top of page

Virtual currency service providers sector needs immediate mitigation actions according to NRA

Estonian money laundering and terrorism financing prevention national risk assessment (NRA) report was published at the end of last month and assessment covers 2017-2019. According to NRA, the biggest threats and vulnerabilities to money laundering and terrorist financing are related to virtual currency service providers.

Based on the NRA virtual currency service providers whose actual business activities are not related to Estonia are posing high risk for money laundering, terrorist financing and the financing of the proliferation of weapons of mass destruction and it highlights that its crucial to strengthen cooperation with the private in order to reduce the attractiveness of the virtual currency environment for criminal exploitation. The stricter requirements for virtual currency providers that came into force already in 2020 but apparently have not been sufficient and there is still a lack of transparency in this area.

Risks identified in the field of virtual currencies based on the NRA:

  • Companies that have an activity license in Estonia have their economic activity directed outside Estonia, so the link with the Estonian economy is limited

  • Requests for legal assistance to the Estonian police related to suspicion of fraud and financial crime have increased

  • Actual location of the management board - there is a danger that although according to the law the management board must be located in Estonia, in reality the member of the management board located in Estonia is a shadow figure and the company's activities are managed outside Estonia

  • Anti-Money Laundering Reporting Officer are fictitious: they are registered with several companies, are not actually aware of the company's activities and do not have access to real transactions nor have the required knowledge

  • Due diligence measures and data retention quality differs

  • Anonymity of virtual currency transactions, due to which it is not possible to associate the wallet number with a specific person

  • Lack of notifications to FIU. Only 1% of virtual currency companies have complied with the notification obligation provided by law

  • Virtual currency service providers do not have the necessary data about the client: personal data is incorrect, contact details provided are incomplete and unverified, a driving license is used as an identity document (if asked at all) and identity is mostly checked using software of varying quality

Proposed mitigation measures:

  • Require that procedures and internal control rules submitted when applying for licence are effectively mitigating and managing the risks identified in the national risk assessment

  • The virtual currency sector shall always implement additional enhanced due diligence measures

  • Apply the rule of transfers of funds for the information collecting and transmitting for the payer and the payee

  • All persons who have established a customer relationship and / or use the platform for the transaction must be identified

  • Improve KYC automated solution systems

  • For "high risk" clients, require human involvement in the identification process

  • The identification must include a valid mobile phone number and e-mail address, the validity of which is checked semi-annually (sending verification codes)

  • If the same person has several wallets, they must be linked

  • Verification of PEP status when establishing a customer relationship, requesting the customer's first payment through the bank account of an EEA credit institution

  • Control and enforcement of international sanctions

The following changes are planned at the legislative level:

  • Establish a regular reporting obligation for the virtual currency service provider’s sector

  • Review and extend the grounds for revocation of the license and set restrictions on the application for a new license

  • Impose restrictions on the transfer of ownership after applying for the license. Within the next six months from the moment of applying for the license, the transfer of the ownership with the license is prohibited

  • Set a higher barrier to market entry: appropriate requirements for assessing the suitability of managers / owners and the origin of capital, background checks; significant increase of the activity license processing fee, connection of the activity with Estonia

  • Set higher requirements for the member of the management board (comparable to, for example, the requirements of a contact person)

  • Additional requirements for the position of the Money Laundering Reporting Officer, including restriction for contact person to work in several companies

  • Money Laundering Reporting Officer with the necessary knowledge, with physical location in Estonia who has access to transaction information. Knowledge and physical location are checked before a license is issued. Periodic reporting requirement. Law firms in the activities of AML contact person must be excluded. Contact person must be an official employee of the company

  • Additional requirements for the place of business. Physical access to customer/transaction data must also be guaranteed in Estonia. Requirement to keep copies of documents, profile photos and contact numbers of persons who have established a customer relationship

Other measures:

  • Don't allow anonymous virtual currencies on Estonian licensed platforms

  • Consider the establishment of a national central government virtual currency register without transaction data, which would gather:

  • name of the service provider, first and last name of the client, date of birth, country of birth, residence, citizenship, mobile phone number, e-mail address.

  • Introduce an annual asset and payment-based supervision fee for the virtual currency service provider’s sector

Source: Eesti rahapesu ja terrorismi tõkestamise siseriiklik riskihinnang 2020

bottom of page