crypto Travel Rule applies to all VASPs operating within its borders, including foreign VASPs, which must register locally to offer their services. VASPs here means crypto exchanges, crypto transfer providers, and any services related to virtual currency issuance.
Initially, Estonia offered two different licenses to crypto exchanges depending on their functions: the Exchange Service License and the Wallet Service License. However, it has now changed to just one license: the Estonian Cryptocurrency Exchange License.
To apply for the Estonian Cryptocurrency Exchange license, VASPs must meet stringent requirements that cover but are not limited to the following:
- The virtual currency company should be registered in Estonia.
- The company's business plan must include its intended business activities as well as operational procedures and expected spending.
- A description of the information technological system and other systems to be used to operate the business.
- The company's intended security measures to protect customer assets.
- Information about the company's assigned audit firm, including their name, personal identity code, or personally identifiable information (PII).
- A share capital of at least EUR 100,000 for exchange services and EUR 250,000 for transfer services.
In transactions involving unhosted (non-custodial or self-hosted) wallets, Estonian VASPs are not obliged to transmit detailed personally identifiable information (PII). However, they must assess the transaction's risk, retain essential information about both the transaction's originator and beneficiary, and provide this data to regulatory or supervisory bodies when requested.
While PII from the beneficiary is not always mandatory in transactions from self-hosted wallets, the originator must supply PII when transferring to a VASP. Additionally, transactions of high value or those conducted frequently may require the beneficiary's PII as well.
The FATF guidance and various global regulators further stipulate that VASPs must apply the Travel Rule to transactions above the $1,000 threshold. This minimum requirement varies based on jurisdictions. For instance, in the US, this limit is higher at $3,000, while some jurisdictions, like Estonia, do not have one at all.
Moreover, contrary to the guidance of FATF, Estonia doesn't need VASPs to gather and share any personal information about the Beneficiary customer. Most jurisdictions require the beneficiary's name to be obtained and transmitted. This may cause issues when an Estonia exchange exchange interacts with a foreign exchange, as they may reject the transaction that has no information about the beneficiary.
By enforcing the FATF Travel Rule and revising its AML laws, Estonia has set a framework that necessitates a detailed approach to transactions and service provider operations. These regulations aim to ensure transaction transparency and combat financial crimes, posing challenges for both regulators and industry participants to navigate this evolving landscape. In this evolving regulatory landscape, any actions taken must be carefully considered for their impact, with a focus on maintaining both security and a positive user experience.
Q1: What is the FATF Travel Rule, and how does it apply in Estonia?
The FATF Travel Rule requires virtual asset service providers (VASPs) to share transaction data between senders and receivers for transparency. In Estonia, this rule applies to all transactions regardless of their value.
Q2: Who is considered a VASP under Estonian regulations?
In Estonia, the definition of a VASP is broad, including crypto exchanges, wallet providers, and any service related to the transfer, exchange, or issuance of virtual currencies.
Q3: What are the licensing requirements for crypto businesses in Estonia?
Crypto businesses must obtain a VASP license, meet criteria such as a minimum capital requirement (which varies by service type), and pay a licensing fee, which has been increased to ensure only compliant entities operate.
___________________________________
Shyft Network powers trust on the blockchain and economies of trust. It is a public protocol designed to drive data discoverability and compliance into blockchain while preserving privacy and sovereignty. SHFT is its native token and fuel of the network.
Shyft Network facilitates the transfer of verifiable data between centralized and decentralized ecosystems. It sets the highest crypto compliance standard and provides the only frictionless Crypto Travel Rule compliance solution while protecting user data.
Visit our website to read more, and follow us on X (Formerly Twitter), GitHub, LinkedIn, Telegram, Medium, and YouTube. Sign up for our newsletter to keep up-to-date on all things privacy and compliance.
