News

Once considered one of Europe’s most attractive jurisdictions for cryptocurrency, Estonia in recent months has intensified a regulatory crackdown aimed at dramatically reducing the number of virtual asset services providers, or VASPs, licensed to operate in the country.

Estonia became one of the first EU nations to begin licensing VASPs four years ago and in practice subjected them to only the most rudimentary background checks. Those policies prompted hundreds of cryptocurrency exchanges and wallet providers from around the world to flock to the Baltic nation in the years that followed.

Last year, however, Estonia’s Financial Intelligence Unit, or FIU, which supervises the cryptocurrency sector for anti-money laundering purposes, stripped 1,300 VASPs of their licenses after finding that they disproportionately served customers in high-risk jurisdictions and did not have adequate controls to manage the financial-crime risks their clients posed.

Matis Maeker, who began leading the FIU in June, told ACAMS moneylaundering.com that the agency remains concerned about the quality of local operators’ financial-crime controls amid a global rise in the use of Bitcoin and other cryptocurrencies in investment frauds, ransomware attacks and schemes to launder drug profits.

“The risks have increased,” Maeker said. “We need to know more about whether firms have risk-sensitive compliance measures and controls, and whether their owners and managers are fit for the job, taking into account the risk they’re dealing with.”

Officials began tightening the rules that govern VASPs in March 2020 by raising the cost of applying for a license from €300 to €3,300, introducing more stringent checks on applicants’ owners and directors, reviewing their compliance programs, raising capital requirements to €12,000 and requiring them to open a physical office and employ staff in Estonia.

The FIU also began axing VASPs that did not launch operations within six months of obtaining a license—in Estonia or elsewhere—and warned those operating entirely from beyond the Baltic nation’s borders that they would likely lose their license.

An offsite survey conducted shortly afterwards found that VASPs registered in Estonia mostly served clients in the United States, followed by clients in Venezuela, Russia, Vietnam, Indonesia, Brazil, India and Iran. By that point, the cryptocurrency sector’s six-month turnover had more than doubled year-on-year to reach €1.2 billion.

The FIU subsequently revoked the licenses of two-thirds of all VASPs by December of last year—stripping their ability to operate in Estonia—while continuing to license exchanges and wallet providers deemed fit for purpose.

In June, the month Maeker took office and weeks after Estonian officials ranked the cryptocurrency sector near the top of their country’s most potent financial-crime threats, the FIU directed VASPs in a questionnaire to submit details on their top clients, the jurisdictions with which they transact, the beneficial owners of the legal entities they serve and other data.

The FIU has since withdrawn licenses from a further 114 VASPs and not approved any new applications, said Maeker, who previously led the Estonian Financial Supervisory Authority’s AML unit.

Another 50 operators that did not respond to the questionnaire and a previous survey are also set to lose their licenses, Maeker said, adding that directors and owners of some VASPs lost permission to operate in Estonia after failing to pass more stringent “fit and proper” tests and hiding prior criminal convictions from regulators.

Maeker told moneylaundering.com that he plans to continue reducing the number of licensed VASPs to place regulators in a better position to supervise the cryptocurrency sector, but did not specify an amount he would consider manageable.

“First we need to clean up the sector as much as needed,” the FIU director said. “Then we need to be confident that we have a firm base of entities that really need to be here and are doing business we can really understand.”

The agency has also prodded Estonia’s Finance Ministry to further tighten licensing requirements. Last month, officials proposed legislation that would raise capital requirements from €12,000 to €350,000 and require all firms to undergo an external audit.

Mari-Liis Kurg, founder and chief executive of Complok, an AML consultancy based in Tallinn, told moneylaundering.com that the crackdown must be viewed in the context of an upcoming assessment of Estonia’s efforts against financial crime by Moneyval, the European affiliate of the Financial Action Task Force, early next year.

Moneyval’s impending review comes three years after the Baltic nation landed in the center of a major money-laundering scandal involving the local affiliate of Denmark’s Danske Bank, which admitted processing €200 billion in suspicious transactions for offshore entities from 2007 to 2015.

“Of course the risks with cryptocurrencies are here, and we cannot afford to have another money laundering scandal,” Kurg said. “But the industry would like to see clear communication from the FIU about what their strategy is for the sector, what the expectations are and what the Estonian government’s risk appetite is.”

Despite the crackdown, Estonia still counts around 400 licensed cryptocurrency exchanges and wallet providers and therefore remains an outlier in Europe, where most countries waited to begin authorizing VASPs until at least January 2020, when the EU’s Fifth AML Directive, or 5AMLD, took effect.

Germany has issued only three cryptocurrency licenses to date, France has issued 26, the Netherlands 24 and Malta around a dozen.

Britain, which transposed 5AMLD into national legislation despite exiting the EU last year, has extended the registration process to March 2022 after concluding in June that most VASPs still fell short of AML standards. The U.K. Financial Conduct Authority has only authorized 13 VASPs to operate as of October.

Estonia’s decision to reverse a previous licensing policy may appear unusual on its face, but aligns with a global trend towards “greater regulatory harmonization” of cryptocurrency-related oversight and regulation, said David Carlisle, director of policy and regulatory affairs at Elliptic, a cryptocurrency forensics and compliance firm in London.

“Most countries are thinking about how they will allow this technology to exist and interact with the formal financial sector while ensuring that it is safe, and that firms are operating to high standards,” Carlisle said.

A handful of countries, most prominently China, have gone a step farther by banning Bitcoin and other privately issued cryptocurrencies altogether.

Contact Koos Couvée at kcouvee@acams.org